Network Working Group                                          T. Dietz
Internet-Draft                                          NEC Europe Ltd.
Expires: August 1, 2004                                     F. Dressler
                                                               G. Carle
                                                University of Tuebingen
                                                              B. Claise
                                                          Cisco Systems
                                                          February 2004

             Information Model for Packet Sampling Exports
                        draft-ietf-psamp-info-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 1, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004). All Rights Reserved.

Abstract

   This document defines an information and data model for the Packet
   Sampling (PSAMP) protocol. It is used by the PSAMP protocol for
   encoding sampled packet data and information related to the sampling
   process. The model is an extension to the IPFIX information model.

Dietz, et al.         draft-ietf-psamp-info-01.txt             [Page 1]
Internet-Draft         PSAMP Information Model            February 2004

Table of Contents

   1.      Open Issues
   2.      Introduction
   3.      Relationship between PSAMP and IPFIX
   4.      Properties of a PSAMP Information Element
   5.      Type Space
   6.      The PSAMP Fields
   6.1     PSAMP Usage of IPFIX Attributes
   6.2     Additional PSAMP Fields
   6.2.1   optionTemplateId
   6.2.2   sequenceNumber
   6.2.3   samplingAlgorithm
   6.2.4   filteringAlgorithm
   6.2.5   samplingPacketInterval
   6.2.6   samplingPacketSpace
   6.2.7   samplingTimeInterval
   6.2.8   samplingTimeSpace
   6.2.9   samplingPopulation
   6.2.10  samplingSize
   6.2.11  packetSample
   6.2.12  hashFunction
   7.      Security Considerations
   8.      IANA Considerations
           Normative References
           Informative References
           Authors' Addresses
   A.      Formal Specification of PSAMP Fields
           Intellectual Property and Copyright Statements

1. Open Issues

   This section covers some open issues which have to be solved in a
   future version of this draft:

   *  We currently define the sampling/filtering algorithm and the hash
      function field as a simple 8-bit identifier. This implies that an
      extension is very easy. Nevertheless, it might be appropriate to
      have a single field for each method in order to integrate special
      information about the sampling/filtering algorithm or the hash
      function directly into the field.
   *  The PSAMP protocol allows the definition of more than one
      sampling or filtering method, which are applied in sequential
      order. Therefore, the order of the fields in a template becomes
      important. This is a primary difference to the semantics of the
      flow template in the IPFIX definition. Currently, we do not have
      a proper definition for the ordering of flow fields.

   *  The unit property is currently optional, but we would like to
      have information about units wherever possible. The unit property
      may become mandatory in a future version of this document and we
      would define the unit as "not applicable" when no unit can be
      given.

   *  This document only defines the fields for exporting PSAMP data
      that are not defined by the IPFIX information model.
      Nevertheless, we should include a usage statement for the fields
      defined by IPFIX when used by the PSAMP export protocol or
      include a special section discussing the usage of IPFIX fields by
      PSAMP.

   *  The export of sampled data may not need all fields defined by the
      IPFIX information model. Thus a section within this document
      should give an overview of flow fields defined in the IPFIX
      information model and their usage in the PSAMP environment.

   *  The flow state sampling, random non-uniform probabilistic
      sampling, the mask filtering and the router state filtering are
      currently not covered by the information model because the fields
      needed for these algorithms still need to be specified.

   *  The observation point is currently not covered by the IPFIX
      information model. It is not clear if we should include the
      observation point by ourselves or if we should wait for IPFIX to
      include it in their information model.

   *  The number space for field types is not yet assigned by any
      directory (IANA). It currently starts at 1024 to leave enough
      space for the IPFIX fields.

2. Introduction

   Packet sampling techniques are required for various measurement
   scenarios.
   The packet sampling (PSAMP) protocol provides mechanisms for the
   packet selection using different filtering and sampling techniques.
   A standard way for the export and storage of such sampled packet
   data is required. The definition of the PSAMP information and data
   model is based on the IP Flow Information eXport (IPFIX) protocol
   [I-D.ietf-ipfix-protocol]. The PSAMP protocol document
   [I-D.ietf-psamp-protocol] describes how to use the IPFIX protocol in
   the PSAMP context.

   This document examines the IPFIX information model
   [I-D.ietf-ipfix-info] and extends it to meet the PSAMP requirements.
   Therefore, the structure of this document is strongly based on the
   IPFIX document. It complements the PSAMP protocol specification by
   providing an appropriate PSAMP information model.

   The main part of this document, section 6, defines the list of
   fields to be transmitted by the PSAMP protocol. Sections 5 and 4
   describe the data types and field properties used within this
   document and their relationship to the IPFIX information model.

   The main body of section 6 was generated from an XML document. The
   XML-based specification of the PSAMP fields can be used for
   automatically checking syntactical correctness of the specification.
   Furthermore it can be used - in combination with the IPFIX
   information model - for an automated code generation. The resulting
   code can be used in PSAMP protocol implementations to deal with
   processing PSAMP fields.

   For that reason, the XML document that served as source for section
   6 is attached to this document in Appendix A.

   Note that although partially generated from the attached XML
   documents, the main body of this document is normative while the
   appendices are informational.

3. Relationship between PSAMP and IPFIX

   As described in IETF working document
   draft-quittek-psamp-ipfix-01.txt [I-D.quittek-psamp-ipfix], a PSAMP
   data record can be seen as a very special IPFIX flow record. It
   represents an IPFIX flow containing only a single packet.
   Therefore, the IPFIX information model can be used as a basis for
   PSAMP reports. Nevertheless, there are properties required in PSAMP
   reports which cannot be modeled using the current IPFIX information
   model. This document describes extensions to the IPFIX model which
   allow the modeling of information and data required by PSAMP.

4. Properties of a PSAMP Information Element

   The PSAMP information elements are in accordance with the
   definitions of IPFIX. Therefore we do not repeat the properties in
   this draft. Nevertheless, we strongly recommend defining the
   optional "usage" and "unit" elements for every field (if
   applicable).

5. Type Space

   The PSAMP fields MUST be constructed from the basic data types
   described in the IPFIX Information Model [I-D.ietf-ipfix-info]. To
   avoid duplicated work and to keep consistency between IPFIX and
   PSAMP the data types are not repeated in this document.

6. The PSAMP Fields

   This section describes the fields used by the PSAMP exporting
   functions. Basically, the fields described by the IPFIX information
   model [I-D.ietf-ipfix-info] are used by the PSAMP export functions
   where applicable. To avoid inconsistencies between the IPFIX and the
   PSAMP information and data models, only those fields are defined
   here that are not already described by the IPFIX information model.

6.1 PSAMP Usage of IPFIX Attributes

   Some fields defined by the IPFIX information model are not needed by
   the PSAMP protocol. Other fields have a different meaning or usage
   pattern than in IPFIX. This section lists the IPFIX fields that are
   needed in the PSAMP context and introduces their usage.

   EDITOR NOTE: this section needs to be finished once IPFIX as well as
   PSAMP info model are stable.

6.2 Additional PSAMP Fields

6.2.1 optionTemplateId

   Description:
      The unique Id of a selector which defines the sampling instance.
   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   Field Id: 1024

6.2.2 sequenceNumber

   Description:
      The sequence number of a sample packet.
   Abstract Data Type: unsigned32
   Field Id: 1025

6.2.3 samplingAlgorithm

   Description:
      The following sampling algorithms are defined:

      * 1 Systematic count-based sampling
      * 2 Systematic time-based sampling
      * 3 Random n-out-of-N sampling
      * 4 Random uniform probabilistic sampling
      * 5 Random non-uniform probabilistic sampling
      * 6 Flow state sampling

      EDITOR'S NOTE: This list may extend to the final version. The
      "octet" data type is probably not the best choice but keeps the
      list extensible.
   Abstract Data Type: octet
   Data Type Semantics: identifier
   Field Id: 1026

6.2.4 filteringAlgorithm

   Description:
      The following filtering algorithms are defined:

      * 1 Mask based filtering
      * 2 Hash based filtering
      * 3 Router state filtering

      EDITOR'S NOTE: This list may extend to the final version. The
      "octet" data type is probably not the best choice but keeps the
      list extensible.
   Abstract Data Type: octet
   Data Type Semantics: identifier
   Field Id: 1027

6.2.5 samplingPacketInterval

   Description:
      Number of packets that are consecutively sampled. For example a
      value of 100 would mean that the next 100 packets are sampled.
   Abstract Data Type: unsigned32
   Field Id: 1028
   Units: packets

6.2.6 samplingPacketSpace

   Description:
      The number of packets between two "samplingPacketInterval"s. A
      value of 100 would mean that the next interval would start after
      100 packets (which are not sampled) when the current
      "samplingPacketInterval" is over.
   Abstract Data Type: unsigned32
   Field Id: 1029
   Units: packets

6.2.7 samplingTimeInterval

   Description:
      Time interval in microseconds in which all arriving packets are
      sampled.
   Abstract Data Type: dateTimeMicroSeconds
   Field Id: 1030
   Units: microseconds

6.2.8 samplingTimeSpace

   Description:
      The time interval in microseconds between two
      "samplingTimeInterval"s. A value of 100 would mean that the next
      interval would start after 100 microseconds (in which no packets
      are sampled) when the current "samplingTimeInterval" is over.
   Abstract Data Type: dateTimeMicroSeconds
   Field Id: 1031
   Units: microseconds

6.2.9 samplingPopulation

   Description:
      The number of elements in the parent population for random
      sampling algorithms.
   Abstract Data Type: unsigned32
   Field Id: 1032
   Units: packets

6.2.10 samplingSize

   Description:
      The number of elements taken from the parent population for
      random sampling algorithms.
   Abstract Data Type: unsigned32
   Field Id: 1033
   Units: packets

6.2.11 packetSample

   Description:
      The first n bytes of the sampled packet.
   Abstract Data Type: octetArray
   Field Id: 1034

6.2.12 hashFunction

   Description:
      The following hash functions are defined:

      * 1 Hash function 1
      * 2 Hash function 2
      * ...

      EDITOR'S NOTE: This list is currently just a sample.
   Abstract Data Type: octet
   Data Type Semantics: identifier
   Field Id: 1035

7. Security Considerations

   The PSAMP information model itself does not directly introduce
   security issues. Rather it defines a set of attributes which may,
   for privacy or business issues, be considered sensitive information.

   The underlying protocol used to exchange the information described
   here must therefore apply appropriate procedures to guarantee the
   integrity and confidentiality of the exported information. Such
   protocols are defined in separate documents, specifically the IPFIX
   protocol document [I-D.ietf-ipfix-protocol].

8. IANA Considerations

   Field IDs for fields defined in this document need to be registered
   at IANA as new IPFIX field numbers.

Normative References

   [I-D.ietf-psamp-sample-tech]
              Zseby, T., Molina, M., Raspall, F. and N. Duffield,
              "Sampling and Filtering Techniques for IP Packet
              Selection", draft-ietf-psamp-sample-tech-03 (work in
              progress), October 2003.

   [I-D.ietf-psamp-protocol]
              Claise, B., "Packet Sampling (PSAMP) Protocol
              Specifications", draft-ietf-psamp-protocol-00 (work in
              progress), October 2003.

   [I-D.ietf-psamp-mib]
              Dietz, T., "Definitions of Managed Objects for Packet
              Sampling", draft-ietf-psamp-mib-01 (work in progress),
              October 2003.

   [I-D.ietf-ipfix-reqs]
              Quittek, J., "Requirements for IP Flow Information
              Export", draft-ietf-ipfix-reqs-15 (work in progress),
              January 2004.

   [I-D.ietf-ipfix-info]
              Calato, P., "Information Model for IP Flow Information
              Export", draft-ietf-ipfix-info-02 (work in progress),
              December 2003.

   [I-D.ietf-ipfix-protocol]
              Claise, B., "IPFIX Protocol Specifications",
              draft-ietf-ipfix-protocol-02 (work in progress), January
              2004.

Informative References

   [I-D.ietf-ipfix-architecture]
              Norseth, K. and G. Sadasivan, "Architecture Model for IP
              Flow Information Export",
              draft-ietf-ipfix-architecture-02 (work in progress), June
              2002.

   [I-D.ietf-psamp-framework]
              Duffield, N., "A Framework for Passive Packet
              Measurement", draft-ietf-psamp-framework-05 (work in
              progress), January 2004.

   [I-D.quittek-psamp-ipfix]
              Quittek, J. and B. Claise, "On the Relationship between
              PSAMP and IPFIX", draft-quittek-psamp-ipfix-01 (work in
              progress), March 2003.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444, January
              2003.

   [RFC3470]  Hollenbeck, S., Rose, M. and L.
              Masinter, "Guidelines for the Use of Extensible Markup
              Language (XML) within IETF Protocols", BCP 70, RFC 3470,
              January 2003.

Authors' Addresses

   Thomas Dietz
   NEC Europe Ltd.
   Network Laboratories
   Kurfuersten-Anlage 36
   Heidelberg  69115
   Germany

   Phone: +49 6221 90511-28
   EMail: dietz@ccrle.nec.de
   URI:   http://www.ccrle.nec.de/

   Falko Dressler
   University of Tuebingen
   Wilhelm-Schickard-Institute for Computer Science
   Auf der Morgenstelle 10C
   Tuebingen  71076
   Germany

   Phone: +49 7071 29-70522
   EMail: dressler@informatik.uni-tuebingen.de
   URI:   http://net.informatik.uni-tuebingen.de/

   Georg Carle
   University of Tuebingen
   Wilhelm-Schickard-Institute for Computer Science
   Auf der Morgenstelle 10C
   Tuebingen  71076
   Germany

   Phone: +49 7071 29-70505
   EMail: carle@informatik.uni-tuebingen.de
   URI:   http://net.informatik.uni-tuebingen.de/

   Benoit Claise
   Cisco Systems
   De Kleetlaan 6a b1
   Degem  1813
   Belgium

   Phone: +32 2 704 5622
   EMail: bclaise@cisco.com

Appendix A. Formal Specification of PSAMP Fields

   This appendix contains a formal description of the PSAMP information
   model XML document. Note that this appendix is of informational
   nature, while the text in Section 6 generated from this appendix is
   normative.

   Using a formal and machine readable syntax for the information model
   enables the creation of PSAMP aware tools which can automatically
   adapt to extensions to the information model, by simply reading
   updated information model specifications.

   The wide availability of XML aware tools and libraries for client
   devices is a primary consideration for this choice. In particular
   libraries for parsing XML documents are readily available. Also
   mechanisms such as the Extensible Stylesheet Language (XSL) allow
   for transforming a source XML document into other documents.
   This draft was authored in XML and transformed according to RFC2629.

   It should be noted that the use of XML in exporters, collectors or
   other tools is not mandatory for the deployment of PSAMP. In
   particular, exporting processes do not produce or consume XML as
   part of their operation. It is expected that PSAMP collectors MAY
   take advantage of the machine readability of the information model
   vs. hardcoding their behavior or inventing proprietary means for
   accommodating extensions.

   Using XML-based specifications does not currently address possible
   IANA implications associated with XML Namespace URIs. The use of
   Namespaces as an extension mechanism implies that an IANA registered
   Namespace URI should be available and that directory names below
   this base URI be assigned for relevant IETF specifications. The
   authors are not aware of this mechanism today.

   The unique Id of a selector which defines the sampling instance.

   The attribute is used to specify which options data flow record was
   used to sample the arriving data record. It must be present in each
   data flow record.

   The sequence number of a sample packet.

   The attribute is used to specify the sequence number of a sample
   packet to record loss of packets while exporting data flow records.

   The following sampling algorithms are defined:

      1 Systematic count-based sampling
      2 Systematic time-based sampling
      3 Random n-out-of-N sampling
      4 Random uniform probabilistic sampling
      5 Random non-uniform probabilistic sampling
      6 Flow state sampling

   EDITOR'S NOTE: This list may extend to the final version. The
   "octet" data type is probably not the best choice but keeps the list
   extensible.

   The attribute is used to specify the sampling algorithm that was
   used to sample a packet. It is exported in the options data flow
   record to specify how a collector has to interpret a data flow
   record.
   The following filtering algorithms are defined:

      1 Mask based filtering
      2 Hash based filtering
      3 Router state filtering

   EDITOR'S NOTE: This list may extend to the final version. The
   "octet" data type is probably not the best choice but keeps the list
   extensible.

   The attribute is used to specify the filtering algorithm that was
   used to sample a packet. It is exported in the options data flow
   record to specify how a collector has to interpret a data flow
   record.

   Number of packets that are consecutively sampled. For example a
   value of 100 would mean that the next 100 packets are sampled.

   packets

   This field is used for the systematic count-based sampling.

   The number of packets between two "samplingPacketInterval"s. A value
   of 100 would mean that the next interval would start after 100
   packets (which are not sampled) when the current
   "samplingPacketInterval" is over.

   packets

   This field is used for the systematic count-based sampling.

   Time interval in microseconds in which all arriving packets are
   sampled.

   microseconds

   This field is used for the systematic time-based sampling.

   The time interval in microseconds between two
   "samplingTimeInterval"s. A value of 100 would mean that the next
   interval would start after 100 microseconds (in which no packets are
   sampled) when the current "samplingTimeInterval" is over.

   microseconds

   This field is used for the systematic time-based sampling.

   The number of elements in the parent population for random sampling
   algorithms.

   packets

   This field is used for n-out-of-N and the probabilistic sampling
   algorithms.

   The number of elements taken from the parent population for random
   sampling algorithms.

   packets

   This field is used for n-out-of-N and the probabilistic sampling
   algorithms.
   The first n bytes of the sampled packet.

   The following hash functions are defined:

      1 Hash function 1
      2 Hash function 2
      ...

   EDITOR'S NOTE: This list is currently just a sample.

   The attribute is used to specify the hash function that was used to
   filter a packet. It is exported in the options data flow record to
   specify how a collector has to interpret a data flow record.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2004). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
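Added example, not part of the draft: a collector-side check of decoded PSAMP option fields against the field registry of section 6.2, together with the count-based selection rule described in 6.2.5 and 6.2.6. The record layout (a dict of field id to decoded value), the function names, treating the per-algorithm parameter fields as required, and starting the stream with a sampled interval are assumptions of this example.

```python
# Added example, not part of the draft. Field ids, names and abstract types
# are copied from section 6.2; everything else is an assumption.
PSAMP_FIELDS = {
    1024: ("optionTemplateId", "unsigned16"),
    1025: ("sequenceNumber", "unsigned32"),
    1026: ("samplingAlgorithm", "octet"),
    1027: ("filteringAlgorithm", "octet"),
    1028: ("samplingPacketInterval", "unsigned32"),
    1029: ("samplingPacketSpace", "unsigned32"),
    1030: ("samplingTimeInterval", "dateTimeMicroSeconds"),
    1031: ("samplingTimeSpace", "dateTimeMicroSeconds"),
    1032: ("samplingPopulation", "unsigned32"),
    1033: ("samplingSize", "unsigned32"),
    1034: ("packetSample", "octetArray"),
    1035: ("hashFunction", "octet"),
}
MAX_VALUE = {"octet": 0xFF, "unsigned16": 0xFFFF, "unsigned32": 0xFFFFFFFF}
# Identifier values listed in 6.2.3 and 6.2.4 (the hashFunction list is only a sample).
DEFINED_IDS = {1026: range(1, 7), 1027: range(1, 4)}
# Parameter fields per sampling algorithm, following the usage notes in
# Appendix A. Requiring their presence is an assumption of this example.
PARAMS = {1: (1028, 1029), 2: (1030, 1031), 3: (1032, 1033), 4: (1032, 1033)}


def validate_options(record):
    """Return a list of problems found in one decoded options record."""
    problems = []
    for field_id, value in record.items():
        if field_id not in PSAMP_FIELDS:
            problems.append(f"field {field_id}: not defined in section 6.2")
            continue
        name, abstract_type = PSAMP_FIELDS[field_id]
        if abstract_type == "octetArray":
            if not isinstance(value, (bytes, bytearray)):
                problems.append(f"{name}: expected bytes")
            continue
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            problems.append(f"{name}: expected a non-negative integer")
            continue
        # dateTimeMicroSeconds has no entry: its width is left to the IPFIX model.
        limit = MAX_VALUE.get(abstract_type)
        if limit is not None and value > limit:
            problems.append(f"{name}: {value} does not fit {abstract_type}")
        elif field_id in DEFINED_IDS and value not in DEFINED_IDS[field_id]:
            problems.append(f"{name}: identifier {value} is not defined")
    algorithm = record.get(1026)
    needed = PARAMS.get(algorithm, ()) if isinstance(algorithm, int) else ()
    for field_id in needed:
        if field_id not in record:
            name = PSAMP_FIELDS[field_id][0]
            problems.append(f"{name}: missing for samplingAlgorithm {algorithm}")
    size, population = record.get(1033), record.get(1032)
    if isinstance(size, int) and isinstance(population, int) and size > population:
        problems.append("samplingSize exceeds samplingPopulation")
    return problems


def count_based_sampled(position, interval, space):
    """True if the packet at 0-based `position` is sampled under algorithm 1.

    Per 6.2.5 and 6.2.6, `interval` consecutive packets are sampled and the
    next `space` packets are not. Starting with a sampled interval is assumed.
    """
    period = interval + space
    if period == 0:
        raise ValueError("interval and space are both zero")
    return position % period < interval


# Constructed sample records (not captured traffic).
GOOD = {1024: 7, 1026: 1, 1028: 100, 1029: 100}
BAD = {1024: 70000, 1026: 9, 1032: 10, 1033: 50, 2000: 1}
```
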