Internet Engineering Task Force (IETF)                      A. Kobayashi, Ed.
Request for Comments: 5982                                        NTT PF Lab.
Category: Informational                                         B. Claise, Ed.
ISSN: 2070-1721                                            Cisco Systems, Inc.
                                                                  August 2010
IP Flow Information Export (IPFIX) Mediation: Problem Statement
Abstract
Flow-based measurement is a popular method for various network monitoring usages. The sharing of flow-based information for monitoring applications having different requirements raises some open issues in terms of measurement system scalability, flow-based measurement flexibility, and export reliability that IP Flow Information Export (IPFIX) Mediation may help resolve. This document describes some problems related to flow-based measurement that network administrators have been facing, and then it describes IPFIX Mediation applicability examples along with the problems.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5982.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology and Definitions
3. IPFIX/PSAMP Documents Overview
   3.1. IPFIX Documents Overview
   3.2. PSAMP Documents Overview
4. Problem Statement
   4.1. Coping with IP Traffic Growth
   4.2. Coping with Multipurpose Traffic Measurement
   4.3. Coping with Heterogeneous Environments
   4.4. Summary
5. Mediation Applicability Examples
   5.1. Adjusting Flow Granularity
   5.2. Collecting Infrastructure
   5.3. Correlation for Data Records
   5.4. Time Composition
   5.5. Spatial Composition
   5.6. Data Record Anonymization
   5.7. Data Retention
   5.8. IPFIX Export from a Branch Office
   5.9. Distributing Data Record Types
   5.10. Flow-Based Sampling and Selection
   5.11. Interoperability between Legacy Protocols and IPFIX
6. IPFIX Mediators' Implementation-Specific Problems
   6.1. Loss of Original Exporter Information
   6.2. Loss of Base Time Information
   6.3. Transport Sessions Management
   6.4. Loss of Options Template Information
   6.5. Template ID Management
   6.6. Consideration for Network Topology
   6.7. IPFIX Mediation Interpretation
   6.8. Consideration for Aggregation
7. Summary and Conclusion
8. Security Considerations
9. Acknowledgements
10. References
   10.1. Normative References
   10.2. Informative References
Contributors
1. Introduction

An advantage of flow-based measurement is that it allows monitoring large amounts of traffic observed at distributed Observation Points. While flow-based measurement can be applied to any one of various purposes and applications, it is difficult to apply it to multiple applications with very different requirements in parallel. Network administrators need to adjust the parameters of the metering devices to fulfill the requirements of every single measurement application. Such configurations are often not supported by the metering devices, either because of functional restrictions or because of limited computational and memory resources, which inhibit the metering of large amounts of traffic with the desired setup. IP Flow Information Export (IPFIX) Mediation fills the gap between restricted metering capabilities and the requirements of measurement applications by introducing an intermediate device called the IPFIX Mediator.
The IPFIX requirements defined in [RFC3917] mention examples of intermediate devices located between Exporters and Collectors, such as IPFIX proxies or concentrators. But, there are no documents defining a generalized concept for such intermediate devices. This document addresses that issue by defining IPFIX Mediation -- a generalized intermediate device concept for IPFIX -- and examining in detail the motivations behind its application.
This document is structured as follows: Section 2 describes the terminology used in this document, Section 3 gives an IPFIX/Packet Sampling (PSAMP) document overview, Section 4 introduces general problems related to flow-based measurement, Section 5 describes some applicability examples where IPFIX Mediation would be beneficial, and, finally, Section 6 describes some problems an IPFIX Mediation implementation might face.
2. Terminology and Definitions

The IPFIX-specific and PSAMP-specific terminology used in this document is defined in [RFC5101] and [RFC5476], respectively. In this document, as in [RFC5101] and [RFC5476], the first letter of each IPFIX-specific and PSAMP-specific term is capitalized along with the IPFIX Mediation-specific terms defined here.
In this document, we call "record stream" a stream of records carrying flow- or packet-based information. The records may be encoded as IPFIX Data Records or in any other format.
Original Exporter
An Original Exporter is an IPFIX Device that hosts the Observation Points where the metered IP packets are observed.
IPFIX Mediation
IPFIX Mediation is the manipulation and conversion of a record stream for subsequent export using the IPFIX protocol.
The following terms are used in this document to describe the architectural entities used by IPFIX Mediation.
Intermediate Process
An Intermediate Process takes a record stream as its input from Collecting Processes, Metering Processes, IPFIX File Readers, other Intermediate Processes, or other record sources; performs some transformations on this stream, based upon the content of each record, states maintained across multiple records, or other data sources; and passes the transformed record stream as its output to Exporting Processes, IPFIX File Writers, or other Intermediate Processes, in order to perform IPFIX Mediation. Typically, an Intermediate Process is hosted by an IPFIX Mediator. Alternatively, an Intermediate Process may be hosted by an Original Exporter.
IPFIX Mediator
An IPFIX Mediator is an IPFIX Device that provides IPFIX Mediation by receiving a record stream from some data sources, hosting one or more Intermediate Processes to transform that stream, and exporting the transformed record stream into IPFIX Messages via an Exporting Process. In the common case, an IPFIX Mediator receives a record stream from a Collecting Process, but it could also receive a record stream from data sources not encoded using IPFIX, e.g., in the case of conversion from the NetFlow V9 protocol [RFC3954] to the IPFIX protocol.
Note that the IPFIX Mediator is a generalization of the concentrator and proxy elements envisioned in the IPFIX requirements [RFC3917]. IPFIX Mediators running appropriate Intermediate Processes provide the functionality specified therein.
3. IPFIX/PSAMP Documents Overview

IPFIX Mediation can be applied to Flow- or packet-based information. The Flow-based information is encoded as IPFIX Flow Records by the IPFIX protocol, and the packet-based information is extracted by some packet selection techniques and then encoded as PSAMP Packet Reports by the PSAMP protocol. Thus, this section describes relevant documents for both protocols.
3.1. IPFIX Documents Overview

The IPFIX protocol [RFC5101] provides network administrators with access to IP flow information. The architecture for the export of measured IP flow information from an IPFIX Exporting Process to a Collecting Process is defined in [RFC5470], per the requirements defined in [RFC3917]. The IPFIX protocol [RFC5101] specifies how IPFIX Data Records and Templates are carried via a number of transport protocols from IPFIX Exporting Processes to IPFIX Collecting Processes. IPFIX has a formal description of IPFIX Information Elements, their names, types, and additional semantic information, as specified in [RFC5102]. [RFC5815] specifies the IPFIX Management Information Base. Finally, [RFC5472] describes what types of applications can use the IPFIX protocol and how they can use the information provided. Furthermore, it shows how the IPFIX framework relates to other architectures and frameworks. The storage of IPFIX Messages in a file is specified in [RFC5655].
3.2. PSAMP Documents Overview

The framework for packet selection and reporting [RFC5474] enables network elements to select subsets of packets by statistical and other methods and to export a stream of reports on the selected packets to a Collector. The set of packet selection techniques (Sampling and Filtering) standardized by PSAMP is described in [RFC5475]. The PSAMP protocol [RFC5476] specifies the export of packet information from a PSAMP Exporting Process to a Collector. Like IPFIX, PSAMP has a formal description of its Information Elements, their names, types, and additional semantic information. The PSAMP information model is defined in [RFC5477]. [PSAMP-MIB] describes the PSAMP Management Information Base.
4. Problem Statement

Network administrators generally face the problems of measurement system scalability, Flow-based measurement flexibility, and export reliability, even if some techniques, such as Packet Sampling, Filtering, Data Records aggregation, and export replication, have already been developed. The problems consist of adjusting some parameters of metering devices to resources of the measurement system while fulfilling appropriate conditions: data accuracy, Flow granularity, and export reliability. These conditions depend on two factors.
o Measurement system capacity: This consists of the bandwidth of the management network, the storage capacity, and the performances of the collecting devices and exporting devices.
o Application requirements: Different applications, such as traffic engineering, detecting traffic anomalies, and accounting, impose different Flow Record granularities, and data accuracies.
The sustained growth of IP traffic has been overwhelming the capacities of measurement systems. Furthermore, a large variety of applications (e.g., Quality-of-Service (QoS) measurement, traffic engineering, security monitoring) and the deployment of measurement systems in heterogeneous environments have been increasing the demand and complexity of IP traffic measurements.
4.1. Coping with IP Traffic Growth

Enterprise or service provider networks already have multiple 10 Gb/s links, their total traffic exceeding 100 Gb/s. In the near future, broadband users' traffic will increase by approximately 40% every year according to [TRAFGRW]. When administrators monitor IP traffic sustaining its growth at multiple Exporters, the amount of exported Flow Records from Exporters could exceed the ability of a single Collector.
To deal with this problem, current data reduction techniques (Packet Sampling and Filtering in [RFC5475], and aggregation of measurement data) have been generally implemented on Exporters. Note that Packet Sampling leads to potential loss of small Flows. With both Packet Sampling and aggregation techniques, administrators might no longer be able to detect and investigate subtle traffic changes and anomalies, as this requires detailed Flow information. With Filtering, only a subset of the Data Records are exported.
Considering the potential drawbacks of Packet Sampling, Filtering, and Data Records aggregation, there is a need for a large-scale collecting infrastructure that does not rely on data reduction techniques.
4.2. Coping with Multipurpose Traffic Measurement

Different monitoring applications impose different requirements on the monitoring infrastructure. Some of them require traffic monitoring at a Flow level while others need information about individual packets or just Flow aggregates.
To fulfill these diverse requirements, an Exporter would need to perform various complex metering tasks in parallel, which is a problem due to limited resources. Hence, it can be advantageous to run the Exporter with a much simpler setup and to perform appropriate post-processing of the exported Data Records at a later stage.
4.3. Coping with Heterogeneous Environments

Network administrators use IPFIX Devices and PSAMP Devices from various vendors, various software versions, and various device types (router, switch, or probe) in a single network domain. Even legacy flow export protocols are still deployed in current networks. This heterogeneous environment leads to differences in Metering Process capabilities, Exporting Process capacity (export rate, cache memory, etc.), and data format. For example, probes and switches cannot retrieve some derived packet properties from a routing table.
To deal with this problem, the measurement system needs to mediate these differences. However, equipping every collecting device with the capability to absorb them is difficult.
4.4. Summary

Due to resource limitations of the measurement system, it is important to use traffic data reduction techniques as early as possible, e.g., at the Exporter. However, this implementation is made difficult by the heterogeneous environment of exporting devices. On the other hand, keeping data accuracy and Flow granularity to meet the requirements of different monitoring applications requires a scalable and flexible collecting infrastructure.
This implies that a new Mediation function is required in typical Exporter-Collector architectures. Based on some applicability examples, the next section shows the limitation of the typical Exporter-Collector architecture model and the IPFIX Mediation benefits.
5. Mediation Applicability Examples

5.1. Adjusting Flow Granularity

The simplest set of Flow Keys is a fixed 5-tuple of protocol, source and destination IP addresses, and source and destination port numbers. A shorter set of Flow Keys, such as a triple, a double, or a single property (for example, network prefix, peering autonomous system number, or BGP Next-Hop fields), creates more aggregated Flow Records. This is especially useful for measuring router-level traffic matrices in a core network domain and for easily adjusting the performance of Exporters and Collectors.
Implementation analysis:
Implementations for this case depend on where Flow granularity is adjusted. More suitable implementations use configurable Metering Processes in Original Exporters. The cache in the Metering Process can specify its own set of Flow Keys and extra fields. The Original Exporter thus generates Flow Records of the desired Flow granularity.
Where the Metering Process on an Original Exporter cannot change its Flow Keys and creates Flow Records or PSAMP Packet Reports, an IPFIX Mediator can aggregate those Data Records under a new set of Flow Keys. Even where the Metering Process can change its Flow Keys, an IPFIX Mediator can aggregate the Flow Records further.
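As an added worked example (not part of RFC 5982 and not any vendor's implementation), the following Python sketches the aggregating Intermediate Process described above: it takes 5-tuple Flow Records as a Collecting Process would hand them over and re-aggregates them under a shorter, configurable set of Flow Keys, optionally reducing address keys to network prefixes first. The sample records, the prefix length, and the choice of key sets are constructed for this example; the field names follow the IPFIX information model [RFC5102].

```python
"""Added example (not from RFC 5982): an Intermediate Process that
re-aggregates 5-tuple Flow Records under a shorter set of Flow Keys."""
import ipaddress
from collections import defaultdict

# Constructed sample Flow Records, as a Collecting Process might hand them to
# an Intermediate Process.  Field names follow the IPFIX information model
# (RFC 5102); the values are made up for this example.
FLOW_RECORDS = [
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.5",
     "protocolIdentifier": 6, "sourceTransportPort": 40001, "destinationTransportPort": 443,
     "packetDeltaCount": 120, "octetDeltaCount": 96000},
    {"sourceIPv4Address": "192.0.2.11", "destinationIPv4Address": "198.51.100.5",
     "protocolIdentifier": 6, "sourceTransportPort": 40002, "destinationTransportPort": 443,
     "packetDeltaCount": 80, "octetDeltaCount": 64000},
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.77",
     "protocolIdentifier": 17, "sourceTransportPort": 5060, "destinationTransportPort": 5060,
     "packetDeltaCount": 10, "octetDeltaCount": 3000},
    {"sourceIPv4Address": "203.0.113.9", "destinationIPv4Address": "198.51.100.5",
     "protocolIdentifier": 6, "sourceTransportPort": 50000, "destinationTransportPort": 80,
     "packetDeltaCount": 5, "octetDeltaCount": 400},
]

FIVE_TUPLE = ("sourceIPv4Address", "destinationIPv4Address", "protocolIdentifier",
              "sourceTransportPort", "destinationTransportPort")
COUNTERS = ("packetDeltaCount", "octetDeltaCount")


def prefix(addr, length):
    """Mask an IPv4 address to a network prefix of the given length."""
    return str(ipaddress.ip_network(f"{addr}/{length}", strict=False))


def aggregate(records, flow_keys, prefix_length=None):
    """Re-aggregate Flow Records under a new, shorter set of Flow Keys.

    Records sharing the same values for `flow_keys` are merged: the counters
    are summed and all other non-key fields are dropped, because they are no
    longer well defined for the merged Flow.  If `prefix_length` is given,
    address fields used as keys are reduced to network prefixes first.
    """
    merged = defaultdict(lambda: {c: 0 for c in COUNTERS})
    for rec in records:
        key = []
        for k in flow_keys:
            v = rec[k]
            if prefix_length is not None and k.endswith("IPv4Address"):
                v = prefix(v, prefix_length)
            key.append(v)
        acc = merged[tuple(key)]
        for c in COUNTERS:
            acc[c] += rec[c]
    # Emit one Flow Record per aggregated key, with the keys spelled out as fields.
    return [dict(zip(flow_keys, key), **acc) for key, acc in merged.items()]


if __name__ == "__main__":
    # A prefix-to-prefix traffic matrix (double Flow Key, /24 granularity).
    for r in aggregate(FLOW_RECORDS, ("sourceIPv4Address", "destinationIPv4Address"), 24):
        print(r)
    # A per-service breakdown (single Flow Key).
    for r in aggregate(FLOW_RECORDS, ("destinationTransportPort",)):
        print(r)
```

The same function covers the Exporter-side and Mediator-side placements discussed above: on an Original Exporter it would run between the Metering Process and the Exporting Process on freshly metered records, while on an IPFIX Mediator it runs on records already exported at 5-tuple granularity and can be re-applied to aggregate further.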
5.2. Collecting Infrastructure

Increasing numbers of IPFIX Exporters, IP traffic growth, and the variety of treatments expected to be performed on the Data Records make it more and more difficult to implement all measurement applications within a single Collector.
Implementation analysis:
To increase the collecting (e.g., the bandwidth capacity) and processing capacity, distributed Collectors close to Exporters need to be deployed. In such a case, those Collectors would become IPFIX Mediators, re-exporting Data Records on demand to centralized applications. To cope with the variety of measurement applications, one possible implementation uses an Intermediate Process deciding to which Collector(s) each record is exported. More specific cases are described in Section 5.9.
5.3. Correlation for Data Records

The correlation amongst Data Records or between Data Records and metadata provides new metrics or information, including the following.
o One-to-one correlation between Data Records
* One-way delay from the correlation of PSAMP Packet Reports from different Exporters along a specific path. For example, one-way delay is calculated from the correlation of two PSAMP Packet Reports, including the packet digest and the arrival time at the Observation Point. This scenario is described in Section 6.2.1.2 of [RFC5475].
* Packet inter-arrival time from the correlation of sequential PSAMP Packet Reports from an Exporter.
* Treatment metrics derived from correlating Data Records with common properties observed at incoming and outgoing interfaces. Examples are the rate-limiting ratio, the compression ratio, the optimization ratio, etc.
o Correlation amongst Data Records
Average/maximum/minimum values from correlating multiple Data Records. Examples are the average/maximum/minimum number of packets of the measured Flows, the average/maximum/minimum one-way delay, the average/maximum/minimum number of lost packets, etc.
o Correlation between Data Records and other metadata
Examples are some BGP attributes associated with Data Records, as determined via routing table lookup.
Implementation analysis:
One possible implementation for this case uses an Intermediate Process located between the Metering Processes and Exporting Processes on the Original Exporter, or alternatively, a separate IPFIX Mediator located between the Original Exporters and IPFIX Collectors.
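The following Python is an added example (not from RFC 5982 or [RFC5475]) of the first two correlations listed above, plus the average/maximum/minimum summary from the "amongst Data Records" item: PSAMP Packet Reports from an ingress and an egress Observation Point are matched by packet digest to derive one-way delay, and sequential reports from one Exporter give packet inter-arrival times. The reports are constructed; the digest is assumed to be a truncated SHA-256 over packet bytes and the timestamps are assumed to be microsecond arrival times from synchronized clocks.

```python
"""Added example (not from RFC 5982): correlating PSAMP Packet Reports to derive
one-way delay and inter-arrival time, and summarizing the derived values."""
import hashlib


def digest(packet_bytes):
    """Assumed packet digest: first 8 bytes of SHA-256 over the packet bytes.
    A real PSAMP digest covers invariant header fields plus leading payload."""
    return hashlib.sha256(packet_bytes).digest()[:8]


# Constructed packets and reports.  Each report is (digest, observation time in us).
PACKETS = [b"pkt-a", b"pkt-b", b"pkt-c", b"pkt-d"]

# Ingress Observation Point (Exporter "A") sees all four packets.
REPORTS_A = [(digest(p), t) for p, t in
             zip(PACKETS, [1_000_000, 1_000_250, 1_001_000, 1_001_300])]
# Egress Observation Point (Exporter "B") sees only a, b, c (d was dropped or
# routed elsewhere) plus one report whose digest matches nothing upstream.
REPORTS_B = [(digest(p), t) for p, t in
             zip(PACKETS[:3], [1_004_100, 1_004_400, 1_005_050])] + [(b"\x00" * 8, 1_006_000)]


def one_way_delays(ingress, egress):
    """One-to-one correlation: match reports by digest, return {digest: delay_us}
    for packets seen at both points.  Unmatched reports on either side are ignored,
    and a negative delay (clock skew or digest collision) is rejected."""
    first_seen_at_egress = {}
    for d, t in egress:
        first_seen_at_egress.setdefault(d, t)   # keep the first sighting only
    delays = {}
    for d, t_in in ingress:
        t_out = first_seen_at_egress.get(d)
        if t_out is not None and t_out >= t_in:
            delays[d] = t_out - t_in
    return delays


def inter_arrival_times(reports):
    """Gaps between consecutive reports from a single Exporter, in microseconds."""
    times = sorted(t for _, t in reports)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def summarize(values):
    """Correlation amongst Data Records: count, minimum, maximum and average."""
    vals = list(values)
    return {"count": len(vals), "min": min(vals), "max": max(vals),
            "avg": sum(vals) / len(vals)}


if __name__ == "__main__":
    delays = one_way_delays(REPORTS_A, REPORTS_B)
    print("one-way delay summary:", summarize(delays.values()))
    print("inter-arrival times at A:", inter_arrival_times(REPORTS_A))
```

The digest matching is what makes the Intermediate Process placement matter: it needs the reports of both Exporters, so it naturally sits on a separate IPFIX Mediator rather than on either Original Exporter.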
5.4. Time Composition

Time composition is defined as the aggregation of consecutive Data Records with identical Flow Keys. It leads to the same output as setting a longer active timeout on Original Exporters, with one advantage: the creation of new metrics such as average, maximum, and minimum values from Flow Records with a shorter time interval enables administrators to keep track of changes that might have happened during the time interval.
Implementation analysis:
One possible implementation for this case uses an Intermediate Process located between the Metering Processes and Exporting Processes on the Original Exporter, or alternatively a separate IPFIX Mediator located between the Original Exporters and IPFIX Collectors.
5.5. Spatial Composition

Spatial composition is defined as the aggregation of Data Records in a set of Observation Points within an Observation Domain, across multiple Observation Domains from a single Exporter, or even across multiple Exporters. The spatial composition is divided into four types.
o Case 1: Spatial composition within one Observation Domain
For example, to measure the traffic for a single logical interface in the case in which link aggregation [IEEE802.3ad] exists, Data Records metered at physical interfaces belonging to the same trunk can be merged.
o Case 2: Spatial composition across Observation Domains, but within a single Original Exporter
For example, in the case in which link aggregation exists, Data Records metered at physical interfaces belonging to the same trunk grouping beyond the line card can be merged.
o Case 3: Spatial composition across Exporters
Data Records metered within an administrative domain, such as the west area and east area of an ISP network, can be merged.
o Case 4: Spatial composition across administrative domains
Data Records metered across administrative domains, such as across different customer networks or different ISP networks, can be merged. For example, a single Collector knows in which customer network each Exporter exists, and then works out the traffic data per customer based on the Exporter IP address.
Implementation analysis:
One possible implementation for cases 1 and 2 uses an Intermediate Process located between the Metering Processes and Exporting Processes on the Original Exporter. A separate IPFIX Mediator located between the Original Exporters and IPFIX Collectors is a valid solution for cases 1, 2, 3, and 4.
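As an added example covering both the time composition of Section 5.4 and the link-aggregation cases 1 and 2 above (this is illustrative code, not from RFC 5982), the Python below first merges Flow Records metered on the member physical interfaces of one trunk into records for the logical interface (spatial composition), then merges the resulting consecutive records with identical Flow Keys into one record spanning the whole interval while keeping per-interval minimum, maximum and average packet counts (time composition). The records, the 60-second export interval, the trunk membership table, and the metric names minPacketsPerInterval, maxPacketsPerInterval and avgPacketsPerInterval are all assumptions of this example; the latter are not registered IPFIX Information Elements.

```python
"""Added example (not from RFC 5982): spatial composition over a link-aggregation
trunk followed by time composition with derived min/max/avg metrics."""
from collections import defaultdict

FLOW_KEYS = ("sourceIPv4Address", "destinationIPv4Address", "protocolIdentifier",
             "sourceTransportPort", "destinationTransportPort")


def rec(ifidx, start, end, pkts, octets):
    """Build one constructed Flow Record for a single TCP Flow."""
    return {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.5",
            "protocolIdentifier": 6, "sourceTransportPort": 40001,
            "destinationTransportPort": 443, "ingressInterface": ifidx,
            "flowStartSeconds": start, "flowEndSeconds": end,
            "packetDeltaCount": pkts, "octetDeltaCount": octets}


# Constructed: the same Flow exported every 60 s (active timeout) from two
# physical interfaces, ifIndex 1 and 2, that together form one logical trunk.
RECORDS = [
    rec(1, 0, 60, 100, 80_000), rec(2, 0, 60, 90, 72_000),
    rec(1, 60, 120, 300, 240_000), rec(2, 60, 120, 10, 8_000),
    rec(1, 120, 180, 100, 80_000),
]

# Assumed trunk membership: logical interface name -> member physical ifIndexes.
TRUNK = {"Port-channel1": {1, 2}}


def spatial_compose(records, trunks):
    """Cases 1 and 2 of Section 5.5: merge records from the member interfaces of a
    trunk, per Flow Key set and export interval, into one record for the logical
    interface.  Records not on any trunk are passed through unchanged."""
    member_of = {phys: logical for logical, members in trunks.items() for phys in members}
    merged = {}
    passthrough = []
    for r in records:
        logical = member_of.get(r["ingressInterface"])
        if logical is None:
            passthrough.append(r)
            continue
        key = tuple(r[k] for k in FLOW_KEYS) + (logical, r["flowStartSeconds"], r["flowEndSeconds"])
        m = merged.setdefault(key, dict(r, ingressInterface=logical,
                                        packetDeltaCount=0, octetDeltaCount=0))
        m["packetDeltaCount"] += r["packetDeltaCount"]
        m["octetDeltaCount"] += r["octetDeltaCount"]
    return list(merged.values()) + passthrough


def time_compose(records):
    """Section 5.4: merge consecutive records with identical Flow Keys (and interface)
    into one record spanning the whole interval.  The per-interval packet counts are
    kept as min/max/avg, which a longer active timeout on the Exporter would lose."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in FLOW_KEYS) + (r["ingressInterface"],)].append(r)
    out = []
    for g in groups.values():
        g.sort(key=lambda r: r["flowStartSeconds"])
        pkts = [r["packetDeltaCount"] for r in g]
        out.append(dict(g[0],
                        flowStartSeconds=g[0]["flowStartSeconds"],
                        flowEndSeconds=g[-1]["flowEndSeconds"],
                        packetDeltaCount=sum(pkts),
                        octetDeltaCount=sum(r["octetDeltaCount"] for r in g),
                        minPacketsPerInterval=min(pkts),
                        maxPacketsPerInterval=max(pkts),
                        avgPacketsPerInterval=sum(pkts) / len(pkts)))
    return out


if __name__ == "__main__":
    for r in time_compose(spatial_compose(RECORDS, TRUNK)):
        print(r)
```

Both functions key on the full Flow Key set, so they can be chained in either order; running spatial composition first is what gives the time-composed record a per-trunk, rather than per-member-link, view of the burst in the 60 to 120 second interval.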
5.6. Data Record Anonymization

IPFIX exports across administrative domains can be used to measure traffic for wide-area traffic engineering or to analyze Internet traffic trends, as described in the spatial composition across administrative domains in the previous subsection. In such a case, administrators need to adhere to privacy protection policies and prevent access to confidential traffic measurements by other people. Typically, anonymization techniques enable the provision of traffic data to other people without violating these policies.
Generally, anonymization modifies a data set to protect the identity of the people or entities described by the data set from being disclosed. It also attempts to preserve sets of network traffic properties useful for a given analysis while ensuring the data cannot be traced back to the specific networks, hosts, or users generating the traffic. For example, IP address anonymization is particularly important for avoiding the identification of users, hosts, and routers. As another example, when an ISP provides traffic monitoring service to end customers, network administrators take care of anonymizing interface index fields that could disclose any information about the vendor or software version of the Exporters.
Implementation analysis:
One possible implementation for this case uses an anonymization function at the Original Exporter. However, this increases the load on the Original Exporter. A more flexible implementation uses a separate IPFIX Mediator between the Original Exporter and Collector.
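The Python below is an added example (not from RFC 5982) of an anonymizing Intermediate Process as it would run on the separate IPFIX Mediator just described: address fields are replaced by deterministic pseudonyms under a secret key, optionally keeping the first N bits so per-prefix analysis still works, and the interface index fields that the text says could disclose vendor or software version are suppressed. The scheme is a simple keyed hash chosen for the example, not the prefix-preserving Crypto-PAn family; the key, record and field lists are constructed here.

```python
"""Added example (not from RFC 5982): an anonymizing Intermediate Process that
pseudonymizes IPv4 address fields with a keyed hash and drops interface indexes."""
import hashlib
import hmac
import ipaddress

ADDRESS_FIELDS = ("sourceIPv4Address", "destinationIPv4Address")
# Fields that could reveal the Exporter's vendor or software version (assumed list).
SUPPRESSED_FIELDS = ("ingressInterface", "egressInterface")


def pseudonymize_ipv4(addr, key, keep_prefix=None):
    """Map an IPv4 address to a deterministic pseudonym under `key`.

    keep_prefix=None replaces the whole address with a keyed-hash value, so no
    prefix structure survives.  keep_prefix=N keeps the first N bits and hashes
    only the host part, so traffic can still be grouped by /N prefix.  Two hosts
    in one /N may collide in the hashed host part; that is accepted here because
    the output is only meant to aggregate, not to identify, hosts.
    """
    a = int(ipaddress.IPv4Address(addr))
    mac = hmac.new(key, addr.encode(), hashlib.sha256).digest()
    h = int.from_bytes(mac[:4], "big")
    if keep_prefix is None:
        return str(ipaddress.IPv4Address(h))
    host_mask = (1 << (32 - keep_prefix)) - 1
    return str(ipaddress.IPv4Address((a & ~host_mask) | (h & host_mask)))


def anonymize(record, key, keep_prefix=None):
    """Return a copy of `record` safe to export beyond the administrative domain."""
    out = {}
    for field, value in record.items():
        if field in SUPPRESSED_FIELDS:
            continue
        if field in ADDRESS_FIELDS:
            value = pseudonymize_ipv4(value, key, keep_prefix)
        out[field] = value
    return out


# Constructed sample record and key.  In a deployment the key lives on the
# Mediator only and is rotated per data set handed out.
SAMPLE_RECORD = {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.5",
                 "protocolIdentifier": 6, "sourceTransportPort": 40001,
                 "destinationTransportPort": 443, "ingressInterface": 3,
                 "egressInterface": 7, "packetDeltaCount": 120, "octetDeltaCount": 96000}
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print(anonymize(SAMPLE_RECORD, DEMO_KEY))        # no prefix structure kept
    print(anonymize(SAMPLE_RECORD, DEMO_KEY, 24))    # /24 prefix kept
```

Because the mapping is deterministic for a given key, records from one data set can still be correlated with each other (which is what keeps the data useful for traffic analysis); changing the key per recipient or per retention period is what prevents correlation across data sets.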
5.7. Data Retention

Data retention refers to the storage of traffic data by service providers and commercial organizations. Legislative regulations often require that network operators retain both IP traffic data and call detail records, in wired and wireless networks, generated by end users while using a service provider's services. The traffic data is required for the purpose of the investigation, detection, and prosecution of serious crime, if necessary. Data retention examples relevant to IP networks are the following:
o Internet telephony (includes every multimedia session associated with IP multimedia services)
o Internet email
o Internet access
Data retention, for these services in particular, requires a measurement system with reliable export and huge storage, as the data must be available for a long period of time, typically at least six months.
Implementation analysis:
Regarding export reliability requirement, the most suitable implementation uses the Stream Control Transmission Protocol (SCTP) between the Original Exporter and Collector. If an unreliable transport protocol such as UDP is used, a legacy exporting device exports Data Records to a nearby IPFIX Mediator through UDP, and then an IPFIX Mediator could reliably export them to the IPFIX Collector through SCTP. If an unreliable transport protocol such as UDP is used and if there is no IPFIX Mediator, the legacy exporting device should duplicate the exports to several Collectors to lower the probability of losing Flow Records. However, it might result in network congestion, unless dedicated export links are used.
Regarding huge storage requirements, the collecting infrastructure is described in Section 5.2.
Generally, in large enterprise networks, Data Records from branch offices are gathered in a central office. However, in the long-distance branch office case, the bandwidth for transporting IPFIX is limited. Therefore, even if multiple Data Record types should be of interest to the Collector (e.g., IPFIX Flow Records in both directions, IPFIX Flow Records before and after WAN optimization techniques, performance metrics associated with the IPFIX Flow Records exported at regular intervals, etc.), the export bandwidth limitation is an important factor to pay attention to.
Implementation analysis:
One possible implementation for this case uses an IPFIX Mediator located in a branch office. The IPFIX Mediator would aggregate and correlate Data Records to cope with the export bandwidth limitation.
Recently, several networks have shifted towards integrated networks, such as the pure IP and MPLS networks, which include IPv4, IPv6, and VPN traffic. Data Record types (IPv4, IPv6, MPLS, and VPN) need to be analyzed separately and from different perspectives for different organizations. A single Collector handling all Data Record types might become a bottleneck in the collecting infrastructure. Data Records distributed based on their respective types can be exported to the appropriate Collector, resulting in load distribution amongst multiple Collectors.
Implementation analysis:
One possible implementation for this case uses replication of the IPFIX Message in an Original Exporter for multiple IPFIX Collectors. Each Collector then extracts the Data Record required by its own applications. However, this replication increases the load of the Exporting Process and the waste of bandwidth between the Exporter and Collector.
A more sophisticated implementation uses an Intermediate Process located between the Metering Processes and Exporting Processes in an Original Exporter. The Intermediate Process determines to which Collector a Data Record is exported, depending on certain field values. If an Original Exporter does not have this capability, it exports Data Records to a nearby separate IPFIX Mediator, and then the IPFIX Mediator could distribute them to the appropriate IPFIX Collectors.
For example, in the case of distributing a specific customer's Data Records, an IPFIX Mediator needs to identify the customer networks. The Route Distinguisher (RD), ingress interface, peering Autonomous System (AS) number, or BGP Next-Hop, or simply the network prefix may be evaluated to distinguish different customer networks. In the following figure, the IPFIX Mediator reroutes Data Records on the basis of the RD value. This system enables each customer's traffic to be inspected independently.
                                              .---------.
                                              |Traffic  |
                                        .---->|Collector|<==>Customer#A
                                        |     |#1       |
                                        |     '---------'
                               RD=100:1 |
   .----------.        .-----------.    |
   |IPFIX     |        |IPFIX      |----'     .---------.
   |Exporter#1|        |Mediator   | RD=100:2 |Traffic  |
   |          |------->|           |--------->|Collector|<==>Customer#B
   |          |        |           |          |#2       |
   |          |        |           |----.     '---------'
   '----------'        '-----------'    |
                               RD=100:3 |     .---------.
                                        |     |Traffic  |
                                        '---->|Collector|<==>Customer#C
                                              |#3       |
                                              '---------'
Figure A. Distributing Data Records to Collectors Using IPFIX Mediator
Generally, the distribution of the number of packets per Flow seems to be heavy tailed. Most types of Flow Records are likely to be small Flows consisting of a small number of packets. The measurement system is overwhelmed with a huge amount of these small Flows. If statistics information of small Flows is exported as merged data by applying a policy or threshold, the load on the Exporter is reduced. Furthermore, if the Flow distribution is known, exporting only a subset of the Data Records might be sufficient.
Implementation analysis:
One possible implementation for this case uses an Intermediate Process located between the Metering Processes and Exporting Processes on the Original Exporter, or alternatively a separate IPFIX Mediator located between the Original Exporters and IPFIX Collectors. A set of IPFIX Mediation functions, such as Filtering, selecting, and aggregation, is used in the IPFIX Mediator.
During the migration process from a legacy protocol such as NetFlow [RFC3954] to IPFIX, both NetFlow exporting devices and IPFIX Exporters are likely to coexist in the same network. Operators need to continue measuring the traffic data from legacy exporting devices, even after introducing IPFIX Collectors.
Implementation analysis:
One possible implementation for this case uses an IPFIX Mediator that converts a legacy protocol to IPFIX.
Both the Exporter IP address indicated by the source IP address of the IPFIX Transport Session and the Observation Domain ID included in the IPFIX Message header are likely to be lost during IPFIX Mediation. In some cases, an IPFIX Mediator might drop the information deliberately. In general, however, the Collector must recognize the origin of the measurement information, such as the IP address of the Original Exporter, the Observation Domain ID, or even the Observation Point ID. Note that, if an IPFIX Mediator cannot communicate the Original Exporter IP address, then the IPFIX Collector will wrongly deduce that the IP address of the IPFIX Mediator is that of the Original Exporter.
In the following figure, a Collector can identify two IP addresses: 192.0.2.3 (IPFIX Mediator) and 192.0.2.2 (Exporter#2), respectively. The Collector, however, needs to somehow recognize both Exporter#1 and Exporter#2, which are the Original Exporters. The IPFIX Mediator must be able to notify the Collector about the IP address of the Original Exporter.
   .----------.          .--------.
   |IPFIX     |          |IPFIX   |
   |Exporter#1|--------->|Mediator|---+
   |          |          |        |   |
   '----------'          '--------'   |      .---------.
   IP:192.0.2.1          IP:192.0.2.3 '----->|IPFIX    |
   ODID:10               ODID:0              |Collector|
                                      +----->|         |
   .----------.                       |      '---------'
   |IPFIX     |                       |
   |Exporter#2|-----------------------'
   |          |
   '----------'
   IP:192.0.2.2
   ODID:20
Figure B. Loss of Original Exporter Information
The Export Time field included in the IPFIX Message header represents a reference timestamp for Data Records. Some IPFIX Information Elements, described in [RFC5102], carry delta timestamps that indicate the time difference from the value of the Export Time field. If the Data Records include any delta time fields and the IPFIX Mediator overwrites the Export Time field when sending IPFIX Messages, the delta time fields become meaningless and, because Collectors cannot recognize this situation, wrong time values are propagated.
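The delta-timestamp hazard described above, as an added example that is not part of the RFC: a Mediator that rewrites the Export Time header field must recompute flowStartDeltaMicroseconds and flowEndDeltaMicroseconds [RFC5102] against the new header, or the Collector reconstructs shifted absolute times. The record type and all values are constructed for illustration.

```python
# Added example (not RFC 5982 code): rebasing delta timestamps when an IPFIX
# Mediator overwrites the Export Time of the message that carries a record.
# flowStartDeltaMicroseconds / flowEndDeltaMicroseconds (RFC 5102) are
# unsigned32 offsets *before* the Export Time and are only meaningful
# inside the IPFIX Message whose header they were computed against.
from dataclasses import dataclass, replace
from typing import Tuple

UINT32_MAX = 2**32 - 1


@dataclass(frozen=True)
class DeltaRecord:
    """A Data Record carrying delta timestamps (constructed type, not an RFC one)."""
    src: str
    dst: str
    packets: int
    flow_start_delta_us: int  # microseconds before the carrying message's Export Time
    flow_end_delta_us: int


def absolute_times(export_time: int, rec: DeltaRecord) -> Tuple[int, int]:
    """Resolve the deltas against an Export Time (seconds) into absolute microseconds."""
    base_us = export_time * 1_000_000
    return base_us - rec.flow_start_delta_us, base_us - rec.flow_end_delta_us


def rebase_record(old_export_time: int, new_export_time: int, rec: DeltaRecord) -> DeltaRecord:
    """Recompute the deltas so the Flow keeps its absolute start/end under the new header.

    Raises if the new Export Time cannot express the Flow as a non-negative
    unsigned32 offset; the Mediator should then re-export with absolute
    timestamp Information Elements instead of silently relaying bad deltas.
    """
    start_us, end_us = absolute_times(old_export_time, rec)
    new_base = new_export_time * 1_000_000
    new_start, new_end = new_base - start_us, new_base - end_us
    for delta in (new_start, new_end):
        if delta < 0:
            raise ValueError("new Export Time precedes the Flow; delta fields cannot be negative")
        if delta > UINT32_MAX:
            raise ValueError("offset exceeds unsigned32; use absolute timestamps instead")
    return replace(rec, flow_start_delta_us=new_start, flow_end_delta_us=new_end)


def relay_error_seconds(old_export_time: int, new_export_time: int, rec: DeltaRecord) -> float:
    """Shift a Collector would see if the header were rewritten but the deltas relayed as-is."""
    true_start, _ = absolute_times(old_export_time, rec)
    naive_start, _ = absolute_times(new_export_time, rec)
    return (naive_start - true_start) / 1_000_000
```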
Maintaining relationships between the incoming Transport Sessions and the outgoing ones depends on the Mediator's implementation. If an IPFIX Mediator relays multiple incoming Transport Sessions to a single outgoing Transport Session, and if the IPFIX Mediator shuts down its outgoing Transport Session, Data Records of the incoming Transport Sessions would not be relayed anymore. In the case of resetting an incoming Transport Session, the behavior of the IPFIX Mediator needs to be specified.
In some cases, depending on the implementation of the IPFIX Mediators, the information reported in the Data Records defined by Options Templates could also be lost. If, for example, the Sampling rate is not communicated from the Mediator to the Collector, the Collector would miscalculate the traffic volume. This might lead to crucial problems. Even if an IPFIX Mediator were to simply relay received Data Records defined by Options Templates, the values of its scope fields could become meaningless in the context of a different Transport Session. The minimal information to be communicated by an IPFIX Mediator must be specified.
The Template ID is unique on the basis of the Transport Session and Observation Domain ID. If an IPFIX Mediator is not able to manage the relationships amongst the Template IDs and the incoming Transport Session information, and if the Template ID is used in the Options Template scope, IPFIX Mediators would, for example, relay wrong values in the scope field and in the Template Withdrawal Message. The Collector would thus not be able to interpret the Template ID in the Template Withdrawal Message and in the Options Template scope. As a consequence, there is a risk that the Collector would then shut down the IPFIX Transport Session.
For example, an IPFIX Mediator must maintain the state of the incoming Transport Sessions in order to manage the Template ID on its outgoing Transport Session correctly. Even if the Exporter Transport Session re-initializes, the IPFIX Mediator must manage the association of Template IDs in a specific Transport Session. In the following figure, the IPFIX Mediator exports three Templates (256, 257, and 258), received from Exporter#3, Exporter#2, and Exporter#1, respectively. If Exporter#1 re-initializes, and the Template ID value 258 is now replaced with 256, the IPFIX Mediator must correctly manage the new mapping of (incoming Transport Session, Template ID) and (outgoing Transport Session, Template ID) without shutting down its outgoing Transport Session.
   .----------.  OLD: Template ID 258
   |IPFIX     |  NEW: Template ID 256
   |Exporter#1|----+
   |          |    |
   '----------'    X
   .----------.    |           .-----------.               .----------.
   |IPFIX     |    '---------->|           |               |          |
   |Exporter#2|--------------->|IPFIX      |-------------->|IPFIX     |
   |          |Template ID 257 |Mediator   |Template ID 258| Collector|
   '----------'    +---------->|           |Template ID 257|          |
   .----------.    |           '-----------'Template ID 256'----------'
   |IPFIX     |    |
   |Exporter#3|----'
   |          |  Template ID 256
   '----------'
Figure C. Relaying from Multiple Transport Sessions to a Single Transport Session
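The Template ID bookkeeping of Figure C, as an added example (not code from the RFC): a Mediator keeps (incoming Transport Session, Template ID) state, allocates its own outgoing IDs, and on an Exporter re-initialization withdraws only that Exporter's Templates downstream instead of tearing down the outgoing Transport Session. Session keys and the Exporter addresses are constructed.

```python
# Added example (not RFC 5982 code): mapping Template IDs from several
# incoming Transport Sessions into the single ID space of one outgoing
# Transport Session, surviving an Exporter that re-initialises and reuses
# an ID (Exporter#1 in Figure C: old 258, new 256).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# An incoming Transport Session is identified here by (Exporter IP address,
# Observation Domain ID); Template IDs are unique only within that pair.
SessionKey = Tuple[str, int]

TEMPLATE_ID_MIN = 256    # RFC 5101: Set IDs 0..255 are reserved
TEMPLATE_ID_MAX = 65535


@dataclass
class TemplateMapper:
    """Translates many incoming Template ID spaces into one outgoing space."""
    next_id: int = TEMPLATE_ID_MIN
    mapping: Dict[Tuple[SessionKey, int], int] = field(default_factory=dict)
    pending_withdrawals: List[int] = field(default_factory=list)

    def _allocate(self) -> int:
        # IDs are never recycled in this example; a production Mediator may
        # reuse outgoing IDs it has already withdrawn.
        if self.next_id > TEMPLATE_ID_MAX:
            raise RuntimeError("outgoing Template ID space exhausted")
        out_id, self.next_id = self.next_id, self.next_id + 1
        return out_id

    def on_template(self, session: SessionKey, in_id: int) -> int:
        """An Exporter sent a Template Record; return the outgoing Template ID."""
        if not TEMPLATE_ID_MIN <= in_id <= TEMPLATE_ID_MAX:
            raise ValueError(f"{in_id} is not a valid Template ID")
        key = (session, in_id)
        if key not in self.mapping:
            self.mapping[key] = self._allocate()
        return self.mapping[key]

    def translate(self, session: SessionKey, in_id: int) -> int:
        """Rewrite a Data Set's Set ID (or a templateId scope value) for the outgoing session."""
        try:
            return self.mapping[(session, in_id)]
        except KeyError:
            raise KeyError(f"no Template {in_id} known for session {session}") from None

    def on_session_reset(self, session: SessionKey) -> int:
        """The incoming session re-initialised: forget only its Templates and
        queue Template Withdrawals for the outgoing session, which stays up."""
        stale = [key for key in self.mapping if key[0] == session]
        for key in stale:
            self.pending_withdrawals.append(self.mapping.pop(key))
        return len(stale)

    def take_withdrawals(self) -> List[int]:
        """Outgoing Template IDs to carry in the next Template Withdrawal Message."""
        ids, self.pending_withdrawals = self.pending_withdrawals, []
        return ids
```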
While IPFIX Mediation can be applied anywhere, caution should be taken as to how to aggregate the counters, as there is a potential risk of double counting. For example, if three Exporters export PSAMP Packet Reports related to the same flow, the one-way delay can be calculated, while summing up the number of packets and bytes does not make sense. Alternatively, if three Exporters export Flow Records entering an administrative domain, then the sum of the packets and bytes is a valid operation. Therefore, the possible function to be applied to Flow Records must take into consideration the measurement topology. The information such as the network topology, or at least the Observation Point and measurement direction, is required for IPFIX Mediation.
In some cases, the IPFIX Collector needs to recognize which specific function(s) IPFIX Mediation has executed on the Data Records. The IPFIX Collector cannot distinguish between time composition and spatial composition, if the IPFIX Mediator does not export the applied function. Some parameters related to the function also would need to be exported. For example, in the case of time composition, the active timeout of original Flow Records is required to interpret the minimum/maximum counter correctly. In the case of spatial composition, spatial area information on which Data Records is aggregated is required.
Whether the aggregation is based on time or spatial composition, caution should be taken regarding how to aggregate non-key fields in IPFIX Mediation. The IPFIX information model [RFC5102] specifies that the value of non-key fields, which are derived from fields of packets or from packet treatment and for which the value may change from packet to packet within a single Flow, is determined by the first packet observed for the corresponding Flow, unless the description of the Information Element explicitly specifies a different semantics.
However, this simple rule might not be appropriate when aggregating Flow Records that have different values in a non-key field. For example, if Differentiated Services Code Point (DSCP) information is to be exported, the following problem can be observed: if two Flows with identical Flow Key values are measured at different Observation Points, they may contain identical packets observed at different locations in the network and at different points in time. On their way from the first to the second Observation Point, the DSCP and potentially some other packet fields may have changed. Hence, if the Information Element ipDiffServCodePoint is included as a non-key field, it can be useful to include the DSCP value observed at either the first or the second Observation Point in the resulting Flow Record, depending on the application.
Other potential solutions include removing the Information Element ipDiffServCodePoint from the Data Record when re-exporting the aggregate Flow Record, changing the Information Element ipDiffServCodePoint from a non-key field to a Flow Key when re-exporting the aggregated Flow Record, or assigning a non-valid value for the Information Element to express to the Collector that this Information Element is meaningless.
If Packet Sampling or Filtering is applied, the IPFIX Mediator must report an adjusted PSAMP Configured Selection Fraction when aggregating IPFIX Flow Records with different Sampling rates.
Finally, special care must be taken when aggregating Flow Records resulting from different Sampling techniques such as Systematic Count-Based Sampling and Random n-out-of-N Sampling, for example.
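The two Sampling caveats above (an adjusted selection fraction for inputs with different Sampling rates, and care when inputs used different Sampling techniques), as an added example that is not part of the RFC. The estimator (scale each record by 1/fraction, then derive the aggregate fraction from the totals) and the refusal to mix techniques are this example's own choices; the inputs are assumed to be disjoint observations, e.g. Flow Records entering an administrative domain at different Observation Points, so that summing them is valid.

```python
# Added example (not RFC 5982 code): aggregating Flow Records produced under
# different packet Sampling rates and reporting one adjusted selection
# fraction. The estimator used here is this example's own assumption.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class SampledFlowRecord:
    """Counters as reported after Sampling, plus the Sampling parameters."""
    packets: int
    octets: int
    selection_fraction: float  # PSAMP configured selection fraction: selected / observed
    technique: str             # e.g. "systematic-count-based", "random-n-out-of-N"


@dataclass(frozen=True)
class AggregateFlowRecord:
    packets: int                       # sampled packets actually seen across the inputs
    octets: int
    estimated_packets: float           # estimate of packets before Sampling
    estimated_octets: float
    adjusted_selection_fraction: float  # packets / estimated_packets


def aggregate(records: Sequence[SampledFlowRecord]) -> AggregateFlowRecord:
    if not records:
        raise ValueError("nothing to aggregate")
    techniques = {r.technique for r in records}
    if len(techniques) > 1:
        # Different Sampling techniques have different estimator properties;
        # this example refuses rather than silently mixing them.
        raise ValueError(f"mixed Sampling techniques: {sorted(techniques)}")
    packets = octets = 0
    est_packets = est_octets = 0.0
    for r in records:
        if not 0.0 < r.selection_fraction <= 1.0:
            raise ValueError(f"invalid selection fraction {r.selection_fraction}")
        packets += r.packets
        octets += r.octets
        # Each sampled packet stands for 1/fraction observed packets.
        est_packets += r.packets / r.selection_fraction
        est_octets += r.octets / r.selection_fraction
    if est_packets == 0:
        raise ValueError("no packets to aggregate")
    return AggregateFlowRecord(packets, octets, est_packets, est_octets,
                               packets / est_packets)
```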
This document describes the problems that network administrators have been facing, the applicability of IPFIX Mediation to these problems, and the problems related to the implementation of IPFIX Mediators. To assist the operations of the Exporters and Collectors, this document demonstrates that there exist various IPFIX Mediation functions from which the administrators may select.
However, there are still some open issues with the use of IPFIX Mediators. These issues stem from the fact that no standards regarding IPFIX Mediation have been set. In particular, the minimum information that should be communicated between Original Exporters and Collectors, the mapping between different IPFIX Transport Sessions, and the internal components of IPFIX Mediators should be standardized.
A flow-based measurement system must prevent potential security threats: the disclosure of confidential traffic data, injection of incorrect data, and unauthorized access to traffic data. These security threats of the IPFIX protocol are covered by the Security Considerations section in [RFC5101] and are still valid for IPFIX Mediators.
A measurement system must also prevent the following security threats related to IPFIX Mediation:
o Attacks against an IPFIX Mediator
IPFIX Mediators can be considered as a prime target for attacks, as an alternative to IPFIX Exporters and Collectors. IPFIX Proxies or Masquerading Proxies need to prevent unauthorized access or denial-of-service (DoS) attacks from untrusted public networks.
o Man-in-the-middle attack by untrusted IPFIX Mediator
The Exporter-Mediator-Collector structure model could be misused for a man-in-the-middle attack.
o Configuration on IPFIX Mediation
An accidental misconfiguration and unauthorized access to configuration data could lead to the crucial problem of disclosure of confidential traffic data.
o Unintentional exposure of end-user information
The probability of collecting fine-grained information on one arbitrary end user increases with the number of Observation Points. An IPFIX Mediator facing such a situation may have to apply appropriate functions (e.g., anonymization or aggregation) to the Data Records it produces.
o Multiple-tenancy policy on an IPFIX Mediator
An IPFIX Mediator handling traffic data from multiple tenants or customers needs to protect those tenants or customers from one another's traffic data. For example, an IPFIX Mediator needs to identify the customer's identifier, e.g., ingress interface index, network address range, VLAN ID, Media Access Control (MAC) address, etc., when feeding the customer's traffic data to a customer's own dedicated IPFIX Collector. If the IPFIX Mediator cannot identify each customer's traffic data, it may need to drop the Data Records. In addition, another technique to keep track of a customer's identifier may be required when customer sites are movable, e.g., in the case of a virtual machine moving to another physical machine.
o Confidentiality protection via an IPFIX Mediator
To ensure security of Data Records in transit, transport of Data Records should be confidential and integrity-protected, e.g., by using Transport Layer Security (TLS) [RFC5246] or Datagram Transport Layer Security (DTLS) [RFC4347]. However, an IPFIX Collector cannot know whether received Data Records are transported as encrypted data between an Original Exporter and an IPFIX Mediator. If this information is required on the IPFIX Collector, it must be encoded in the IPFIX Mediator.
o Certification for an Original Exporter
An IPFIX Collector communicating via an IPFIX Mediator cannot verify the identity of an Original Exporter directly. If an Original Exporter and an IPFIX Collector are located in different administrative domains, an IPFIX Collector cannot trust its Data Records. If this information is required on the IPFIX Collector, it must be encoded in the IPFIX Mediator.
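The per-customer distribution of Figure A and the multiple-tenancy point above, as one added example that is not part of the RFC: a Mediator evaluates the identifiers the text lists (Route Distinguisher, ingress interface, network prefix) in a fixed order to attribute each Data Record to a customer, forwards it to that customer's dedicated Collector, and drops anything it cannot attribute rather than leaking it to another tenant. The policy tables, Collector names and record type are constructed.

```python
# Added example (not RFC 5982 code): an IPFIX Mediator that attributes Data
# Records to customers and forwards each to that customer's own Collector,
# dropping records it cannot attribute (fail closed).
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """The subset of Flow Record fields this policy evaluates (constructed type)."""
    src: str
    dst: str
    packets: int
    rd: Optional[str] = None           # Route Distinguisher, e.g. "100:1"
    ingress_if: Optional[int] = None   # ingressInterface index


@dataclass
class CustomerPolicy:
    """Identifier -> customer tables consulted in order; each customer has one Collector."""
    by_rd: Dict[str, str] = field(default_factory=dict)
    by_ingress_if: Dict[int, str] = field(default_factory=dict)
    by_prefix: List[Tuple[object, str]] = field(default_factory=list)  # (network, customer)
    collector_of: Dict[str, str] = field(default_factory=dict)

    def identify(self, rec: FlowRecord) -> Optional[str]:
        """Most reliable identifier first; None when no table matches."""
        if rec.rd is not None and rec.rd in self.by_rd:
            return self.by_rd[rec.rd]
        if rec.ingress_if is not None and rec.ingress_if in self.by_ingress_if:
            return self.by_ingress_if[rec.ingress_if]
        src = ip_address(rec.src)
        for net, customer in self.by_prefix:   # longest prefix first
            if src in net:
                return customer
        return None


class DistributingMediator:
    def __init__(self, policy: CustomerPolicy):
        self.policy = policy
        self.outbound: Dict[str, List[FlowRecord]] = {
            collector: [] for collector in policy.collector_of.values()}
        self.dropped = Counter()   # operators should alarm on a rising count

    def handle(self, rec: FlowRecord) -> Optional[str]:
        """Return the Collector the record was queued for, or None if it was dropped."""
        customer = self.policy.identify(rec)
        if customer is None:
            self.dropped["unidentified"] += 1
            return None
        collector = self.policy.collector_of[customer]
        self.outbound[collector].append(rec)
        return collector


def build_policy() -> CustomerPolicy:
    """Constructed policy mirroring Figure A: RD 100:1, 100:2, 100:3 -> Customers A, B, C."""
    policy = CustomerPolicy(
        by_rd={"100:1": "A", "100:2": "B", "100:3": "C"},
        by_ingress_if={7: "B"},
        by_prefix=[(ip_network("203.0.113.0/24"), "C")],
        collector_of={"A": "collector-1", "B": "collector-2", "C": "collector-3"},
    )
    policy.by_prefix.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return policy
```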
We would like to thank the following persons: Gerhard Muenz for thorough, detailed review and significant contributions regarding the improvement of whole sections; Keisuke Ishibashi for contributions during the initial phases of the document; Brian Trammell for contributions regarding the improvement of the Terminology and Definitions section; and Nevil Brownlee, Juergen Schoenwaelder, and Motonori Shindo for their technical reviews and feedback.
[RFC5101] Claise, B., Ed., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.
[RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, March 2009.
[IEEE802.3ad] IEEE Computer Society, "Link Aggregation", IEEE Std 802.3ad-2000, March 2000.
[PSAMP-MIB] Dietz, T., Ed., Claise, B., and J. Quittek, "Definitions of Managed Objects for Packet Sampling", Work in Progress, July 2010.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.
[RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export Version 9", RFC 3954, October 2004.
[RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security", RFC 4347, April 2006.
[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.
[RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP Flow Information Export (IPFIX) Applicability", RFC 5472, March 2009.
[RFC5474] Duffield, N., Ed., Chiou, D., Claise, B., Greenberg, A., Grossglauser, M., and J. Rexford, "A Framework for Packet Selection and Reporting", RFC 5474, March 2009.
[RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", RFC 5475, March 2009.
[RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", RFC 5477, March 2009.
[RFC5655] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. Wagner, "Specification of the IP Flow Information Export (IPFIX) File Format", RFC 5655, October 2009.
[RFC5815] Dietz, T., Ed., Kobayashi, A., Claise, B., and G. Muenz, "Definitions of Managed Objects for IP Flow Information Export", RFC 5815, April 2010.
[TRAFGRW] Cho, K., Fukuda, K., Esaki, H., and A. Kato, "The Impact and Implications of the Growth in Residential User-to-User Traffic", SIGCOMM2006, pp. 207-218, Pisa, Italy, September 2006.
Contributors
Haruhiko Nishida NTT Information Sharing Platform Laboratories 3-9-11 Midori-cho Musashino-shi, Tokyo 180-8585 Japan
Phone: +81-422-59-3978 EMail: nishida.haruhiko@lab.ntt.co.jp
Christoph Sommer University of Erlangen-Nuremberg Department of Computer Science 7 Martensstr. 3 Erlangen 91058 Germany
Phone: +49 9131 85-27993 EMail: christoph.sommer@informatik.uni-erlangen.de URI: http://www7.informatik.uni-erlangen.de/~sommer/
Falko Dressler University of Erlangen-Nuremberg Department of Computer Science 7 Martensstr. 3 Erlangen 91058 Germany
Phone: +49 9131 85-27914 EMail: dressler@informatik.uni-erlangen.de URI: http://www7.informatik.uni-erlangen.de/~dressler/
Stephan Emile France Telecom 2 Avenue Pierre Marzin Lannion, F-22307 France
Fax: +33 2 96 05 18 52 EMail: emile.stephan@orange-ftgroup.com
Authors' Addresses
Atsushi Kobayashi (editor) NTT Information Sharing Platform Laboratories 3-9-11 Midori-cho Musashino-shi, Tokyo 180-8585 Japan
Phone: +81-422-59-3978 EMail: akoba@nttv6.net
Benoit Claise (editor) Cisco Systems, Inc. De Kleetlaan 6a b1 Diegem 1831 Belgium
Phone: +32 2 704 5622 EMail: bclaise@cisco.com