Internet Engineering Task Force (IETF)                      S. D'Antonio
Request for Comments: 7014                      Univ. of Napoli "Parthenope"
Category: Standards Track                                        T. Zseby
ISSN: 2070-1721                                            CAIDA/FhG FOKUS
                                                                 C. Henke
                                            Tektronix Communications Berlin
                                                                L. Peluso
                                                       University of Napoli
                                                           September 2013
Flow Selection Techniques
Abstract
The Intermediate Flow Selection Process is the process of selecting a subset of Flows from all observed Flows. The Intermediate Flow Selection Process may be located at an IP Flow Information Export (IPFIX) Exporter or Collector, or within an IPFIX Mediator. It reduces the effort of post-processing Flow data and transferring Flow Records. This document describes motivations for using the Intermediate Flow Selection process and presents Intermediate Flow Selection techniques. It provides an information model for configuring Intermediate Flow Selection Process techniques and discusses what information about an Intermediate Flow Selection Process should be exported.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents
1. Introduction
   1.1. Requirements Language
2. Terminology
3. Difference between Intermediate Flow Selection Process and Packet Selection
4. Difference between Intermediate Flow Selection Process and Intermediate Selection Process
5. Intermediate Flow Selection Process within the IPFIX Architecture
   5.1. Intermediate Flow Selection Process in the Metering Process
   5.2. Intermediate Flow Selection Process in the Exporting Process
   5.3. Intermediate Flow Selection Process as a Function of the IPFIX Mediator
6. Intermediate Flow Selection Process Techniques
   6.1. Flow Filtering
      6.1.1. Property Match Filtering
      6.1.2. Hash-Based Flow Filtering
   6.2. Flow Sampling
      6.2.1. Systematic Sampling
      6.2.2. Random Sampling
   6.3. Flow-State Dependent Intermediate Flow Selection Process
   6.4. Flow-State Dependent Packet Selection
7. Configuration of Intermediate Flow Selection Process Techniques
   7.1. Intermediate Flow Selection Process Parameters
   7.2. Description of Flow-State Dependent Packet Selection
8. Information Model for Intermediate Flow Selection Process Configuration and Reporting
9. IANA Considerations
   9.1. Registration of Information Elements
      9.1.1. flowSelectorAlgorithm
      9.1.2. flowSelectedOctetDeltaCount
      9.1.3. flowSelectedPacketDeltaCount
      9.1.4. flowSelectedFlowDeltaCount
      9.1.5. selectorIDTotalFlowsObserved
      9.1.6. selectorIDTotalFlowsSelected
      9.1.7. samplingFlowInterval
      9.1.8. samplingFlowSpacing
      9.1.9. flowSamplingTimeInterval
      9.1.10. flowSamplingTimeSpacing
      9.1.11. hashFlowDomain
   9.2. Registration of Object Identifier
10. Security and Privacy Considerations
11. Acknowledgments
12. References
   12.1. Normative References
   12.2. Informative References
1. Introduction

This document describes Intermediate Flow Selection Process techniques for network traffic measurements. A Flow is defined as a set of packets with common properties, as described in [RFC7011]. An Intermediate Flow Selection Process can be executed to limit the resource demands for capturing, storing, exporting, and post-processing Flow Records. It also can be used to select a particular set of Flows that are of interest to a specific application. This document provides a categorization of Intermediate Flow Selection Process techniques and describes configuration and reporting parameters for them.
This document also addresses configuration and reporting parameters for Flow-state dependent packet selection as described in [RFC5475], although this technique is categorized as packet selection. The reason is that Flow-state dependent packet selection techniques often aim at the reduction of resources for Flow capturing and Flow processing. Furthermore, these techniques were only briefly discussed in [RFC5475]. Therefore, configuration and reporting considerations for Flow-state dependent packet selection techniques have been included in this document.
1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2. Terminology

This document is consistent with the terminology introduced in [RFC7011], [RFC5470], [RFC5475], and [RFC3917]. As in [RFC7011] and [RFC5476], the first letter of each IPFIX specific and Packet Sampling (PSAMP) specific term is capitalized, along with the Intermediate Flow Selection Process specific terms defined here.
* Packet Classification
Packet Classification is a process by which packets are mapped to specific Flow Records, based on packet properties or external properties (e.g., interface). The properties (e.g., header information, packet content, Autonomous System (AS) number) make up the Flow Key. If a Flow Record for a specific Flow Key value already exists, the Flow Record is updated; otherwise, a new Flow Record is created.
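The following Python is an added illustration of Packet Classification, written for this page and not code from RFC 7014 or any IPFIX implementation. Packets are mapped to Flow Records by a five-tuple Flow Key; an existing record is updated and a new one is created otherwise. The packet representation (plain dicts) and the sample trace are constructed for the example, and the Flow Key deliberately leaves out fields such as the TTL that change along the path, so that a second Observation Point would derive the same key for the same Flow.

```python
# Added example, not part of RFC 7014: Packet Classification into a Flow Cache.
# The packet representation (dicts) and the sample trace are constructed here.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]  # (src addr, dst addr, proto, sport, dport)


@dataclass
class FlowRecord:
    key: FlowKey
    packets: int = 0        # packetDeltaCount
    octets: int = 0         # octetDeltaCount
    first_seen: float = 0.0
    last_seen: float = 0.0
    max_len: int = 0


def flow_key(pkt: dict) -> FlowKey:
    """Flow Key: the header fields all packets of a Flow share. Fields that
    change along the path or per device (TTL, ingress interface) are left out,
    so every Observation Point derives the same key for the same Flow."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def classify(packets: Iterable[dict],
             cache: Optional[Dict[FlowKey, FlowRecord]] = None) -> Dict[FlowKey, FlowRecord]:
    """Map each packet to a Flow Record: update the record for a known
    Flow Key, create one for a Flow seen for the first time."""
    cache = {} if cache is None else cache
    for p in packets:
        k = flow_key(p)
        rec = cache.get(k)
        if rec is None:                      # first packet of this Flow
            rec = FlowRecord(key=k, first_seen=p["ts"])
            cache[k] = rec
        rec.packets += 1                     # update the Per-Flow Counters
        rec.octets += p["len"]
        rec.last_seen = p["ts"]
        rec.max_len = max(rec.max_len, p["len"])
    return cache


def _pkt(ts, src, dst, proto, sport, dport, length, ttl):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "len": length, "ttl": ttl}


# Constructed trace: one HTTPS Flow of three packets, one DNS query, a second HTTPS Flow.
SAMPLE_PACKETS = [
    _pkt(1.0, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 60, 64),
    _pkt(1.1, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 1500, 64),
    _pkt(1.2, "10.0.0.7", "192.0.2.53", 17, 5353, 53, 80, 63),
    _pkt(1.3, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 1500, 64),
    _pkt(2.0, "10.0.0.9", "192.0.2.10", 6, 40002, 443, 60, 64),
]

if __name__ == "__main__":
    for rec in classify(SAMPLE_PACKETS).values():
        print(rec)
```

The five packets yield three Flow Records; the first HTTPS Flow accumulates three packets and 3060 octets. Everything a later Intermediate Flow Selection Process can filter or sample on (counters, timestamps, maximum packet length) exists only after this step, which is the reason the Exporting Process can select on Flow size or duration while a selector placed before classification cannot.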
* Intermediate Flow Selection Process
An Intermediate Flow Selection Process is an Intermediate Process, as defined in [RFC6183], that takes a set of Flow Records as its input and selects a subset of that set as its output. The Intermediate Flow Selection Process is a more general concept than the Intermediate Selection Process as defined in [RFC6183]. While an Intermediate Selection Process selects Flow Records from a sequence based upon criteria evaluated on Flow Record values and only passes on those Flow Records that match the criteria, an Intermediate Flow Selection Process selects Flow Records using selection criteria applicable to a larger set of Flow characteristics and information.
* Flow Cache
A Flow Cache is the set of Flow Records.
* Flow Selection State
An Intermediate Flow Selection Process maintains state information for use by the Flow Selector. At a given time, the Flow Selection State may depend on Flows and packets observed at and before that time, as well as other variables. Examples include:
(i) sequence number of packets and Flow Records;
(ii) number of selected Flows;
(iii) number of observed Flows;
(iv) current Flow Cache occupancy;
(v) Flow specific counters, lower and upper bounds;
(vi) Intermediate Flow Selection Process timeout intervals.
* Flow Selector
A Flow Selector defines the action of an Intermediate Flow Selection Process on a single Flow of its input. The Flow Selector can make use of the following information in order to establish whether or not a Flow has to be selected:
(i) the content of the Flow Record;
(ii) any state information related to the Metering Process or Exporting Process;
(iii) any Flow Selection State that may be maintained by the Intermediate Flow Selection Process.
* Complete Flow
A Complete Flow consists of all the packets that enter the Intermediate Flow Selection Process within the Flow timeout interval and that belong to the same Flow, per the definition of "Flow" in [RFC5470]. For this definition, only packets that arrive at the Intermediate Flow Selection Process are considered.
* Flow Position
Flow Position is the position of a Flow Record within the Flow Cache.
* Flow Filtering
Flow Filtering selects flows based on a deterministic function on the Flow Record content, Flow Selection State, external properties (e.g., ingress interface), or external events (e.g., violated Access Control List). If the relevant parts of the Flow Record content can already be observed at the packet level (e.g., Flow Keys from packet header fields), Flow Filtering can be performed at the packet level by Property Match Filtering, as described in [RFC5475].
* Hash-based Flow Filtering
Hash-based Flow Filtering is a deterministic Flow filter function that selects flows based on a hash function. The hash function is calculated over parts of the Flow Record content or external properties that are called the Hash Domain. If the hash value falls into a predefined Hash Selection Range, the Flow is selected.
* Flow-state Dependent Intermediate Flow Selection Process
The Flow-state dependent Intermediate Flow Selection Process is a selection function that selects or drops Flows based on the current Flow Selection State. The selection can be either deterministic, random, or non-uniform random.
* Flow-state Dependent Packet Selection
Flow-state dependent packet selection is a selection function that selects or drops packets based on the current Flow Selection State. The selection can be either deterministic, random, or non-uniform random. Flow-state dependent packet selection can be used to implement a preference for the selection of packets belonging to specific Flows. For example, the selection probability of packets belonging to Flows that are already within the Flow Cache may be higher than for packets that have not been recorded yet.
* Flow Sampling
Flow Sampling selects flows based on Flow Record sequence or arrival times (e.g., entry in Flow Cache, arrival time at Exporter or Mediator). The selection can be systematic (e.g., every n-th Flow) or based on a random function (e.g., select each Flow Record with probability p, or randomly select n out of N Flow Records).
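As an added example (written for this page, not code from RFC 7014), the three Flow Sampling schemes named in this definition applied to a list of Flow Records in arrival order. The records are constructed. The seed arguments only make a run reproducible; they are not secrets. selection_report returns the pair of counts an Exporter reports as selectorIDTotalFlowsObserved and selectorIDTotalFlowsSelected (the Information Elements listed in the table of contents above), without which a Collector cannot rescale estimates derived from the sampled subset.

```python
# Added example, not part of RFC 7014: count-based Flow Sampling over a sequence
# of Flow Records. The Flow Records below are constructed for the example.
import random
from typing import List, Sequence, Tuple


def systematic_sampling(records: Sequence, n: int, start: int = 0) -> List:
    """Systematic sampling: every n-th Flow Record, beginning at Flow Position
    `start` within the sequence."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return list(records[start::n])


def probabilistic_sampling(records: Sequence, p: float, seed: int = 0) -> List:
    """Uniform random sampling: each Flow Record independently with probability p.
    Arrival order is preserved."""
    rng = random.Random(seed)
    return [r for r in records if rng.random() < p]


def n_out_of_n_sampling(records: Sequence, n: int, seed: int = 0) -> List:
    """Random sampling of exactly n Flow Records out of the N observed,
    returned in their original arrival order."""
    rng = random.Random(seed)
    chosen = set(rng.sample(range(len(records)), n))
    return [r for i, r in enumerate(records) if i in chosen]


def selection_report(observed: Sequence, selected: Sequence) -> Tuple[int, int]:
    """(selectorIDTotalFlowsObserved, selectorIDTotalFlowsSelected) for this
    Selector: the Collector needs both to scale counts back up."""
    return len(observed), len(selected)


# Constructed Flow Records carrying only the fields a sampler looks at.
FLOWS = [{"flowId": i,
          "destinationIPv4Address": "192.0.2.%d" % (i % 4),
          "octetDeltaCount": 100 * (i + 1)} for i in range(10)]

if __name__ == "__main__":
    sel = n_out_of_n_sampling(FLOWS, 4, seed=3)
    print([r["flowId"] for r in sel], selection_report(FLOWS, sel))
```

Systematic sampling is cheap and gives an exact selection count, but a sender that can control how many Flows it creates between two selections can steer which of its Flows are picked; the random schemes remove that predictability at the cost of a variable selection count, which is why the observed/selected counts have to be exported alongside the records.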
3. Difference between Intermediate Flow Selection Process and Packet Selection
The Intermediate Flow Selection Process differs from packet selection as described in [RFC5475]. Packet selection techniques consider packets as the basic element, and the parent population consists of all packets observed at an Observation Point. In contrast to this, the basic elements in Flow selection are the Flows. The parent population consists of all observed Flows, and the Intermediate Flow Selection Process operates on the Flows. The major characteristics of the Intermediate Flow Selection Process are the following:
- The Intermediate Flow Selection Process takes Flows as basic elements. For packet selection, packets are considered as basic elements.
- The Intermediate Flow Selection Process typically takes place after Packet Classification, because the classification rules determine to which Flow a packet belongs. It can, however, also be performed before Packet Classification. In that case, the Intermediate Flow Selection Process is based on the Flow Key (and also on a hash value over the Flow Key) but not on characteristics that are only available after Packet Classification (e.g., Flow size, Flow duration). Packet selection can be applied before and after Packet Classification. As an example, packet selection before Packet Classification can be random packet selection, whereas packet selection after Packet Classification can be Flow-state dependent packet selection (as described in [RFC5475]).
- The Intermediate Flow Selection Process operates on Complete Flows: after the Intermediate Flow Selection Process, either all packets of a Flow are kept or all packets of the Flow are discarded. If the Intermediate Flow Selection Process is preceded by a packet selection process, the Complete Flow consists only of the packets that were not discarded during that packet selection.
There are some techniques that are difficult to unambiguously categorize into one of the categories. Here, some guidance is given on how to categorize such techniques:
- Techniques that can be considered as both packet selection and an Intermediate Flow Selection Process: some packet selection techniques result in the selection of Complete Flows and therefore can be considered as packet selection or as an Intermediate Flow Selection Process at the same time. An example is Property Match Filtering of all packets to a specific destination address. If Flows are defined based on destination addresses, such a packet selection also results in an Intermediate Flow Selection Process and can be considered as packet selection or as an Intermediate Flow Selection Process.
- Flow-state Dependent Packet Selection: there exist techniques that select packets based on the Flow state, e.g., based on the number of already observed packets belonging to the Flow. Examples of these techniques from the literature include "Sample and Hold" [EsVa01], "Fast Filtered Sampling" [MSZC10], and the "Sticky Sampling" algorithm presented in [MaMo02]. Such techniques can be used to influence which Flows are captured (e.g., increase the selection of packets belonging to large Flows) and reduce the number of Flows that need to be stored in the Flow Cache. Nevertheless, such techniques do not necessarily select Complete Flows, because they do not ensure that all packets of a selected Flow are captured. Therefore, Flow-state dependent packet selection techniques that do not ensure that either all or no packets of a Flow are selected, strictly speaking, have to be considered as packet selection techniques and not as Intermediate Flow Selection Process techniques.
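The following Python, written for this page and not taken from RFC 7014 or from [EsVa01], shows why such a technique is packet selection rather than Flow selection. A "Sample and Hold" selector counts every packet of a Flow that is already in the Flow Cache, but admits a packet of an unknown Flow only with probability p, so the packets that arrived before the admitting one are lost and the held Flow is not a Complete Flow. The trace is constructed; the random draw is injectable so that the decision sequence can be fixed when checking the result.

```python
# Added example, not part of RFC 7014 or [EsVa01]: "Sample and Hold" as a
# Flow-state dependent packet selection. Trace and packet format are constructed.
import random
from typing import Callable, Dict, Iterable, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]


def flow_key(pkt: dict) -> FlowKey:
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def sample_and_hold(packets: Iterable[dict], p: float,
                    draw: Optional[Callable[[], float]] = None) -> Dict[FlowKey, int]:
    """Return the Flow Cache {Flow Key: packets counted} after selection.
    `draw` yields uniform floats in [0, 1); it is injectable so a test can fix
    the decisions, and defaults to a seeded PRNG."""
    draw = draw or random.Random(7).random
    cache: Dict[FlowKey, int] = {}
    for pkt in packets:
        k = flow_key(pkt)
        if k in cache:            # Flow Selection State: Flow is held, keep the packet
            cache[k] += 1
        elif draw() < p:          # unknown Flow: admit it with probability p
            cache[k] = 1
    return cache


def true_counts(packets: Iterable[dict]) -> Dict[FlowKey, int]:
    """What a Metering Process without selection would have counted."""
    out: Dict[FlowKey, int] = {}
    for pkt in packets:
        out[flow_key(pkt)] = out.get(flow_key(pkt), 0) + 1
    return out


def missed_per_held_flow(packets: Iterable[dict], p: float,
                         draw: Optional[Callable[[], float]] = None) -> Dict[FlowKey, int]:
    """Packets of each held Flow that arrived before the Flow was admitted.
    Any non-zero value means the selection did not yield a Complete Flow."""
    packets = list(packets)
    held = sample_and_hold(packets, p, draw)
    truth = true_counts(packets)
    return {k: truth[k] - held[k] for k in held}


def _pkt(ts, src, sport, dport=443, proto=6, dst="192.0.2.10"):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport}


# Constructed trace: Flow A (10.0.0.5) has four packets, Flow B (10.0.0.6) has two.
TRACE = [_pkt(1, "10.0.0.5", 40001), _pkt(2, "10.0.0.5", 40001),
         _pkt(3, "10.0.0.6", 40002), _pkt(4, "10.0.0.5", 40001),
         _pkt(5, "10.0.0.6", 40002), _pkt(6, "10.0.0.5", 40001)]

if __name__ == "__main__":
    print(missed_per_held_flow(TRACE, p=0.5))
```

With the draw sequence 0.9, 0.2, 0.7, 0.3 and p = 0.5, Flow A is admitted on its second packet and Flow B on its second, so the cache reports A:3 and B:1 against true counts of 4 and 2. Large Flows are almost certain to be admitted early and counted nearly in full, small Flows are often missed entirely; that bias is the intended resource saving, but the undercount of the first packets is also why an Exporter MUST report the selection so a Collector does not read the held counts as complete.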
4. Difference between Intermediate Flow Selection Process and Intermediate Selection Process
The Intermediate Flow Selection Process differs from the Intermediate Selection Process, since the Intermediate Flow Selection Process uses selection criteria that apply to a larger set of Flow information and properties than those used by the Intermediate Selection Process. The typical function of an Intermediate Selection Process is Property Match Filtering, which selects a Flow Record if the value of a specific field in the Flow Record matches a configured value or falls within a configured range. This means that the selection criteria used by an Intermediate Selection Process are evaluated only on Flow Record values. An Intermediate Flow Selection Process makes its decision on whether a Flow has to be selected or not by taking into account not only information related to the content of the Flow Record but also any Flow Selection State information or variable that can be used to select Flows in order to meet application requirements or resource constraints (e.g., Flow Cache occupancy, export link capacity). Examples include flow counters, Intermediate Flow Selection Process timeout intervals, and Flow Record time information.
5. Intermediate Flow Selection Process within the IPFIX Architecture

An Intermediate Flow Selection Process can be deployed at any of three places within the IPFIX architecture. As shown in Figure 1, the Intermediate Flow Selection Process can occur
1. in the Metering Process at the IPFIX Exporter
2. in the Exporting Process at the Collector
3. within a Mediator
+===========================================+
| IPFIX Exporter         +----------------+ |
|                        | Metering Proc. | |
| +-----------------+    +----------------+ |
| | Metering        |    | Intermediate   | |
| | Process         | or | Flow Selection | |
| |                 |    | Process        | |
| +-----------------+----+----------------+ |
| |          Exporting Process            | |
| +----|-------------------------------|--+ |
+======|===============================|====+
       |                               |
+======|========================+      |
|      |  Mediator              |      |
|    +-V-------------------+    |      |
|    | Collecting Process  |    |      |
|    +---------------------+    |      |
|    | Intermediate Flow   |    |      |
|    | Selection Process   |    |      |
|    +---------------------+    |      |
|    | Exporting Process   |    |      |
|    +-|-------------------+    |      |
+======|========================+      |
       |                               |
+======|===============================|=====+
|      |  Collector                    |     |
| +----V-------------------------------V-+   |
| | Collecting Process                   |   |
| +--------------------------------------+   |
| | Intermediate Flow Selection Process  |   |
| +--------------------------------------+   |
| | Exporting Process                    |   |
| +------------------------------|-------+   |
+================================|===========+
                                 |
                                 V
                        +------------------+
                        |      IPFIX       |
                        +------------------+
Figure 1: Potential Intermediate Flow Selection Process Locations
In contrast to packet selection, the Intermediate Flow Selection Process is always applied after the packets are classified into Flows.
5.1. Intermediate Flow Selection Process in the Metering Process

An Intermediate Flow Selection Process in the Metering Process uses packet information to update the Flow Records in the Flow Cache. The Intermediate Flow Selection Process, before Packet Classification, can be based on the Flow Key (and also on a hash value over the Flow Key) but not on characteristics that are only available after Packet Classification (e.g., Flow size, Flow duration). Here, an Intermediate Flow Selection Process is applied to reduce resources for all subsequent processes or to select specific Flows of interest in cases where such Flow characteristics are already observable at the packet level (e.g., Flows to specific IP addresses). In contrast, Flow-state dependent packet selection is a packet selection technique, because it does not necessarily select Complete Flows.
5.2. Intermediate Flow Selection Process in the Exporting Process

An Intermediate Flow Selection Process in the Exporting Process works on Flow Records and can therefore depend on Flow characteristics that are only visible after the classification of packets, such as Flow size and Flow duration. The Exporting Process may implement policies for exporting only a subset of the Flow Records that have been stored in the system's memory, in order to offload Flow export and Flow post-processing. An Intermediate Flow Selection Process in the Exporting Process may select only the subset of Flow Records that are of interest to the user's application or select only as many Flow Records as can be handled by the available resources (e.g., limited export link capacity).
5.3. Intermediate Flow Selection Process as a Function of the IPFIX Mediator
As shown in Figure 1, the Intermediate Flow Selection Process can be performed within an IPFIX Mediator [RFC6183]. The Intermediate Flow Selection Process takes a Flow Record stream as its input and selects Flow Records from a sequence based upon criteria-evaluated record values. The Intermediate Flow Selection Process can again apply an Intermediate Flow Selection Process technique to obtain Flows of interest to the application. Further, the Intermediate Flow Selection Process can base its selection decision on the correlation of data from different IPFIX Exporters, e.g., by only selecting Flows that were recorded on two or more IPFIX Exporters.
6. Intermediate Flow Selection Process Techniques

An Intermediate Flow Selection Process technique selects either all or none of the packets of a Flow; otherwise, the technique has to be considered as packet selection. Two classes of techniques are distinguished: Flow Filtering and Flow Sampling.
6.1. Flow Filtering

Flow Filtering is a deterministic function on the IPFIX Flow Record content. If the relevant Flow characteristics are already observable at the packet level (e.g., Flow Keys), Flow Filtering can be applied before aggregation at the packet level. In order to be compliant with IPFIX, at least one of this document's Flow Filtering schemes MUST be implemented.
6.1.1. Property Match Filtering

Property Match Filtering is performed similarly to Property Match Filtering for packet selection as described in [RFC5475]. The difference is that Flow Record fields are used here, instead of packet fields, to derive the selection decision. Property Match Filtering is used to select a specific subset of the Flows that are of interest to a particular application (e.g., all Flows to a specific destination, all large Flows, etc.). Properties on which the filtering is based can be Flow Keys, Flow Timestamps, or Per-Flow Counters as described in [RFC7012]. Examples include the Flow size in bytes, the number of packets in the Flow, the observation time of the first or last packet, and the maximum packet length. An example of Property Match Filtering is to select Flows with more than a threshold number of observed octets. The selection criteria can be a specific value, a set of specific values, or an interval. For example, a Flow is selected if destinationIPv4Address and the total number of packets of the Flow equal two predefined values. An Intermediate Flow Selection Process using Property Match Filtering in the Metering Process relies on properties that are observable at the packet level (e.g., Flow Key). For example, a Flow is selected if sourceIPv4Address and sourceIPv4PrefixLength equal, respectively, two specific values.
An Intermediate Flow Selection Process using Property Match Filtering in the Exporting Process is based on properties that are only visible after Packet Classification, such as Flow size and Flow duration. An example is the selection of the largest Flows or a percentage of Flows with the longest lifetime. Another example is to select and remove from the Flow Cache the Flow Record with the lowest Flow volume per current Flow lifetime if the Flow Cache is full.
在导出过程中使用属性匹配过滤的中间流选择过程基于仅在数据包分类后可见的属性,例如流大小和流持续时间。一个例子是选择最大的流或生命周期最长的流的百分比。另一个示例是,如果流缓存已满,则从流缓存中选择并删除每个当前流生存期具有最低流量的流记录。
An Intermediate Flow Selection Process using Property Match Filtering within an IPFIX Mediator selects a Flow Record if the value of a specific field in the Flow Record equals a configured value or falls within a configured range [RFC6183].
如果流记录中特定字段的值等于配置值或在配置范围内[RFC6183],则在IPFIX中介中使用属性匹配筛选的中间流选择过程将选择流记录。
Hash-based Flow Filtering uses a hash function h to map the Flow Key c onto a Hash Range R. A Flow is selected if the hash value h(c) is within the Hash Selection Range S, which is a subset of R. Hash-based Flow Filtering can be used to emulate a random sampling process but still enable the correlation between selected Flow subsets at different Observation Points. Hash-based Flow Filtering is similar to Hash-based packet selection and is in fact identical when Hash-based packet selection uses the Flow Key that defines the Flow as the hash input. Nevertheless, there may be the incentive to apply Hash-based Flow Filtering, but not at the packet level, in the Metering Process, for example, when the size of the selection range, and therefore the sampling probability, are dependent on the number of observed Flows. If Hash-based Flow Filtering is used to select the same subset of flows at different Observation Points, the Hash Domain MUST only include parts of the Flow Record content that are invariant on the Flow path. Refer also to the Trajectory Sampling application example of coordinated packet selection [RFC5475], which explains the hash-based filtering approach at the packet level.
基于散列的流过滤使用散列函数h将流键c映射到散列范围R。如果散列值h(c)在散列选择范围S内,则选择流,这是R的子集。基于散列的流过滤可用于模拟随机采样过程,但仍能在不同观测点的选定流子集之间建立关联。基于散列的流过滤类似于基于散列的数据包选择,并且当基于散列的数据包选择使用将流定义为散列输入的流键时,实际上是相同的。然而,例如,当选择范围的大小以及因此采样概率取决于所观察到的流的数量时,可能存在在计量过程中应用基于散列的流过滤的激励,但不在分组级别。如果使用基于散列的流过滤来选择不同观察点的相同流子集,则散列域必须仅包括流路径上不变的流记录内容的一部分。另请参阅协调数据包选择的轨迹采样应用示例[RFC5475],该示例解释了数据包级别的基于散列的过滤方法。
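To make the hash-based scheme concrete, the following is an added Python example; it is not code from RFC 7014 or from any IPFIX implementation. It serializes the Flow Key into a canonical byte string (the Hash Domain), hashes it with CRC-32, one of the hash functions this document lists, and selects the Flow when h(c) falls inside a configured Hash Selection Range S within the Hash Range R. The FlowRecord layout, the use of the CRC-32 start value as the hashInitialiserValue, the addresses, and the scenario of two Observation Points that see the same Flows with different TTLs are all constructed assumptions. The point it demonstrates is the MUST above: because only path-invariant fields are hashed, both Observation Points select exactly the same subset of Flows.

```python
import struct
import zlib
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class FlowRecord:
    """Constructed Flow Record. The 5-tuple is the Flow Key; ttl and packets are
    per-Observation-Point values and are deliberately kept out of the Hash Domain."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    ttl: int
    packets: int


# CRC-32 output range, i.e. hashOutputRangeMin .. hashOutputRangeMax
HASH_OUTPUT_RANGE_MIN = 0
HASH_OUTPUT_RANGE_MAX = 0xFFFFFFFF


def hash_domain(flow: FlowRecord) -> bytes:
    """Serialize the Flow Key (only path-invariant fields) into a canonical byte string."""
    return (ip_address(flow.src).packed
            + ip_address(flow.dst).packed
            + struct.pack("!BHH", flow.proto, flow.sport, flow.dport))


def crc32_hash(data: bytes, initialiser: int = 0) -> int:
    """CRC-32 over the Hash Domain; 'initialiser' plays the role of hashInitialiserValue
    (assumption: the CRC start value is used as the initializer)."""
    return zlib.crc32(data, initialiser) & 0xFFFFFFFF


def selection_range_for_fraction(fraction: float) -> tuple:
    """Hash Selection Range [min, max] whose size is the given fraction of the Hash Range.
    Assumes the hash output is close to uniformly distributed over the Hash Range."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be in [0, 1]")
    size = int(fraction * (HASH_OUTPUT_RANGE_MAX + 1))
    return HASH_OUTPUT_RANGE_MIN, HASH_OUTPUT_RANGE_MIN + max(size - 1, 0)


def select_flow(flow: FlowRecord, selected_min: int, selected_max: int,
                initialiser: int = 0) -> bool:
    """A Flow is selected iff h(c) lies inside the Hash Selection Range S (a subset of R)."""
    h = crc32_hash(hash_domain(flow), initialiser)
    return selected_min <= h <= selected_max


def filter_flows(flows, selected_min, selected_max, initialiser=0):
    return [f for f in flows if select_flow(f, selected_min, selected_max, initialiser)]


def selected_flow_keys(flows, selected_min, selected_max, initialiser=0):
    return {(f.src, f.dst, f.proto, f.sport, f.dport)
            for f in filter_flows(flows, selected_min, selected_max, initialiser)}


def demo_two_observation_points() -> bool:
    """Constructed scenario: the same Flows observed at two Observation Points three hops
    apart (different TTL). Only invariant fields are hashed, so both select the same subset."""
    base = [
        ("192.0.2.1", "198.51.100.7", 6, 40001, 443),
        ("192.0.2.2", "198.51.100.7", 6, 40002, 443),
        ("192.0.2.3", "203.0.113.9", 17, 5353, 53),
        ("192.0.2.4", "203.0.113.9", 6, 40003, 80),
        ("192.0.2.5", "198.51.100.8", 6, 40004, 22),
        ("192.0.2.6", "198.51.100.8", 17, 40005, 123),
        ("192.0.2.7", "203.0.113.10", 6, 40006, 8080),
        ("192.0.2.8", "203.0.113.10", 6, 40007, 443),
    ]
    op_a = [FlowRecord(*key, ttl=64, packets=i + 1) for i, key in enumerate(base)]
    op_b = [FlowRecord(*key, ttl=61, packets=i + 1) for i, key in enumerate(base)]
    lo, hi = selection_range_for_fraction(0.5)
    return selected_flow_keys(op_a, lo, hi) == selected_flow_keys(op_b, lo, hi)


if __name__ == "__main__":
    print("same subset at both Observation Points:", demo_two_observation_points())
```

Changing the initialiser changes which Flows fall into S, so all Observation Points that are meant to select the same subset must share the same initialiser as well as the same Hash Domain and Hash Selection Range.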
Flow sampling operates on Flow Record sequence or arrival times. It can use either a systematic or a random function for the Intermediate Flow Selection Process. Flow sampling usually aims at the selection of a representative subset of all Flows in order to estimate characteristics of the whole set (e.g., mean Flow size in the network).
Systematic sampling is a deterministic selection function. It may be a periodic selection of the N-th Flow Record that arrives at the Intermediate Flow Selection Process. Systematic sampling MAY be applied in the Metering Process. An example would be to create, besides the Flow Cache of selected Flows, an additional data structure that saves the Flow Key values of the Flows that are not selected. The selection of a Flow would then be based on the first packet of a Flow. Every time a packet belonging to a new Flow (which is not in the data structure of either the selected or non-selected Flows) arrives at the Observation Point, a counter is increased. If the counter is increased to a multiple of N, a new Flow Cache entry is created; if the counter is not a multiple of N, the Flow Key value is added to the data structure for non-selected Flows.
Systematic sampling can also be time-based. Time-based systematic sampling is applied by only creating Flows that are observed between time-based start and stop triggers. The time interval may be applied at the packet level in the Metering Process or after aggregation at the Flow level, e.g., by selecting a Flow arriving at the Exporting Process every n seconds.
Random Flow sampling is based on a random process that requires the calculation of random numbers. One can differentiate between n-out-of-N and probabilistic Flow sampling.
In n-out-of-N Sampling, n elements are selected out of the parent population, which consists of N elements. One example would be to generate n different random numbers in the range [1,N] and select all Flows that have a Flow Position equal to one of the random numbers.
In probabilistic Sampling, the decision of whether or not a Flow is selected is made in accordance with a predefined selection probability. For probabilistic Sampling, the Sample Size can vary for different trials. The selection probability does not necessarily have to be the same for each Flow. Therefore, a difference between uniform probabilistic sampling (with the same selection probability for all Flows) and non-uniform probabilistic sampling (where the selection probability can vary for different Flows) is recognized. For non-uniform probabilistic Flow sampling, the sampling probability may be adjusted according to the Flow Record content. An example would be to increase the selection probability of large-volume Flows over small-volume Flows, as described in [DuLT01].
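The three random Flow sampling variants described above, as an added Python example that is not part of RFC 7014: n-out-of-N sampling draws n distinct Flow Positions from [1, N]; uniform probabilistic sampling selects every Flow with the same probability p, so the Sample Size varies from trial to trial; non-uniform sampling raises the probability of large-volume Flows. The Flow list, the threshold z, and the particular size-dependent form p(x) = min(1, x/z) are assumptions chosen for illustration in the spirit of [DuLT01], not a parameterization this document defines. The estimator at the end goes slightly beyond the text: it shows why the non-uniform probabilities have to be recorded, since the Flow-level estimate of the total volume is only unbiased once each selected Flow is weighted by 1/p(x).

```python
import random

# Constructed Flow Records: (Flow Key label, octets). Labels stand in for real Flow Keys.
FLOWS = [("A", 80), ("B", 1_500), ("C", 12_000), ("D", 60), ("E", 250_000),
         ("F", 900), ("G", 3_000_000), ("H", 120), ("I", 45_000), ("J", 700)]


def make_rng(seed: int = 7) -> random.Random:
    """Seeded generator so that a trial can be reproduced; a Selector would use its own RNG."""
    return random.Random(seed)


def n_out_of_n_positions(n: int, population: int, rng: random.Random) -> set:
    """Draw n distinct Flow Positions from [1, N] (n = samplingSize, N = samplingPopulation)."""
    if not 0 <= n <= population:
        raise ValueError("samplingSize must not exceed samplingPopulation")
    return set(rng.sample(range(1, population + 1), n))


def n_out_of_n_sample(flows, n: int, rng: random.Random) -> list:
    """Select the Flows whose Flow Position equals one of the drawn random numbers."""
    positions = n_out_of_n_positions(n, len(flows), rng)
    return [flow for pos, flow in enumerate(flows, start=1) if pos in positions]


def uniform_probabilistic_sample(flows, p: float, rng: random.Random) -> list:
    """Each Flow is selected independently with samplingProbability p."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("samplingProbability must be in [0, 1]")
    return [flow for flow in flows if rng.random() < p]


def size_dependent_probability(octets: int, z: int) -> float:
    """Non-uniform probability preferring large Flows: p(x) = min(1, x/z).
    Flows of at least z octets are always selected (assumed parameterization)."""
    return min(1.0, octets / z)


def nonuniform_probabilistic_sample(flows, z: int, rng: random.Random) -> list:
    """Selection probability adjusted from the Flow Record content (here, the octet count)."""
    return [flow for flow in flows
            if rng.random() < size_dependent_probability(flow[1], z)]


def estimate_total_octets(selected, z: int) -> float:
    """Horvitz-Thompson estimate of the population's total octets from a size-dependent
    sample: weighting each selected Flow by 1/p(x) removes the bias of the non-uniform
    selection. With z = 1 every Flow has p = 1 and the estimate equals the exact total."""
    return sum(octets / size_dependent_probability(octets, z) for _, octets in selected)


if __name__ == "__main__":
    rng = make_rng()
    print("3-out-of-N:", n_out_of_n_sample(FLOWS, 3, rng))
    print("uniform p=0.5:", uniform_probabilistic_sample(FLOWS, 0.5, rng))
    chosen = nonuniform_probabilistic_sample(FLOWS, 10_000, rng)
    print("size-dependent:", chosen, "estimate:", estimate_total_octets(chosen, 10_000))
```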
The Flow-state dependent Intermediate Flow Selection Process can be a deterministic or random Intermediate Flow Selection Process, based on the Flow Record content and the Flow state that may be kept additionally for each of the Flows. External processes may update counters, bounds, and timers for each of the Flow Records, and the Intermediate Flow Selection Process utilizes this information for the selection decision. A review of Flow-state dependent Intermediate Flow Selection Process techniques that aim at the selection of the most frequent items by keeping additional Flow state information can be found in [CoHa08]. The Flow-state dependent Intermediate Flow Selection Process can only be applied after packet aggregation, when a packet has been assigned to a Flow. The Intermediate Flow Selection Process then decides, based on the Flow state for each Flow, whether it is kept in the Flow Cache or not. Two Flow-state dependent Intermediate Flow Selection Process Algorithms are described here:
The Frequent algorithm [KaPS03] is a technique that aims at the selection of all flows that at least exceed a 1/k fraction of the Observed Packet Stream. The algorithm has only a Flow Cache of size k-1, and each Flow in the Flow Cache has an additional counter. The counter is incremented each time a packet belonging to the Flow in the Flow Cache is observed. If the observed packet does not belong to any Flow, all counters are decremented; if any of the Flow counters has a value of zero, the Flow is replaced with a Flow formed from the new packet.
Lossy counting is a selection technique that identifies all Flows whose packet count exceeds a certain percentage of the whole observed packet stream (e.g., 5% of all packets) with a certain estimation error e. Lossy counting separates the observed packet stream in windows of size N=1/e, where N is an amount of consecutive packets. For each observed Flow, an additional counter will be held in the Flow state. The counter is incremented each time a packet belonging to the Flow is observed, and all counters are decremented at the end of each window. Also, all Flows with a counter of zero are removed from the Flow Cache.
Flow-state dependent packet selection is not an Intermediate Flow Selection Process technique but a packet selection technique. Nevertheless, configuration and reporting parameters for this technique will be described in this document. An example is the "Sample and Hold" algorithm [EsVa01], which tries to implement a preference for large-volume Flows in the selection. When a packet arrives, it is selected when a Flow Record for this packet already exists. If there is no Flow Record, the packet is selected according to a certain probability that is dependent on the packet size.
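The three Flow-state dependent algorithms described above (Frequent, lossy counting, and the Sample and Hold packet selection), as an added Python example that is not code from RFC 7014 or from the cited papers. Each class keeps exactly the additional Flow state the text names: a per-Flow counter for Frequent and lossy counting, and the existence of a Flow Record for Sample and Hold. The Frequent class follows this document's wording, in which the new Flow takes a slot freed by a zero counter; the Sample and Hold packet probability 1 - (1 - p_byte)^size, the constructed packet stream, and the seeded generator are assumptions made for the example.

```python
import math
import random

# Constructed packet stream: each letter is the Flow Key of one observed packet.
# Flow A carries 6 of 10 packets, i.e. more than a 1/3 fraction of the stream.
PACKET_STREAM = list("ABACADABAA")


class FrequentSelector:
    """Frequent algorithm [KaPS03] as described above: a Flow Cache of size k-1 with one
    counter per cached Flow, meant to retain every Flow exceeding a 1/k fraction."""

    def __init__(self, k: int):
        if k < 2:
            raise ValueError("k must be >= 2")
        self.capacity = k - 1
        self.counters = {}          # Flow Key -> counter (the extra per-Flow state)

    def observe_packet(self, flow_key) -> None:
        if flow_key in self.counters:
            self.counters[flow_key] += 1
            return
        if len(self.counters) < self.capacity:
            self.counters[flow_key] = 1
            return
        # Packet belongs to no cached Flow and the cache is full: decrement all counters,
        # evict Flows whose counter reached zero, and let the new Flow take a freed slot.
        for key in list(self.counters):
            self.counters[key] -= 1
            if self.counters[key] == 0:
                del self.counters[key]
        if len(self.counters) < self.capacity:
            self.counters[flow_key] = 1

    def selected_flows(self) -> set:
        return set(self.counters)


class LossyCountingSelector:
    """Lossy counting: windows of N = ceil(1/e) consecutive packets; counters are incremented
    per packet and decremented at each window end, when zero-count Flows are evicted."""

    def __init__(self, e: float):
        if not 0.0 < e < 1.0:
            raise ValueError("accuracy parameter e must be in (0, 1)")
        self.e = e
        self.window = math.ceil(1.0 / e)
        self.counters = {}
        self.packets_seen = 0

    def observe_packet(self, flow_key) -> None:
        self.packets_seen += 1
        self.counters[flow_key] = self.counters.get(flow_key, 0) + 1
        if self.packets_seen % self.window == 0:     # end of a window
            for key in list(self.counters):
                self.counters[key] -= 1
                if self.counters[key] == 0:
                    del self.counters[key]

    def selected_flows(self, s: float) -> set:
        """Flows whose counter is at least (s - e) * N, with N the packets seen so far:
        the frequency threshold s and accuracy parameter e of this document."""
        threshold = (s - self.e) * self.packets_seen
        return {key for key, count in self.counters.items() if count >= threshold}


class SampleAndHold:
    """Flow-state dependent packet selection ("Sample and Hold" [EsVa01]): a packet whose
    Flow already has a Flow Record is always selected (hold); otherwise it is selected with
    a size-dependent probability, here 1 - (1 - p_byte) ** size (assumed parameterization)."""

    def __init__(self, p_byte: float, rng=None):
        if not 0.0 <= p_byte <= 1.0:
            raise ValueError("p_byte must be in [0, 1]")
        self.p_byte = p_byte
        self.rng = rng or random.Random(0)
        self.flow_cache = {}        # Flow Key -> octets counted since the Flow was sampled

    def observe_packet(self, flow_key, size: int) -> bool:
        if flow_key in self.flow_cache:              # hold
            self.flow_cache[flow_key] += size
            return True
        p_packet = 1.0 - (1.0 - self.p_byte) ** size  # sample, preferring large packets
        if self.rng.random() < p_packet:
            self.flow_cache[flow_key] = size
            return True
        return False


if __name__ == "__main__":
    fq, lc = FrequentSelector(k=3), LossyCountingSelector(e=0.25)
    for key in PACKET_STREAM:
        fq.observe_packet(key)
        lc.observe_packet(key)
    print("Frequent:", fq.selected_flows(), "Lossy counting (s=0.5):", lc.selected_flows(0.5))
```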
This section describes the configuration parameters of the Flow selection techniques presented above. It provides the basis for an information model to be adopted in order to configure the Intermediate Flow Selection Process within an IPFIX Device. The information model with the Information Elements (IEs) for Intermediate Flow Selection Process configuration is described together with the reporting IEs in Section 8. Table 1 gives an overview of the defined Intermediate Flow Selection Process techniques, where they can be applied, and what their input parameters are. Depending on where the Flow selection techniques are applied, different input parameters can be configured.

+-------------------+--------------------+--------------------------+
| Location          | Selection          | Selection Input          |
|                   | Technique          |                          |
+-------------------+--------------------+--------------------------+
| In the Metering   | Flow-state         | packet sampling          |
| Process           | Dependent Packet   | probabilities, Flow      |
|                   | Selection          | Selection State, packet  |
|                   |                    | properties               |
|                   |                    |                          |
| In the Metering   | Property Match     | Flow Record IEs,         |
| Process           | Flow Filtering     | Selection Interval       |
|                   |                    |                          |
| In the Metering   | Hash-based Flow    | selection range, hash    |
| Process           | Filtering          | function, Flow Key, seed |
|                   |                    | (optional)               |
|                   |                    |                          |
| In the Metering   | Time-based         | Flow Position (derived   |
| Process           | Systematic Flow    | from arrival time of     |
|                   | sampling           | packets), Flow Selection |
|                   |                    | State                    |
|                   |                    |                          |
| In the Metering   | Sequence-based     | Flow Position (derived   |
| Process           | Systematic Flow    | from packet position),   |
|                   | sampling           | Flow Selection State     |
|                   |                    |                          |
| In the Metering   | Random Flow        | random number generator  |
| Process           | sampling           | or list and packet       |
|                   |                    | position, Flow state     |
|                   |                    |                          |
| In the Exporting  | Property Match     | Flow Record content,     |
| Process/ within   | Flow Filtering     | filter function          |
| the IPFIX         |                    |                          |
| Mediator          |                    |                          |
|                   |                    |                          |
| In the Exporting  | Hash-based Flow    | selection range, hash    |
| Process/ within   | Filtering          | function, hash input     |
| the IPFIX         |                    | (Flow Keys and other     |
| Mediator          |                    | Flow properties)         |
|                   |                    |                          |
| In the Exporting  | Flow-state         | Flow state parameters,   |
| Process/ within   | Dependent          | random number generator  |
| the IPFIX         | Intermediate Flow  | or list                  |
| Mediator          | Selection Process  |                          |
|                   |                    |                          |
| In the Exporting  | Time-based         | Flow arrival time, Flow  |
| Process/ within   | Systematic Flow    | state                    |
| the IPFIX         | sampling           |                          |
| Mediator          |                    |                          |
|                   |                    |                          |
| In the Exporting  | Sequence-based     | Flow Position, Flow      |
| Process/ within   | Systematic Flow    | state                    |
| the IPFIX         | sampling           |                          |
| Mediator          |                    |                          |
|                   |                    |                          |
| In the Exporting  | Random Flow        | random number generator  |
| Process/ within   | sampling           | or list and Flow         |
| the IPFIX         |                    | Position, Flow state     |
| Mediator          |                    |                          |
+-------------------+--------------------+--------------------------+

Table 1: Overview of Intermediate Flow Selection Process Techniques
This section defines what parameters are required to describe the most common Intermediate Flow Selection Process techniques.
Intermediate Flow Selection Process Parameters:
For Property Match Filtering:
- Information Element (as specified in [IANA-IPFIX]): Specifies the Information Element that is used as the property in the filter expression. Section 8 specifies the Information Elements that MUST be exported by an Intermediate Flow Selection Process using Property Match Filtering.
- Selection Value or Value Interval: Specifies the value or interval of the filter expression. Packets and Flow Records that have a value equal to the Selection Value or within the Interval will be selected.
For Hash-based Flow Filtering:
- Hash Domain: Specifies the bits from the packet or Flow that are taken as the hash input to the hash function.
- Hash Function: Specifies the name of the hash function that is used to calculate the hash value. Possible hash functions are BOB [RFC5475], IP Shift-XOR (IPSX) [RFC5475], and CRC-32 [Bra75].
- Hash Selection Range: Flows that have a hash value within the Hash Selection Range are selected. The Hash Selection Range can be a value interval or arbitrary hash values within the Hash Range of the hash function.
- Random Seed or Initializer Value: Some hash functions require an initializing value. In order to make the selection decision more secure, one can choose a random seed that configures the hash function.
For Flow-state Dependent Intermediate Flow Selection Process:
- Frequency threshold: Specifies the frequency threshold s for Flow-state dependent Flow Selection techniques that try to find the most frequent items within a dataset. All Flows that exceed the defined threshold will be selected.
- Accuracy parameter: Specifies the accuracy parameter e for techniques that deal with the issue of mining frequent items in a dataset. The accuracy parameter defines the maximum error, i.e., no Flows that have a true frequency less than (s - e) N are selected, where s is the frequency threshold and N is the total number of packets.
The above list of parameters for Flow-state dependent Flow Selection techniques is suitable for the presented frequent item and lossy counting algorithms. Nevertheless, a variety of techniques exist with very specific parameters not defined here.
For Systematic time-based Flow sampling:
- Interval length (in usec): Defines the length of the sampling interval during which Flows are selected.
- Spacing (in usec): Defines the spacing in usec between the end of one sampling interval and the start of the next interval.
For Systematic count-based Flow sampling:
- Interval length: Defines the number of Flows that are selected within the sampling interval.
- Spacing: Defines the spacing, in number of observed Flows, between the end of one sampling interval and the start of the next interval.
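The following added Python example (not code from RFC 7014 or from an IPFIX implementation) ties the count-based parameters just listed to the Metering Process procedure described earlier for systematic sampling: the selection decision is made on the first packet of each new Flow, selected Flows go into the Flow Cache, and the Flow Keys of non-selected Flows are remembered so that their later packets are not mistaken for new Flows. Interval length and spacing are modelled as "select the first interval Flows of every interval+spacing new Flows"; the periodic "every N-th Flow" selection of the text is the special case interval 1, spacing N-1 (phase-shifted, since the text selects the Flow that makes the counter a multiple of N). The packet trace and the string Flow Keys are constructed; the report() counters mirror the reporting IEs of Section 8.

```python
# Constructed packet trace: each entry is the Flow Key of one observed packet, in arrival
# order. Nine distinct Flows appear; first-seen order is A, B, C, D, E, F, G, H, I.
PACKET_TRACE = ["A", "B", "A", "C", "D", "C", "E", "F", "A", "G", "H", "I", "H"]


class SystematicCountBasedFlowSelector:
    """Systematic count-based Flow sampling applied in the Metering Process.

    interval -- number of consecutive new Flows that are selected (samplingFlowInterval)
    spacing  -- number of consecutive new Flows that are skipped  (samplingFlowSpacing)
    """

    def __init__(self, interval: int, spacing: int):
        if interval < 1 or spacing < 0:
            raise ValueError("interval must be >= 1 and spacing >= 0")
        self.interval = interval
        self.spacing = spacing
        self.flow_cache = {}          # Flow Key -> packet count, selected Flows only
        self.not_selected = set()     # Flow Keys of Flows that were not selected
        self.new_flow_counter = 0     # every new Flow, selected or not, increments this

    def observe_packet(self, flow_key) -> bool:
        """Return True if the packet belongs to a selected Flow."""
        if flow_key in self.flow_cache:
            self.flow_cache[flow_key] += 1
            return True
        if flow_key in self.not_selected:
            return False
        # First packet of a new Flow: the selection decision is made here and only here.
        position = self.new_flow_counter % (self.interval + self.spacing)
        self.new_flow_counter += 1
        if position < self.interval:
            self.flow_cache[flow_key] = 1
            return True
        self.not_selected.add(flow_key)
        return False

    def report(self) -> dict:
        """Counters a Selector would export for this document's reporting IEs."""
        return {
            "selectorIDTotalFlowsObserved": self.new_flow_counter,
            "selectorIDTotalFlowsSelected": len(self.flow_cache),
        }


def every_nth_flow(n: int) -> SystematicCountBasedFlowSelector:
    """Periodic selection of one Flow out of every n new Flows: interval 1, spacing n-1."""
    if n < 1:
        raise ValueError("n must be >= 1")
    return SystematicCountBasedFlowSelector(interval=1, spacing=n - 1)


def run_trace(selector: SystematicCountBasedFlowSelector, trace=PACKET_TRACE) -> list:
    """Feed a packet trace through the selector and return the per-packet decisions."""
    return [selector.observe_packet(key) for key in trace]


if __name__ == "__main__":
    sel = SystematicCountBasedFlowSelector(interval=2, spacing=1)
    print(run_trace(sel))
    print(sorted(sel.flow_cache), sorted(sel.not_selected), sel.report())
```

The set of non-selected Flow Keys grows with the number of Flows observed, which is the memory price of making the decision on the first packet; a deployment has to expire entries from it with the same idle timeout it uses for the Flow Cache, or later packets of an expired non-selected Flow would be treated as a new Flow and could be selected.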
For random n-out-of-N Flow sampling:
- Population Size N: The number of all Flows in the Population from which the sample is drawn.
- Sampling Size n: The number of Flows that are randomly drawn from the population N.
For probabilistic Flow sampling:
- Sampling probability p: Defines the probability by which each of the observed Flows is selected.
The configuration of Flow-state dependent packet selection has not been described in [RFC5475]; therefore, the parameters are defined here:
For Flow-state Dependent Packet Selection:
- Packet selection probability per possible Flow state interval: Defines multiple {Flow interval, packet selection probability} value pairs that configure the sampling probability, depending on the current Flow state.
- Additional parameters: For the configuration of Flow-state dependent packet selection, additional parameters or packet properties may be required, e.g., the packet size [EsVa01].
8. Information Model for Intermediate Flow Selection Process Configuration and Reporting
This section specifies the Information Elements that MUST be exported by an Intermediate Flow Selection Process in order to support the interpretation of measurement results from Flow measurements. The information is mainly used to report how many packets and Flows have been observed in total and how many of them were selected. This helps, for instance, to calculate the Attained Selection Fraction (see also [RFC5476]), which is an important parameter for providing an accuracy statement. The IEs can provide reporting information about Flow Records, packets, or bytes. The reported metrics are the total number of elements and the number of selected elements. The number of dropped elements can be derived from this information.
Table 2 shows a list of Intermediate Flow Selection Process Information Elements:
ID   Name                          | ID   Name
-----------------------------------+-----------------------------------
301  selectionSequenceID           | 302  selectorID
390  flowSelectorAlgorithm         | 1    octetDeltaCount
391  flowSelectedOctetDeltaCount   | 2    packetDeltaCount
392  flowSelectedPacketDeltaCount  | 3    originalFlowsPresent
393  flowSelectedFlowDeltaCount    | 394  selectorIDTotalFlowsObserved
395  selectorIDTotalFlowsSelected  | 396  samplingFlowInterval
397  samplingFlowSpacing           | 309  samplingSize
310  samplingPopulation            | 311  samplingProbability
398  flowSamplingTimeInterval      | 399  flowSamplingTimeSpacing
326  digestHashValue               | 400  hashFlowDomain
329  hashOutputRangeMin            | 330  hashOutputRangeMax
331  hashSelectedRangeMin          | 332  hashSelectedRangeMax
333  hashDigestOutput              | 334  hashInitialiserValue
320  absoluteError                 | 321  relativeError
336  upperCILimit                  | 337  lowerCILimit
338  confidenceLevel               |

Table 2: Intermediate Flow Selection Process Information Elements
IANA has registered the following IEs in the "IPFIX Information Elements" registry at http://www.iana.org/assignments/ipfix/.
Description:
说明:
This Information Element identifies the Intermediate Flow Selection Process technique (e.g., Filtering, Sampling) that is applied by the Intermediate Flow Selection Process. Most of these techniques have parameters; configuration parameter(s) MUST be clearly specified. Further Information Elements are needed to fully specify packet selection with these methods and all their parameters. Further method identifiers may be added to the list below. It might be necessary to define new Information Elements to specify their parameters. The flowSelectorAlgorithm registry is maintained by IANA. New assignments for the registry will be administered by IANA, on a First Come First Served basis [RFC5226], subject to Expert Review [RFC5226]. Please note that the purpose of the flow selection techniques described in this document is the improvement of measurement functions as defined in the Introduction (Section 1). Before adding new flow selector algorithms, their intended purposes should be determined, especially if those purposes contradict any policies defined in [RFC2804]. The designated expert(s) should consult with the community if a request that runs counter to [RFC2804] is received. The registry can be updated when specifications of the new method(s) and any new Information Elements are provided. The group of experts must double-check the flowSelectorAlgorithm definitions and Information Elements with already-defined flowSelectorAlgorithm definitions and Information Elements for completeness, accuracy, and redundancy. Those experts will initially be drawn from the Working Group Chairs and document editors of the IPFIX and PSAMP Working Groups. The following identifiers for Intermediate Flow Selection Process Techniques are defined here:
该信息元素标识中间流选择过程应用的中间流选择过程技术(例如,过滤、采样)。这些技术大多数都有参数;必须明确指定配置参数。需要更多的信息元素来使用这些方法及其所有参数完全指定数据包选择。进一步的方法标识符可以添加到下面的列表中。可能需要定义新的信息元素来指定其参数。flowSelectorAlgorithm注册表由IANA维护。注册处的新任务将由IANA管理,先到先得[RFC5226],并接受专家评审[RFC5226]。请注意,本文件中描述的流量选择技术的目的是改进引言(第1节)中定义的测量功能。在添加新的流选择器算法之前,应确定其预期目的,尤其是当这些目的与[RFC2804]中定义的任何策略相矛盾时。如果收到与[RFC2804]相反的请求,指定专家应咨询社区。当提供新方法的规范和任何新信息元素时,可以更新注册表。专家组必须使用已定义的flowSelectorAlgorithm定义和信息元素,仔细检查flowSelectorAlgorithm定义和信息元素的完整性、准确性和冗余性。这些专家最初将来自IPFIX和PSAMP工作组的工作组主席和文件编辑。此处定义了中间流选择过程技术的以下标识符:
+----+------------------------+--------------------------+ | ID | Technique | Parameters | +----+------------------------+--------------------------+ | 1 | Systematic count-based | flowSamplingInterval | | | Sampling | flowSamplingSpacing | +----+------------------------+--------------------------+ | 2 | Systematic time-based | flowSamplingTimeInterval | | | Sampling | flowSamplingTimeSpacing | +----+------------------------+--------------------------+ | 3 | Random n-out-of-N | samplingSize | | | Sampling | samplingPopulation | +----+------------------------+--------------------------+ | 4 | Uniform probabilistic | samplingProbability | | | Sampling | | +----+------------------------+--------------------------+ | 5 | Property Match | Information Element | | | Filtering | Value Range | +----+------------------------+--------------------------+ | Hash-based Filtering | hashInitialiserValue | +----+------------------------+ hashFlowDomain | | 6 | using BOB | hashSelectedRangeMin | +----+------------------------+ hashSelectedRangeMax | | 7 | using IPSX | hashOutputRangeMin | +----+------------------------+ hashOutputRangeMax | | 8 | using CRC | | +----+------------------------+--------------------------+ | 9 | Flow-state Dependent |No agreed Parameters | | | Intermediate Flow | | | | Selection Process | | +----+------------------------+--------------------------+
+----+------------------------+--------------------------+ | ID | Technique | Parameters | +----+------------------------+--------------------------+ | 1 | Systematic count-based | flowSamplingInterval | | | Sampling | flowSamplingSpacing | +----+------------------------+--------------------------+ | 2 | Systematic time-based | flowSamplingTimeInterval | | | Sampling | flowSamplingTimeSpacing | +----+------------------------+--------------------------+ | 3 | Random n-out-of-N | samplingSize | | | Sampling | samplingPopulation | +----+------------------------+--------------------------+ | 4 | Uniform probabilistic | samplingProbability | | | Sampling | | +----+------------------------+--------------------------+ | 5 | Property Match | Information Element | | | Filtering | Value Range | +----+------------------------+--------------------------+ | Hash-based Filtering | hashInitialiserValue | +----+------------------------+ hashFlowDomain | | 6 | using BOB | hashSelectedRangeMin | +----+------------------------+ hashSelectedRangeMax | | 7 | using IPSX | hashOutputRangeMin | +----+------------------------+ hashOutputRangeMax | | 8 | using CRC | | +----+------------------------+--------------------------+ | 9 | Flow-state Dependent |No agreed Parameters | | | Intermediate Flow | | | | Selection Process | | +----+------------------------+--------------------------+
Table 3: Intermediate Flow Selection Process Techniques
表3:中间流程选择工艺技术
Abstract Data Type: unsigned16
抽象数据类型:unsigned16
ElementId: 390
元素ID:390
Data Type Semantics: identifier
数据类型语义:标识符
Status: current
状态:当前
Description:
说明:
This Information Element specifies the volume in octets of all Flows that are selected in the Intermediate Flow Selection Process since the previous report.
此信息元素指定自上次报告以来在中间流选择过程中选择的所有流的体积(以八位字节为单位)。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 391
元素ID:391
Units: octets
单位:八位字节
Status: current
状态:当前
Description:
说明:
This Information Element specifies the volume in packets of all Flows that were selected in the Intermediate Flow Selection Process since the previous report.
此信息元素指定自上次报告以来在中间流选择过程中选择的所有流的数据包中的体积。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 392
元素ID:392
Units: packets
单位:小包
Status: current
状态:当前
Description:
说明:
This Information Element specifies the number of Flows that were selected in the Intermediate Flow Selection Process since the last report.
此信息元素指定自上次报告以来在中间流选择过程中选择的流数。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 393
元素ID:393
Units: flows
单位:流量
Status: current
状态:当前
Description:
说明:
This Information Element specifies the total number of Flows observed by a Selector, for a specific value of SelectorID. This Information Element should be used in an Options Template scoped to the observation to which it refers. See Section 3.4.2.1 of the IPFIX protocol document [RFC7011].
此信息元素指定选择器观察到的特定SelectorID值的流总数。此信息元素应在一个选项模板中使用,该模板的作用域为它所引用的观测值。参见IPFIX协议文件[RFC7011]第3.4.2.1节。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 394
元素ID:394
Units: flows
单位:流量
Status: current
状态:当前
Description:
说明:
This Information Element specifies the total number of Flows selected by a Selector, for a specific value of SelectorID. This Information Element should be used in an Options Template scoped to the observation to which it refers. See Section 3.4.2.1 of the IPFIX protocol document [RFC7011].
此信息元素指定选择器为特定的SelectorID值选择的流总数。此信息元素应在一个选项模板中使用,该模板的作用域为它所引用的观测值。参见IPFIX协议文件[RFC7011]第3.4.2.1节。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 395
元素ID:395
Units: flows
单位:流量
Status: current
状态:当前
Description:
说明:
This Information Element specifies the number of Flows that are consecutively sampled. A value of 100 means that 100 consecutive Flows are sampled. For example, this Information Element may be used to describe the configuration of a systematic count-based Sampling Selector.
此信息元素指定连续采样的流数。值100表示对100个连续流进行采样。例如,该信息元素可用于描述基于系统计数的采样选择器的配置。
Abstract Data Type: unsigned64
抽象数据类型:unsigned64
ElementId: 396
元素ID:396
Units: flows
单位:流量
Status: current
状态:当前
Description:
This Information Element specifies the number of Flows between two "samplingFlowInterval"s. A value of 100 means that the next interval starts 100 Flows (which are not sampled) after the current "samplingFlowInterval" is over. For example, this Information Element may be used to describe the configuration of a systematic count-based Sampling Selector.
Abstract Data Type: unsigned64
ElementId: 397
Units: flows
Status: current
Description:
This Information Element specifies the time interval in microseconds during which all arriving Flows are sampled. For example, this Information Element may be used to describe the configuration of a systematic time-based Sampling Selector.
Abstract Data Type: unsigned64
ElementId: 398
Units: microseconds
Status: current
Description:
This Information Element specifies the time interval in microseconds between two "flowSamplingTimeInterval"s. A value of 100 means that the next interval starts 100 microseconds (during which no Flows are sampled) after the current "flowSamplingTimeInterval" is over. For example, this Information Element may be used to describe the configuration of a systematic time-based Sampling Selector.
Abstract Data Type: unsigned64
ElementId: 399
Units: microseconds
Status: current
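The four parameters above (ElementIds 396 to 399) are enough to drive a systematic Sampling Selector, and the per-selector count of selected Flows described at ElementId 395 is what such a selector reports about itself. The following is an added example written for this page, not code from RFC 7014 or from any IPFIX implementation; the Flow record, the two selector classes and the twelve constructed Flows are assumptions made for illustration, while the parameter names mirror the Information Elements:

```python
# Systematic Flow sampling driven by the RFC 7014 parameters defined above.
# Added example; not code from RFC 7014 or from any IPFIX implementation.
# The Flow record, the selector classes and the sample Flow list are
# assumptions for illustration. Parameter names mirror the Information
# Elements: samplingFlowInterval / samplingFlowSpacing (counted in Flows) and
# flowSamplingTimeInterval / flowSamplingTimeSpacing (in microseconds).
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start_us: int   # Flow start time as seen by the selector, in microseconds
    src: str
    dst: str


class CountBasedSelector:
    """Systematic count-based Sampling: select samplingFlowInterval consecutive
    Flows, skip the next samplingFlowSpacing Flows, and repeat."""

    def __init__(self, sampling_flow_interval: int, sampling_flow_spacing: int):
        if sampling_flow_interval <= 0 or sampling_flow_spacing < 0:
            raise ValueError("samplingFlowInterval must be > 0, samplingFlowSpacing >= 0")
        self.interval = sampling_flow_interval
        self.spacing = sampling_flow_spacing
        self.observed = 0   # every Flow passed through this selector
        self.selected = 0   # Flows selected (the count ElementId 395 reports)

    def select(self, flow: Flow) -> bool:
        # Position inside the repeating pattern [interval selected][spacing skipped].
        pos = self.observed % (self.interval + self.spacing)
        self.observed += 1
        chosen = pos < self.interval
        self.selected += int(chosen)
        return chosen


class TimeBasedSelector:
    """Systematic time-based Sampling: select every Flow that starts inside a
    flowSamplingTimeInterval window, none during the following
    flowSamplingTimeSpacing, and repeat from start_us onwards."""

    def __init__(self, flow_sampling_time_interval: int,
                 flow_sampling_time_spacing: int, start_us: int = 0):
        if flow_sampling_time_interval <= 0 or flow_sampling_time_spacing < 0:
            raise ValueError("flowSamplingTimeInterval must be > 0, flowSamplingTimeSpacing >= 0")
        self.interval = flow_sampling_time_interval
        self.spacing = flow_sampling_time_spacing
        self.start_us = start_us
        self.observed = 0
        self.selected = 0

    def select(self, flow: Flow) -> bool:
        self.observed += 1
        if flow.start_us < self.start_us:   # before the first window: never selected
            return False
        offset = (flow.start_us - self.start_us) % (self.interval + self.spacing)
        chosen = offset < self.interval
        self.selected += int(chosen)
        return chosen


def run_selector(selector, flows):
    """Feed Flows to a selector in arrival order; return the selected subset."""
    return [f for f in flows if selector.select(f)]


def sample_flows():
    """Constructed input: twelve Flows starting 100 microseconds apart."""
    return [Flow(start_us=100 * i, src=f"10.0.0.{i}", dst="192.0.2.1") for i in range(12)]


def demo() -> dict:
    flows = sample_flows()
    # samplingFlowInterval=2, samplingFlowSpacing=3: pattern SS...SS...SS
    count_sel = CountBasedSelector(2, 3)
    count_picked = run_selector(count_sel, flows)
    # flowSamplingTimeInterval=250us, flowSamplingTimeSpacing=250us: the windows
    # [0,250), [500,750) and [1000,1250) are sampled; the gaps between are not.
    time_sel = TimeBasedSelector(250, 250)
    time_picked = run_selector(time_sel, flows)
    return {
        "count_based": [f.start_us for f in count_picked],
        "count_observed": count_sel.observed, "count_selected": count_sel.selected,
        "time_based": [f.start_us for f in time_picked],
        "time_observed": time_sel.observed, "time_selected": time_sel.selected,
    }


if __name__ == "__main__":
    print(demo())
```

Feeding each Flow through select() in arrival order is what makes the count-based pattern deterministic; for the time-based selector the decision depends only on the Flow start time and the configured start of the first window, which is exactly the knowledge the Security Considerations warn an adversary can obtain by sending test packets and then scheduling traffic into the unsampled gaps.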
Description:
This Information Element specifies the Information Elements that are used by the Hash-based Flow Selector as the Hash Domain.
Abstract Data Type: unsigned16
ElementId: 400
Data Type Semantics: identifier
Status: current
IANA has registered the following OID in the IPFIX-SELECTOR-MIB Functions subregistry at http://www.iana.org/assignments/smi-numbers according to the procedures set forth in [RFC6615].

+---------+-----------------------+---------------------+-----------+
| Decimal | Name                  | Description         | Reference |
+---------+-----------------------+---------------------+-----------+
| 8       | flowSelectorAlgorithm | This Object         | [RFC7014] |
|         |                       | Identifier          |           |
|         |                       | identifies the      |           |
|         |                       | Intermediate Flow   |           |
|         |                       | Selection Process   |           |
|         |                       | technique (e.g.,    |           |
|         |                       | Filtering,          |           |
|         |                       | Sampling) that is   |           |
|         |                       | applied by the      |           |
|         |                       | Intermediate Flow   |           |
|         |                       | Selection Process   |           |
+---------+-----------------------+---------------------+-----------+

Table 4: Object Identifiers to Be Registered
Flow data exported by Exporting Processes, and collected by Collecting Processes, can be sensitive for privacy reasons and need to be protected. Privacy considerations for collected data are provided in [RFC7011].

Some of the described Intermediate Flow Selection Process techniques (e.g., Flow Sampling, Hash-based Flow Filtering) aim at the selection of a representative subset of Flows in order to estimate parameters of the population. An adversary may have incentives to influence the selection of Flows, for example, to circumvent accounting or to avoid the detection of packets that are part of an attack.

Security considerations concerning the choice of a hash function for Hash-based packet selection have been discussed in Section 6.2.3 of [RFC5475] and apply equally to Hash-based Flow Selection. [RFC5475] discusses the possibility of crafting Packet Streams that are disproportionately selected, or that can be used to discover the hash function parameters. It also describes the vulnerability of different hash functions to these attacks and discusses practices to minimize these vulnerabilities.

For other Sampling approaches, an adversary can gain knowledge about the start and stop triggers of time-based systematic Sampling, e.g., by sending test packets. This knowledge might allow adversaries to modify their send schedule in such a way that their packets are disproportionately selected or not selected. For random Sampling, the selection decision should depend on a secret, unpredictable input to the pseudorandom process, such as the Initialization Vector of a block cipher in CBC (Cipher Block Chaining) mode [Dw01], so that an adversary cannot predict the selection decision.
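To make the hash-based attack described above concrete, here is an added example, written for this page rather than taken from RFC 7014 or RFC 5475, of Hash-based Flow Selection with a public hash and with a keyed one. The Hash Domain (the 5-tuple), CRC-32 as a stand-in for a hash whose parameters the adversary knows, HMAC-SHA-256 under a secret key as the keyed alternative, and the 1/16 selection range are all assumptions made for illustration:

```python
# Hash-based Flow Selection and the attack sketched above: an adversary who
# knows the hash function and the selection range can craft Flows that are
# never selected (to evade accounting or detection) or always selected (to
# overload or bias whatever follows). Added example, not code from RFC 7014 or
# RFC 5475. The Hash Domain (the 5-tuple), CRC-32 as the stand-in for a public
# hash, HMAC-SHA-256 with a secret key as the stand-in for a keyed hash, and
# the 1/16 selection range are assumptions made for illustration.
import hashlib
import hmac
import zlib
from typing import Callable, Tuple

FlowKey = Tuple[str, str, int, int, int]   # (srcIP, dstIP, srcPort, dstPort, proto)
HashFn = Callable[[FlowKey], int]           # 32-bit hash over the Hash Domain

SELECTION_RANGE = (0, 1 << 28)              # 1/16 of the 32-bit hash space


def hash_domain(key: FlowKey) -> bytes:
    """Serialise the Information Elements that make up the Hash Domain."""
    src, dst, sport, dport, proto = key
    return f"{src}|{dst}|{sport}|{dport}|{proto}".encode()


def public_hash(key: FlowKey) -> int:
    """Unkeyed hash: anyone can compute it, so anyone can predict selection."""
    return zlib.crc32(hash_domain(key)) & 0xFFFFFFFF


def keyed_hash(secret: bytes) -> HashFn:
    """Keyed hash: without the secret the selection decision is unpredictable."""
    def h(key: FlowKey) -> int:
        mac = hmac.new(secret, hash_domain(key), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")
    return h


class HashFlowSelector:
    """Select a Flow when its hash falls inside the range [lo, hi)."""

    def __init__(self, hash_fn: HashFn, selection_range=SELECTION_RANGE):
        self.hash_fn = hash_fn
        self.lo, self.hi = selection_range
        self.observed = 0
        self.selected = 0

    def select(self, key: FlowKey) -> bool:
        self.observed += 1
        chosen = self.lo <= self.hash_fn(key) < self.hi
        self.selected += int(chosen)
        return chosen


def craft_flows(known_hash: HashFn, selection_range, base: FlowKey,
                n: int, want_selected: bool) -> list:
    """Adversary's search: vary the source port (and, if exhausted, the
    destination port) of a base Flow until n distinct Flows with the desired
    selection outcome under the known hash have been found."""
    lo, hi = selection_range
    src, dst, _, dport0, proto = base
    found, i = [], 0
    while len(found) < n:
        key = (src, dst, 1024 + i % 64512, dport0 + i // 64512, proto)
        i += 1
        in_range = lo <= known_hash(key) < hi
        if in_range == want_selected:
            found.append(key)
    return found


def demo(secret: bytes = b"demo-secret-do-not-reuse") -> dict:
    base: FlowKey = ("198.51.100.7", "203.0.113.9", 0, 443, 6)   # constructed
    evade = craft_flows(public_hash, SELECTION_RANGE, base, 200, want_selected=False)
    flood = craft_flows(public_hash, SELECTION_RANGE, base, 200, want_selected=True)

    public = HashFlowSelector(public_hash)
    pub_evade = sum(public.select(k) for k in evade)   # adversary wins: 0 selected
    pub_flood = sum(public.select(k) for k in flood)   # adversary wins: all 200 selected

    keyed = HashFlowSelector(keyed_hash(secret))
    keyed_evade = sum(keyed.select(k) for k in evade)  # back to roughly 200/16
    keyed_flood = sum(keyed.select(k) for k in flood)  # for both crafted sets
    return {"public_evade": pub_evade, "public_flood": pub_flood,
            "keyed_evade": keyed_evade, "keyed_flood": keyed_flood}


if __name__ == "__main__":
    print(demo())
```

With the public hash the adversary's search succeeds completely: all 200 crafted Flows in the first set evade selection and all 200 in the second are selected, the two outcomes the text calls "disproportionately selected or not selected". Against the keyed selector the same crafted Flows are selected at roughly the configured 1/16 rate, because the adversary cannot evaluate the hash. The secret then becomes part of the configuration that the requirements below say must be transmitted encrypted and only between authenticated parties, and it has to be shared by every selector that is meant to make consistent decisions on the same Flows.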
Further security threats can occur when Intermediate Flow Selection Process parameters are configured or communicated to other entities. The protocol(s) for the configuration and reporting of Intermediate Flow Selection Process parameters are out of scope for this document. Nevertheless, a set of initial requirements for future configuration and reporting protocols is stated below:

1. Protection against disclosure of configuration information: Intermediate Flow Selection Process configuration information describes the Intermediate Flow Selection Process and its parameters. This information can be useful to attackers. Attackers may craft packets that never fit the selection criteria in order to prevent Flows from being seen by the Intermediate Flow Selection Process. They can also craft a lot of packets that fit the selection criteria and overload or bias subsequent processes. Therefore, any transmission of configuration data (e.g., to configure a process or to report its actual status) should be protected by encryption.

2. Protection against modification of configuration information: Sending incorrect configuration information to the Intermediate Flow Selection Process can lead to a malfunction of the Intermediate Flow Selection Process. Additionally, reporting incorrect configuration information from the Intermediate Flow Selection Process to other processes can lead to incorrect estimations at subsequent processes. Therefore, any protocol that transmits configuration information should prevent an attacker from modifying configuration information. Data integrity can be achieved by authenticating the data.

3. Protection against malicious nodes sending configuration information: The remote configuration of Intermediate Flow Selection Process techniques should be protected against access by unauthorized nodes. This can be achieved by access control lists at the device that hosts the Intermediate Flow Selection Process (e.g., IPFIX Exporter, IPFIX Mediator, or IPFIX Collector) and by source authentication. The reporting of configuration data from an Intermediate Flow Selection Process has to be protected in the same way. That means that protocols that report configuration data from the Intermediate Flow Selection Process to other processes also need to protect against unauthorized nodes reporting configuration information.

The security threats that originate from communicating configuration information to and from Intermediate Flow Selection Processes cannot be assessed solely with the information given in this document. A further and more detailed assessment of security threats is necessary when a specific protocol for the configuration or reporting of configuration data is proposed.
We would like to thank the IPFIX group, especially Brian Trammell, Paul Aitken, and Benoit Claise, for fruitful discussions and for proofreading the document.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", RFC 5475, March 2009.
[RFC5476] Claise, B., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, March 2009.
[RFC6615] Dietz, T., Kobayashi, A., Claise, B., and G. Muenz, "Definitions of Managed Objects for IP Flow Information Export", RFC 6615, June 2012.
[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, September 2013.
[RFC7012] Claise, B., Ed. and B. Trammell, Ed., "Information Model for IP Flow Information Export (IPFIX)", RFC 7012, September 2013.
[Bra75] Brayer, K., "Evaluation of 32 Degree Polynomials in Error Detection on the SATIN IV Autovon Error Patterns", National Technical Information Service, August 1975.
[CoHa08] Cormode, G. and M. Hadjieleftheriou, "Finding Frequent Items in Data Streams", Proceedings of the 34th International Conference on Very Large DataBases (VLDB), Auckland, New Zealand, Volume 1, Issue 2, pages 1530-1541, August 2008.
[DuLT01] Duffield, N., Lund, C., and M. Thorup, "Charging from Sampled Network Usage", ACM SIGCOMM Internet Measurement Workshop (IMW) 2001, pages 245-256, San Francisco, CA, USA, November 2001.
[Dw01] Dworkin, M., "Recommendation for Block Cipher Modes of Operation - Methods and Techniques", NIST Special Publication 800-38A, December 2001.
[EsVa01] Estan, C. and G. Varghese, "New Directions in Traffic Measurement and Accounting: Focusing on the Elephants, Ignoring the Mice", ACM SIGCOMM Internet Measurement Workshop (IMW) 2001, San Francisco, CA, USA, November 2001.
[IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities Registry", <http://www.iana.org/assignments/ipfix/>.
[KaPS03] Karp, R., Papadimitriou, C., and S. Shenker, "A simple algorithm for finding frequent elements in sets and bags", ACM Transactions on Database Systems, Volume 28, pages 51-55, March 2003.
[MSZC10] Mai, J., Sridharan, A., Zang, H., and C. Chuah, "Fast Filtered Sampling", Computer Networks Volume 54, Issue 11, pages 1885-1898, ISSN 1389-1286, August 2010.
[MaMo02] Manku, G. and R. Motwani, "Approximate Frequency Counts over Data Streams", Proceedings of the 28th International Conference on Very Large DataBases (VLDB), Hong Kong, China, pages 346-357, August 2002.
[RFC2804] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May 2000.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.
[RFC6183] Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi, "IP Flow Information Export (IPFIX) Mediation: Framework", RFC 6183, April 2011.
Authors' Addresses

Salvatore D'Antonio
University of Napoli "Parthenope"
Centro Direzionale di Napoli Is. C4
Naples 80143
Italy

Phone: +39 081 5476766
EMail: salvatore.dantonio@uniparthenope.it

Tanja Zseby
CAIDA/FhG FOKUS
San Diego Supercomputer Center (SDSC)
University of California, San Diego (UCSD)
9500 Gilman Drive
La Jolla, CA 92093-0505
USA

EMail: tanja.zseby@tuwien.ac.at

Christian Henke
Tektronix Communications Berlin
Wohlrabedamm 32
Berlin 13629
Germany

Phone: +49 17 2323 8717
EMail: christian.henke@tektronix.com

Lorenzo Peluso
University of Napoli
Via Claudio 21
Napoli 80125
Italy

Phone: +39 081 7683821
EMail: lorenzo.peluso@unina.it