
IPFIX Mediation: Framework (IPFIX, IETF-77, March 23, 2010)

draft-ietf-ipfix-mediators-framework-05. Atsushi Kobayashi, Benoit Claise, Gerhard Munz, Keisuke Ishibashi


  1. IPFIX Mediation: Framework
     - IPFIX, IETF-77, March 23, 2010
     - draft-ietf-ipfix-mediators-framework-05
     - Atsushi Kobayashi, Benoit Claise, Gerhard Munz, Keisuke Ishibashi

  2. History
     - Submitted -04 version in October 2009.
     - Received comments from Dan.
     - Luckily, Dan reviewed it along with the problem statement draft. ;-)
     - All comments from Dan are resolved in -05.
     - Submitted -05 version in March.
     - Changes from -04 to -05
       - Improved wording based on Gerhard's detailed review.
       - Feedback from the problem statement draft
       - Deleted terms: IPFIX Proxy, Concentrator, Distributor, Masquerading Proxy
     - There are still some open issues.

  3. Observation Domain ID (ODID)
     - Does the ODID from the Mediator indicate the largest set of Observation Points?
       - In some cases, no, e.g., aggregation of Flow Records.
     - Can the Collector know the ODID value from the Original Exporter?
       - Yes. An IPFIX Mediator has a function to export observation location information.
       - As far as privacy policy permits, the Mediator reports the information to a Collector.
     - What does observation location info include?
       - Original Exporter IP address
       - Observation Domain ID
       - If possible, port number
       - Different Exporting Processes on a Collector can be identified.

  4. How to export the information
     - How does the Mediator export the observation location information?
       - This information is inserted into Data Records.
       - This information is encoded by using "commonPropertiesId" [RFC5473].
     - [Figure: Original Exporter, IPFIX, Mediator, IPFIX, Collector. Labels: Data Records; Data Records + commonProId; Options Data Record: commonProId, IP#a, ODID#a, PortNo.#a]

  5. How to verify the identity of an Exporter
     - How does the Collector verify the identity of the Original Exporter?
       - a) Mediator exports the certificate of the Original Exporter.
         [Figure: Original Exporter, IPFIX, Mediator, IPFIX, Collector. Labels: Certificate of Original Exporter; IPFIX over TLS; IPFIX over TLS]
       - b) Mediator exports the report to verify the identity of the Original Exporter.
         [Figure: Original Exporter, IPFIX, Mediator, IPFIX, Collector. Labels: "I trust the Original Exporter."; report; IPFIX over TLS; IPFIX over TLS]

  6. How to verify the confidentiality
     - How does the Collector verify the confidentiality of the Transport Session between the Original Exporter and the Mediator?
       [Figure: Original Exporter, IPFIX, Mediator, IPFIX, Collector. Labels: "I cannot verify the confidentiality from Original Exporter."; IPFIX over TLS; IPFIX over UDP]
     - Mediator exports the report about the confidentiality of the incoming Transport Session.
       [Figure: Original Exporter, IPFIX, Mediator, IPFIX, Collector. Labels: "Incoming Transport Session does not use TLS/DTLS."; report; IPFIX over TLS; IPFIX over UDP]

  7. Added possible new IEs
     - Observation location information: Original Exporter IP address, Observation Domain ID, and source port number about the Transport Session at Original Exporter
     - Certificate of an Original Exporter
     - Report that Mediator verifies the identity of an Original Exporter
     - Report about the confidentiality for incoming Transport Session between an Original Exporter and an IPFIX Mediator

  8. Next Step
     - All feedback from the problem statement draft will be included in the next version.
     - I am preparing the next version as follows.
       - http://www.nttv6.net/~akoba/wdiff-fk05-fk06-01.html
     - Need to be consistent with the Mediation Protocol draft.
     - Submit it within April.
     - And then it will go to WG Last Call.
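
The lookup described on slide 4, seen from the Collector: an added example, not code from the draft or its authors. The fixed record layouts and every field other than commonPropertiesId are assumptions standing in for the "possible new IEs" on slide 7, and the sample records are constructed.

```python
import ipaddress
import struct

# Record layouts are assumptions made for this example (network byte order).
# Only commonPropertiesId comes from the slides; the other fields stand in for
# the "possible new IEs" listed on slide 7.
OPTS = struct.Struct("!Q4sIH")   # commonPropertiesId, exporter IPv4, ODID, source port
FLOW = struct.Struct("!4s4sQQ")  # src IPv4, dst IPv4, octets, commonPropertiesId


class LocationResolver:
    """Collector-side join of Data Records with the Mediator's Options Data Records."""

    def __init__(self):
        self.locations = {}  # commonPropertiesId -> observation location
        self.pending = {}    # commonPropertiesId -> flows seen before the mapping

    def on_options_record(self, raw):
        cpid, ip, odid, port = OPTS.unpack(raw)
        self.locations[cpid] = {"exporter_ip": str(ipaddress.IPv4Address(ip)),
                                "odid": odid, "port": port}
        # Release flows that arrived before this mapping (possible on unordered transports).
        return [dict(f, **self.locations[cpid]) for f in self.pending.pop(cpid, [])]

    def on_data_record(self, raw):
        src, dst, octets, cpid = FLOW.unpack(raw)
        flow = {"src": str(ipaddress.IPv4Address(src)),
                "dst": str(ipaddress.IPv4Address(dst)), "octets": octets}
        if cpid not in self.locations:
            # Never guess a location: hold the flow until the Mediator explains the id.
            self.pending.setdefault(cpid, []).append(flow)
            return None
        return dict(flow, **self.locations[cpid])


def ip4(text):
    return ipaddress.IPv4Address(text).packed


# Constructed sample input: two Original Exporters behind one Mediator.
SAMPLE_OPTIONS = [OPTS.pack(1, ip4("192.0.2.10"), 100, 4739),
                  OPTS.pack(2, ip4("192.0.2.20"), 7, 50001)]
SAMPLE_FLOWS = [FLOW.pack(ip4("198.51.100.1"), ip4("203.0.113.5"), 1500, 1),
                FLOW.pack(ip4("198.51.100.9"), ip4("203.0.113.5"), 64, 2)]

if __name__ == "__main__":
    r = LocationResolver()
    print(r.on_data_record(SAMPLE_FLOWS[1]))       # held: mapping for id 2 not seen yet
    print(r.on_options_record(SAMPLE_OPTIONS[1]))  # releases the held flow, now attributed
```

Holding unattributed flows instead of defaulting to the Mediator's own address keeps records from being credited to the wrong Original Exporter.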
