summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5476.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5476.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5476.txt')
-rw-r--r--doc/rfc/rfc5476.txt2523
1 files changed, 2523 insertions, 0 deletions
diff --git a/doc/rfc/rfc5476.txt b/doc/rfc/rfc5476.txt
new file mode 100644
index 0000000..c5c2d2d
--- /dev/null
+++ b/doc/rfc/rfc5476.txt
@@ -0,0 +1,2523 @@
+
+
+
+
+
+
+Network Working Group B. Claise, Ed.
+Request for Comments: 5476 A. Johnson
+Category: Standards Track Cisco Systems, Inc.
+ J. Quittek
+ NEC Europe Ltd.
+ March 2009
+
+
+ Packet Sampling (PSAMP) Protocol Specifications
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (c) 2009 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents in effect on the date of
+ publication of this document (http://trustee.ietf.org/license-info).
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 1]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+Abstract
+
+ This document specifies the export of packet information from a
+ Packet SAMPling (PSAMP) Exporting Process to a PSAMP Collecting
+ Process. For export of packet information, the IP Flow Information
+ eXport (IPFIX) protocol is used, as both the IPFIX and PSAMP
+ architecture match very well, and the means provided by the IPFIX
+ protocol are sufficient. The document specifies in detail how the
+ IPFIX protocol is used for PSAMP export of packet information.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Conventions Used in This Document ..........................3
+ 2. PSAMP Documents Overview ........................................4
+ 3. Terminology .....................................................4
+ 3.1. IPFIX Terminology ..........................................4
+ 3.2. PSAMP Terminology ..........................................5
+ 3.2.1. Packet Streams and Packet Content ...................5
+ 3.2.2. Selection Process ...................................6
+ 3.2.3. Reporting ...........................................7
+ 3.2.4. Metering Process ....................................8
+ 3.2.5. Exporting Process ...................................8
+ 3.2.6. PSAMP Device ........................................8
+ 3.2.7. Collector ...........................................8
+ 3.2.8. Selection Methods ...................................9
+ 3.3. IPFIX and PSAMP Terminology Comparison ....................11
+ 3.3.1. IPFIX and PSAMP Processes ..........................11
+ 3.3.2. Packet Report, Packet Interpretation, and
+ Data Record ........................................12
+ 4. Differences between PSAMP and IPFIX ............................12
+ 4.1. Architecture Point of View ................................12
+ 4.2. Protocol Point of View ....................................14
+ 4.3. Information Model Point of View ...........................14
+ 5. PSAMP Requirements versus the IPFIX Solution ...................14
+ 5.1. High-Level View of the Integration ........................15
+ 6. Using the IPFIX Protocol for PSAMP .............................16
+ 6.1. Selector ID ...............................................17
+ 6.2. The Selection Sequence ID .................................17
+ 6.3. The Exporting Process .....................................17
+ 6.4. Packet Report .............................................17
+ 6.4.1. Basic Packet Report ................................17
+ 6.4.2. Extended Packet Report .............................21
+ 6.5. Report Interpretation .....................................22
+ 6.5.1. Selection Sequence Report Interpretation ...........23
+ 6.5.2. Selector Report Interpretation .....................25
+ 6.5.2.1. Systematic Count-Based Sampling ...........25
+ 6.5.2.2. Systematic Time-Based Sampling ............27
+
+
+
+Claise, et al. Standards Track [Page 2]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ 6.5.2.3. Random n-out-of-N Sampling ................28
+ 6.5.2.4. Uniform Probabilistic Sampling ............29
+ 6.5.2.5. Property Match Filtering ..................31
+ 6.5.2.6. Hash-Based Filtering ......................33
+ 6.5.2.7. Other Selection Methods ...................36
+ 6.5.3. Selection Sequence Statistics Report
+ Interpretation .....................................37
+ 6.5.4. Accuracy Report Interpretation .....................39
+ 7. Security Considerations ........................................43
+ 8. IANA Considerations ............................................43
+ 8.1. IPFIX-Related Considerations ..............................43
+ 8.2. PSAMP-Related Considerations ..............................43
+ 9. References .....................................................44
+ 9.1. Normative References ......................................44
+ 9.2. Informative References ....................................44
+ 10. Acknowledgments ...............................................45
+
+1. Introduction
+
+ The name PSAMP is a contraction of the phrase "Packet Sampling". The
+ word "Sampling" captures the idea that only a subset of all packets
+ passing a network element will be selected for reporting. PSAMP
+ selection operations include random selection, deterministic
+ selection, and deterministic approximations to random selection
+ (Hash-based Selection).
+
+ The IP Flow Information eXport (IPFIX) protocol specified in
+ [RFC5101] exports IP traffic information [RFC5102] observed at
+ network devices. This matches the general protocol requirements
+ outlined in the PSAMP framework [RFC5474]. However, there are some
+ architectural differences between IPFIX and PSAMP in the requirements
+ for an export protocol. While the IPFIX architecture [RFC5470] is
+ focused on gathering and exporting IP traffic flow information, the
+ focus of the PSAMP framework [RFC5474] is on exporting information on
+ individual packets. This basic difference and a set of derived
+ differences in protocol requirements are outlined in Section 4.
+ Despite these differences, the IPFIX protocol is well suited for the
+ PSAMP protocol. Section 5 specifies how the IPFIX protocol is used
+ for the export of packet samples. Required extensions of the IPFIX
+ information model are specified in the PSAMP information model
+ [RFC5477].
+
+1.1. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+
+Claise, et al. Standards Track [Page 3]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+2. PSAMP Documents Overview
+
+ This document is one out of a series of documents from the PSAMP
+ group.
+
+ [RFC5474]: "A Framework for Packet Selection and Reporting" describes
+ the PSAMP framework for network elements to select subsets of packets
+ by statistical and other methods, and to export a stream of reports
+ on the selected packets to a Collector.
+
+ [RFC5475]: "Sampling and Filtering Techniques for IP Packet
+ Selection" describes the set of packet selection techniques supported
+ by PSAMP.
+
+ RFC 5476 (this document): "Packet Sampling (PSAMP) Protocol
+ Specifications" specifies the export of packet information from a
+ PSAMP Exporting Process to a PSAMP Collecting Process.
+
+ [RFC5477]: "Information Model for Packet Sampling Exports" defines an
+ information and data model for PSAMP.
+
+3. Terminology
+
+ As the IPFIX export protocol is used to export the PSAMP information,
+ the relevant IPFIX terminology from [RFC5101] is copied over in this
+ document. All terms defined in this section have their first letter
+ capitalized when used in this document. The terminology summary
+ table in Section 3.1 gives a quick overview of the relationships
+ between the different IPFIX terms. The PSAMP terminology defined
+ here is fully consistent with all terms listed in [RFC5475] and
+ [RFC5474], but only definitions that are relevant to the PSAMP
+ protocol appear here. Section 3.3 applies the PSAMP terminology to
+ the IPFIX protocol terminology.
+
+3.1. IPFIX Terminology
+
+ IPFIX-specific terminology used in this document is defined in
+ Section 2 of [RFC5101]. The only exceptions are the Metering
+ Process, Exporting Process, and the Collector terms, which are
+ defined more precisely in the PSAMP terminology section. In this
+ document, as in [RFC5101], the first letter of each IPFIX-specific
+ term is capitalized.
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 4]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ +------------------+---------------------------------------------+
+ | | contents |
+ | +--------------------+------------------------+
+ | Set | Template | record |
+ +------------------+--------------------+------------------------+
+ | Data Set | / | Data Record(s) |
+ +------------------+--------------------+------------------------+
+ | Template Set | Template Record(s) | / |
+ +------------------+--------------------+------------------------+
+ | Options Template | Options Template | / |
+ | Set | Record(s) | |
+ +------------------+--------------------+------------------------+
+
+ Figure A: Terminology Summary Table
+
+3.2. PSAMP Terminology
+
+ The PSAMP terminology section has been copied from [RFC5475].
+
+3.2.1. Packet Streams and Packet Content
+
+ * Observed Packet Stream
+
+ The Observed Packet Stream is the set of all packets observed at
+ the Observation Point.
+
+ * Packet Stream
+
+ A Packet Stream denotes a set of packets from the Observed Packet
+ Stream that flows past some specified point within the Metering
+ Process. An example of a Packet Stream is the output of the
+ Selection Process. Note that packets selected from a stream,
+ e.g., by Sampling, do not necessarily possess a property by which
+ they can be distinguished from packets that have not been
+ selected. For this reason, the term "stream" is favored over
+ "flow", which is defined as a set of packets with common
+ properties [RFC3917].
+
+ * Packet Content
+
+ The Packet Content denotes the union of the packet header (which
+ includes link layer, network layer, and other encapsulation
+ headers) and the packet payload. Note that, depending on the
+ Observation Point, the link layer information might not be
+ available.
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 5]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+3.2.2. Selection Process
+
+ * Selection Process
+
+ A Selection Process takes the Observed Packet Stream as its input
+ and selects a subset of that stream as its output.
+
+ * Selection State
+
+ A Selection Process may maintain state information for use by the
+ Selection Process. At a given time, the Selection State may
+ depend on packets observed at and before that time, and other
+ variables. Examples include:
+
+ (i) sequence numbers of packets at the input of Selectors;
+
+ (ii) a timestamp of observation of the packet at the Observation
+ Point;
+
+ (iii) iterators for pseudorandom number generators;
+
+ (iv) hash values calculated during selection;
+
+ (v) indicators of whether the packet was selected by a given
+ Selector.
+
+ Selection Processes may change portions of the Selection State as
+ a result of processing a packet. Selection state for a packet is
+ to reflect the state after processing the packet.
+
+ * Selector
+
+ A Selector defines the action of a Selection Process on a single
+ packet of its input. If selected, the packet becomes an element
+ of the output Packet Stream.
+
+ The Selector can make use of the following information in
+ determining whether a packet is selected:
+
+ (i) the Packet Content;
+
+ (ii) information derived from the packet's treatment at the
+ Observation Point;
+
+ (iii) any selection state that may be maintained by the Selection
+ Process.
+
+
+
+
+
+Claise, et al. Standards Track [Page 6]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ * Composite Selector
+
+ A Composite Selector is an ordered composition of Selectors, in
+ which the output Packet Stream issuing from one Selector forms the
+ input Packet Stream to the succeeding Selector.
+
+ * Primitive Selector
+
+ A Selector is primitive if it is not a Composite Selector.
+
+ * Selector ID
+
+ The Selector ID is the unique ID identifying a Primitive Selector.
+ The ID is unique within the Observation Domain.
+
+ * Selection Sequence
+
+ From all the packets observed at an Observation Point, only a few
+ packets are selected by one or more Selectors. The Selection
+ Sequence is a unique value per Observation Domain describing the
+ Observation Point and the Selector IDs through which the packets
+ are selected.
+
+3.2.3. Reporting
+
+ * Packet Reports
+
+ Packet Reports comprise a configurable subset of a packet's input
+ to the Selection Process, including the Packet Content,
+ information relating to its treatment (for example, the output
+ interface), and its associated selection state (for example, a
+ hash of the Packet Content).
+
+ * Report Interpretation
+
+ Report Interpretation comprises subsidiary information, relating
+ to one or more packets, that is used for interpretation of their
+ Packet Reports. Examples include configuration parameters of the
+ Selection Process.
+
+ * Report Stream
+
+ The Report Stream is the output of a Metering Process, comprising
+ two distinguished types of information: Packet Reports and Report
+ Interpretation.
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 7]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+3.2.4. Metering Process
+
+ * Metering Process
+
+ A Metering Process selects packets from the Observed Packet Stream
+ using a Selection Process, and produces as output a Report Stream
+ concerning the selected packets.
+
+ The PSAMP Metering Process can be viewed as analogous to the IPFIX
+ Metering Process [RFC5101], which produces Flow Records as its
+ output, with the difference that the PSAMP Metering Process always
+ contains a Selection Process. The relationship between PSAMP and
+ IPFIX is further described in [RFC5477] and [RFC5474].
+
+3.2.5. Exporting Process
+
+ * Exporting Process
+
+ An Exporting Process sends, in the form of Export Packets, the
+ output of one or more Metering Processes to one or more
+ Collectors.
+
+ * Export Packet
+
+ An Export Packet is a combination of Report Interpretation(s)
+ and/or one or more Packet Reports that are bundled by the
+ Exporting Process into an Export Packet for exporting to a
+ Collector.
+
+3.2.6. PSAMP Device
+
+ * PSAMP Device
+
+ A PSAMP Device is a device hosting at least an Observation Point,
+ a Selection Process, and an Exporting Process. Typically,
+ corresponding Observation Point(s), Selection Process(es), and
+ Exporting Process(es) are co-located at this device, for example,
+ at a router.
+
+3.2.7. Collector
+
+ * Collector
+
+ A Collector receives a Report Stream exported by one or more
+ Exporting Processes. In some cases, the host of the Metering
+ and/or Exporting Processes may also serve as the Collector.
+
+
+
+
+
+Claise, et al. Standards Track [Page 8]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+3.2.8. Selection Methods
+
+ * Filtering
+
+ A filter is a Selector that selects a packet deterministically
+ based on the Packet Content, or its treatment, or functions of
+ these occurring in the Selection State. Two examples are:
+
+ (i) Property Match Filtering: A packet is selected if a
+ specific field in the packet equals a predefined value.
+
+ (ii) Hash-based Selection: A Hash Function is applied to the
+ Packet Content, and the packet is selected if the result
+ falls in a specified range.
+
+ * Sampling
+
+ A Selector that is not a filter is called a Sampling
+ operation. This reflects the intuitive notion that if the
+ selection of a packet cannot be determined from its content
+ alone, there must be some type of Sampling taking place.
+
+ * Content-Independent Sampling
+
+ A Sampling operation that does not use Packet Content (or
+ quantities derived from it) as the basis for selection is
+ called a Content-independent Sampling operation. Examples
+ include systematic Sampling, and uniform pseudorandom
+ Sampling driven by a pseudorandom number whose generation
+ is independent of Packet Content. Note that in Content-
+ independent Sampling, it is not necessary to access the
+ Packet Content in order to make the selection decision.
+
+ * Content-Dependent Sampling
+
+ A Sampling operation where selection is dependent on Packet
+ Content is called a Content-dependent Sampling operation.
+ An example is pseudorandom selection according to a
+ probability that depends on the contents of a packet field.
+ Note that this is not a filter, because the selection is
+ not deterministic.
+
+ * Hash Domain
+
+ A Hash Domain is a subset of the Packet Content and the
+ packet treatment, viewed as an N-bit string for some
+ positive integer N.
+
+
+
+
+Claise, et al. Standards Track [Page 9]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ * Hash Range
+
+ A Hash Range is a set of M-bit strings for some positive
+ integer M that define the range of values the result of the
+ hash operation can take.
+
+ * Hash Function
+
+ A Hash Function defines a deterministic map from the Hash
+ Domain into the Hash Range.
+
+ * Hash Selection Range
+
+ A Hash Selection Range is a subset of the Hash Range. The
+ packet is selected if the action of the Hash Function on
+ the Hash Domain for the packet yields a result in the Hash
+ Selection Range.
+
+ * Hash-based Selection
+
+ A Hash-based Selection is Filtering specified by a Hash
+ Domain, a Hash Function, a Hash Range, and a Hash Selection
+ Range.
+
+ * Approximative Selection
+
+ Selectors in any of the above categories may be
+ approximated by operations in the same or another category
+ for the purposes of implementation. For example, uniform
+ pseudorandom Sampling may be approximated by Hash-based
+ Selection, using a suitable Hash Function and Hash Domain.
+ In this case, the closeness of the approximation depends on
+ the choice of Hash Function and Hash Domain.
+
+ * Population
+
+ A Population is a Packet Stream, or a subset of a Packet
+ Stream. A Population can be considered as a base set from
+ which packets are selected. An example is all packets in
+ the Observed Packet Stream that are observed within some
+ specified time interval.
+
+ * Population Size
+
+ The Population Size is the number of all packets in the
+ Population.
+
+
+
+
+
+Claise, et al. Standards Track [Page 10]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ * Sample Size
+
+ The Sample Size is the number of packets selected from the
+ Population by a Selector.
+
+ * Configured Selection Fraction
+
+ The Configured Selection Fraction is the expected ratio of
+ the Sample Size to the Population Size, as based on the
+ configured selection parameters.
+
+ * Attained Selection Fraction
+
+ The Attained Selection Fraction is the ratio of the actual
+ Sample Size to the Population Size. For some Sampling
+ methods, the Attained Selection Fraction can differ from
+ the Configured Selection Fraction due to, for example, the
+ inherent statistical variability in Sampling decisions of
+ probabilistic Sampling and Hash-based Selection.
+ Nevertheless, for large Population Sizes and properly
+ configured Selectors, the Attained Selection Fraction
+ usually approaches the Configured Selection Fraction.
+
+3.3. IPFIX and PSAMP Terminology Comparison
+
+ The PSAMP terminology has been specified with an IPFIX background, as
+ PSAMP and IPFIX have similar terms. However, this section clarifies
+ the terms between the IPFIX and PSAMP terminology.
+
+3.3.1. IPFIX and PSAMP Processes
+
+ Figure B indicates the sequence of the IPFIX processes (Metering and
+ Exporting) within the PSAMP Device.
+
+ +------------------+
+ | Metering Process |
+ | +-----------+ | +-----------+
+ Observed | | Selection | | | Exporting |
+ Packet--->| | Process |--------->| Process |--->Collector
+ Stream | +-----------+ | +-----------+
+ +------------------+
+
+ Figure B: PSAMP Processes
+
+ The Selection Process, which takes an Observed Packet Stream as its
+ input, is an integral part of the Metering Process. The Selection
+ Process chooses which packets from its input Packet Stream will be
+
+
+
+
+Claise, et al. Standards Track [Page 11]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ reported on by the rest of the Metering Process. Note that a
+ "Process" is not necessarily implemented as a separate CPU thread.
+
+3.3.2. Packet Report, Packet Interpretation, and Data Record
+
+ The PSAMP terminology speaks of Packet Report and Packet
+ Interpretation, while the IPFIX terminology speaks of Data Record and
+ (Options) Template Record. The PSAMP Packet Report, which comprises
+ information about the observed packet, can be viewed as analogous to
+ the IPFIX Data Record defined by a Template Record. The PSAMP Report
+ Interpretation, which comprises subsidiary information used for the
+ interpretation of the Packet Reports, can be viewed as analogous to
+ the IPFIX Data Record defined by an Options Template Record. This
+ Options Template Record contains subsidiary information, applicable
+ to the observed packet sent into the PSAMP Packet Report.
+
+4. Differences between PSAMP and IPFIX
+
+ The output of the IPFIX working group relevant for this document is
+ structured into three documents:
+
+ - IP Flow information architecture [RFC5470]
+
+ - IPFIX protocol specifications [RFC5101]
+
+ - IP Flow information export information model [RFC5102]
+
+ In the following sections, we investigate the differences between
+ IPFIX and PSAMP for each of those aspects.
+
+4.1. Architecture Point of View
+
+ Traffic Flow measurement as described in the IPFIX requirements
+ [RFC3917] and the IPFIX architecture [RFC5470] can be separated into
+ two stages: packet processing and Flow processing. Figure C
+ illustrates these stages.
+
+ In stage 1, all processing steps act on packets. Packets are
+ captured, timestamped, selected by one or more selection steps, and
+ finally forwarded to packet classification that maps packets to
+ Flows. The packets' selection steps may include Filtering and
+ Sampling functions.
+
+ In stage 2, all processing steps act on Flows. After packets are
+ classified (mapped to Flows), Flows are generated (or updated if they
+ exist already). Flow generation and update steps may be performed
+ repeatedly for aggregating Flows. Finally, Flows are exported.
+
+
+
+
+Claise, et al. Standards Track [Page 12]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Packet Sampling as described in the PSAMP framework [RFC5474] covers
+ only stage 1 of the IPFIX architecture with the packet classification
+ replaced by Packet Report export, while IPFIX covers stage 2 also, as
+ it generates Flow Records out of the selected packets.
+
+ IPFIX architecture PSAMP framework
+
+ packet header packet header
+ capturing \ capturing
+ | | |
+ timestamping | timestamping
+ | | |
+ v | v
+ +------>+ | stage 1: +------>+
+ | | > packet | |
+ | packet | processing | packet
+ | selection | | selection
+ | | | | |
+ +-------+ | +-------+
+ | | |
+ v | v
+ packet / Packet Report
+ classification \ export
+ | |
+ v |
+ +------>+ |
+ | | |
+ | Flow generation |
+ | and update | stage 2:
+ | | > Flow
+ | v | processing
+ | Flow |
+ | selection |
+ | | |
+ +-------+ |
+ | |
+ v |
+ Flow Record /
+ export
+
+ Figure C: Comparison of IPFIX Architecture and PSAMP Framework
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 13]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+4.2. Protocol Point of View
+
+ Concerning the protocol, the major difference between IPFIX and PSAMP
+ is that the IPFIX protocol exports Flow Records while the PSAMP
+ protocol exports Packet Reports. From a pure export point of view,
+ IPFIX will not distinguish a Flow Record composed of several packets
+ aggregated together from a Flow Record composed of a single packet.
+
+ So the PSAMP export can be seen as a special IPFIX Flow Record
+ containing information about a single packet.
+
+ All extensions of the IPFIX protocol that are required to satisfy the
+ PSAMP requirements have already been incorporated in the IPFIX
+ protocol [RFC5101], which was developed in parallel with the PSAMP
+ protocol. An example is the need for a data type for protocol fields
+ that have flexible length, such as an octet array. This was added to
+ the IPFIX protocol specification in order to meet the requirement of
+ the PSAMP protocol to report content of captured packets, for
+ example, the first octets of a packet.
+
+4.3. Information Model Point of View
+
+ From the information model point of view, the overlap between both
+ the IPFIX and PSAMP protocols is quite large. Most of the
+ Information Elements in the IPFIX protocol are also relevant for
+ exporting packet information, for example, all fields reporting
+ packet header properties. Only a few Information Elements, such as
+ observedFlowTotalCount (whose value will always be 1 for PSAMP),
+ etc., cannot be used in a meaningful way by the PSAMP protocol.
+ Also, IPFIX protocol requirements concerning stage 2 of Figure C do
+ not apply to the PSAMP Metering Process.
+
+ Further required extensions apply to the information model. Even if
+ the IPFIX charter speaks of Sampling, no Sampling-related Information
+ Elements are specified in [RFC5102]. The task of specifying them was
+ intentionally left for the PSAMP information model [RFC5477]. A set
+ of several additional fields is required for satisfying the
+ requirements for the PSAMP information model [RFC5475].
+
+ Exploiting the extensibility of the IPFIX information model, the
+ required extension is covered by the PSAMP information model
+ specified in [RFC5477].
+
+5. PSAMP Requirements versus the IPFIX Solution
+
+ The [RFC5474] contains PSAMP protocol requirements throughout the
+ document, with a special focus in Section 4, "Generic Requirements
+ for PSAMP", and its subsections.
+
+
+
+Claise, et al. Standards Track [Page 14]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Section 4 of [RFC5474] describes one requirement that, if not
+ directly related to the export protocol, will put some constraints on
+ it. Parallel Measurements: multiple independent Selection Processes
+ at the same entity.
+
+ [RFC5474] also describes a series of requirements specifying the
+ different Information Elements that MUST and SHOULD be reported to
+ the Collector. Nevertheless, IPFIX, being a generic export protocol,
+ can export any Information Elements as long as they are described in
+ the information model. So these requirements are mainly targeted for
+ [RFC5477].
+
+ The PSAMP protocol specification meets almost all the protocol
+ requirements stated in the PSAMP framework document [RFC5474]:
+
+ * Extensibility
+
+ * Parallel selection processes
+
+ * Encrypted packets
+
+ * Indication of information loss
+
+ * Accuracy
+
+ * Privacy
+
+ * Timeliness
+
+ * Congestion avoidance
+
+ * Secure export
+
+ * Export rate limit
+
+ * Microsecond timestamp resolution
+
+ The only requirement that is not met is Export Packet compression.
+ With the choice of IPFIX as the PSAMP export protocol, the Export
+ Packet compression option mentioned in the Section 8.5 of the
+ framework document [RFC5474] is not addressed.
+
+5.1. High-Level View of the Integration
+
+ The Template Record in the Template Set is used to describe the
+ different PSAMP Information Elements that will be exported to the
+ Collector. The Collector decodes the Template Record in the Template
+ Set and knows which Information Elements to expect when it receives
+
+
+
+Claise, et al. Standards Track [Page 15]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ the Data Records in the PSAMP Packet Report Data Set. Typically, in
+ the base level of the PSAMP functionality, the Template Set will
+ contain the input sequence number, the packet fragment (some number
+ of contiguous bytes from the start of the packet or from the start of
+ the payload), and the Selection Sequence.
+
+ The Options Template Record in the Options Template Set is used to
+ describe the different PSAMP Information Elements that concern the
+ Metering Process itself: Sampling and/or Filtering functions, and the
+ associated parameters. The Collector decodes the Options Template
+ Records in the Options Template Set and knows which Information
+ Elements to expect when it receives the Data Records in the PSAMP
+ Report Interpretation Data Set. Typically, the Options Template
+ would contain the Selection Sequence, the Sampling or Filtering
+ functions, and the Sampling or Filtering associated parameters.
+
+ PSAMP requires all the different possibilities of the IPFIX protocol
+ specifications [RFC5101], that is, the three types of Sets (Data Set,
+ Template Set, and Options Templates Set) with the two types of
+ Template Records (Template Record and Options Template Record), as
+ described in Figure A. As a consequence, PSAMP can't rely on a
+ subset of the IPFIX protocol specifications described in [RFC5101].
+ The entire IPFIX protocol specifications [RFC5101] MUST be
+ implemented for the PSAMP protocol.
+
+6. Using the IPFIX Protocol for PSAMP
+
+ In this section, we describe the usage of the IPFIX protocol for
+ PSAMP. We describe the record formats and the additional
+ requirements that must be met. PSAMP uses two different types of
+ messages:
+
+ - Packet Reports
+
+ - Report Interpretation
+
+ The format of Packet Reports is defined in IPFIX Template Records.
+ The PSAMP data is transferred as Information Elements in IPFIX Data
+ Records as described by the Template Record. There are two different
+ types of Packet Reports. Basic Packet Reports contain only the basic
+ Information Elements required for PSAMP reporting. Extended Packet
+ Reports MAY contain other Information Elements, and do not
+ necessarily include Packet Content (See section 6.4.2).
+
+ The format of Report Interpretations is defined in the IPFIX Options
+ Template Record. The Information Elements are transferred in IPFIX
+ Data Records as described by the Options Template Record. There are
+ four different types of Report Interpretation messages:
+
+
+
+Claise, et al. Standards Track [Page 16]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ - Selection Sequence Report Interpretation
+
+ - Selector Report Interpretation
+
+ - Selection Sequence Statistics Report Interpretation
+
+ - Accuracy Report Interpretation
+
+ A description and examples about the usage of those reports are given
+ below.
+
+6.1. Selector ID
+
+ The Selector ID is the unique ID identifying a Primitive Selector.
+ Each Primitive Selector MUST have a unique ID within the Observation
+ Domain. The Selector ID is represented by the selectorId Information
+ Element [RFC5477].
+
+6.2. The Selection Sequence ID
+
+ From all the packets observed at an Observation Point, a subset of
+ packets is selected by one or more Selectors. The Selection Sequence
+ is the combination of an Observation Point and one or more
+ Selector(s) through which the packets are selected. The Selection
+ Sequence ID is a unique value representing that combination. The
+ Selection Sequence ID is represented by the selectionSequenceId
+ Information Element [RFC5477].
+
+6.3. The Exporting Process
+
+ An Exporting Process MUST be able to limit the export rate according
+ to a configurable value. The Exporting Process MAY limit the export
+ rate on a per Collecting Process basis.
+
+6.4. Packet Report
+
+ For each Selection Sequence, for each selected packet, a Packet
+ Report MUST be created. The format of the Packet Report is specified
+ in a Template Record contained in a Template Set.
+
+ There are two types of Packet Report, as described in [RFC5474]: the
+ basic Packet Report and the extended Packet Report.
+
+6.4.1. Basic Packet Report
+
+ For each selected packet, the Packet Report MUST contain the
+ following information:
+
+
+
+
+Claise, et al. Standards Track [Page 17]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ - The selectionSequenceId Information Element
+ If there is a digest function in the Selection Sequence, the Packet
+ Report MUST contain the hash value (digestHashValue Information
+ Element) generated by the digest Hash Function for each selected
+ packet. If there is more than one digest function, then each hash
+ value MUST be included in the same order as they appear in the
+ Selection Sequence. If there are no digest functions in the
+ Selection Sequence, no element for the digest needs to be sent.
+
+ - Some number of contiguous bytes from the start of the packet,
+ including the packet header (which includes link layer, network
+ layer, and other encapsulation headers) and some subsequent bytes
+ of the packet payload. Alternatively, the number of contiguous
+ bytes may start at the beginning of the payload. The
+ dataLinkFrameSection, mplsLabelStackSection,
+ mplsPayloadPacketSection, ipPacketSection, and
+ ipPayloadPacketSection PSAMP Information Elements are available for
+ this use.
+
+ For each selected packet, the Packet Report SHOULD contain a time-
+ related Information Element that matches the Metering Process time
+ accuracy. Typically, the observationTimeMicroseconds Information
+ Element. Other possible Information Elements are the
+ observationTimeSeconds, the observationTimeMilliseconds, or the
+ observationTimeNanoseconds.
+
+ In the Packet Report, the PSAMP Device MUST be capable of exporting
+ the number of observed packets and the number of packets selected by
+ each instance of its Primitive Selectors (as described by the
+ non-scope Information Elements of the Selection Sequence Statistics
+ Report Interpretation), although it MAY be a configurable option not
+ to include them. If exported, the Attained Selection Fraction may be
+ calculated precisely for the Observed Packet Stream. The Packet
+ Report MAY include only the final selector packetSelected, to act as
+ an index for that Selection Sequence in the Selection Sequence
+ Statistics Report Interpretation, which also allows the calculation
+ of the Attained Selection Fraction.
+
+ The contiguous Information Elements (dataLinkFrameSection,
+ mplsLabelStackSection, mplsPayloadPacketSection, ipPacketSection, and
+ ipPayloadPacketSection) MAY be encoded with a fixed-length field or
+ with a variable-sized field. If one of these Information Elements is
+ encoded with a fixed-length field whose length is too long for the
+ number of contiguous bytes in the selected packet, padding MUST NOT
+ be used. In this case, the Exporting Process MUST export the
+ information either in a new Template Record with the correct fixed-
+ length field or in a new Template Record with a variable-length
+ field.
+
+
+
+Claise, et al. Standards Track [Page 18]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Here is an example of a basic Packet Report, with a
+ SelectionSequenceId value of 9 and dataLinkFrameSection Information
+ Element of 12 bytes, 0x4500 005B A174 0000 FF11 832E, encoded with a
+ fixed-length field.
+
+ IPFIX Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 2 | Length = 24 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 260 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | selectionSequenceId = 301 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | digestHashValue = 326 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | dataLinkFrameSection = 315 | Field Length = 12 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |observationTimeMicroseconds=324| Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 260 | Length = 32 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0x9123 0613 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0x4500 005B |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0xA174 0000 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0xFF11 832E |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | observation time ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... encoded as dateTimeMicroSeconds [RFC5101] |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure D: Example of a Basic Packet Report
+
+
+
+
+
+Claise, et al. Standards Track [Page 19]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Here is an example of a basic Packet Report, with a
+ SelectionSequenceId value of 9 and ipHeaderPacketSection Information
+ Element of 12 bytes, 0x4500 005B A174 0000 FF11 832E, encoded with a
+ variable-sized field.
+
+ IPFIX Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 2 | Length = 16 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 261 | Field Count = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | selectionSequenceId = 301 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ipHeaderPacketSection = 313 | Field Length = 65535 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 261 | Length = 21 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Length = 12 | 0x4500 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 005B | 0xA174 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 0000 | 0xFF11 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 832E |
+ +-+-+-+-+-+-+-+-+
+
+ Figure E: Example of a Basic Packet Report
+ with a Variable-Sized Field
+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 20]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+6.4.2. Extended Packet Report
+
+ Alternatively to the basic Packet Report, the extended Packet Report
+ MAY contain other Information Elements related to the protocols used
+ in the packet (such as source and destination IP addresses), related
+ to the packet treatment (such as output interface, destination BGP
+ autonomous system [RFC4271]), or related to the Selection State
+ associated with the packet (such as timestamp, hash value).
+
+ It is envisaged that selection of fields for extended Packet Reports
+ may be used to reduce reporting bandwidth, in which case the option
+ to report some number of contiguous bytes from the start of the
+ packet, mandatory in the basic Packet Report, may not be exercised.
+ In this case, the Packet Content MAY be omitted. Note this
+ configuration is quite similar to an IPFIX Device for which a
+ Template Record containing information about a single packet is
+ reported.
+
+ Example of a detailed Extended Packet Report:
+
+ IPFIX Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 2 | Length = 32 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 261 | Field Count = 6 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| selectionSequenceId = 301 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| sourceIPv4Address = 8 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| destinationIPv4Address = 12 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| totalLengthIPv4 = 190 | Field Length = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| tcpSourcePort = 182 | Field Length = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0| tcpDestinationPort = 183 | Field Length = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 21]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 261 | Length = 20 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.0.2.1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.0.2.106 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 72 | 1372 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 80 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure F: Example of an Extended Packet Report
+
+6.5. Report Interpretation
+
+ To make full sense of the Packet Reports, there are a number of
+ additional pieces of information that must be communicated to the
+ Collector:
+
+ - The details about which Selectors and Observation Points are being
+ used within a Selection Sequence MUST be provided using the
+ Selection Sequence Report Interpretation.
+
+ - The configuration details of each Selector MUST be provided using
+ the Selector Report Interpretation.
+
+ - The Selector ID statistics MUST be provided using the Selection
+ Sequence Statistics Report Interpretation.
+
+ - The accuracies of the reported fields MUST be provided using the
+ Accuracy Report Interpretation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 22]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+6.5.1. Selection Sequence Report Interpretation
+
+ Each Packet Report contains a selectionSequenceId Information Element
+ that identifies the particular combination of Observation Point and
+ Selector(s) used for its selection. For every selectionSequenceId
+ Information Element in use, the PSAMP Device MUST export a Selection
+ Sequence Report Interpretation using an Options Template with the
+ following Information Elements:
+
+ Scope: selectionSequenceId
+ Non-Scope: one Information Element mapping the Observation Point
+ selectorId (one or more)
+
+ An Information Element representing the Observation Point would
+ typically be taken from the ingressInterface, egressInterface,
+ lineCardId, exporterIPv4Address, or exporterIPv6Address Information
+ Elements (specified in [RFC5102]), but is not limited to those: any
+ Information Element specified in [RFC5102] or [RFC5477] can
+ potentially be used. In case of more complex Observation Points
+ (such as a list of interfaces, a bus, etc.), a new Information
+ Element describing the new type of Observation Point must be
+ specified, along with an Options Template Record describing it in
+ more detail (if necessary).
+
+ If the packets are selected by a Composite Selector, the Selection
+ Sequence is composed of several Primitive Selectors. In such a case,
+ the Selection Sequence Report Interpretation MUST contain the list of
+ all the Primitive Selector IDs in the Selection Sequence. If
+ multiple Selectors are contained in the Selection Sequence Report
+ Interpretation, the selectorId's MUST be identified in the order they
+ are used.
+
+ Example of two Selection Sequences:
+
+ Selection Sequence 7 (Filter->Sampling):
+ ingressInterface 5
+ selectorId 5 (Filter, match IPV4SourceAddress 192.0.2.1)
+ selectorId 10 (Sampler, Random 1 out-of ten)
+
+ Selection Sequence 9 (Sampling->Filtering):
+ ingressInterface 5
+ selectorId 10 (Sampler, Random 1 out-of ten)
+ selectorId 5 (Filter, match IPV4SourceAddress 192.0.2.1)
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 23]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 262 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectionSequenceId = 301 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| ingressInterface = 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 262 | Length = 36 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 7 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure G: Example of a Selection Sequence Report Interpretation
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 24]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Notes:
+
+ * There are two Records here in the same Data Set. Each record
+ defines a different Selection Sequence.
+
+ * If, for example, a different Selection Sequence is composed of
+ three Selectors, then a different Options Template with three
+ selectorId Information Elements (instead of two) must be used.
+
+6.5.2. Selector Report Interpretation
+
+ An IPFIX Data Record, defined by an Options Template Record, MUST be
+ used to send the configuration details of every Selector in use. The
+ Options Template Record MUST contain the selectorId Information
+ Element as the Scope field and the SelectorAlgorithm Information
+ Element followed by some specific configuration parameters:
+
+ Scope: selectorId
+ Non-scope: selectorAlgorithm
+ algorithm-specific Information Elements
+
+ The algorithm-specific Information Elements are specified in the
+ following subsections, depending on the selection method represented
+ by the value of the selectorAlgorithm [RFC5477].
+
+6.5.2.1. Systematic Count-Based Sampling
+
+ In systematic count-based Sampling, the start and stop triggers for
+ the Sampling interval are defined in accordance with the spatial
+ packet position (packet count) [RFC5475].
+
+ The REQUIRED algorithm-specific Information Elements in the case of
+ systematic count-based Sampling are:
+
+ samplingPacketInterval: number of packets selected in a row
+ samplingPacketSpace: number of packets between selections
+
+ Example of a simple 1 out-of 10 systematic count-based Selector
+ definition, where the samplingPacketInterval is 1 and the
+ samplingPacketSpace is 9.
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 25]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 263 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| selectorAlgorithm = 304 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0|samplingPacketInterval = 305 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingPacketSpace = 306 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 263 | Length = 11 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 15 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 | 1 | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure H: Example of the Selector Report Interpretation
+ for Systematic Count-Based Sampling
+
+ Notes:
+
+ * A selectorAlgorithm value of 1 represents systematic count-based
+ Sampling.
+
+ * samplingPacketInterval and samplingPacketSpace are of type
+ unsigned32 but are compressed down to one octet here, as allowed by
+ the IPFIX protocol specifications [RFC5101].
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 26]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+6.5.2.2. Systematic Time-Based Sampling
+
+ In systematic time-based Sampling, the start and stop triggers are
+ used to define the Sampling intervals [RFC5475]. The REQUIRED
+ algorithm-specific Information Elements in the case of systematic
+ time-based Sampling are:
+
+ samplingTimeInterval: time (in microseconds) when packets are
+ selected
+ samplingTimeSpace: time (in microseconds) between selections
+
+ Example of a 100 microsecond out-of 1000 microsecond systematic
+ time-based Selector definition, where the samplingTimeInterval is 100
+ and the samplingTimeSpace is 900.
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 264 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| selectorAlgorithm = 304 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingTimeInterval = 307 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingTimeSpace = 308 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 264 | Length = 12 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 16 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 2 | 100 | 900 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure I: Example of the Selector Report Interpretation
+
+
+
+Claise, et al. Standards Track [Page 27]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ for Systematic Time-Based Sampling
+
+ Notes:
+
+ * A selectorAlgorithm value of 2 represents systematic time-based
+ Sampling.
+
+ * samplingTimeInterval and samplingTimeSpace are of type unsigned32
+ but are compressed down here.
+
+6.5.2.3. Random n-out-of-N Sampling
+
+ In random n-out-of-N Sampling, n elements are selected out of the
+ parent Population that consists of N elements [RFC5475]. The
+ REQUIRED algorithm-specific Information Elements in case of random
+ n-out-of-N Sampling are:
+
+ samplingSize: number of packets selected
+ samplingPopulation: number of packets in selection Population
+
+ Example of a 1 out-of 10 random n-out-of-N Sampling Selector:
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 265 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| selectorAlgorithm = 304 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingSize = 309 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingPopulation = 310 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 28]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 265 | Length = 11 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 17 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 3 | 1 | 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure J: Example of the Selector Report Interpretation
+ for Random n-out-of-N Sampling
+
+ Notes:
+
+ * A selectorAlgorithm value of 3 represents Random n-out-of-N
+ Sampling.
+
+ * samplingSize and samplingPopulation are of type unsigned32 but are
+ compressed down to one octet here.
+
+6.5.2.4. Uniform Probabilistic Sampling
+
+ In uniform probabilistic Sampling, each element has the same
+ probability p of being selected from the parent Population [RFC5475].
+ The algorithm-specific Information Element in case of uniform
+ probabilistic Sampling is:
+
+ samplingProbability: a floating point number for the Sampling
+ probability.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 29]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Example of a 15% uniform probability Sampling Selector:
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 22 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 271 | Field Count = 3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| selectorAlgorithm = 304 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| samplingProbability = 311 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 271 | Length = 11 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 20 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 4 | 0.15 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ +-+-+-+-+-+-+-+-+
+
+ Figure K: Example of the Selector Report Interpretation
+ for Uniform Probabilistic Sampling
+
+ Notes:
+
+ * A selectorAlgorithm value of 4 represents Uniform Probabilistic
+ Sampling.
+
+ * samplingProbability is of type float64 but is compressed down to a
+ float32 here.
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 30]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+6.5.2.5. Property Match Filtering
+
+ This classification includes match(es) on field(s) within a packet
+ and/or on properties of the router state. With this method, a packet
+ is selected if a specific field in the packet equals a predefined
+ value.
+
+ The algorithm-specific Information Elements defining configuration
+ parameters for Property Match Filtering are taken from the full range
+ of available Information Elements.
+
+ When multiple different Information Elements are defined, the filter
+ acts as a logical AND. Note that the logical OR is not covered by
+ these PSAMP specifications. The Property Match Filtering Options
+ Template Record MUST NOT have multiple identical Information
+ Elements. The result of the filter is independent from the order of
+ the Information Elements in the Options Template Record, but the
+ order may be important for implementation purposes, as the first
+ filter will have to work at a higher rate. In any case, an
+ implementation is not constrained to respect the filter ordering as
+ long as the result is the same, and it may even implement the
+ composite Filtering in one single step.
+
+ Since encryption alters the meaning of encrypted fields, when the
+ Property Match Filtering classification is based on the encrypted
+ field(s) in the packet, it MUST be able to recognize that the
+ field(s) are not available and MUST NOT select those packets unless
+ specifically directed by the Information Element description. Even
+ if they are ignored, the encrypted packets MUST be accounted for in
+ the Selector packetsObserved Information Element [RFC5477], part of
+ the Selection Sequence Statistics Report Interpretation.
+
+ Example of a match-based filter Selector, whose rules are:
+ IPv4 Source Address = 192.0.2.1
+ IPv4 Next-Hop Address = 192.0.2.129
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 31]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 266 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| selectorAlgorithm = 304 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| sourceIPv4Address = 8 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| ipNextHopIPv4Address = 15 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 266 | Length = 11 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 21 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 | 192.0.2 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... .1 | 192.0.2 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... .129 |
+ +-+-+-+-+-+-+-+-+
+
+ Figure L: Example of the Selector Report Interpretation
+ for Match-Based and Router State Filtering
+
+ Notes:
+
+ * A selectorAlgorithm value of 5 represents Property Match Filtering.
+
+ * In this filter, there is a mix of information from the packet and
+ information from the router.
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 32]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+6.5.2.6. Hash-Based Filtering
+
+ In Hash-based Selection, a Hash Function is run on IPv4 traffic. The
+ following fields MUST be used as input to that Hash Function:
+
+ - IP identification field
+
+ - Flags field
+
+ - Fragment offset
+
+ - Source IP address
+
+ - Destination IP address
+
+ - A number of bytes from the IP payload. The number of bytes and
+ starting offset MUST be configurable if the Hash Function
+ supports it.
+
+ For the bytes taken from the IP payload, IPSX has a fixed offset of 0
+ bytes and a fixed size of 8 bytes. The number and offset of payload
+ bytes in the BOB function MUST be configurable.
+
+ The minimum configuration ranges MUST be as follows:
+
+ Number of bytes: from 8 to 32
+ Offset: from 0 to 64
+
+ If the selected payload bytes are not available and the Hash Function
+ can take a variable-sized input, then the Hash Function MUST be run
+ with the information that is available and a shorter size. Passing 0
+ as a substitute for missing payload bytes is only acceptable if the
+ Hash Function takes a fixed size as is the case with IPSX.
+
+ If the Hash Function can take an initialization value, then this
+ value MUST be configurable.
+
+ A Hash-based Selection function MAY be configurable as a digest
+ function. Any Selection Process that is configured as a digest
+ function MUST have the output value included in the basic Packet
+ Report for any selected packet.
+
+ Each Hash Function used as a Hash-based Selection Selector requires
+ its own value for the selectorAlgorithm. Currently, we have BOB (6),
+ IPSX (7), and CRC (8) defined and any MAY be used for either
+ Filtering or creating a Packet Digest. Only BOB is recommended
+ though and SHOULD be used.
+
+
+
+
+Claise, et al. Standards Track [Page 33]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ The REQUIRED algorithm-specific Information Elements in case of
+ Hash-based Selection are:
+
+ hashIPPayloadOffset - The payload offset used by a Hash-based
+ Selection Selector
+
+ hashIPPayloadSize - The payload size used by a Hash-based
+ Selection Selector
+
+ hashOutputRangeMin - One or more values for the beginning of each
+ potential output range.
+
+ hashOutputRangeMax - One or more values for the end of each
+ potential output range.
+
+ hashSelectedRangeMin - One or more values for the beginning of each
+ selected range.
+
+ hashSelectedRangeMax - One or more values for the end of each
+ selected range.
+
+ hashDigestOutput - A boolean value, TRUE if the output from this
+ Selector has been configured to be included
+ in the Packet Report as a packet digest.
+
+ Note: If more than one selection or output range needs to be sent,
+ then the minimum and maximum elements may be repeated as needed.
+ These MUST make one or more non-overlapping ranges. The elements
+ SHOULD be sent as pairs of minimum and maximum in ascending order;
+ however, if they are sent out of order, then there will only be one
+ way to interpret the ranges to produce a non-overlapping range and
+ the Collecting Process MUST be prepared to accept and decode this.
+
+ The following algorithm-specific Information Element MAY be sent, but
+ is optional for security considerations:
+
+ hashInitialiserValue - The initialiser value to the Hash Function.
+
+ Since encryption alters the meaning of encrypted fields, when the
+ Hash-based Filtering classification is based on the encrypted
+ field(s) in the packet, it MUST be able to recognize that the
+ field(s) are not available and MUST NOT select those packets. Even
+ if they are ignored, the encrypted packets MUST be accounted for in
+ the Selector packetsObserved Information Element [RFC5477], which is
+ part of the Selection Sequence Statistics Report Interpretation.
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 34]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Example of a Hash-based Filter Selector, whose configuration is:
+ Hash Function = BOB
+ Hash IP Payload Offset = 0
+ Hash IP Payload Size = 16
+ Hash Initialiser Value = 0x9A3F9A3F
+ Hash Output Range = 0 to 0xFFFFFFFF
+ Hash Selected Range = 100 to 200 and 400 to 500
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 50 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 269 | Field Count = 8 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectorId = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| selectorAlgorithm = 302 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 1 |0| hashIPpayloadOffset = 327 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashIPpayloadSize = 328 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashInitialiserValue = 329 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashOutputRangeMin = 330 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashOutputRangeMax = 331 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashSeletionRangeMin = 332 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashSeletionRangeMax = 333 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashSeletionRangeMin = 332 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| hashSeletionRangeMax = 333 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 35]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 266 | Length = 45 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 22 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 6 | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 0 | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 16 | 0x9A3F9A ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 3F | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... 0 | 0xFFFFFF ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... FF | ... 100 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... 200 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... 400 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... 500 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... |
+ +-+-+-+-+-+-+-+-+
+
+ Figure M: Example of the Selector Report Interpretation
+ for Hash-based Filtering
+
+ Notes:
+
+ * A selectorAlgorithm value of 6 represents Hash-based Filtering
+ using the BOB algorithm.
+
+6.5.2.7. Other Selection Methods
+
+ Some potential new selection methods MAY be added. Some of the new
+ selection methods, such as non-uniform probabilistic Sampling and
+ flow-state-dependent Sampling, are described in [RFC5475], with
+ further references.
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 36]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Each new selection method MUST be assigned a unique value for the
+ selectorAlgorithm Information Element. Its configuration
+ parameter(s), along with the way to report it/them with an Options
+ Template, MUST be clearly specified.
+
+6.5.3. Selection Sequence Statistics Report Interpretation
+
+ A Selector MAY be used in multiple Selection Sequences. However,
+ each use of a Selector must be independent, so each separate logical
+ instance of a Selector MUST maintain its own individual Selection
+ State and statistics.
+
+ The Selection Sequence Statistics Report Interpretation MUST include
+ the number of observed packets (Population Size) and the number of
+ packets selected (Sample Size) by each instance of its Primitive
+ Selectors.
+
+ Within a Selection Sequence composed of several Primitive Selectors,
+ the number of packets selected for one Selector is equal to the
+ number of packets seen by the next Selector. The order of the
+ Selectors in the Selection Sequence Statistics Report Interpretation
+ MUST match the order of the Selectors in the Selection Sequence.
+
+ If the full set of statistics is not sent as part of the Basic Packet
+ Reports, the PSAMP Device MUST export a Selection Sequence Statistics
+ Report Interpretation for every Selection Sequence, using an Options
+ Template containing the following Information Elements:
+
+ Scope: selectionSequenceId
+ Non-scope: packetsObserved
+ packetsSelected (first Selector)
+ ...
+ packetsSelected (last Selector)
+
+ The packetsObserved Information Element [RFC5477] MUST contain the
+ number of packets seen at the Observation Point, and as a consequence
+ passed to the first Selector in the Selection Sequence. The
+ packetsSelected Information Element [RFC5477] contains the number of
+ packets selected by a Selector in the Selection Sequence.
+
+ The Attained Selection Fraction for the Selection Sequence is
+ calculated by dividing the number of selected packets
+ (packetsSelected Information Element) for the last Selector by the
+ number of observed packets (packetsObserved Information Element).
+ The Attained Selection Fraction can be calculated for each Selector
+ by dividing the number of packets selected for that Selector by the
+ value for the previous Selector.
+
+
+
+
+Claise, et al. Standards Track [Page 37]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ The statistics for the whole sequence SHOULD be taken at a single
+ logical point in time; the input value for a Selector MUST equal the
+ output value of the previous Selector.
+
+ The Selection Sequence Statistics Report Interpretation MUST be
+ exported periodically.
+
+ Example of Selection Sequence Statistics Report Interpretation:
+
+ Selection Sequence 7 (Filter->Sampling):
+
+ Observed 100 (observationPointId 1, Interface 5)
+ Selected 50 (selectorId 5, match IPV4SourceAddress 192.0.2.1)
+ Selected 6 (selectorId 10, Sampler: Random one out-of ten)
+
+ Selection Sequence 9 (Sampling->Filtering):
+
+ Observed 100 (observationPointId 1, Interface 5)
+ Selected 10 (selectorId 10, Sampler: Random one out-of ten)
+ Selected 3 (selectorId 5, match IPV4SourceAddress 192.0.2.1)
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 26 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 267 | Field Count = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| selectionSequenceId = 301 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 4 |0| packetsObserved = 318 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| packetsSelected = 319 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |0| packetsSelected = 319 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 38]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 267 | Length = 36 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 7 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 100 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 50 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 6 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 9 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 100 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure N: Example of the Selection Sequence Statistics
+ Report Interpretation
+
+ Notes:
+
+ * The Attained Selection Fractions for Selection Sequence 7 are:
+ Filter 10: 50/100
+ Sampler 5: 6/50
+ Number of samples selected: 6
+
+ * The Attained Selection Fractions for Selection Sequence 9 are:
+ Sampler 5: 10/100
+ Filter 10: 3/10
+ Number of samples selected: 3
+
+6.5.4. Accuracy Report Interpretation
+
+ In order for the Collecting Process to determine the inherent
+ accuracy of the reported quantities (for example, timestamps), the
+ PSAMP Device SHOULD send an Accuracy Report Interpretation.
+
+ The Accuracy Report Interpretation MUST be exported by an Options
+ Template Record with a scope that contains the Information Element
+ for which the accuracy is required. In case the accuracy is specific
+
+
+
+Claise, et al. Standards Track [Page 39]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ to a template, a second scope containing the templateId value MUST be
+ added to the Options Template Record. The accuracy SHOULD be
+ reported either with the absoluteError Information Element [RFC5477]
+ or with the relativeError Information Element [RFC5477].
+
+ Accuracy Report Interpretation using the absoluteError Information
+ Element:
+ Scope: informationElementId
+ Non-scope: absoluteError
+
+ Accuracy Report Interpretation using the absoluteError Information
+ Element and a double scope:
+ Scope: templateId
+ informationElementId
+ Non-scope: absoluteError
+
+ Accuracy Report Interpretation using the relativeError Information
+ Element:
+ Scope: informationElementId
+ Non-scope: relativeError
+
+ Accuracy Report Interpretation using the relativeError Information
+ Element and a double scope:
+ Scope: templateId
+ informationElementId
+ Non-scope: relativeError
+
+ For example, the accuracy of an Information Element whose Abstract
+ Data Type is dateTimeMilliseconds [RFC5102], for which the unit is
+ specified as milliseconds, can be specified with the absoluteError
+ Information Element with the milliseconds units. In this case, the
+ error interval is the Information Element value +/- the value
+ reported in the absoluteError.
+
+ For example, the accuracy of an Information Element to estimate the
+ accuracy of a sampled flow, for which the unit would be specified in
+ octets, can be specified with the relativeError Information Element
+ with the octet units. In this case, the error interval is the
+ Information Element value +/- the value reported in the relativeError
+ times the reported Information Element value.
+
+ An alternative to reporting either the absoluteError Information
+ Element or the relativeError Information Element in the Accuracy
+ Report Interpretation, is to report both. For this case whatever is
+ least accurate for the reported value should be used.
+
+ If the accuracy of a reported quantity changes on the Metering
+ Process, a new Accuracy Report Interpretation MUST be generated. The
+
+
+
+Claise, et al. Standards Track [Page 40]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Collecting Process MUST keep the accuracy of the latest Accuracy
+ Report Interpretation.
+
+ Example of an Accuracy Report Interpretation using the absoluteError
+ Information Element and a double scope: the timeMicroseconds
+ contained in the Template 5 has an accuracy of +/- 2 ms, represented
+ by the absoluteError Information Element.
+
+ Scope: templateId = 6
+ informationElementId = timeMicroseconds
+ Non-scope: absoluteError = 2 ms
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 22 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 267 | Field Count = 3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 2 |0| templateId = 145 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 2 |0| InformationElementId = 303 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 2 Length = 2 |0| absoluteError = 320 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 267 | Length = 12 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 | 324 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 2 (encoded as a float32) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure O: Example of the Selection Sequence
+ Statistics Report Interpretation
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 41]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+ Notes:
+
+ * absoluteError is of type float64 but is compressed down to a
+ float32 here.
+
+ The second example displays an Accuracy Report Interpretation using
+ the relativeError Information Element and a single scope: the
+ timeMicroseconds has an error of 5%, represented by the
+ proportionalAccuracy Information Element.
+
+ Scope: informationElementId = timeMicroseconds
+ Non-scope: relativeError = 0.05
+
+ IPFIX Options Template Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 3 | Length = 18 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID = 268 | Field Count = 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope Field Count = 1 |0| InformationElementId = 303 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Length = 2 |0| relativeError= 321 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The associated IPFIX Data Record:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Set ID = 267 | Length = 10 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 324 | 0.05 ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ...(encoded as a float32) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure P: Example of the Selection Sequence
+ Statistics Report Interpretation
+
+ Notes:
+
+ * relativeError is of type float64 but is compressed down to a
+ float32 here.
+
+
+
+Claise, et al. Standards Track [Page 42]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+7. Security Considerations
+
+ As IPFIX has been selected as the PSAMP export protocol and as the
+ PSAMP security requirements are not stricter than the IPFIX security
+ requirements, refer to the IPFIX export protocol [RFC5101] for the
+ security considerations.
+
+ In the basic Packet Report, a PSAMP Device exports some number of
+ contiguous bytes from the start of the packet, including the packet
+ header (which includes link layer, network layer, and other
+ encapsulation headers) and some subsequent bytes of the packet
+ payload. The PSAMP Device SHOULD NOT export the full payload of
+ conversations, as this would mean wiretapping [RFC2804]. The PSAMP
+ Device MUST respect local privacy laws.
+
+8. IANA Considerations
+
+ The PSAMP protocol, as set out in this document, has two sets of
+ assigned numbers. Considerations for assigning them are discussed in
+ this section, using the example policies as set out in [RFC5226],
+ "Guidelines for IANA Considerations".
+
+8.1. IPFIX-Related Considerations
+
+ As the PSAMP protocol uses the IPFIX protocol, refer to the IANA
+ considerations section in [RFC5101] for the assignments of numbers
+ used in the protocol and for the numbers used in the information
+ model.
+
+8.2. PSAMP-Related Considerations
+
+ Each new selection method MUST be assigned a unique value for the
+ selectorAlgorithm Information Element [RFC5477]. Initial contents of
+ this registry are found in Section 8.2.1 in [RFC5477]. Its
+ configuration parameter(s), along with the way to report them with an
+ Options Template, MUST be clearly specified.
+
+ New assignments for the PSAMP selection method will be administered
+ by IANA, on a First Come First Served basis [RFC5226], subject to
+ Expert Review [RFC5226]. The group of experts must double check the
+ Information Elements definitions with already defined Information
+ Elements for completeness, accuracy, and redundancy. These experts
+ will initially be drawn from the Working Group Chairs and document
+ editors of the IPFIX and PSAMP Working Groups.
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 43]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC5101] Claise, B., Ed., "Specification of the IP Flow Information
+ Export (IPFIX) Protocol for the Exchange of IP Traffic Flow
+ Information", RFC 5101, January 2008.
+
+ [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
+ Meyer, "Information Model for IP Flow Information Export",
+ RFC 5102, January 2008.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226, May
+ 2008.
+
+ [RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F.
+ Raspall, "Sampling and Filtering Techniques for IP Packet
+ Selection", RFC 5475, March 2009.
+
+ [RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
+ Carle, "Information Model for Packet Sampling Exports", RFC
+ 5477, March 2009.
+
+9.2. Informative References
+
+ [RFC2804] IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May
+ 2000.
+
+ [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
+ "Requirements for IP Flow Information Export (IPFIX)", RFC
+ 3917, October 2004.
+
+ [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A Border
+ Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.
+
+ [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
+ "Architecture for IP Flow Information Export" RFC 5470,
+ March 2009.
+
+ [RFC5474] Duffield, N., Ed., "A Framework for Packet Selection and
+ Reporting", RFC 5474, March 2009.
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 44]
+
+RFC 5476 PSAMP Protocol Specification March 2009
+
+
+10. Acknowledgments
+
+ The authors would like to thank the PSAMP group, especially Paul
+ Aitken for fruitful discussions and for proofreading the document
+ several times.
+
+Authors' Addresses
+
+ Benoit Claise
+ Cisco Systems
+ De Kleetlaan 6a b1
+ 1831 Diegem
+ Belgium
+
+ Phone: +32 2 704 5622
+ EMail: bclaise@cisco.com
+
+
+ Juergen Quittek
+ NEC Europe Ltd.
+ Network Laboratories
+ Kurfuersten-Anlage 36
+ 69115 Heidelberg
+ Germany
+
+ Phone: +49 6221 90511-15
+ EMail: quittek@nw.neclab.eu
+
+
+ Andrew Johnson
+ Cisco Systems
+ 96 Commercial Quay
+ Edinburgh EH6 6LX
+ Scotland
+
+ Phone: +44 131 561 3641
+ EMail: andrjohn@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise, et al. Standards Track [Page 45]
+