Dear Andrew and all,

I know I am too late to make it for this version but just one small
comment for wording.

> ===================================================================
> 6.5.2.6 Hash-Based Filtering
>
> In hash based selection a hash function is run on IPv4 traffic;
> the following fields MUST be used as input to that hash function:
>   - IP identification field
>   - Flags field
>   - Fragment offset
>   - Source IP address
>   - Destination IP address
>   - A number of bytes from the IP payload. The number of bytes
>     and starting offset MUST be configurable if possible.

I would propose

  - A number of bytes from the IP payload. The number of bytes
    and starting offset MUST be configurable if the hash function
    supports it.

BTW, Andrew, I very much appreciate your work on the hash functions.
Now this looks really consistent.

Best Regards,

Thomas

--
Thomas Dietz                        E-mail: Thomas.Dietz@netlab.nec.de
Network Laboratories                Phone:  +49 6221 90511-28
NEC Europe Ltd.                     Fax:    +49 6221 90511-55
Kurfuersten-Anlage 36
69115 Heidelberg, Germany           http://www.netlab.nec.de

> -----Original Message-----
> From: owner-psamp@ops.ietf.org
> [mailto:owner-psamp@ops.ietf.org] On Behalf Of Andrew Johnson
> Sent: Friday, March 03, 2006 9:30 PM
> To: psamp
> Subject: Proposal for PSAMP-PROTO section 6.5.2.6
>
> Hello all
>
> Below is the proposed text for the PSAMP protocol section 6.5.2.6
> (Hash-Based Filtering) and for the changes to the Basic Packet
> Report to include the result of a Packet Digest Function.
>
> Things to note:
>   - The input to the hash function is mandated and fixed.
>   - CRC, IPSX and BOB MAY be used for filtering or packet digest.
>   - To ensure interoperability certain configurable ranges are
>     mandated. Are these ranges appropriate?
>   - To stop someone who has snooped the hash configuration from
>     shaping their traffic to manipulate detection, the
>     initialisation value is optional. Is this sufficient? Does it
>     only work with BOB?
>
>
> Suggested change to basic packet report text:
>
> ===================================================================
> For each selected packet, the Packet Report MUST contain the
> following information:
>   - ...
>   - The hash value (digestHashValue) generated by the digest hash
>     function. If there are no digest functions in the selection
>     sequence then no element needs to be sent. If there is more than
>     one digest function then each hash value must be included in
>     the same order as they appear in the selection sequence.
> ===================================================================
>
> Potentially we can add this to the example:
>
> ===================================================================
> IPFIX Template Record:
>
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |          Set ID = 2           |          Length = 20          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |      Template ID = 260        |       Field Count = 2         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |      selectionPath = 321      |      Field Length = 4         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |    digestHashValue = 326      |      Field Length = 4         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | ipHeaderPacketSection = 313   |      Field Length = 12        |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> The associated IPFIX Data Record:
>
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |         Set ID = 260          |          Length = 24          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                               9                               |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                          0x9123 0613                          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                          0x4500 005B                          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                          0xA174 0000                          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                          0xFF11 832E                          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Figure D: Example of a Basic Packet Report
> ===================================================================
>
> Note: this means that any digest hash function must take the same
> parameters as a selection hash function. I think this is currently
> the best option for interoperability.
>
>
> Secondly we will need a report to communicate the configuration
> of the hash-based selector to the Collecting Process.
>
> ===================================================================
> 6.5.2.6 Hash-Based Filtering
>
> In hash based selection a hash function is run on IPv4 traffic;
> the following fields MUST be used as input to that hash function:
>   - IP identification field
>   - Flags field
>   - Fragment offset
>   - Source IP address
>   - Destination IP address
>   - A number of bytes from the IP payload. The number of bytes
>     and starting offset MUST be configurable if possible.
>
> For the bytes taken from the IP payload, IPSX has a fixed offset
> of 0 bytes and a fixed size of 8 bytes. The number and offset of
> payload bytes in the BOB function MUST be configurable. If any
> of the configured set of bytes from the IP payload are unavailable
> then 0 MUST be used, which may result in a different value than
> if the hash function is run on a subset of the input.
>
> The minimum configuration ranges MUST be as follows:
>   Number of bytes: from 8 to 32
>   Offset:          from 0 to 64
>
> If the selected payload bytes are not available and the hash function
> can take a variable sized input then the hash function MUST be run
> with the information which is available and a shorter size. Passing
> 0 as a substitute for missing payload bytes is only acceptable if
> the hash function takes a fixed size as is the case with IPSX.
>
> If the hash function can take an initialisation value then this
> value MUST be configurable.
>
> A hash-based selection function MAY be configurable as a digest
> function. Any selection process which is configured as a digest
> function MUST have the output value included in the basic packet
> report for any selected packet.
>
> Each hash function used as a hash-based selector requires its own
> value for the selectorAlgorithm. Currently we have BOB (6), IPSX (7)
> and CRC (8) defined and any MAY be used for either Filtering
> or creating a Packet Digest. Only BOB is recommended though and
> SHOULD be used.
>
> The REQUIRED algorithm specific Information Elements in case of hash
> based selection are:
>
>   hashIPPayloadOffset  - The configured or set payload offset
>   hashIPPayloadSize    - The configured or set payload size
>   hashOutputRangeMin   - One or more values for the beginning of
>                          each potential output range.
>   hashOutputRangeMax   - One or more values for the end of each
>                          potential output range.
>   hashSelectedRangeMin - One or more values for the beginning of
>                          each selected range.
>   hashSelectedRangeMax - One or more values for the end of each
>                          selected range.
>   hashDigestOutput     - A boolean value, TRUE if the output from
>                          this selector has been configured to be
>                          included in the packet report as a packet
>                          digest.
>
> NOTE: If more than one selection or output range needs to be sent
> then the minimum and maximum elements may be repeated as needed.
> These MUST make one or more non-overlapping ranges. The elements
> SHOULD be sent as pairs of minimum and maximum in ascending order;
> however, if they are sent out of order then there will only be one
> way to interpret the ranges to produce a non-overlapping range and
> the Collecting Process MUST be prepared to accept and decode this.
>
> The following algorithm specific Information Element MAY be sent,
> but is optional for security considerations:
>   hashInitialiserValue - The initialiser value to the hash function.
>
> Example of a hash based filter Selector, whose configuration is:
>   Hash Function           = BOB
>   Hash IP Payload Offset  = 0
>   Hash IP Payload Size    = 16
>   Hash Initialiser Value  = 0x9A3F9A3F
>   Hash Output Range       = 0 to 0xFFFFFFFF
>   Hash Selected Range     = 100 to 200 and 400 to 500
>
> IPFIX Options Template Record:
>
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |          Set ID = 3           |          Length = 50          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |      Template ID = 269        |       Field Count = 8         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |     Scope Field Count = 1     |0|      selectorId = 300       |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |      Scope 1 Length = 4       |0|   selectorAlgorithm = 302   |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 1        |0|  hashIPPayloadOffset = 327  |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|   hashIPPayloadSize = 328   |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0| hashInitialiserValue = 329  |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|   hashOutputRangeMin = 330  |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|   hashOutputRangeMax = 331  |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|  hashSelectedRangeMin = 332 |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|  hashSelectedRangeMax = 333 |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|  hashSelectedRangeMin = 332 |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |0|  hashSelectedRangeMax = 333 |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |       Field Length = 4        |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Associated IPFIX Data Record:
>
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |         Set ID = 266          |          Length = 45          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                              22                               |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |               6               |              ...              |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |             ... 0             |              ...              |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |            ... 16             |         0x9A3F9A ...          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |            ... 3F             |              ...              |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |             ... 0             |         0xFFFFFF ...          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |            ... FF             |            ... 100            |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |              ...              |            ... 200            |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |              ...              |            ... 400            |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |              ...              |            ... 500            |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |      ...      |
> +-+-+-+-+-+-+-+-+
>
> Figure K: Example of the Selector Report Interpretation,
>           for Hash Based Filtering
>
> Notes:
>   * A selectorAlgorithm value of 6 represents hash-based Filtering
>     using the BOB algorithm.
>
> ===================================================================
>
>
> --
> to unsubscribe send a message to psamp-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/psamp/>