[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PSAMP: ipHeaderPacketSection and mplsLabelStackSection

To: psamp <psamp@ops.ietf.org>
Subject: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
From: Paul Aitken <paitken@cisco.com>
Date: Fri, 24 Mar 2006 02:33:09 +0000
In-reply-to: <440C206A.9050902@cisco.com>
References: <440C206A.9050902@cisco.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) Gecko/20050811 Fedora/1.7.10-1.2.1.legacy

Dear psampers,

As I presented in yesterday's PSAMP WG meeting, PSAMP-INFO has one openissue which must be solved:

  Should the ipHeaderPacketSection and mplsLabelStackSection also
  report payload contents if the specified section length is longer
  than the IP header or stack size, respectively?

Actually, it also applies to the dataLinkFrameSection which "carries thefirst n octets from the data link frame of a sampled packet."

- but if sufficient length is specified, does it continue on to alsoreport the L3 header and even the L3 payload?

Sometimes capture of some octets of the payload information is veryuseful - eg, to capture the UDP/TCP port numbers, or for protocol analysis.

But in yesterday's WG meeting, it was pointed out that there may bescenarios where capture of payload information is undesireable and maybeeven illegal. So clearly we need to find a way to control access to thepayload information.

So below, I present two possible solutions for discussion. Others may bepossible too.

Please express your opinions immediately so we can resolve and closethis issue.


Thanks.


(1) Use multiple information elements, eg:

    ipPacketSection            - IP header, continuing into the payload
    ipHeaderPacketSection      - IP header only
    ipPayloadPacketSection     - IP payload only

    dataLinkFrameSection       - data link frame, continuing into L3
    dataLinkHeaderFrameSection - data link header only

    mplsPacketSection          - MPLS label stack, cont into payload
    mplsLabelStackSection      - MPLS label stack only
    mplsPayloadPacketSection   - MPLS payload only


    - export of the relevant IEs can be ommitted
      when access to payload information is undesireable.

    - how can you capture port or protocol information
      without knowing some payload bytes?

(2) Use the existing information elements, with an application specificconfiguration knob controlling whether they continue into the nextsection or not:


    ipHeaderPacketSection    - IP header, optionally cont into payload
    ipPayloadPacketSection   - IP payload only

    dataLinkFrameSection     - data link frame, continuing into L3

    mplsLabelStackSection    - MPLS label stack, opt cont into payload
    mplsPayloadPacketSection - MPLS payload only


    - how will the exporter report whether or not
      the configuration knob is set? With another IE?

Regarding the length of packet sections, the common rule (regardless ofthe IE definition) is that the exact amount of requested octets must beexported as was defined in the template (ie, no padding short sectionswith zero), else a new template must be sent either with the availablelength or using variable length encoding.


--
Paul Aitken
Cisco Systems Ltd, Edinburgh, Scotland.

--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>

Follow-Ups:
- Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Thomas Dietz <Thomas.Dietz@netlab.nec.de>

References:
- PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Paul Aitken <paitken@cisco.com>

Prev by Date: Re: [ipfix] Source ID -> Observation Domain Id?
Next by Date: Re: [ipfix] Source ID -> Observation Domain Id?
Previous by thread: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Next by thread: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Index(es):
- Date
- Thread