[11:35:14] --- paitken has joined
[11:38:31] --- paitken has left
[12:28:08] --- paitken has joined
[12:29:12] --- paitken has left
[14:15:41] --- paitken has joined
[14:29:29] --- ggm has joined
[14:32:27] <ggm> Dave in the chair
[14:32:34] <ggm> Nevil can't be here, may join by jabber
[14:32:36] --- poepping has joined
[14:32:48] <ggm> website info http://ipfix.doit.wisc.edu
[14:33:08] <ggm> slides at http://ipfix.doit.wisc.edu/IETF61/
[14:33:41] <ggm> 3 rfc's related or product, happened since last meeting. 3917, reqts draft, 3954 NetFlow V9, 3955 Eval draft.
[14:34:16] <ggm> Agenda: arch changes & issues, IPFIX over TCP, Proto changes, open issues, Info model, Applicability Statement, Per-packet info export.
[14:34:59] <ggm> new issues: interop testing, review/update WG milestones.
[14:35:04] --- gww has joined
[14:35:07] <ggm> First up: Arch draft.
[14:35:22] <ggm> architecture-04
[14:35:38] <ggm> [slide 2/8 overview]
[14:36:04] <ggm> [slide 3/8 editorial changes]
[14:36:14] <ggm> lots of editorial changes. make it clearer, easier to understand.
[14:36:32] <ggm> restructuring., introduced new IPFIX functional/logical blocks
[14:36:38] <ggm> added info model overview
[14:36:55] <ggm> number of days ago, met with Benoit to go through changes
[14:37:03] <ggm> [slide 4/8 tech changes]
[14:37:29] <ggm> things as WG evolved over time, doc needed revision for
[14:37:45] <ggm> definitions work.
[14:37:52] <ggm> proto draft should have normative references
[14:37:58] <ggm> [slide 5/8 tech changes 2]
[14:38:05] <ggm> changed to use documentation prefix for examples.
[14:38:25] <ggm> removed flow aggs, flow recording process. added collection process. rewrote overview
[14:38:35] <ggm> [slide 6/8 tech changes 3]
[14:38:44] <ggm> designed to be independent of transport
[14:38:55] <ggm> refer to proto doc to see advantages/disadavantages
[14:38:59] --- Yoshifumi Atarashi has joined
[14:39:00] --- Yoshifumi Atarashi has left: Disconnected
[14:39:07] <ggm> IANA considerations issues address.
[14:39:13] <ggm> [slide7/8 open issues]
[14:39:25] <ggm> ARCH-03 options template/data use?
[14:39:29] --- Yoshifumi Atarashi has joined
[14:39:41] <ggm> ARCH-12 security considerations. need text.. need authors
[14:39:47] <ggm> [slide 8/8 whats next]
[14:39:52] <ggm> need more people to review.
[14:40:03] <ggm> need non-IPFIX people to read and comment.
[14:40:16] <ggm> if no text for -03 and -12 issue, can be forgotten.
[14:40:22] <ggm> (we're in wrapup mode)
[14:40:35] <ggm> nevil to publish 04 asap after comment.
[14:40:42] <ggm> will then start WG last call.
[14:41:06] <ggm> if challenging things, give text
[14:41:18] <ggm> Benoit comments, on work of the other day?
[14:41:20] <ggm> Benoit.
[14:41:22] <ggm> 3 small issues.
[14:41:36] <ggm> 1st one, defn of flow key(s) list of inf element, or set of those? needs clarification
[14:41:45] <ggm> 2nd text missing on time, 3 levels of granularity
[14:42:03] <ggm> sections 9/10 could improve text.
[14:42:13] <ggm> (third)
[14:42:20] <ggm> Dave
[14:43:03] <ggm> folks working on netflow V9, protocol have been using 'key' to mean one field of these concatonated fields. opposite approach, consider it mapping into set of column names in a relational DB, don't want to confusepeople reading doc.
[14:43:50] <ggm> the 9/10 is a major structural issue with the doc. long lived, working on it for a couple of years, stuff giving overview, then more overview so some duplication. eg could use review for duplicate content. need to straighten it up in own WG last call, not give to IESG in rediculous form. but have done work
[14:44:10] <ggm> Next: Simon Leinen, IPFIX over TCP
[14:44:42] <ggm> draft-leinen-ipfix-tcp-01.txt
[14:44:49] <ggm> changes
[14:45:23] <ggm> exporter connects to collecter, aligns to SCTP mapping.
[14:45:28] <ggm> added section on how to use TLS.
[14:45:42] <ggm> special, no negotiation, must be pre-configured OOB
[14:45:47] <ggm> remaining issues.
[14:45:52] --- ggm has left
[14:45:58] --- ggm has joined
[14:46:15] <ggm> not TCP specific issues.
[14:46:38] <ggm> TCP says cannot export at required rate, how to deal with it. too specific, too much detail
[14:47:06] <ggm> structure of draft is different to UDP/SCTP homework to change, but yet to do: like mine better!
[14:47:10] <ggm> issues? compare?
[14:47:23] <ggm> have to be resolved one way or the other.
[14:47:29] <ggm> Dave acceptable to have different structure?
[14:47:38] <ggm> Simon would look funny. possible to change either.
[14:48:08] <ggm> I don't use standard terminology in PC way. nits. matter of taste. no ambiguity. precise terms makes doc harder to read but consistency says ...
[14:48:43] <ggm> ways forward. Talked to Benoit. try to get issues resolved. alignment of structure, by end of Nov. put into main protocol doc, as addition to WG doc.
[14:49:01] <ggm> Benoit: protocol draft
[14:50:18] <ggm> Went for major changes since last IETF. 2 new versions. input came from Stewart Bryant, Simon. Observe not much feedback from Mark/Ganesh. removed two authors, on draft from 00 but no contribution, not replying, removed them.
[14:50:27] <ggm> Issues closed in 05:
[14:50:35] <ggm> Proto1 flowset to set.
[14:50:51] <ggm> Proto2 removed confusion with information elements, removed types
[14:51:13] <ggm> Proto[16-19] scope issues big changes applied.
[14:51:28] <ggm> Proto27 examples changed. got rid of historical things
[14:51:59] <ggm> Terminology issue in agreement with Arch draft.
[14:52:06] <ggm> Examples now use private IP as per RFC3300.
[14:52:18] <ggm> Dave: exporter clarifications?
[14:52:31] <ggm> Benoit if initiating transport session, that will be the exporting process which does that.
[14:52:44] <ggm> Dave we turn number of instances of exporter into IPFIX device
[14:53:38] <ggm> [unnnamed] some boxes, better to speak about processes, process is more precise terminology, not that nice to use in text.
[14:53:49] <ggm> Dave always an IPFIX device? but not always an exporter.
[14:54:19] <ggm> Benoit padding definitions improved. 'shorter than any allowable flow data record in this data set' -similar sentence for all
[14:54:33] <ggm> new text about measurement parameters.
[14:55:09] <ggm> as discussed in SanDiego removed MUST/SHOULD/MAY normatives. made some spelling/editorial changes. IPR etc
[14:55:16] <ggm> Closed in V6.
[14:55:56] <ggm> Proto21. metering process statistics. new proposal, agreement with mauritzio for 3 stats
[14:56:04] <ggm> Proto26 added IANA considerations
[14:56:37] <ggm> Proto24 remove base types, specify in network byte order, canonical format
[14:56:49] <ggm> Proto35. fix definitions drift with Arch document.
[14:57:14] <ggm> Variable length elements, couldn't handle 255 byte length.
[14:57:31] <ggm> Simon Leinen change to handle 65536 octets
[14:57:40] <ggm> Open issues in V6 draft
[14:58:13] <ggm> TCP section. restructure. use correct terminology, capitalizations. if makes sense to use his, will adopt it for UDP/SCTP. want to keep all the same.
[14:58:33] <ggm> Proto31. SCTP needs improved text for sequence number, source ID.
[14:58:45] <ggm> Proto32 SCTP has contradictory sentences.
[14:59:06] <ggm> Proto33 what to do with sourceID not understood., error? discard? reset? log? needs to be well described
[14:59:12] <ggm> (really one issue: SCTP)
[14:59:42] <ggm> Proto23. finalize time details. text right now is not correct. propose new text. propose new way to do time, more optimal
[15:00:23] <ggm> Proto25 template management section has basic info about UDP, but its the exception. SCTP is the must. decide to consider only SCTP, make UDP exceptions in its section.
[15:01:13] <ggm> Proto44. IANA assigned port. for all proto Simon thinks we don't need that. want feedback. arguments are slow down WG effort. need more than one port on collector. potentially, assigned port is source of attacks
[15:01:19] <ggm> Simon. dont have experience but worried
[15:01:28] <ggm> Dave. sounds like possible to get number if we want it. not an issue
[15:01:51] --- gww has left
[15:02:37] <ggm> ggm: need port. filters/ACLS in simple firewalls
[15:02:55] <ggm> Jurgen. should have it. not big effort.
[15:03:07] <ggm> [jurgen is unnamed person above btw. I just forgot his name]
[15:03:15] <ggm> Dave will do port.
[15:03:31] <ggm> Proto36. ent specific info elems, for scope and non-scope
[15:03:47] <ggm> Proto38 IPFIX-INFO elem consistency. not yet defined elements
[15:04:29] <ggm> Proto39. template ID max. do we wrap around? 16 bits 'enough' but have to forsee the case. what will collector think? new data set with wrong ID!
[15:05:22] <ggm> Proto34. security expert review needde
[15:05:30] <ggm> Proto30 review requirements RFC3917
[15:05:32] <ggm> could be done in last call
[15:05:44] <ggm> Proposal.
[15:06:22] <ggm> charter targets for flows. thats why we have rquirements RFC for flow-related apps. but now we have templates, we can export any kind of info. flow related, psamp report, packets, MIB variables. ..
[15:06:37] --- nevil has joined
[15:06:42] <ggm> why not change meaning of acronym to IP Flexible Inf. eXport.
[15:07:02] <ggm> any blocking factors in charter? no.. up to us. people may not know about this proto for accounting and info. export
[15:08:04] <ggm> Simon. can see this. talking to somebody when netconf came out. well, know testing devices, can use proto to config. also to export text results, real time streams. look at this. risk, too many baggages. designed for this. should think about the the apps good for, not so good for.
[15:08:32] --- faw has joined
[15:08:58] <ggm> Dave. to clarify. does it conflict with charter to change name. Bert says can have WG differnt to name, but have to decide if this is out of scope. don't like changing name, work for 3 years has been validating this task. taking on new responsibilities, flexible, not sure would design this way for general tx protocol.
[15:09:12] <ggm> Benoit agree with this, but didn't target flexible but is, so why not use it?
[15:09:32] <ggm> Can export anything you want, inf. elem, whatever you want, define elem, ith will give it to you.
[15:10:06] <nevil> Sorry to be late joining, I have students sitting an exam this morning :-)
[15:11:18] <ggm> Jurgen have lot of sympathy, from PSAMP, use proto, IP source of flow, can we use this inf for flow, packets. don't think its the best idea. want to say defining flexible, apply to flow. I think going to affect? progress. have to go back to reqts, only looked at flow export requirements. have to change proto doc. split. many parts clearly dedicated to metering. would have to split. 2 probably. good idea, but. not at this time. go forward. revision, can use proto in other places then time to change it, not at this stage.
[15:11:30] <ggm> [if I find time, will let dave know youre here]
[15:11:56] <ggm> [unnamed person] agree. can do more with IPFIX, but having original intention reflects reqts doc important. dont change the name. can use for more
[15:12:13] --- sleinen has joined
[15:12:48] <ggm> [unnamed other person] wont change name later on. either now or never. decide if reasonable to use IPFIX for other thgs. have request from people to use this. seems to make sense to me to go ahead, do it. even if protocol is not ideal for all exported data. is usable for more than just flow data
[15:13:17] <sleinen> The last unnamed person was Chris Elliott
[15:13:30] <ggm> [third unnamed person] will have to explain in applicability statement, more inclusive, usually exclusive [I know this person but forgot his name]
[15:14:10] <ggm> Benoit I agree with comments. Jurgen mentions have to go back to requirements I dont think so. Agree with applicability statement. only if THINK applicable to you will read this. some people will overlook.
[15:14:15] <ggm> Bert not as AD:
[15:15:03] <ggm> was discussed in hallway. chat with WG chairs over lunch. looking through docs, if you were talking about assigning a port, doesnt delay doc, but if I search for string FLOW happens many times. so its global change from FLOW to FLEXIBLE. FLEXIBLE records, data, quite an editing task even if good idea.
[15:15:17] <ggm> Benoit. only change Acronym, not substance
[15:15:23] <ggm> Bert its nonsense. just a title!
[15:15:47] <ggm> Benoit. nobody knows about IPFIX, could export whatever they want.
[15:16:27] <ggm> [unnamed person 4] good idea to use it, eg for interface counters, MIB, real life, use lot of things to pull these counters
[15:17:43] <ggm> Dave. ask Benoit or proponents to flesh this out a bit more. indiv. submission. from what hearing change only in name is not a change, if to address issues needs broadening, background info, but do applicability statement as flexible protocol eg HTTP as ubiquitous protocol. argument not used because of name is not neccessarily shown by precedent
[15:17:53] <ggm> Benoit open issues to discuss?
[15:18:15] <ggm> draft by end of month. please review.
[15:18:39] <ggm> [I told dave you're here Nevil[
[15:19:05] <ggm> IPFIX Information model. Juergen.
[15:19:28] <ggm> Juergen. not satisfied with doc last time. not in good shape. just worked on document, not on info model. minor changes to elems
[15:19:41] <ggm> added RFC boilerplate
[15:19:56] <nevil> Thanks George. I agree with Bert on WG name. Better to get RFCs done as they are, then (as Juergen said) can make other RFC to extend system by adding new sections of info elements
[15:20:19] <ggm> made separation between delta and total counters clear in text
[15:20:48] <ggm> added section on Inf Elem ID space. added tables.ranges of assigned, reserved, vendor-defined.
[15:22:06] <ggm> grouped elements by contents. header stuff, properties of metering/export proceses, min/max flow properties, and Counters (group names)
[15:23:04] <ggm> Action items.
[15:23:52] <ggm> not many open issues. actions: missing Inf.Elems. check against requirements document. review IE definitions.
[15:24:13] <ggm> need to revise extensibility section.
[15:24:40] <nevil> One other remark (I think Dave put it on the agenda): it would be good to see some IPFIX interoperability testing get under way
[15:24:53] <ggm> Open issue, how to add new data types.
[15:24:57] <ggm> [yes, its on the agenda]
[15:25:23] <ggm> [do you want any of this said?]
[15:25:42] <ggm> will take ideas on data type addtions to ML
[15:26:11] <ggm> next revision before christmas, then thnk ready for WG last call
[15:26:14] <nevil> [Only if you think it will add to the discussion, when it comes up ;-)]
[15:27:24] <ggm> Dave just did vote, 6 in favour of namechange, 12 against.
[15:27:47] <ggm> Tania, IPFIX applicability update
[15:27:51] <ggm> short update
[15:28:36] <ggm> included new sections. on IDMEF (intrusian detection), PSAMP Where not to use IPFIX (planned) .
[15:28:41] <ggm> corrections and comments.
[15:28:44] <ggm> copyrights.
[15:28:45] <ggm> open issues.
[15:29:14] <ggm> IPFIX and IPV6, and RMON, and TEWG. need volunteers to write on RMON/TEWG
[15:29:24] <ggm> what else is needed? looked at other applicability statements.
[15:29:38] <ggm> found lot of 'intended use' IPFIX can do a lot.
[15:29:45] <ggm> advantages to other protocols, we have some stuff on that.
[15:29:58] <ggm> scaleeablity/limitations. not yet, but can do in the 'not to use IPFIX' section
[15:30:42] <ggm> unusual cases/special case uses. have some examples. -detail can vary. Q is what do we need now? more or different? I dont think so. have lot of potential use, relations to other frameworks.
[15:31:14] <ggm> maybe more details on scenarios. example message exchange, example messages. typical or special? would lik to focus on special. explain how to do it
[15:31:39] <ggm> have had exchange with Nevil, planned teleconf. (next week?) for input
[15:31:44] <ggm> Dave Questions?
[15:32:19] <nevil> !! try to keep it as a fairly short, 'intro to IPFIX' document !!
[15:32:43] <ggm> benefit to work in area long time.
[15:32:51] <ggm> ggm want simple examples
[15:32:52] <nevil> !! yes, teleconf would be a good idea. We'll arrange that by email
[15:33:18] <ggm> Tania important to have flow in there.
[15:33:27] <ggm> [ok will break in and say]
[15:34:07] <ggm> [done]
[15:34:45] <ggm> [she said she's already mailed you about it]
[15:34:59] <nevil> ok, tnx george
[15:35:10] <ggm> Elisa Boschi. Use of IPFIX for export of per-packet info.
[15:35:52] <ggm> [slide overview] -problem statement, solutions, example, one-way delay measurement, PSAMP, evaluation, conclusions
[15:35:58] <ggm> [slide problem statement]
[15:36:48] <ggm> idea is, there are measurements, need to export info as packets instead of flows. can be done using IPFIX. one way to consider the packet as a very small flow. one packet flow. export flow records. but could also use two different records, separating the flow info and the pakcet information.
[15:36:54] <ggm> [slide export recs with packet info]
[15:37:17] <ggm> if use flow records, some data, referring to flow, repeated all the time. high degree of redundancy. shared attribs.
[15:37:37] <ggm> [slide separate templates]
[15:38:01] <ggm> by just reporting flow info as pointer into packet info,
[15:38:10] <ggm> [slide example, one-way packet measurement delay]
[15:38:40] <ggm> need two measurement points, one, each end of path, capture packets, assign ID, pick timestamps, export values to collecter, evaluate delay by difference of timestamps.
[15:38:50] <ggm> [slide OWD example templates]
[15:39:13] <ggm> dont need to repeat values, just indexes.
[15:39:23] <ggm> [slide PSAMP]
[15:39:57] <ggm> PSAMP good example, packets being exported not flow. in this case, already agreed to use IPFIX to do export. satisfies requirements, good match to arch.
[15:40:16] <ggm> proposed using flow records. but flow+packet reduces redundency. better solution for PSAMP.
[15:40:20] <ggm> [slide evaluation]
[15:40:27] <ggm> pro and cons.
[15:40:50] <ggm> pro. reduced data. 16 vs 28 bytes per packet. less storage needed at collecter.
[15:41:12] <ggm> con. extra processing power, collector has to process records of two templates, corelation (additional post processing cost)
[15:42:27] <ggm> [slide showing savings]
[15:42:30] <ggm> [slide conclusions]
[15:43:07] <ggm> proposed solution makes small change, reduces overhead. want to do as separate draft? or integrate into IPFIX, or PSAMP
[15:44:57] <ggm> [unnamed person] extension introduces new IDs. already extensible so not a new change
[15:45:51] <ggm> Dave. like inventing new template. another way to use it, using existing template is to prefill with fixed values. messge type. send data pre-fill it, stick on template, change way downloaded.
[15:47:24] <ggm> Dave. people from NEC talked about impl inside their work. Thierry with is work. know of those participants.
[15:47:39] <ggm> Juergen. thinking about interop event.
[15:47:56] <ggm> Dave. if people interested can mail chairs, will set up fixed list of participants, how to do, timelines.
[15:48:17] <ggm> Review of WG milestones. update
[15:49:02] <ggm> propose taking arch, infomodel, applic and protocol, all to WG last calls up to March IETF. update dates to April 6 2005. month after March meeting, allow regroup once more after WGlast call, get them back. comments?
[15:49:07] <ggm> need fresh eyes
[15:49:34] <ggm> breadth instead of peephole reviewing needed. (compiler metaphor)
[15:51:15] <ggm> [wow. is we done?]
[15:51:24] <ggm> [we is done]
[15:51:38] <nevil> goed zo!
[15:51:45] --- faw has left
[15:51:50] <ggm> [toggle switch] G 700000
[15:52:01] <nevil> THanks very much for your - as always - impecable scribing george :)
[15:52:12] <ggm> heh. if you knew what they were REALLY saying... :-)
[15:52:19] --- Yoshifumi Atarashi has left
[15:52:25] <nevil> Don;t worry, I trust you
[15:52:57] <ggm> hope you make March IETF or Paris!
[15:53:26] --- ggm has left
[15:54:53] --- nevil has left: Disconnected
[16:04:21] --- paitken has left: Disconnected
[16:06:55] --- poepping has left
[16:11:06] --- sleinen has left