Data Collection Protocols: PSAMP

The Packet Sampling (PSAMP) working group history started soon after the IPFIX working group creation: the IETF 53 meeting in March 2002 held the first BOF. There was a clear need to define a standard set of capabilities for network elements to sample subsets of packets by statistical and other methods—specifically, on the high-end routers where monitoring every packet was practically impossible. The focus of the working group was to

  • Specify a set of selection operations by which packets are sampled.

  • Specify the information that is to be made available for reporting on sampled packets.

  • Describe protocols by which information on sampled packets is reported to applications.

  • Describe protocols by which packet selection and reporting are configured.

The PSAMP working group was created but did not limit the selection operations to packet sampling, as its name may imply; it also covered the filtering and hashing functions. PSAMP addressed the standardization of the metering process, one component that was not addressed by the IPFIX working group.

The RFC draft Sampling and Filtering Techniques for IP Packet Selection covers all sampling and filtering techniques described in Chapter 2, plus some additional ones:

  • Systematic sampling (also known as deterministic sampling)

  • Random n-out-of-N sampling, random probabilistic sampling

  • Uniform probabilistic sampling, nonuniform probabilistic sampling

  • Nonuniform flow state-dependent sampling

  • Mask/match filtering and hash-based selection

  • Stratified sampling

PSAMP Protocol Specifications

For export of PSAMP packet information, the IPFIX protocol is used. The IPFIX protocol is well suited for this purpose, because the IPFIX architecture matches the PSAMP architecture very well, and the means provided by the IPFIX protocol are sufficient.

Concerning the protocol, the major difference between IPFIX and PSAMP is that the IPFIX protocol exports flow records while the PSAMP protocol exports packet records because there is no notion of a flow in PSAMP. The exported packet records, called "packet reports" in the PSAMP terminology, must contain the following:

  • The input sequence number.

  • Some number of contiguous bytes from the start of the packet, including the packet header (which includes link layer, network layer, and other encapsulation headers), plus some subsequent bytes of the packet payload.

Optionally, the packet reports may contain the following:

  • A field related to the observed protocols (IPv4, IPV6, transport protocols, MPLS)

  • A field related to the packet treatment

  • A field associated with the packet (for example, timestamps)

From a pure export point of view, the IPFIX protocol does not distinguish a flow record composed of several aggregated packets from a flow record composed of a single packet (a PSAMP packet report). So the PSAMP export is a special IPFIX Flow Record containing information about a single packet. Even if the IPFIX export protocol was developed with the notion of a flow record in mind, it is a generic export protocol and is well suited for PSAMP.

Because the developments of the IPFIX and PSAMP drafts were carried out in parallel, all PSAMP requirements regarding the IPFIX protocol were introduced directly in the IPFIX protocol specification. Extensions of the IPFIX protocol needed by PSAMP are rather limited. A basic requirement is the need for a data type for protocol fields that have a flexible length, such as an octet array. This is needed by the PSAMP protocol for reporting content of captured packets because the hash-based selection for trajectory sampling requires the first few bytes of payload. Because the different encapsulation headers might modify the total packet length, IPFIX specifies the notion of flexible length field type, referred to as the "Variable-Length Information Element" in the IPFIX protocol specifications.

From an information model point of view, the overlap of both protocols is still quite large. Most of the field types in the IPFIX protocol also apply to PSAMP—for example, all the packet header field types. Because the IPFIX information model is rather limited concerning sampling, and because specific field types are required to fully describe the different PSAMP techniques, a set of several additional field types specific to PSAMP will be published as an RFC (currently work in progress, <draft-ietf-psamp-info-05.txt>) PSAMP Information Model, exploiting the extensibility of the IPFIX information model.

The authors think that over time, boundaries will fade between PSAMP and IPFIX from an export and information element point of view and that the IPFIX information elements well beyond flow records and packet sampling-related information will be registered. In other words, the IFPIX and PSAMP efforts will probably merge over time.

PSAMP References

Table 3-8 lists the RFCs that describe PSAMP.

Table 3-8. PSAMP References
[(*)]InformationalA Framework for Packet Selection and ReportingFramework, components of the architecture, and requirements
[(*)]InformationalSampling and Filtering Techniques for IP Packet SelectionSampling and filtering techniques, with the required parameters
[(*)]StandardPacket Sampling (PSAMP) Protocol SpecificationsThe protocol itself
[(*)]StandardDefinitions of Managed Objects for Packet SamplingMIB managed objects for the PSAMP protocol
[(*)]StandardInformation Model for Packet Sampling ExportsThe information elements exported by the protocol

[(*)] IETF draft, work in progress: will be published as RFC.

Part II: Implementations on the Cisco Devices