Minutes of the RTFM Working Group, Munich, Thursday 14 August 97

Reported by Greg Ruth and Stephen Stibler

The WG's new charter (which has been approved by IESG) was reviewed; it
is very much the same as the old one, but with a much stronger emphasis
on security.  A new goal of the WG is to share our experience with traffic
measurement and accounting with other groups.

Nevil Brownlee reported on the current state of NeTraMet.  A new
release has been available in beta since May 97.  It implements all the
features of our current MIB draft, and NeMaC (NeTraMet's manager)
provides much better checking for invalid rule sets.  The PC version of
the meter uses 32-bit addressing, greatly increasing the number of
flows it can handle.  Nevil is working on a NeTraMet front-end for
Cisco NetFlow data.

Sig Handelman reported briefly on the state of the IBM Meter
implementation.  Since last IETF they have implemented the current MIB
and are testing several new attributes.

There were three short presentations of work in traffic flow
measurement:

 * Siegfried Loeffler described "Fluid," a Java version of Nifty (an
   X-windows analysis program distributed with NeTraMet).  This uses 
   Java SNMP classes from Advent Networks, together with their Secure
   Applet Server (which runs on the Web server and serves as a proxy 
   to allow other hosts to do SNMP interactions with an SNMP agent,
   in this case a NeTraMet meter).  Fluid displays the current traffic
   on the network in real time inside a Web Browser.  It reads about
   300 flow records in 10 seconds, which is fast enough for it to be
   a useful tool for overseeing a network.  Siegfried would like to
   see other people continue this work. A URL for Fluid is http://www.
   mathematik.uni-stuttgart.de/~floeff/diplom/ietfslides/index.htm
   
 * Nevil presented a set of slides from Massimiliano Cansona at Cefriel
   in Italy.  These describe work done by Matteo Snidero on measuring
   RSVP-controlled flows.  He has produced a program which uses RSVP
   request packets to build up a matrix of information about RSVP
   sessions.  Whenever this table changes the program writes a NeTraMet
   rule set which is downloaded to a NeTraMet meter.  The meter has
   been extended with two new attributes - IsRSVP and 
   FlowTokenBucketRate.  These are set by the rules for flows with RSVP
   reservations, and collected by a meter reader along with the 
   measured packet and byte counts.  This allows an analysis
   application to see how actual usage compares with the RSVP request.
   This work is being continued at Cefriel; their URL is
   http://www.cefriel.it/ntw.
   
 * Sig presented a set of slides from John Stewart and John Robinson
   in Ottawa.  They have produced MultiMON, an IP multicast monitor,
   and have released version 1.1 to the community for testing.
   MultiMON allows one to see (on a pie chart) what types of multicast
   traffic are running.  It allows one to join and monitor multicast
   conferences, and will produce plots indicating how RTCP streams are
   performing.  This work is continuing; we hope it will prove useful
   to RTFM as we strive to produce extended attributes for multicast.   
   MultiMON's URL is http://www.merci.crc.doc.ca/mbone/MultiMON.
    
The current Meter MIB draft contains the corrections discussed in
Memphis.  A final version (with minor editorial changes) will be
published shortly.  This will go to WG last call, before being
submitted to IESG for publication as a Proposed Standard RFC.

To complement the new Meter MIB we need to revise the Architecture RFC.
Nevil summarised the changes needed, and pointed out that - apart from
a proper 'Security Considerations' section - only very small changes
are needed.  After further discussion, the WG agreed that the editors
will produce a list of proposed changes for discussion on the mailing
list, then publish a new 'Architecture' Draft.  This will be followed
by a WG last call, leading to submission as a Proposed Standard.

The latest 'New Attributes' draft was discussed; this has been extended
to include a method of implementing 'distribution-valued' attributes,
proposes ten such attributes, i.e. To/From Packet Size, InterArrival
Time, Turnaround Time, Byte- and Packet-Rate.  Nevil gave a brief
presentation on implementation experience with these.

The numbering of attributes was discussed; we propose to reserve 1..63
for 'Basic Meter' attributes, 65..127 for 'Extended' attributes, and
129..255 for 'Experimental' (user-defined) attributes.  It was pointed
out that it should be possible to determine which attributes are
implemented on a meter.

Attributes derived from TCP headers were discussed; we need a
small group of TCP wizards to consider this and send a proposal to the
mailing list.

Security-related attributes were discussed.  It would be useful to
count the number of different values appearing in RTFM attributes
(e.g. destination port numbers for specified source/destination
peer address pairs); this will be investigated.

The WG's Goals and Milestones were reviewed, but do not need changing
at this time.