Internet-Draft Network Telemetry Framework October 2021
Song, et al. Expires 10 April 2022 [Page]
Workgroup:
OPSAWG
Internet-Draft:
draft-ietf-opsawg-ntf-08
Published:
Intended Status:
Informational
Expires:
Authors:
H. Song
Futurewei
F. Qin
China Mobile
P. Martinez-Julia
NICT
L. Ciavaglia
Nokia
A. Wang
China Telecom

Network Telemetry Framework

Abstract

Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption. This document describes an architectural framework for network telemetry, motivated by challenges that are encountered as part of the operation of networks and by the requirements that ensue. This document clarifies the terminologies and classifies the modules and components of a network telemetry system from several different perspectives. The framework and taxonomy help to set a common ground for the collection of related work and provide guidance for related technique and standard developments.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 10 April 2022.

Table of Contents

1. Introduction

Network visibility is the ability of management tools to see the state and behavior of a network, which is essential for successful network operation. Network Telemetry revolves around network data that can help provide insights about the current state of the network, including network devices, forwarding, control, and management planes, and that can be generated and obtained through a variety of techniques, including but not limited to network instrumentation and measurements, and that can be processed for purposes ranging from service assurance to network security using a wide variety of techniques including machine learning, data analysis, and correlation. In this document, Network Telemetry refer to both the data itself (i.e., "Network Telemetry Data"), and the techniques and processes used to generate, export, collect, and consume that data for use by potentially automated management applications. Network telemetry extends beyond the historical network Operations, Administration, and Management (OAM) techniques and expects to support better flexibility, scalability, accuracy, coverage, and performance.

However, the term "network telemetry" lacks an unambiguous definition. The scope and coverage of it cause confusion and misunderstandings. It is beneficial to clarify the concept and provide a clear architectural framework for network telemetry, so we can articulate the technical field, and better align the related techniques and standard works.

To fulfill such an undertaking, we first discuss some key characteristics of network telemetry which set a clear distinction from the conventional network OAM and show that some conventional OAM technologies can be considered a subset of the network telemetry technologies. We then provide an architectural framework for network telemetry which includes four modules, each concerned with a different category of telemetry data and corresponding procedures. All the modules are internally structured in the same way, including components that allow to configure data sources with regards to what data to generate and how to make that available to client applications, components that instrument the underlying data sources, and components that perform the actual rendering, encoding, and exporting of the generated data. We show how the network telemetry framework can benefit the current and future network operations. Based on the distinction of modules and function components, we can map the existing and emerging techniques and protocols into the framework. The framework can also simplify the tasks for designing, maintaining, and understanding a network telemetry system. At last, we outline the evolution stages of the network telemetry system and discuss the potential security concerns.

The purpose of the framework and taxonomy is to set a common ground for the collection of related work and provide guidance for future technique and standard developments. To the best of our knowledge, this document is the first such effort for network telemetry in industry standards organizations.

2. Glossary

Before further discussion, we list some key terminology and acronyms used in this document. We make an intended differentiation between the terms of network telemetry and OAM. However, it should be understood that there is not a hard-line distinction between the two concepts. Rather, network telemetry is considered as an extension of OAM. It covers all the existing OAM protocols but puts more emphasis on the newer and emerging techniques and protocols concerning all aspects of network data from acquisition to consumption.

AI:
Artificial Intelligence. In network domain, AI refers to the machine-learning based technologies for automated network operation and other tasks.
AM:
Alternate Marking, a flow performance measurement method, specified in [RFC8321].
BMP:
BGP Monitoring Protocol, specified in [RFC7854].
DPI:
Deep Packet Inspection, referring to the techniques that examines packet beyond packet L3/L4 headers.
gNMI:
gRPC Network Management Interface, a network management protocol from OpenConfig Operator Working Group, mainly contributed by Google. See [gnmi] for details.
GPB:
Google Protocol Buffer, an extensible mechanism for serializing structured data.
gRPC:
gRPC Remote Procedure Call, a open source high performance RPC framework that gNMI is based on. See [grpc] for details.
IPFIX:
IP Flow Information Export Protocol, specified in [RFC7011].
IOAM:
In-situ OAM, a dataplane on-path telemetry technique.
JSON:
An open standard file format and data interchange format that uses human-readable text to store and transmit data objects.
MIB:
Management Information Base, a database used for managing the entities in a network.
NETCONF:
Network Configuration Protocol, specified in [RFC6241].
NetFlow:
A Cisco protocol for flow record collecting, described in [RFC3594].
Network Telemetry:
The process and instrumentation for acquiring and utilizing network data remotely for network monitoring and operation. A general term for a large set of network visibility techniques and protocols, concerning aspects like data generation, collection, correlation, and consumption. Network telemetry addresses the current network operation issues and enables smooth evolution toward future intent-driven autonomous networks.
NMS:
Network Management System, referring to applications that allow network administrators to manage a network.
OAM:
Operations, Administration, and Maintenance. A group of network management functions that provide network fault indication, fault localization, performance information, and data and diagnosis functions. Most conventional network monitoring techniques and protocols belong to network OAM.
PBT:
Postcard-Based Telemetry, a dataplane on-path telemetry technique.
SMIv2
Structure of Management Information Version 2, defining MIB objects, specified in [RFC2578].
SNMP:
Simple Network Management Protocol. Version 1 and 2 are specified in [RFC1157] and [RFC3416], respectively.
YANG:
YANG is a data modeling language for the definition of data sent over network management protocols such as the NETCONF and RESTCONF. YANG is defined in [RFC6020] and [RFC7950].
YANG ECA
A YANG model for Event-Condition-Action policies, defined in [I-D.wwx-netmod-event-yang].
YANG-Push:
A mechanism that allows subscriber applications to request a stream of updates from a YANG datastore on a network device. Details are specified in [RFC8641] and [RFC8639].

3. Background

The term "big data" is used to describe the extremely large volume of data sets that can be analyzed computationally to reveal patterns, trends, and associations. Networks are undoubtedly a source of big data because of their scale and the volume of network traffic they forward. It is easy to see that network operations can benefit from network big data to gather insights into flows without breaching privacy.

Today one can access advanced big data analytics capability through a plethora of commercial and open source platforms (e.g., Apache Hadoop), tools (e.g., Apache Spark), and techniques (e.g., machine learning). Thanks to the advance of computing and storage technologies, network big data analytics gives network operators an opportunity to gain network insights and move towards network autonomy. Some operators start to explore the application of Artificial Intelligence (AI) to make sense of network data. Software tools can use the network data to detect and react on network faults, anomalies, and policy violations, as well as predicting future events. In turn, the network policy updates for planning, intrusion prevention, optimization, and self-healing may be applied.

It is conceivable that an autonomic network [RFC7575] is the logical next step for network evolution following Software Defined Network (SDN), aiming to reduce (or even eliminate) human labor, make more efficient use of network resources, and provide better services more aligned with customer requirements. The related technique of Intent-based Networking (IBN) [I-D.irtf-nmrg-ibn-concepts-definitions] requires network visibility and telemetry data in order to ensure that the network is behaving as intended.

However, while the data processing capability is improved and applications are hungry for more data, the networks lag behind in extracting and translating network data into useful and actionable information in efficient ways. The system bottleneck is shifting from data consumption to data supply. Both the number of network nodes and the traffic bandwidth keep increasing at a fast pace. The network configuration and policy change at smaller time slots than before. More subtle events and fine-grained data through all network planes need to be captured and exported in real time. In a nutshell, it is a challenge to get enough high-quality data out of the network in a manner that is efficient, timely, and flexible. Therefore, we need to survey the existing technologies and protocols and identify any potential gaps.

In the remainder of this section, first we clarify the scope of network data (i.e., telemetry data) concerned in the context. Then, we discuss several key use cases for today's and future network operations. Next, we show why the current network OAM techniques and protocols are insufficient for these use cases. The discussion underlines the need of new methods, techniques, and protocols, as well as the extensions of existing ones, which we assign under the umbrella term - Network Telemetry.

3.1. Telemetry Data Coverage

Any information that can be extracted from networks (including data plane, control plane, and management plane) and used to gain visibility or as basis for actions is considered telemetry data. It includes statistics, event records and logs, snapshots of state, configuration data, etc. It also covers the outputs of any active and passive measurements [RFC7799]. In some cases, raw data is processed in network before being sent to a data consumer. Such processed data is also considered telemetry data. The value of telemetry data varies. Less but higher quality data are often better than lots of low quality data. A classification of telemetry data is provided in Section 4.

3.2. Use Cases

The following set of use cases is essential for network operations. While the list is by no means exhaustive, it is enough to highlight the requirements for data velocity, variety, volume, and veracity in networks.

3.3. Challenges

For a long time, network operators have relied upon SNMP [RFC3416], Command-Line Interface (CLI), or Syslog to monitor the network. Some other OAM techniques as described in [RFC7276] are also used to facilitate network troubleshooting. These conventional techniques are not sufficient to support the above use cases for the following reasons:

These challenges were addressed by newer standards and techniques (e.g., IPFIX/Netflow, PSAMP, IOAM, and YANG-Push) and more are emerging. These standards and techniques need to be recognized and accommodated in a new framework.

3.4. Network Telemetry

Network telemetry has emerged as a mainstream technical term to refer to the network data collection and consumption techniques. Several network telemetry techniques and protocols (e.g., IPFIX [RFC7011] and gRPC [grpc]) have been widely deployed. Network telemetry allows separate entities to acquire data from network devices so that data can be visualized and analyzed to support network monitoring and operation. Network telemetry covers the conventional network OAM and has a wider scope. It is expected that network telemetry can provide the necessary network insight for autonomous networks and address the shortcomings of conventional OAM techniques.

Network telemetry usually assumes machines as data consumers rather than human operators. Hence, the network telemetry can directly trigger the automated network operation, while in contrast some conventional OAM tools are designed and used to help human operators to monitor and diagnose the networks and guide manual network operations. Such a proposition leads to very different techniques.

Although new network telemetry techniques are emerging and subject to continuous evolution, several characteristics of network telemetry have been well accepted. Note that network telemetry is intended to be an umbrella term covering a wide spectrum of techniques, so the following characteristics are not expected to be held by every specific technique.

In addition, an ideal network telemetry solution may also have the following features or properties:

It is worth noting that a network telemetry system should not be intrusive to normal network operations by avoiding the pitfall of the "observer effect". That is, it should not change the network behavior and affect the forwarding performance. Otherwise, the whole purpose of network telemetry is compromised.

Although in many cases a system for network telemetry involves a remote data collecting and consuming entity, it is important to understand that there are no inherent assumptions about how a system should be architected. Telemetry data producers and consumers can work in distributed or peer-to-peer fashions rather than assuming a centralized data consuming entity. In such cases, a network node can be the direct consumer of telemetry data from other nodes.

3.5. The Necessity of a Network Telemetry Framework

Network data analytics and machine-learning technologies are applied for network operation automation, relying on abundant and coherent data from networks. Data acquisition that is limited to a single source and static in nature will in many cases not be sufficient to meet an application's telemetry data needs. As a result, multiple data sources, involving a variety of techniques and standards, will need to be integrated. It is desirable to have a framework that classifies and organizes different telemetry data source and types, defines different components of a network telemetry system and their interactions, and helps coordinate and integrate multiple telemetry approaches across layers. This allows flexible combinations of data for different applications, while normalizing and simplifying interfaces. In detail, such a framework would benefit application development for the following reasons:

A telemetry framework collects together all of the telemetry-related works from different sources and working groups within IETF. This makes it possible to assemble a comprehensive network telemetry system and to avoid repetitious or redundant work. The framework should cover the concepts and components from the standardization perspective. This document describes the modules which make up a network telemetry framework and decomposes the telemetry system into a set of distinct components that existing and future work can easily map to.

4. Network Telemetry Framework

The top level network telemetry framework partitions the network telemetry into four modules based on the telemetry data object source and represents their relationship. At the next level, the framework decomposes each module into separate components. Each of the modules follows the same underlying structure, with one component dedicated to the configuration of data subscriptions and data sources, a second component dedicated to encoding and exporting data, and a third component instrumenting the generation of telemetry related to the underlying resources. Throughout the framework, the same set of abstract data acquiring mechanisms and data types (Section 4.3)are applied. The two-level architecture with the uniform data abstraction helps accurately pinpoint a protocol or technique to its position in a network telemetry system or disaggregate a network telemetry system into manageable parts.

4.1. Top Level Modules

Telemetry can be applied on the forwarding plane, the control plane, and the management plane in a network, as well as other sources out of the network, as shown in Figure 1. Therefore, we categorize the network telemetry into four distinct modules with each having its own interface to Network Operation Applications.

                +------------------------------+
                |                              |
                |       Network Operation      |<-------+
                |          Applications        |        |
                |                              |        |
                +------------------------------+        |
                        ^          ^       ^            |
                        |          |       |            |
                        V          V       |            V
                +--------------+-----------|---+  +-----------+
                |              | Control   |   |  |           |
                |              | Plane     |   |  | External  |
                |            <--->         |   |  | Data and  |
                |              | Telemetry |   |  | Event     |
                |  Management  |       ^   V   |  | Telemetry |
                |  Plane       +-------|-------+  |           |
                |  Telemetry   |       V       |  +-----------+
                |              | Forwarding    |
                |              | Plane         |
                |            <--->             |
                |              | Telemetry     |
                |              |               |
                +--------------+---------------+
Figure 1: Modules in Layer Category of NTF

The rationale of this partition lies in the different telemetry data objects which result in different data source and export locations. Such differences have profound implications on in-network data programming and processing capability, data encoding and transport protocol, and required data bandwidth and latency. Data can be sent directly, or proxied via the control and management planes. There are advantages/disadvantages to both approaches.

We summarize the major differences of the four modules in the following table. They are compared from six angles:

  • Data Object
  • Data Export Location
  • Data Model
  • Data Encoding
  • Telemetry Protocol
  • Transport Method

Data Object is the target and source of each module. Because the data source varies, the location where data is mostly conveniently exported also varies. For example, forwarding plane data mainly originates as data exported from the forwarding ASICs, while control plane data mainly originates from the protocol daemons running on the control CPU(s). For convenience and efficiency, it is preferred to export the data off the device from locations near the source. Because the locations that can export data have different capabilities, different choices of data model, encoding, and transport method are made to balance the performance and cost. For example, the forwarding chip has high throughput but limited capacity for processing complex data and maintaining states, while the main control CPU is capable of complex data and state processing, but has limited bandwidth for high throughput data. As a result, the suitable telemetry protocol for each module can be different. Some representative techniques are shown in the corresponding table blocks to highlight the technical diversity of these modules. Note that the selected techniques just reflect the de-facto state of the art and are not exhaustive. The key point is that one cannot expect to use a universal protocol to cover all the network telemetry requirements.

+---------+--------------+--------------+---------------+-----------+
| Module  | Control      | Management   | Forwarding    | External  |
|         | Plane        | Plane        | Plane         | Data      |
+---------+--------------+--------------+---------------+-----------+
|Object   | control      | config. &    | flow & packet | terminal, |
|         | protocol &   | operation    | QoS, traffic  | social &  |
|         | signaling,   | state        | stat., buffer | environ-  |
|         | RIB, ACL     |              | & queue stat.,| mental    |
|         |              |              | ACL, FIB      |           |
+---------+--------------+--------------+---------------+-----------+
|Export   | main control | main control | fwding chip   | various   |
|Location | CPU,         | CPU          | or linecard   |           |
|         | linecard CPU |              | CPU; main     |           |
|         | or fwding    |              | control CPU   |           |
|         | chip         |              | unlikely      |           |
+---------+--------------+--------------+---------------+-----------+
|Data     | YANG,        | YANG, MIB,   | template,     | YANG,     |
|Model    | custom       | syslog,      | YANG,         | custom    |
|         |              |              | custom        |           |
+---------+--------------+--------------+---------------+-----------+
|Data     | GPB, JSON,   | GPB, JSON,   | plain         | GPB, JSON |
|Encoding | XML, plain   | XML          |               | XML, plain|
+---------+--------------+--------------+---------------+-----------+
|Protocol | gRPC,NETCONF,| gRPC,NETCONF,| IPFIX, mirror,| gRPC      |
|         | IPFIX,mirror |              | gRPC, NETFLOW |           |
+---------+--------------+--------------+---------------+-----------+
|Transport| HTTP, TCP,   | HTTP, TCP    | UDP           | HTTP,TCP  |
|         | UDP          |              |               | UDP       |
+---------+--------------+--------------+---------------+-----------+


Figure 2: Comparison of the Data Object Modules

Note that the interaction with the applications that consume network telemetry data can be indirect. Some in-device data transfer is possible. For example, in the management plane telemetry, the management plane will need to acquire data from the data plane. Some of the operational states can only be derived from data plane data sources such as the interface status and statistics. As another example, obtaining control plane telemetry data may require the ability to access the Forwarding Information Base (FIB) of the data plane.

On the other hand, an application may involve more than one plane and interact with multiple planes simultaneously. For example, an SLA compliance application may require both the data plane telemetry and the control plane telemetry.

The requirements and challenges for each module are summarized as follows (note that the requirements may pertain across all telemetry modules; however, we emphasize those that are most pronounced for a particular plane).

4.1.1. Management Plane Telemetry

The management plane of network elements interacts with the Network Management System (NMS), and provides information such as performance data, network logging data, network warning and defects data, and network statistics and state data. The management plane includes many protocols, including some that are considered "legacy", such as SNMP and syslog. Regardless the protocol, management plane telemetry must address the following requirements:

  • Convenient Data Subscription: An application should have the freedom to choose the data export means such as the data types (as described in Figure 4) and the export means and frequency (e.g., on-change or periodic subscription).
  • Structured Data: For automatic network operation, machines will replace human for network data comprehension. Data modeling languages, such as YANG, can efficiently describe structured data and normalize data encoding and transformation.
  • High Speed Data Transport: In order to keep up with the velocity of information, a server needs to be able to send large amounts of data at high frequency. Compact encoding formats or data compression schemes are needed to compress the data and improve the data transport efficiency. The subscription mode, by replacing the query mode, reduces the interactions between clients and servers and helps to improve the server's efficiency.

4.1.2. Control Plane Telemetry

The control plane telemetry refers to the health condition monitoring of different network control protocols at all layers of the protocol stack. Keeping track of the operational status of these protocols is beneficial for detecting, localizing, and even predicting various network issues, as well as network optimization, in real-time and with fine granularity. Some particular challenges and issues faced by the control plane telemetry are as follows:

  • One challenging problem for the control plane telemetry is how to correlate the End-to-End (E2E) Key Performance Indicators (KPI) to a specific layer's KPIs. For example, an IPTV user may describe his User Experience (UE) by the video fluency and definition. Then in case of an unusually poor UE KPI or a service disconnection, it is non-trivial to delimit and pinpoint the issue in the responsible protocol layer (e.g., the Transport Layer or the Network Layer), the responsible protocol (e.g., ISIS or BGP at the Network Layer), and finally the responsible device(s) with specific reasons.
  • Traditional OAM-based approaches for control plane KPI measurement include Ping (L3), Traceroute (L3), Y.1731 (L2), and so on. One common issue behind these methods is that they only measure the KPIs instead of reflecting the actual running status of these protocols, making them less effective or efficient for control plane troubleshooting and network optimization.
  • An example of the control plane telemetry is the BGP monitoring protocol (BMP), it is currently used for monitoring the BGP routes and enables rich applications, such as BGP peer analysis, AS analysis, prefix analysis, and security analysis. However, the monitoring of other layers, protocols and the cross-layer, cross-protocol KPI correlations are still in their infancy (e.g., the IGP monitoring is not as exensive as BMP), which require further research.

4.1.3. Forwarding Plane Telemetry

An effective forwarding plane telemetry system relies on the data that the network device can expose. The quality, quantity, and timeliness of data must meet some stringent requirements. This raises some challenges to the network data plane devices where the first hand data originates.

  • A data plane device's main function is user traffic processing and forwarding. While supporting network visibility is important, the telemetry is just an auxiliary function, and it should strive to not impede normal traffic processing and forwarding (i.e., the forwarding behavior should not be altered and the tradeoff between forwarding and telemtry should be well balanced).
  • Network operation applications require end-to-end visibility across various sources, which can result in a huge volume of data. However, the sheer quantity of data must not exhaust the network bandwidth, regardless of the data delivery approach (i.e., whether through in-band or out-of-band channels).
  • The data plane devices must provide timely data with the minimum possible delay. Long processing, transport, storage, and analysis delay can impact the effectiveness of the control loop and even render the data useless.
  • The data should be structured and labeled, and easy for applications to parse and consume. At the same time, the data types needed by applications can vary significantly. The data plane devices need to provide enough flexibility and programmability to support the precise data provision for applications.
  • The data plane telemetry should support incremental deployment and work even though some devices are unaware of the system.

Although not specific to the forwarding plane, these challenges are more difficult to the forwarding plane because of the limited resource and flexibility. Data plane programmability is essential to support network telemetry. Newer data plane forwarding chips are equipped with advanced telemetry features and provide flexibility to support customized telemetry functions.

Technique Taxonomy: concerning about how one instruments the telemetry, there can be multiple possible dimensions to classify the forwarding plane telemetry techniques.

  • Active, Passive, and Hybrid: This dimension concerns about the end-to-end measurement. Active and passive methods (as well as the hybrid types) are well documented in [RFC7799]. Passive methods include TCPDUMP, IPFIX [RFC7011], sflow, and traffic mirroring. These methods usually have low data coverage. The bandwidth cost is very high in order to improve the data coverage. On the other hand, active methods include Ping, OWAMP [RFC4656], TWAMP [RFC5357], and Cisco's SLA Protocol [RFC6812]. These methods are intrusive and only provide indirect network measurements. Hybrid methods, including in-situ OAM [I-D.ietf-ippm-ioam-data], Alternate-Marking (AM) [RFC8321], and Multipoint Alternate Marking [I-D.ietf-ippm-multipoint-alt-mark], provide a well-balanced and more flexible approach. However, these methods are also more complex to implement.
  • In-Band and Out-of-Band: Telemetry data carried in user packets before being exported to a data collector is considered in-band (e.g., in-situ OAM [I-D.ietf-ippm-ioam-data]). Telemetry data that is directly exported to a data collector without modifying user packets is considered out-of-band (e.g., the postcard-based approach described in Appendix). It is also possible to have hybrid methods, where only the telemetry instruction or partial data is carried by user packets (e.g., AM [RFC8321]).
  • End-to-End and In-Network: End-to-End methods start from, and end at, the network end hosts (e.g., Ping). In-Network methods work in networks and are transparent to end hosts. However, if needed, In-Network methods can be easily extended into end hosts.
  • Data Subject: Depending on the telemetry objective, the methods can be flow-based (e.g., in-situ OAM [I-D.ietf-ippm-ioam-data]), path-based (e.g., Traceroute), and node-based (e.g., IPFIX [RFC7011]). The various data objects can be packet, flow record, measurement, states, and signal.

4.1.4. External Data Telemetry

Events that occur outside the boundaries of the network system are another important source of network telemetry. Correlating both internal telemetry data and external events with the requirements of network systems, as presented in [I-D.pedro-nmrg-anticipated-adaptation], provides a strategic and functional advantage to management operations.

As with other sources of telemetry information, the data and events must meet strict requirements, especially in terms of timeliness, which is essential to properly incorporate external event information into network management applications. The specific challenges are described as follows:

  • The role of the external event detector can be played by multiple elements, including hardware (e.g. physical sensors, such as seismometers) and software (e.g. Big Data sources that analyze streams of information, such as Twitter messages). Thus, the transmitted data must support different shapes but, at the same time, follow a common but extensible schema.
  • Since the main function of the external event detectors is to perform the notifications, their timeliness is assumed. However, once messages have been dispatched, they must be quickly collected and inserted into the control plane with variable priority, which is higher for important sources and events and lower for secondary ones.
  • The schema used by external detectors must be easily adopted by current and future devices and applications. Therefore, it must be easily mapped to current data models, such as in terms of YANG.

Organizing both internal and external telemetry information together will be key for the general exploitation of the management possibilities of current and future network systems, as reflected in the incorporation of cognitive capabilities to new hardware and software (virtual) elements.

4.2. Second Level Function Components

The telemetry module as each plane can be further partitioned into five distinct conceptual components:

  • Data Query, Analysis, and Storage: This component works at the application layer. It is normally a part of the network management system at the receiver side. On the one hand, it is responsible for issuing data requirements. The data of interest can be modeled data through configuration or custom data through programming. The data requirements can be queries for one-shot data or subscriptions for events or streaming data. On the other hand, it receives, stores, and processes the returned data from network devices. Data analysis can be interactive to initiate further data queries. This component can reside in either network devices or remote controllers. It can be centralized and distributed, and involve one or more instances.
  • Data Configuration and Subscription: This component manages data queries on devices. It determines the protocol and channel for applications to acquire desired data. This component is also responsible for configuring the desired data that might not be directly available form data sources. The subscription data can be described by models, templates, or programs.
  • Data Encoding and Export: This component determines how telemetry data is delivered to the data analysis and storage component with access control. The data encoding and the transport protocol may vary due to the data export location.
  • Data Generation and Processing: The requested data needs to be captured, filtered, processed, and formatted in network devices from raw data sources. This may involve in-network computing and processing on either the fast path or the slow path in network devices.
  • Data Object and Source: This component determines the monitoring objects and original data sources provisioned in device. A data source usually just provides raw data which needs further processing. Each data source can be considered a probe. Some data sources can be dynamically installed, while others will be more static.
                  +----------------------------------------+
                +----------------------------------------+ |
                |                                        | |
                |    Data Query, Analysis, & Storage     | |
                |                                        | +
                +-------+++ -----------------------------+
                        |||                   ^^^
                        |||                   |||
                        ||V                   |||
                     +--+V--------------------+++------------+
                  +-----V---------------------+------------+ |
                +---------------------+-------+----------+ | |
                | Data Configuration  |                  | | |
                | & Subscription      | Data Encoding    | | |
                | (model, template,   | & Export         | | |
                | & program)          |                  | | |
                +---------------------+------------------| | |
                |                                        | | |
                |           Data Generation              | | |
                |           & Processing                 | | |
                |                                        | | |
                +----------------------------------------| | |
                |                                        | | |
                |       Data Object and Source           | |-+
                |                                        |-+
                +----------------------------------------+


Figure 3: Components in the Network Telemetry Framework

4.3. Data Acquisition Mechanism and Type Abstraction

Broadly speaking, network data can be acquired through subscription (push) and query (poll). A subscription is a contract between publisher and subscriber. After initial setup, the subscribed data is automatically delivered to registered subscribers until the subscription expires. There are two variations of subscription. The subscriptions can be either pre-defined, or the subscribers are allowed to configure and tailor the published data to their specific needs.

In contrast, queries are used when a client expects immediate and one-off feedback from network devices. The queried data may be directly extracted from some specific data source, or synthesized and processed from raw data. Queries work well for interactive network telemetry applications.

In general, data can be pulled (i.e., queried) whenever needed, but in many cases, pushing the data (i.e., subscription) is more efficient, and can reduce the latency of a client detecting a change. From the data consumer point of view, there are four types of data from network devices that a telemetry data consumer can subscribe or query:

  • Simple Data: The data that are steadily available from some datastore or static probes in network devices.
  • Derived Data: The data need to be synthesized or processed in network from raw data from one or more network devices. The data processing function can be statically or dynamically loaded into network devices.
  • Event-triggered Data: The data are conditionally acquired based on the occurrence of some events. For example, a network interface changing its operational state from up to down can be a trigger event. Such data can be actively pushed through subscription or passively polled through query. There are many ways to model events, including using Finite State Machine (FSM) or Event Condition Action (ECA) [I-D.wwx-netmod-event-yang].
  • Streaming Data: The data are continuously generated. It can be time series or the dump of databases. For example, an interface packet counter is exported every second. The streaming data reflect realtime network states and metrics and require large bandwidth and processing power. The streaming data are always actively pushed to the subscribers.

The above data types are not mutually exclusive. Rather, they are often composite. Derived data is composed of simple data; Event-triggered data can be simple or derived; streaming data can be based on some recurring event. The relationships of these data types are illustrated in Figure 4.


   +----------------------+     +-----------------+
   | Event-triggered Data |<----+ Streaming Data  |
   +-------+---+----------+     +-----+---+-------+
           |   |                      |   |
           |   |                      |   |
           |   |   +--------------+   |   |
           |   +-->| Derived Data |<--+   |
           |       +------+------ +       |
           |              |               |
           |              V               |
           |       +--------------+       |
           +------>| Simple  Data |<------+
                   +--------------+

Figure 4: Data Type Relationship

Subscription usually deals with event-triggered data and streaming data, and query usually deals with simple data and derived data. But the other ways are also possible. Advanced network telemetry techniques are designed mainly for event-triggered or streaming data subscription, and derived data query.

4.4. Mapping Existing Mechanisms into the Framework

The following table shows how the existing mechanisms (mainly published in IETF and with the emphasis on the latest new technologies) are positioned in the framework. Given the vast body of existing work, we cannot provide an exhaustive list, so the mechanisms in the tables should be considered as just examples. Also, some comprehensive protocols and techniques may cover multiple aspects or modules of the framework, so a name in a block only emphasizes one particular characteristic of it. More details about some listed mechanisms can be found in Appendix A.


     +-------------+-----------------+---------------+--------------+
     |             | Management      | Control       | Forwarding   |
     |             | Plane           | Plane         | Plane        |
     +-------------+-----------------+---------------+--------------+
     | data config.| gNMI, NETCONF,  | gNMI, NETCONF,| NETCONF,     |
     | & subscribe | SNMP, YANG-Push | YANG-Push     | YANG-Push    |
     +-------------+-----------------+---------------+--------------+
     | data gen. & | MIB,            | YANG          | IOAM, PSAMP  |
     | process     | YANG            |               | PBT, AM,     |
     +-------------+-----------------+---------------+--------------+
     | data encode.| gRPC, HTTP, TCP | BMP, TCP      | IPFIX, UDP   |
     | & export    |                 |               |              |
     +-------------+-----------------+---------------+--------------+


Figure 5: Existing Work Mapping II

5. Evolution of Network Telemetry Applications

Network telemetry is an evolving technical area. As the network moves towards the automated operation, network telemetry applications undergo several stages of evolution which add new layer of requirements to the underlying network telemetry techniques. Each stage is built upon the techniques adopted by the previous stages plus some new requirements.

Stage 0 - Static Telemetry:
The telemetry data source and type are determined at design time. The network operator can only configure how to use it with limited flexibility.
Stage 1 - Dynamic Telemetry:
The custom telemetry data can be dynamically programmed or configured at runtime without interrupting the network operation, allowing a tradeoff among resource, performance, flexibility, and coverage.
Stage 2 - Interactive Telemetry:
The network operator can continuously customize and fine tune the telemetry data in real time to reflect the network operation's visibility requirements. Compared with Stage 1, the changes are frequent based on the real-time feedback. At this stage, some tasks can be automated, but human operators still need to sit in the middle to make decisions.
Stage 3 - Closed-loop Telemetry:
The telemetry is free from the interference of human operators, except for generating the reports. The intelligent network operation engine automatically issues the telemetry data requests, analyzes the data, and updates the network operations in closed control loops.

Existing technologies are ready for stage 0 and stage 1. Individual stage 2 and stage 3 applications are also possible now. However, the future autonomic networks may need a comprehensive operation management system which works at stage 2 and stage 3 to cover all the network operation tasks. A well-defined network telemetry framework is the first step towards this direction.

6. Security Considerations

The complexity of network telemetry raises significant security implications. For example, telemetry data can be manipulated to exhaust various network resources at each plane as well as the data consumer; falsified or tampered data can mislead the decision making and paralyze networks; wrong configuration and programming for telemetry is equally harmful. The telemetry data is highly sensitive, which exposes a lot of information about the network and its configuration. Some of that information can make designing attacks against the network much easier (e.g., exact details of what software and patches have been installed), and allows an attacker to determine whether a device may be subject to unprotected security vulnerability.

Given that this document has proposed a framework for network telemetry and the telemetry mechanisms discussed are more extensive (in both message frequency and traffic amount) than the conventional network OAM concepts, we must also reflect that various new security considerations may also arise. A number of techniques already exist for securing the forwarding plane, the control plane, and the management plane in a network, but it is important to consider if any new threat vectors are now being enabled via the use of network telemetry procedures and mechanisms.

Security considerations for networks that use telemetry methods may include:

Some of the security considerations highlighted above may be minimized or negated with policy management of network telemetry. In a network telemetry deployment it would be advantageous to separate telemetry capabilities into different classes of policies, i.e., Role Based Access Control and Event-Condition-Action policies. Also, potential conflicts between network telemetry mechanisms must be detected accurately and resolved quickly to avoid unnecessary network telemetry traffic propagation escalating into an unintended or intended denial of service attack.

Further study of the security issues will be required, and it is expected that the secuirty mechanisms and protocols are developed and deployed along with a network telemetry system.

In addition to security, privacy is also an important issue. Network telemetry means to improve the network operation which can ultimately benefit end user's quality of experience. The network operators must be held accountable and strive for a balance between managing the network and maintaining the user privacy of that network.

7. IANA Considerations

This document includes no request to IANA.

8. Contributors

The other contributors of this document are listed as follows.

9. Acknowledgments

We would like to thank Rob Wilton, Greg Mirsky, Randy Presuhn, Joe Clarke, Victor Liu, James Guichard, Uri Blumenthal, Giuseppe Fioccola, Yunan Gu, Parviz Yegani, Young Lee, Qin Wu, and many others who have provided helpful comments and suggestions to improve this document.

10. Informative References

[gnmi]
"gNMI - gRPC Network Management Interface", <https://github.com/openconfig/reference/tree/master/rpc/gnmi>.
[grpc]
"gPPC, A high performance, open-source universal RPC framework", <https://grpc.io>.
[I-D.ietf-grow-bmp-adj-rib-out]
Evens, T., Bayraktar, S., Lucente, P., Mi, P., and S. Zhuang, "Support for Adj-RIB-Out in the BGP Monitoring Protocol (BMP)", Work in Progress, Internet-Draft, draft-ietf-grow-bmp-adj-rib-out-07, , <https://www.ietf.org/archive/id/draft-ietf-grow-bmp-adj-rib-out-07.txt>.
[I-D.ietf-grow-bmp-local-rib]
Evens, T., Bayraktar, S., Bhardwaj, M., and P. Lucente, "Support for Local RIB in BGP Monitoring Protocol (BMP)", Work in Progress, Internet-Draft, draft-ietf-grow-bmp-local-rib-13, , <https://www.ietf.org/archive/id/draft-ietf-grow-bmp-local-rib-13.txt>.
[I-D.ietf-ippm-ioam-data]
Brockners, F., Bhandari, S., and T. Mizrahi, "Data Fields for In-situ OAM", Work in Progress, Internet-Draft, draft-ietf-ippm-ioam-data-14, , <https://www.ietf.org/archive/id/draft-ietf-ippm-ioam-data-14.txt>.
[I-D.ietf-ippm-multipoint-alt-mark]
Fioccola, G., Cociglio, M., Sapio, A., and R. Sisto, "Multipoint Alternate-Marking Method for Passive and Hybrid Performance Monitoring", Work in Progress, Internet-Draft, draft-ietf-ippm-multipoint-alt-mark-09, , <https://www.ietf.org/archive/id/draft-ietf-ippm-multipoint-alt-mark-09.txt>.
[I-D.ietf-netconf-distributed-notif]
Zhou, T., Zheng, G., Voit, E., Graf, T., and P. Francois, "Subscription to Distributed Notifications", Work in Progress, Internet-Draft, draft-ietf-netconf-distributed-notif-02, , <https://www.ietf.org/archive/id/draft-ietf-netconf-distributed-notif-02.txt>.
[I-D.ietf-netconf-udp-notif]
Zheng, G., Zhou, T., Graf, T., Francois, P., and P. Lucente, "UDP-based Transport for Configured Subscriptions", Work in Progress, Internet-Draft, draft-ietf-netconf-udp-notif-03, , <https://www.ietf.org/archive/id/draft-ietf-netconf-udp-notif-03.txt>.
[I-D.irtf-nmrg-ibn-concepts-definitions]
Clemm, A., Ciavaglia, L., Granville, L. Z., and J. Tantsura, "Intent-Based Networking - Concepts and Definitions", Work in Progress, Internet-Draft, draft-irtf-nmrg-ibn-concepts-definitions-05, , <https://www.ietf.org/archive/id/draft-irtf-nmrg-ibn-concepts-definitions-05.txt>.
[I-D.kumar-rtgwg-grpc-protocol]
Kumar, A., Kolhe, J., Ghemawat, S., and L. Ryan, "gRPC Protocol", Work in Progress, Internet-Draft, draft-kumar-rtgwg-grpc-protocol-00, , <https://www.ietf.org/archive/id/draft-kumar-rtgwg-grpc-protocol-00.txt>.
[I-D.openconfig-rtgwg-gnmi-spec]
Shakir, R., Shaikh, A., Borman, P., Hines, M., Lebsack, C., and C. Morrow, "gRPC Network Management Interface (gNMI)", Work in Progress, Internet-Draft, draft-openconfig-rtgwg-gnmi-spec-01, , <https://www.ietf.org/archive/id/draft-openconfig-rtgwg-gnmi-spec-01.txt>.
[I-D.pedro-nmrg-anticipated-adaptation]
Martinez-Julia, P., "Exploiting External Event Detectors to Anticipate Resource Requirements for the Elastic Adaptation of SDN/NFV Systems", Work in Progress, Internet-Draft, draft-pedro-nmrg-anticipated-adaptation-02, , <https://www.ietf.org/archive/id/draft-pedro-nmrg-anticipated-adaptation-02.txt>.
[I-D.song-ippm-postcard-based-telemetry]
Song, H., Mirsky, G., Filsfils, C., Abdelsalam, A., Zhou, T., Li, Z., Shin, J., and K. Lee, "Postcard-based On-Path Flow Data Telemetry using Packet Marking", Work in Progress, Internet-Draft, draft-song-ippm-postcard-based-telemetry-10, , <https://www.ietf.org/archive/id/draft-song-ippm-postcard-based-telemetry-10.txt>.
[I-D.song-opsawg-dnp4iq]
Song, H. and J. Gong, "Requirements for Interactive Query with Dynamic Network Probes", Work in Progress, Internet-Draft, draft-song-opsawg-dnp4iq-01, , <https://www.ietf.org/archive/id/draft-song-opsawg-dnp4iq-01.txt>.
[I-D.song-opsawg-ifit-framework]
Song, H., Qin, F., Chen, H., Jin, J., and J. Shin, "In-situ Flow Information Telemetry", Work in Progress, Internet-Draft, draft-song-opsawg-ifit-framework-15, , <https://www.ietf.org/archive/id/draft-song-opsawg-ifit-framework-15.txt>.
[I-D.wwx-netmod-event-yang]
Wu, Q., Bryskin, I., Birkholz, H., Liu, X., and B. Claise, "A YANG Data model for ECA Policy Management", Work in Progress, Internet-Draft, draft-wwx-netmod-event-yang-10, , <https://www.ietf.org/archive/id/draft-wwx-netmod-event-yang-10.txt>.
[RFC1157]
Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol (SNMP)", RFC 1157, DOI 10.17487/RFC1157, , <https://www.rfc-editor.org/info/rfc1157>.
[RFC2578]
McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, DOI 10.17487/RFC2578, , <https://www.rfc-editor.org/info/rfc2578>.
[RFC2981]
Kavasseri, R., Ed., "Event MIB", RFC 2981, DOI 10.17487/RFC2981, , <https://www.rfc-editor.org/info/rfc2981>.
[RFC3416]
Presuhn, R., Ed., "Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3416, DOI 10.17487/RFC3416, , <https://www.rfc-editor.org/info/rfc3416>.
[RFC3594]
Duffy, P., "PacketCable Security Ticket Control Sub-Option for the DHCP CableLabs Client Configuration (CCC) Option", RFC 3594, DOI 10.17487/RFC3594, , <https://www.rfc-editor.org/info/rfc3594>.
[RFC3877]
Chisholm, S. and D. Romascanu, "Alarm Management Information Base (MIB)", RFC 3877, DOI 10.17487/RFC3877, , <https://www.rfc-editor.org/info/rfc3877>.
[RFC4656]
Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. Zekauskas, "A One-way Active Measurement Protocol (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, , <https://www.rfc-editor.org/info/rfc4656>.
[RFC5357]
Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", RFC 5357, DOI 10.17487/RFC5357, , <https://www.rfc-editor.org/info/rfc5357>.
[RFC6020]
Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, , <https://www.rfc-editor.org/info/rfc6020>.
[RFC6241]
Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, , <https://www.rfc-editor.org/info/rfc6241>.
[RFC6812]
Chiba, M., Clemm, A., Medley, S., Salowey, J., Thombare, S., and E. Yedavalli, "Cisco Service-Level Assurance Protocol", RFC 6812, DOI 10.17487/RFC6812, , <https://www.rfc-editor.org/info/rfc6812>.
[RFC7011]
Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, , <https://www.rfc-editor.org/info/rfc7011>.
[RFC7276]
Mizrahi, T., Sprecher, N., Bellagamba, E., and Y. Weingarten, "An Overview of Operations, Administration, and Maintenance (OAM) Tools", RFC 7276, DOI 10.17487/RFC7276, , <https://www.rfc-editor.org/info/rfc7276>.
[RFC7540]
Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, , <https://www.rfc-editor.org/info/rfc7540>.
[RFC7575]
Behringer, M., Pritikin, M., Bjarnason, S., Clemm, A., Carpenter, B., Jiang, S., and L. Ciavaglia, "Autonomic Networking: Definitions and Design Goals", RFC 7575, DOI 10.17487/RFC7575, , <https://www.rfc-editor.org/info/rfc7575>.
[RFC7799]
Morton, A., "Active and Passive Metrics and Methods (with Hybrid Types In-Between)", RFC 7799, DOI 10.17487/RFC7799, , <https://www.rfc-editor.org/info/rfc7799>.
[RFC7854]
Scudder, J., Ed., Fernando, R., and S. Stuart, "BGP Monitoring Protocol (BMP)", RFC 7854, DOI 10.17487/RFC7854, , <https://www.rfc-editor.org/info/rfc7854>.
[RFC7950]
Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, , <https://www.rfc-editor.org/info/rfc7950>.
[RFC8321]
Fioccola, G., Ed., Capello, A., Cociglio, M., Castaldelli, L., Chen, M., Zheng, L., Mirsky, G., and T. Mizrahi, "Alternate-Marking Method for Passive and Hybrid Performance Monitoring", RFC 8321, DOI 10.17487/RFC8321, , <https://www.rfc-editor.org/info/rfc8321>.
[RFC8639]
Voit, E., Clemm, A., Gonzalez Prieto, A., Nilsen-Nygaard, E., and A. Tripathy, "Subscription to YANG Notifications", RFC 8639, DOI 10.17487/RFC8639, , <https://www.rfc-editor.org/info/rfc8639>.
[RFC8641]
Clemm, A. and E. Voit, "Subscription to YANG Notifications for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641, , <https://www.rfc-editor.org/info/rfc8641>.

Appendix A. A Survey on Existing Network Telemetry Techniques

In this non-normative appendix, we provide an overview of some existing techniques and standard proposals for each network telemetry module.

A.1. Management Plane Telemetry

A.1.1. Push Extensions for NETCONF

NETCONF [RFC6241] is a popular network management protocol recommended by IETF. Its core strength is for managing configuration, but can also be used for data collection. YANG-Push [RFC8641] [RFC8639] extends NETCONF and enables subscriber applications to request a continuous, customized stream of updates from a YANG datastore. Providing such visibility into changes made upon YANG configuration and operational objects enables new capabilities based on the remote mirroring of configuration and operational state. Moreover, distributed data collection mechanism [I-D.ietf-netconf-distributed-notif] via UDP based publication channel [I-D.ietf-netconf-udp-notif] provides enhanced efficiency for the NETCONF based telemetry.

A.1.2. gRPC Network Management Interface

gRPC Network Management Interface (gNMI) [I-D.openconfig-rtgwg-gnmi-spec] is a network management protocol based on the gRPC [I-D.kumar-rtgwg-grpc-protocol] RPC (Remote Procedure Call) framework. With a single gRPC service definition, both configuration and telemetry can be covered. gRPC is an HTTP/2 [RFC7540] based open source micro service communication framework. It provides a number of capabilities which are well-suited for network telemetry, including:

  • Full-duplex streaming transport model combined with a binary encoding mechanism provides good telemetry efficiency.
  • gRPC provides higher-level features consistency across platforms that common HTTP/2 libraries typically do not. This characteristic is especially valuable for the fact that telemetry data collectors normally reside on a large variety of platforms.
  • The built-in load-balancing and failover mechanism.

A.2. Control Plane Telemetry

A.2.1. BGP Monitoring Protocol

BGP Monitoring Protocol (BMP) [RFC7854] is used to monitor BGP sessions and is intended to provide a convenient interface for obtaining route views.

The BGP routing information is collected from the monitored device(s) to the BMP monitoring station by setting up the BMP TCP session. The BGP peers are monitored by the BMP Peer Up and Peer Down Notifications. The BGP routes (including Adjacency_RIB_In [RFC7854], Adjacency_RIB_out [I-D.ietf-grow-bmp-adj-rib-out], and Local_Rib [I-D.ietf-grow-bmp-local-rib] are encapsulated in the BMP Route Monitoring Message and the BMP Route Mirroring Message, providing both an initial table dump and real-time route updates. In addition, BGP statistics are reported through the BMP Stats Report Message, which could be either timer triggered or event-driven. Future BMP extensions could further enrich BGP monitoring applications.

A.3. Data Plane Telemetry

A.3.1. The Alternate Marking (AM) technology

The Alternate Marking method enables efficient measurements of packet loss, delay, and jitter both in IP and Overlay Networks, as presented in [RFC8321] and [I-D.ietf-ippm-multipoint-alt-mark].

This technique can be applied to point-to-point and multipoint-to-multipoint flows. Alternate Marking creates batches of packets by alternating the value of 1 bit (or a label) of the packet header. These batches of packets are unambiguously recognized over the network and the comparison of packet counters for each batch allows the packet loss calculation. The same idea can be applied to delay measurement by selecting ad hoc packets with a marking bit dedicated for delay measurements.

Alternate Marking method needs two counters each marking period for each flow under monitor. For instance, by considering n measurement points and m monitored flows, the order of magnitude of the packet counters for each time interval is n*m*2 (1 per color).

Since networks offer rich sets of network performance measurement data (e.g packet counters), traditional approaches run into limitations. The bottleneck is the generation and export of the data and the amount of data that can be reasonably collected from the network. In addition, management tasks related to determining and configuring which data to generate lead to significant deployment challenges.

The Multipoint Alternate Marking approach, described in [I-D.ietf-ippm-multipoint-alt-mark], aims to resolve this issue and make the performance monitoring more flexible in case a detailed analysis is not needed.

An application orchestrates network performance measurements tasks across the network to allow for optimized monitoring. The application can choose how roughly or precisely to configure measurement points depending on the application's requirements.

Using Alternate Marking, it is possible to monitor a Multipoint Network without in depth examination by using the Network Clustering (subnetworks that are portions of the entire network that preserve the same property of the entire network, called clusters). So in the case that there is packet loss or the delay is too high then the specific filtering criteria could be applied to gather a more detailed analysis by using a different combination of clusters up to a per-flow measurement as described in Alternate-Marking (AM) [RFC8321].

In summary, an application can configure end-to-end network monitoring. If the network does not experience issues, this approximate monitoring is good enough and is very cheap in terms of network resources. However, in case of problems, the application becomes aware of the issues from this approximate monitoring and, in order to localize the portion of the network that has issues, configures the measurement points more extensively, allowing more detailed monitoring to be performed. After the detection and resolution of the problem, the initial approximate monitoring can be used again.

A.3.2. Dynamic Network Probe

Hardware-based Dynamic Network Probe (DNP) [I-D.song-opsawg-dnp4iq] proposes a programmable means to customize the data that an application collects from the data plane. A direct benefit of DNP is the reduction of the exported data. A full DNP solution covers several components including data source, data subscription, and data generation. The data subscription needs to define the derived data which can be composed and derived from the raw data sources. The data generation takes advantage of the moderate in-network computing to produce the desired data.

While DNP can introduce unforeseeable flexibility to the data plane telemetry, it also faces some challenges. It requires a flexible data plane that can be dynamically reprogrammed at run-time. The programming API is yet to be defined.

A.3.3. IP Flow Information Export (IPFIX) protocol

Traffic on a network can be seen as a set of flows passing through network elements. IP Flow Information Export (IPFIX) [RFC7011] provides a means of transmitting traffic flow information for administrative or other purposes. A typical IPFIX enabled system includes a pool of Metering Processes that collects data packets at one or more Observation Points, optionally filters them and aggregates information about these packets. An Exporter then gathers each of the Observation Points together into an Observation Domain and sends this information via the IPFIX protocol to a Collector.

A.3.4. In-Situ OAM

Traditional passive and active monitoring and measurement techniques are either inaccurate or resource-consuming. It is preferable to directly acquire data associated with a flow's packets when the packets pass through a network. In-situ OAM (iOAM) [I-D.ietf-ippm-ioam-data], a data generation technique, embeds a new instruction header to user packets and the instruction directs the network nodes to add the requested data to the packets. Thus, at the path end, the packet's experience gained on the entire forwarding path can be collected. Such firsthand data is invaluable to many network OAM applications.

However, iOAM also faces some challenges. The issues on performance impact, security, scalability and overhead limits, encapsulation difficulties in some protocols, and cross-domain deployment need to be addressed.

A.3.5. Postcard Based Telemetry

PBT [I-D.song-ippm-postcard-based-telemetry] is a proposed complementary technique to IOAM. PBT directly exports data at each node through an independent packet. At the cost of higher bandwidth overhead and the need for data correlation, PBT shows several advantages over IOAM. It can also help to identify packet drop location in case a packet is dropped on its forwarding path.

A.4. External Data and Event Telemetry

A.4.1. Sources of External Events

To ensure that the information provided by external event detectors and used by the network management solutions is meaningful for management purposes, the network telemetry framework must ensure that such detectors (sources) are easily connected to the management solutions (sinks). This requires the specification of a list of potential external data sources that could be of interest in network management and match it to the connectors and/or interfaces required to connect them.

Categories of external event sources that may be of interest to network management include::

  • Smart objects and sensors. With the consolidation of the Internet of Things~(IoT) any network system will have many smart objects attached to its physical surroundings and logical operation environments. Most of these objects will be essentially based on sensors of many kinds (e.g. temperature, humidity, presence) and the information they provide can be very useful for the management of the network, even when they are not specifically deployed for such purpose. Elements of this source type will usually provide a specific protocol for interaction, especially one of those protocols related to IoT, such as the Constrained Application Protocol (CoAP).
  • Online news reporters. Several online news services have the ability to provide enormous quantity of information about different events occurring in the world. Some of those events can impact on the network system managed by a specific framework and, therefore, such information may be of interest to the management solution. For instance, diverse security reports, such as the Common Vulnerabilities and Exposures (CVE), can be issued by the corresponding authority and used by the management solution to update the managed system if needed. Instead of a specific protocol and data format, the sources of this kind of information usually follow a relaxed but structured format. This format will be part of both the ontology and information model of the telemetry framework.
  • Global event analyzers. The advance of Big Data analyzers provides a huge amount of information and, more interestingly, the identification of events detected by analyzing many data streams from different origins. In contrast with the other types of sources, which are focused on specific events, the detectors of this source type will detect generic events. For example, a sports event takes place and some unexpected movement makes it highly interesting and many people connects to sites that are reporting on the event. The underlying networks supporting the services that cover the event can be affected by such situation so their management solutions should be aware of it. In contrast with the other source types, a new information model, format, and reporting protocol is required to integrate the detectors of this type with the management solution.

Additional types of detector types can be added to the system but they will be generally the result of composing the properties offered by these main classes.

A.4.2. Connectors and Interfaces

For allowing external event detectors to be properly integrated with other management solutions, both elements must expose interfaces and protocols that are subject to their particular objective. Since external event detectors will be focused on providing their information to their main consumers, which generally will not be limited to the network management solutions, the framework must include the definition of the required connectors for ensuring the interconnection between detectors (sources) and their consumers within the management systems (sinks) are effective.

In some situations, the interconnection between the external event detectors and the management system is via the management plane. For those situations there will be a special connector that provides the typical interfaces found in most other elements connected to the management plane. For instance, the interfaces could accomplish this with a specific data model (YANG) and specific telemetry protocol, such as NETCONF, YANG-Push, or gRPC.

Authors' Addresses

Haoyu Song
Futurewei
2330 Central Expressway
Santa Clara,
United States of America
Fengwei Qin
China Mobile
No. 32 Xuanwumenxi Ave., Xicheng District
Beijing, 100032
P.R. China
Pedro Martinez-Julia
NICT
4-2-1, Nukui-Kitamachi, Tokyo
184-8795
Japan
Laurent Ciavaglia
Nokia
91460 Villarceaux
France
Aijun Wang
China Telecom
Beiqijia Town, Changping District
Beijing, 102209
P.R. China