Network Working Group P. Calato Internet-Draft Riverstone Networks Inc Expires: August 16, 2004 J. Meyer PayPal J. Quittek NEC Europe Ltd. February 16, 2004 Information Model for IP Flow Information Export draft-ietf-ipfix-info-03 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 16, 2004. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This memo defines and information model for the IP Flow Information eXport (IPFIX) protocol. It is used by the IPFIX protocol for encoding measured traffic information and information related to the traffic observation point, the traffic metering process and the exporting process. Although developed for the IPFIX protcol, the model is defined in an open way that easily allows using it in other protocols, interfaces, and applications. Calato, et al. Expires August 16, 2004 [Page 1] Internet-Draft IPFIX Information Model February 2004 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Properties of IPFIX Protocol Fields . . . . . . . . . . . . 5 3. Type Space . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1 octet . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2 unsigned16 . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.3 unsigned32 . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.4 unsigned64 . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.5 float32 . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.6 boolean . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.7 octetArray . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.8 string . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.9 dateTimeSeconds . . . . . . . . . . . . . . . . . . . . . . 8 3.10 dataTimeMicroSeconds . . . . . . . . . . . . . . . . . . . . 8 3.11 ipv4Address . . . . . . . . . . . . . . . . . . . . . . . . 8 3.12 ipv6Address . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Flow Attributes . . . . . . . . . . . . . . . . . . . . . . 9 4.1 octetCount . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.2 packetCount . . . . . . . . . . . . . . . . . . . . . . . . 9 4.3 flowCount . . . . . . . . . . . . . . . . . . . . . . . . . 9 4.4 protocolIdentifier . . . . . . . . . . . . . . . . . . . . . 9 4.5 classOfService . . . . . . . . . . . . . . . . . . . . . . . 10 4.6 tcpControlBits . . . . . . . . . . . . . . . . . . . . . . . 11 4.7 sourcePort . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.8 sourceAddressV4 . . . . . . . . . . . . . . . . . . . . . . 11 4.9 sourceMask . . . . . . . . . . . . . . . . . . . . . . . . . 12 4.10 ingressInterface . . . . . . . . . . . . . . . . . . . . . . 12 4.11 destinationPort . . . . . . . . . . . . . . . . . . . . . . 12 4.12 destinationAddressV4 . . . . . . . . . . . . . . . . . . . . 13 4.13 destinationMask . . . . . . . . . . . . . . . . . . . . . . 13 4.14 egressInterface . . . . . . . . . . . . . . . . . . . . . . 13 4.15 ipNextHopAddressV4 . . . . . . . . . . . . . . . . . . . . . 13 4.16 sourceAsNumber . . . . . . . . . . . . . . . . . . . . . . . 14 4.17 destinationAsNumber . . . . . . . . . . . . . . . . . . . . 14 4.18 bgpNextHopAddressV4 . . . . . . . . . . . . . . . . . . . . 14 4.19 mcPacketsSent . . . . . . . . . . . . . . . . . . . . . . . 15 4.20 mcOctetsSent . . . . . . . . . . . . . . . . . . . . . . . . 15 4.21 flowEndTime . . . . . . . . . . . . . . . . . . . . . . . . 15 4.22 flowCreationTime . . . . . . . . . . . . . . . . . . . . . . 15 4.23 sourceAddressV6 . . . . . . . . . . . . . . . . . . . . . . 15 4.24 destinationAddressV6 . . . . . . . . . . . . . . . . . . . . 15 4.25 anotherSourceMask . . . . . . . . . . . . . . . . . . . . . 16 4.26 destinationMask . . . . . . . . . . . . . . . . . . . . . . 16 4.27 flowLabel . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.28 icmpTypeCode . . . . . . . . . . . . . . . . . . . . . . . . 17 4.29 igmpType . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4.30 samplingInterval . . . . . . . . . . . . . . . . . . . . . . 17 Calato, et al. Expires August 16, 2004 [Page 2] Internet-Draft IPFIX Information Model February 2004 4.31 samplingAlgorithm . . . . . . . . . . . . . . . . . . . . . 17 4.32 flowReportingInterval . . . . . . . . . . . . . . . . . . . 18 4.33 flowIdleTimeout . . . . . . . . . . . . . . . . . . . . . . 18 4.34 exportedOctetCount . . . . . . . . . . . . . . . . . . . . . 18 4.35 exportedPacketCount . . . . . . . . . . . . . . . . . . . . 18 4.36 exportedFlowCount . . . . . . . . . . . . . . . . . . . . . 19 4.37 ipVersion . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.38 ipNextHopAddressV6 . . . . . . . . . . . . . . . . . . . . . 19 4.39 bgpNextHopAddressV6 . . . . . . . . . . . . . . . . . . . . 20 4.40 bgpNextHopAsNumber . . . . . . . . . . . . . . . . . . . . . 20 4.41 ipNextHopAsNumber . . . . . . . . . . . . . . . . . . . . . 20 4.42 exporterAddressV4 . . . . . . . . . . . . . . . . . . . . . 20 4.43 exporterAddressV6 . . . . . . . . . . . . . . . . . . . . . 21 4.44 droppedOctetCount . . . . . . . . . . . . . . . . . . . . . 21 4.45 droppedPacketCount . . . . . . . . . . . . . . . . . . . . . 21 4.46 flowEndReason . . . . . . . . . . . . . . . . . . . . . . . 21 5. Extending the Information Model . . . . . . . . . . . . . . 23 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 24 7. Security Considerations . . . . . . . . . . . . . . . . . . 25 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 Normative Reference . . . . . . . . . . . . . . . . . . . . 27 Informative Reference . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 29 A. Formal Specification of IPFIX Fields . . . . . . . . . . . . 30 B. Formal Specification of Abstract Data Types . . . . . . . . 43 Intellectual Property and Copyright Statements . . . . . . . 53 Calato, et al. Expires August 16, 2004 [Page 3] Internet-Draft IPFIX Information Model February 2004 1. Introduction The IP Flow Information eXport (IPFIX) protocol serves for transmitting information related to measured IP traffic over the Internet. The protocol specification in [IPFIX-PROTO] defines how information elements are transmitted. For information elements, it specifies the encoding of a set of basic data types. However, the list of fields that can be transmitted by the protocol, such as flow attributes (source IP address, number of packets, etc.) and information about the metering and exporting process (packet observation point, smapling rate, flow timeout interval, etc.), is not specified in [IPFIX-PROTO]. This document complements the IPFIX protocol specification by providing the IPFIX information model. The main part of this document is Section 5 defines the (extensible) list of fields to be transmitted by the IPFIX protcol. Section 2 defines a template for specifying IPFIX fields that is used in Section 4. Section 3 defines the set of abstract data types that are available for IPFIX fields. Section 5 discusses extensibility of the IPFIX information model. The main bodies of Sections 2, 3 and 4 were generated from XML documents. The XML-based specification of template, abstract data types and IPFIX fields can be used for automatically checking syntactical correctness of the specification of IPFIX fields. Further it can be used for generating IPFIX protocol implementation code that deals with processing IPFIX fields. Also code for applications that further process traffic information transmitted via the IPFIX protocol can be generated with the XML specification of IPFIX fields. For that reason, the XML document that served as source for Section 4 and the XML schema that served as source for Sections 2 and 3 are attached to this document in Appendices A and B. Note that although partially generated from the attached XML documents, the main body of this document is normative while the appendices are informational. Calato, et al. Expires August 16, 2004 [Page 4] Internet-Draft IPFIX Information Model February 2004 2. Properties of IPFIX Protocol Fields Fields of the IPFIX protocol carrying information about traffic measurement are modeled as elements of the IPFIX information model and specified in Section 4. For defining the fields, a template is used that is specified below. All fields specified for the IPFIX protocol either in this document or by an extension MUST have the following properties defined: name - A unique and meaningful name for the field. The preferred spelling for the name is to use mixed case if the name is compound, with an initial lower case letter. (E.g. "sourceIpAddress"). fieldType - A numeric identifier administered by IANA. This is used for compact identification of an information item when encoding templates in the protocol. description - The semantics of this information element. Describes how this field is derived from the flow or other information available to the observer. dataType - One of the types listed in the "Type Space" section. The type space for attributes is constrained to facilitate implementation. The existing type space does however encompass most basic types used in modern programming languages, as well as some derived types (such as IPAddress) which are common to this domain and useful to distinguish. dataTypeSemantics - The integral types may be qualified by additional semantic details. Qualifying the fields as 'quantity', 'counter', 'identifier' or 'flags'. applicability - to be done ... status - to be done ... All fields specified for the IPFIX protocol either in this document or by an extension MAY have the following properties defined: vendorId - When extension is done outside of the scope of the IANA IPFIX fieldId range, a vendorId MUST be provided. This identifier is based on IANA assigned enterprise identifiers. usage - to be done ... Calato, et al. Expires August 16, 2004 [Page 5] Internet-Draft IPFIX Information Model February 2004 units - If the field is a measure of some kind, the units identify what the measure is. enumeratedRange - Some items may have a specific set of numeric identifiers associated with a set of discrete values this element may take. The meaning of each discrete value and a human readable name should be assigned. range - Some elements may only be able to take on a restricted set of values which can be expressed as a range (e.g. 0 through 511 inclusive). If this is the case, the valid inclusive range should be specified. reference - Identifies additional specifications which more precisely define this item or provide additional context for its use. Calato, et al. Expires August 16, 2004 [Page 6] Internet-Draft IPFIX Information Model February 2004 3. Type Space The following subsections describe the abstract data types that can be used for the specification of IPFIX fields in Section 4. 3.1 octet The type "unsignedByte" represents a non-negative integer value in the range of 0 to 255. 3.2 unsigned16 The type "unsigned16" represents a non-negative integer value in the range of 0 to 65535. 3.3 unsigned32 The type "unsigned32" represents a non-negative integer value in the range of 0 to 4294967295. 3.4 unsigned64 The type "unsigned64" represents a non-negative integer value in the range of 0 to 18446744073709551615. 3.5 float32 The type "float32" corresponds to an IEEE single-precision 32-bit floating point type. 3.6 boolean The type "boolean" represents a binary value. 3.7 octetArray The type "octetArray" represents a finite length string of octets. 3.8 string The type "string" represents a finite length string of valid characters from the Unicode character encoding set. Unicode allows for ASCII and many other international character sets to be used. It is expected that strings will be encoded in UTF-8 format, which is identical in encoding for USASCII characters, but also accomodates other Unicode multibyte characters. Calato, et al. Expires August 16, 2004 [Page 7] Internet-Draft IPFIX Information Model February 2004 3.9 dateTimeSeconds The type "dateTimeSeconds" represents a time value having a precision of seconds and normalized to the GMT timezone. Such types are in common use on many operating systems and have the advantage that they can be stored in 32-bit integers. 3.10 dataTimeMicroSeconds The type "dateTimeSeconds" represents a time value having a precision of microseconds and normalized to the GMT timezone. 3.11 ipv4Address The type "ipv4Addr" represents a value of an IPv4 address. These addresses are typically stored as 32-bit integers. 3.12 ipv6Address The type "ipv6Addr" represents a value of an IPv6 address. Calato, et al. Expires August 16, 2004 [Page 8] Internet-Draft IPFIX Information Model February 2004 4. Flow Attributes 4.1 octetCount Description: The number of observed octets. Abstract Data Type: unsigned64 Field Id: 1 Units: octets 4.2 packetCount Description: The number of observed packets. Abstract Data Type: unsigned64 Field Id: 2 Units: packets 4.3 flowCount Description: The number of (aggregated) flows. Abstract Data Type: unsigned64 Field Id: 3 Units: flows 4.4 protocolIdentifier Description: The protocol number that identifies the IP packet payload. Protocol numbers are defined in the IANA Protocol Numbers registry. In Internet Protocol version 4 (IPv4) this is carried in the "Protocol" field. In Internet Protocol version 6 (IPv6) this is carried in the "Next Header" field. Abstract Data Type: octet Data Type Semantics: identifier Calato, et al. Expires August 16, 2004 [Page 9] Internet-Draft IPFIX Information Model February 2004 Field Id: 4 Reference: See RFC 791 for the specification of the IPv4 protocol field. See RFC 1883 for the specification of the IPv6 protocol field. See list of protocol numbers assigned by IANA at http://www.iana.org/ assignments/protocol-numbers. 4.5 classOfService Description: The class of service. The definition of classOfService is dependent on the protocol being observed. Those considered here are: * For IPv4 packets the class of service is given by the value of the type of service field in the IPv4 packet header. * For IPv6 packets the class of service is given by the value of the traffic class field in the IPv6 packet header. * For MPLS the class of service is given by the value of the experimental use (Exp) field in label stack entries. The Exp field has a length of 3 bits. These are mapped to the three least valued bits of the classOfService octet. All other bits of the octet are set to zero. * For VLAN the class of service is given by the value of the type of the user_priority field as defined in IEEE802.1q[802.1q] and IEEE 802.1p[802.1p]. EDITORS' NOTE: THIS NEEDS FURTHER WORK Abstract Data Type: octet Data Type Semantics: identifier Field Id: 5 Reference: See RFC 791 for the definition of the IPv4 TOS field. See RFC 2460 for the definition of the IPv6 traffic class field. See RFC 3032 for the definition of the Exp field in label stack entries. See Calato, et al. Expires August 16, 2004 [Page 10] Internet-Draft IPFIX Information Model February 2004 IEEE802.1q and IEEE 802.1p for the definition of the VLAN user_priority field. 4.6 tcpControlBits Description: The TCP control bits seen for this flow. Note that a 0 value for each bit only indicates that the flag was not detected (i.e. it may have occurred but was not detected by the reporting CCE). EDITORS' NOTE: THIS NEEDS FURTHER WORK. The bit mapping needs to be specified. Abstract Data Type: octet Data Type Semantics: flags Field Id: 6 Reference: See RFC 793 for a definiton of the TCP control bits in the TCP header. 4.7 sourcePort Description: A source port number in the UDP or TCP header, respectively. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 7 Reference: See RFC 768 for the definiton of the UDP source port field. See RFC 793 for the definiton of the TCP source port field. Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers. 4.8 sourceAddressV4 Description: The IPv4 source address in the IPv4 packet header. Abstract Data Type: ipv4Address Calato, et al. Expires August 16, 2004 [Page 11] Internet-Draft IPFIX Information Model February 2004 Field Id: 8 Reference: See RFC 791 for the definition of the IPv4 source address field. 4.9 sourceMask Description: The number of contiguous bits that are relevant in the source address field of the IP packet header (i.e. the subnet mask in slash notation). Abstract Data Type: octet Field Id: 9 Units: bits 4.10 ingressInterface Description: The index of the IP interface (ifIndex) where packets of a flow are being received. Abstract Data Type: unsigned32 Data Type Semantics: identifier Field Id: 10 Reference: See RFC 2863 for the definition of the ifIndex object. 4.11 destinationPort Description: A destination port number in the UDP or TCP header, respectively. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 11 Reference: See RFC 768 for the definiton of the UDP destination port field. See RFC 793 for the definiton of the TCP destination port field. Additional information on defined UDP and TCP port numbers can be Calato, et al. Expires August 16, 2004 [Page 12] Internet-Draft IPFIX Information Model February 2004 found at http://www.iana.org/assignments/port-numbers. 4.12 destinationAddressV4 Description: The IPv4 destination address in the IPv4 packet header. Abstract Data Type: ipv4Address Field Id: 12 Reference: See RFC 791 for the definition of the IPv4 destination address field. 4.13 destinationMask Description: The number of contiguous bits that are relevant in the destination address field of the IP packet header (i.e. the subnet mask in slash notation). Abstract Data Type: octet Field Id: 13 Units: bits 4.14 egressInterface Description: The index of the IP interface (ifIndex) where packets of a flow are being sent. Abstract Data Type: unsigned32 Data Type Semantics: identifier Field Id: 14 Reference: See RFC 2863 for the definition of the ifIndex object. 4.15 ipNextHopAddressV4 Description: The IPv4 address of the next IP hop to which packets are forwarded. Calato, et al. Expires August 16, 2004 [Page 13] Internet-Draft IPFIX Information Model February 2004 Abstract Data Type: ipv4Address Field Id: 15 4.16 sourceAsNumber Description: The autonomous system (AS) number of the source address in the IP packet header. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 16 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. 4.17 destinationAsNumber Description: The autonomous system (AS) number of the destination address in the IP packet header. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 17 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. 4.18 bgpNextHopAddressV4 Description: The IPv4 address of the next BGP hop to which packets are forwarded. Abstract Data Type: ipv4Address Data Type Semantics: identifier Field Id: 18 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. Calato, et al. Expires August 16, 2004 [Page 14] Internet-Draft IPFIX Information Model February 2004 4.19 mcPacketsSent Description: The number of sent multicast packets. Abstract Data Type: unsigned64 Field Id: 19 Units: packets 4.20 mcOctetsSent Description: The number of sent multicast octets. Abstract Data Type: unsigned64 Field Id: 20 Units: octets 4.21 flowEndTime Description: The timestamp of the last packet of a flow. Abstract Data Type: dateTimeSeconds Field Id: 21 4.22 flowCreationTime Description: The timestamp of the first packet of a flow. Abstract Data Type: dateTimeSeconds Field Id: 22 4.23 sourceAddressV6 Description: IPv6 source address taken from the packet header. Abstract Data Type: ipv6Address Field Id: 27 4.24 destinationAddressV6 Calato, et al. Expires August 16, 2004 [Page 15] Internet-Draft IPFIX Information Model February 2004 Description: IPv6 destination address taken from the packet header. Abstract Data Type: ipv6Address Field Id: 28 4.25 anotherSourceMask Description: The number of contiguous bits that are relevant in the source address field of the IP packet header (i.e. the subnet mask in slash notation). This redundant field has the same semantics as field 9. Abstract Data Type: octet Field Id: 29 Units: bits 4.26 destinationMask Description: The number of contiguous bits that are relevant in the destination address field of the IP packet header (i.e. the subnet mask in slash notation). This redundant field has the same semantics as field 13. Abstract Data Type: octet Field Id: 30 Units: bits 4.27 flowLabel Description: The Flow Label of the IPv6 packet header. Abstract Data Type: unsigned32 Field Id: 31 Reference: See RFC 2460 for a definition of the flow label field in the IPv6 packet header. Calato, et al. Expires August 16, 2004 [Page 16] Internet-Draft IPFIX Information Model February 2004 4.28 icmpTypeCode Description: Type and Code of the ICMP message. Abstract Data Type: unsigned16 Field Id: 32 Reference: See RFC 792 for a definition of the ICMP type and code fields. 4.29 igmpType Description: The type field of the IGMP message. Abstract Data Type: octet Field Id: 33 Reference: See RFC 2236 for a definition of the IGMP type field. 4.30 samplingInterval Description: Number of packets received as a ratio of number of packets sampled. For example a value of 100 would mean that one packet in 100 was sampled. EDITORS' NOTE: This will be replaced by the PSAMP INFO MODEL Abstract Data Type: unsigned32 Field Id: 34 Units: packets 4.31 samplingAlgorithm Description: The following sampling algorithms are defined: * 1 Deterministic sampling * 2 Random Sampling Calato, et al. Expires August 16, 2004 [Page 17] Internet-Draft IPFIX Information Model February 2004 * 3 Time-based sampling EDITORS' NOTE: This will be replaced by the PSAMP INFO MODEL Abstract Data Type: octet Data Type Semantics: identifier Field Id: 35 4.32 flowReportingInterval Description: Interval between reports for an active flow. Abstract Data Type: unsigned16 Field Id: 36 Units: seconds 4.33 flowIdleTimeout Description: A flow is considered to be timed out if not packet belonging to the flow has been observed for the number of seconds specified by this field. Abstract Data Type: unsigned16 Field Id: 37 Units: seconds 4.34 exportedOctetCount Description: The number of octets reported by the exporting process. Abstract Data Type: unsigned64 Field Id: 40 Units: octets 4.35 exportedPacketCount Calato, et al. Expires August 16, 2004 [Page 18] Internet-Draft IPFIX Information Model February 2004 Description: The number of packets reported by the exporting process. Abstract Data Type: unsigned64 Field Id: 41 Units: packets 4.36 exportedFlowCount Description: The number of flows reported by the exporting process. Abstract Data Type: unsigned64 Field Id: 42 Units: flows 4.37 ipVersion Description: The IP version field given in the IP header. Abstract Data Type: octet Field Id: 60 Units: flows Reference: See RFC 791 for a definition of the version field in the IPv6 packet header. See RFC 2460 for a definition of the version field in the IPv6 packet header. Additional information on defined version numbers can be found at http://www.iana.org/assignments/ version-numbers. 4.38 ipNextHopAddressV6 Description: The IPv6 address of the next IP hop to which packets are forwarded. Abstract Data Type: ipv6Address Field Id: 62 Calato, et al. Expires August 16, 2004 [Page 19] Internet-Draft IPFIX Information Model February 2004 4.39 bgpNextHopAddressV6 Description: The IPv6 address of the next BGP hop to which packets are forwarded. Abstract Data Type: ipv6Address Data Type Semantics: identifier Field Id: 63 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. 4.40 bgpNextHopAsNumber Description: The autonomous system (AS) number of the next BGP hop the packets are sent to. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 80 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. 4.41 ipNextHopAsNumber Description: The autonomous system (AS) number of the next IP hop the packets are sent to. Abstract Data Type: unsigned16 Data Type Semantics: identifier Field Id: 81 Reference: See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. 4.42 exporterAddressV4 Calato, et al. Expires August 16, 2004 [Page 20] Internet-Draft IPFIX Information Model February 2004 Description: The IPv4 address of the flow exporter. This is used by the collecter to identify the exporter in cases where the identity of the exporter may have been obscured by the use of a proxy. Abstract Data Type: ipv4Address Field Id: 82 4.43 exporterAddressV6 Description: The IPv6 address of the flow exporter. This is used by the collecter to identify the exporter in cases where the identity of the exporter may have been obscured by the use of a proxy. Abstract Data Type: ipv4Address Field Id: 83 4.44 droppedOctetCount Description: The number of octets dropped. Abstract Data Type: unsigned64 Field Id: 84 Units: octets 4.45 droppedPacketCount Description: The number of packets dropped. Abstract Data Type: unsigned64 Field Id: 84 Units: packets 4.46 flowEndReason Description: The number of packets dropped. * idle timeout Calato, et al. Expires August 16, 2004 [Page 21] Internet-Draft IPFIX Information Model February 2004 * end of flow detected (e.g. TCP FIN) * forced end * cache full EDITORS' NOTE: This needs to be defined as an enumerated range. Abstract Data Type: octet Field Id: 84 Calato, et al. Expires August 16, 2004 [Page 22] Internet-Draft IPFIX Information Model February 2004 5. Extending the Information Model A key requirement for IPFIX is to allow for extending the set of information items which are reported for flows. This section defines the mechanism for extending this set. The IPFIX protocol carries flow records defined by a template. Multiple templates may be defined for a dialog between an exporter and a collector. A given template identifies the information items and their order. The means of identification of information items in a template is via a field ID. Field Id's are unique identifiers administered by IANA. Extension is done by defining new Information elements, including the set of necessary information and possibly additional optional information for each element. Each new information item MUST be assigned a unique fieldId as part of its definition. These unique field ids are the connection between the record structure communicated by the protocol using templates and a consuming application. Vendor specific extensions may be made by vendors with IANA enterprise ID assignments, without registering specific field ID's with IANA. In these cases the field definiton must specify the vendor ID as well as the vendor-specified field ID and other mandatory field properties. Before creating vendor-specific fields, the general applicability of such information elements should be considered. For generally applicable fields using IETF and IANA mechanisms for extendind the information model is recommended. Calato, et al. Expires August 16, 2004 [Page 23] Internet-Draft IPFIX Information Model February 2004 6. IANA Considerations IANA has to create a new registry for IPFIX fields ID's. Appendix B defines an XML schema which may be used to create consistent machine readable extensions to the IPFIX information model. This schema introduces a new namaspace, which will be assigned by IANA according to RFC 3688. Currently the name space for this schema is identified as http://www.ietf.org/ipfix. Calato, et al. Expires August 16, 2004 [Page 24] Internet-Draft IPFIX Information Model February 2004 7. Security Considerations The IPFIX information model itself does not directly introduce security issues. Rather it defines a set of attributes which may for privacy or business issues be considered sensitive information. The underlying protocol used to exchange the information described here must therefor apply appropriate procedures to guarantee the integrity and confidentiality of the exported information. Such protocols are defined in separate documents. Specifically the IPFIX Protocol document. Calato, et al. Expires August 16, 2004 [Page 25] Internet-Draft IPFIX Information Model February 2004 8. Acknowledgements The editors thank Stewart Bryant for a lot of useful input on the field definitions. Also many thanks to Thomas Dietz for developing the XSLT scripts that generate large portions of the text part of this document from the XML appendices. Calato, et al. Expires August 16, 2004 [Page 26] Internet-Draft IPFIX Information Model February 2004 Normative Reference [1] Claise, B., Fullmer, M., Calato, P. and R. Penno, "IPFIX Protocol Specification", IETF draft work in progress, January 2004, . Calato, et al. Expires August 16, 2004 [Page 27] Internet-Draft IPFIX Information Model February 2004 Informative Reference [2] Quittek, J., Zseby, T., Claise, B. and S. Zander, "Requirements for IP Flow Information Export", IETF draft work in progress, January 2004, . [3] Sadasivan, G. and N. Brownlee, "Architecture Model for IP Flow Information Export", IETF draft work in progress, October 2003, . [4] Zseby, T., Penno, R., Claise, B. and N. Brownlee, "IPFIX Applicability", IETF draft work in progress, October 2003, . [5] Claise, B., "Cisco Systems NetFlow Services Export Version 9", IETF draft work in progress, June 2003, . [6] World Wide Web Consortium, "Extensible Markup Language (XML) 1.0", W3C XML, February 1998, . [7] World Wide Web Consortium, "XML Schema Part 1: Structures", W3C XML, May 2001, . [8] World Wide Web Consortium, "XML Schema Part 2: Datatypes", W3C XML, May 2001, . [9] Internet Protocol Detail Record Organization, "Network Data Management - Usage (NDM-U) For IP-Based Services Version 3.1.1", October 2002, . [10] Brownlee, N. and A. Blount, "Accounting Attributes and Record Formats", RFC 2924, Sept. 2000, . [11] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999, . [12] Hollenbeck, S., Rose, M. and L. Masinter, "Guidelines for the Use of Extensible Markup Language (XML) within IETF Protocols", RFC 3470, January 2003, . Calato, et al. Expires August 16, 2004 [Page 28] Internet-Draft IPFIX Information Model February 2004 [13] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, January 2003, . [14] Mealling, M., "The IETF XML Registry", RFC 3688, January 2004, . Authors' Addresses Paul Calato Riverstone Networks Inc 5200 Great America Parkway Santa Clara, CA 95054 US Phone: +1 603 557-6913 EMail: calato@riverstonenet.com URI: http://www.riverstonenet.com Jeff Meyer PayPal 2211 N. First St. San Jose, CA 95131-2021 US Phone: +1 408 976-9149 EMail: jemeyer@paypal.com URI: http://www.paypal.com Juergen Quittek NEC Europe Ltd. Kurfuersten-Anlage 36 Heidelberg 69115 Germany Phone: +49 6221 90511-15 EMail: quittek@netlab.nec.de URI: http://www.netlab.nec.de/ Calato, et al. Expires August 16, 2004 [Page 29] Internet-Draft IPFIX Information Model February 2004 Appendix A. Formal Specification of IPFIX Fields This appendix contains a formal description of the IPFIX information model XML document. Note that this appendix is of informational nature, while the text in section 4 generated from this appendix is normative. Using a formal and machine readable syntax for the Information model enables the creation of IPFIX aware tools which can automatically adapt to extensions to the information model, by simply reading updated information model specifications. The wide availability of XML aware tools and libraries for client devices is a primary consideration for this choice. In particular libraries for parsing XML documents are readily available. Also mechanisms such as the Extensible Stylesheet Language (XSL) allow for transforming a source XML document into other documents. This draft was authored in XML and transformed according to RFC2629. It should be noted that the use of XML in exporters, collectors or other tools is not mandatory for the deployment of IPFIX. In particular exporting processes do not produce or consume XML as part of their operation. It is expected that IPFIX collectors MAY take advantage of the machine readability of the Information Model vs. hardcoding their behavior or inventing proprietary means for accomodating extensions. The number of observed octets. octets The number of observed packets. packets The number of (aggregated) flows. flows The protocol number that identifies the IP packet payload. Protocol numbers are defined in the IANA Protocol Numbers registry. In Internet Protocol version 4 (IPv4) this is carried in the "Protocol" field. In Internet Protocol version 6 (IPv6) this is carried in the "Next Header" field. See RFC 791 for the specification of the IPv4 protocol field. See RFC 1883 for the specification of the IPv6 protocol field. See list of protocol numbers assigned by IANA at http://www.iana.org/assignments/protocol-numbers. The class of service. The definition of classOfService is dependent on the protocol being observed. Those considered here are: For IPv4 packets the class of service is given by the value of the type of service field in the IPv4 packet header. For IPv6 packets the class of service is given by the Calato, et al. Expires August 16, 2004 [Page 31] Internet-Draft IPFIX Information Model February 2004 value of the traffic class field in the IPv6 packet header. For MPLS the class of service is given by the value of the experimental use (Exp) field in label stack entries. The Exp field has a length of 3 bits. These are mapped to the three least valued bits of the classOfService octet. All other bits of the octet are set to zero. For VLAN the class of service is given by the value of the type of the user_priority field as defined in IEEE802.1q[802.1q] and IEEE 802.1p[802.1p]. EDITORS' NOTE: THIS NEEDS FURTHER WORK See RFC 791 for the definition of the IPv4 TOS field. See RFC 2460 for the definition of the IPv6 traffic class field. See RFC 3032 for the definition of the Exp field in label stack entries. See IEEE802.1q and IEEE 802.1p for the definition of the VLAN user_priority field. The TCP control bits seen for this flow. Note that a 0 value for each bit only indicates that the flag was not detected (i.e. it may have occurred but was not detected by the reporting CCE). EDITORS' NOTE: THIS NEEDS FURTHER WORK. The bit mapping needs to be specified. See RFC 793 for a definiton of the TCP control bits in the TCP header. A source port number in the UDP or TCP header, respectively. See RFC 768 for the definiton of the UDP source port field. See RFC 793 for the definiton of the TCP source port field. Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers. The IPv4 source address in the IPv4 packet header. See RFC 791 for the definition of the IPv4 source address field. The number of contiguous bits that are relevant in the source address field of the IP packet header (i.e. the subnet mask in slash notation). bits The index of the IP interface (ifIndex) where packets of a flow are being received. See RFC 2863 for the definition of the ifIndex object. A destination port number in the UDP or TCP header, respectively. See RFC 768 for the definiton of the UDP destination port field. See RFC 793 for the definiton of the TCP destination port field. Additional information on defined UDP and TCP port numbers can be found at http://www.iana.org/assignments/port-numbers. The IPv4 destination address in the IPv4 packet header. See RFC 791 for the definition of the IPv4 destination address field. The number of contiguous bits that are relevant in the destination address field of the IP packet header (i.e. the subnet mask in slash notation). bits The index of the IP interface (ifIndex) where packets of a flow are being sent. Calato, et al. Expires August 16, 2004 [Page 34] Internet-Draft IPFIX Information Model February 2004 See RFC 2863 for the definition of the ifIndex object. The IPv4 address of the next IP hop to which packets are forwarded. The autonomous system (AS) number of the source address in the IP packet header. See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. The autonomous system (AS) number of the destination address in the IP packet header. See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. The IPv4 address of the next BGP hop to which packets are forwarded. See RFC 1771 for a description of BGB-4 and Calato, et al. Expires August 16, 2004 [Page 35] Internet-Draft IPFIX Information Model February 2004 see RFC 1930 a definition of the AS number. The number of sent multicast packets. packets The number of sent multicast octets. octets The timestamp of the last packet of a flow. The timestamp of the first packet of a flow. IPv6 source address taken from the packet header. IPv6 destination address taken from the packet header. Calato, et al. Expires August 16, 2004 [Page 36] Internet-Draft IPFIX Information Model February 2004 The number of contiguous bits that are relevant in the source address field of the IP packet header (i.e. the subnet mask in slash notation). This redundant field has the same semantics as field 9. bits The number of contiguous bits that are relevant in the destination address field of the IP packet header (i.e. the subnet mask in slash notation). This redundant field has the same semantics as field 13. bits The Flow Label of the IPv6 packet header. See RFC 2460 for a definition of the flow label field in the IPv6 packet header. Type and Code of the ICMP message. See RFC 792 for a definition of the ICMP type and code fields. The type field of the IGMP message. See RFC 2236 for a definition of the IGMP type field. Number of packets received as a ratio of number of packets sampled. For example a value of 100 would mean that one packet in 100 was sampled. EDITORS' NOTE: This will be replaced by the PSAMP INFO MODEL packets The following sampling algorithms are defined: 1 Deterministic sampling 2 Random Sampling 3 Time-based sampling EDITORS' NOTE: This will be replaced by the PSAMP INFO MODEL Interval between reports for an active flow. seconds Calato, et al. Expires August 16, 2004 [Page 38] Internet-Draft IPFIX Information Model February 2004 A flow is considered to be timed out if not packet belonging to the flow has been observed for the number of seconds specified by this field. seconds The number of octets reported by the exporting process. octets The number of packets reported by the exporting process. packets The number of flows reported by the exporting process. flows The IP version field given in the IP header. flows See RFC 791 for a definition of the version field in the IPv6 packet header. See RFC 2460 for a definition of the version field in the IPv6 packet header. Calato, et al. Expires August 16, 2004 [Page 39] Internet-Draft IPFIX Information Model February 2004 Additional information on defined version numbers can be found at http://www.iana.org/assignments/version-numbers. The IPv6 address of the next IP hop to which packets are forwarded. The IPv6 address of the next BGP hop to which packets are forwarded. See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. The autonomous system (AS) number of the next BGP hop the packets are sent to. See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. The autonomous system (AS) number of the next IP hop the packets are sent to. Calato, et al. Expires August 16, 2004 [Page 40] Internet-Draft IPFIX Information Model February 2004 See RFC 1771 for a description of BGB-4 and see RFC 1930 a definition of the AS number. The IPv4 address of the flow exporter. This is used by the collecter to identify the exporter in cases where the identity of the exporter may have been obscured by the use of a proxy. The IPv6 address of the flow exporter. This is used by the collecter to identify the exporter in cases where the identity of the exporter may have been obscured by the use of a proxy. The number of octets dropped. octets The number of packets dropped. packets The number of packets dropped. Calato, et al. Expires August 16, 2004 [Page 41] Internet-Draft IPFIX Information Model February 2004 idle timeout end of flow detected (e.g. TCP FIN) forced end cache full EDITORS' NOTE: This needs to be defined as an enumerated range. Calato, et al. Expires August 16, 2004 [Page 42] Internet-Draft IPFIX Information Model February 2004 Appendix B. Formal Specification of Abstract Data Types This appendix containfs a formal description of the abstract data types to be used for IPFIX fields and a formal description of the template used for defining IPFIX fields. Note that this appendix is of informational nature, while the text in sections 2 and 3 generated from this appendix is normative. The type "unsignedByte" represents a non-negative integer value in the range of 0 to 255. The type "unsigned16" represents a non-negative integer value in the range of 0 to 65535. The type "unsigned32" represents a non-negative integer value in the range of 0 to 4294967295. The type "unsigned64" represents a non-negative integer value in the range of 0 to 18446744073709551615. Calato, et al. Expires August 16, 2004 [Page 43] Internet-Draft IPFIX Information Model February 2004 The type "float32" corresponds to an IEEE single-precision 32-bit floating point type. The type "boolean" represents a binary value. The type "octetArray" represents a finite length string of octets. The type "string" represents a finite length string of valid characters from the Unicode character encoding set. Unicode allows for ASCII and many other international character sets to be used. It is expected that strings will be encoded in UTF-8 format, which is identical in encoding for USASCII characters, but also accomodates other Unicode multibyte characters. The type "dateTimeSeconds" represents a time value having a precision of seconds and normalized to the GMT timezone. Such types are in common use on many operating systems and have the advantage that they Calato, et al. Expires August 16, 2004 [Page 44] Internet-Draft IPFIX Information Model February 2004 can be stored in 32-bit integers. The type "dateTimeSeconds" represents a time value having a precision of microseconds and normalized to the GMT timezone. The type "ipv4Addr" represents a value of an IPv4 address. These addresses are typically stored as 32-bit integers. The type "ipv6Addr" represents a value of an IPv6 address. A quantity value represents a discrete measured value pertaining to the record. This is distinguished from counters which represent an ongoing measured value whose "odometer" reading is captured as part of a given record. If no semantic qualifier is given, the integral fields should behave as a quantity. Calato, et al. Expires August 16, 2004 [Page 45] Internet-Draft IPFIX Information Model February 2004 A measurement which is ongoing from the perspective of the exporter. Basically the same semantics as counters in SNMP. Counters are unsigned and wrap back to zero after reaching the limit of the type. E.g. an unsigned64 with counter semantics will continue to increment until reaching the value of 2**64 - 1. At this point the next increment will wrap its value to zero and continue counting from zero. An integral value which serves as an identifier. Specifically mathematical operations on two identifiers (aside from the equality operation) are meaningless. E.g. Autonomous System Id 1 * Autonomous System Id 2 is meaningless. An integral value which actually represents a set of bit fields. Logical operations are appropriate on such values, but not other mathematical operations. Flags should always be of an unsigned type. Used for fields that are applicable to flow records only. Calato, et al. Expires August 16, 2004 [Page 46] Internet-Draft IPFIX Information Model February 2004 Used for fields that are applicable to option records only. Used for fields that are applicable to flow records as well as to option records. Indicates that the field definition is that the definition is current and valid. Indicates that the field definition is obsolete, but it permits new/continued implementation in order to foster interoperability with older/existing implementations. Calato, et al. Expires August 16, 2004 [Page 47] Internet-Draft IPFIX Information Model February 2004 Indicates that the field definition is obsolete and should not be implemented and/or can be removed if previously implemented. to be done ... to be done ... to be done ... Calato, et al. Expires August 16, 2004 [Page 48] Internet-Draft IPFIX Information Model February 2004 The semantics of this information element. Describes how this field is derived from the flow or other information available to the observer. to be done ... If the field is a measure of some kind, the units identify what the measure is. Identifies additional specifications which more precisely define this item or provide additional context for its use. Some items may have a specific set of numeric Calato, et al. Expires August 16, 2004 [Page 49] Internet-Draft IPFIX Information Model February 2004 identifiers associated with a set of discrete values this element may take. The meaning of each discrete value and a human readable name should be assigned. Some elements may only be able to take on a restricted set of values which can be expressed as a range (e.g. 0 through 511 inclusive). If this is the case, the valid inclusive range should be specified. A unique and meaningful name for the field. The preferred spelling for the name is to use mixed case if the name is compound, with an initial lower case letter. (E.g. "sourceIpAddress"). One of the types listed in the "Type Space" section. The type space for attributes is constrained to facilitate implementation. The existing type space does however encompass most basic types used in modern programming languages, as well as some derived types (such as IPAddress) which are common to this domain and useful to distinguish. Calato, et al. Expires August 16, 2004 [Page 50] Internet-Draft IPFIX Information Model February 2004 The integral types may be qualified by additional semantic details. Qualifying the fields as 'quantity', 'counter', 'identifier' or 'flags'. A numeric identifier administered by IANA. This is used for compact identification of an information item when encoding templates in the protocol. When extension is done outside of the scope of the IANA IPFIX fieldId range, a vendorId MUST be provided. This identifier is based on IANA assigned enterprise identifiers. to be done ... to be done ... Calato, et al. Expires August 16, 2004 [Page 51] Internet-Draft IPFIX Information Model February 2004 Calato, et al. Expires August 16, 2004 [Page 52] Internet-Draft IPFIX Information Model February 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society (2004). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Calato, et al. Expires August 16, 2004 [Page 53] Internet-Draft IPFIX Information Model February 2004 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Calato, et al. Expires August 16, 2004 [Page 54]