Internet DRAFT - draft-fu-ipfix-network-security

draft-fu-ipfix-network-security







IPFIX Working Group                                                T. Fu
Internet-Draft                                                    Huawei
Intended status: Standards Track                                D. Zhang
Expires: October 30, 2015
                                                                   D. He
                                                                  L. Xia
                                                                  Huawei
                                                          April 28, 2015


   IPFIX Information Elements for inspecting network security issues
                   draft-fu-ipfix-network-security-01

Abstract

   IPFIX protocol has been used to carry Information Elements, which are
   defined to measure the traffic information and information related to
   the traffic observation point, traffic metering process and the
   exporting process.  Network or device status are checked through
   analysing neccessary observed information.  Although most of the
   existing Information Elements are useful for network security
   inspection, they are still not sufficient to determine the reasons
   behind observed events such as for DDOS attack, ICMP attack, and
   fragment attack.  To allow administrators making effective and quick
   response to the attacks, this document extends the standard
   Information Elements and describes the formats for inspecting network
   security.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 30, 2015.







Fu, et al.              Expires October 30, 2015                [Page 1]

Internet-Draft       IPFIX IEs for network security           April 2015


Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Information Elements and use cases  . . . . . . . . . . . . .   4
     3.1.  Information Elements  . . . . . . . . . . . . . . . . . .   4
     3.2.  Packet upstream/downstream counters . . . . . . . . . . .   9
     3.3.  ICMP echo/echo reply counters . . . . . . . . . . . . . .   9
     3.4.  Fragment statistic  . . . . . . . . . . . . . . . . . . .   9
     3.5.  Application error code  . . . . . . . . . . . . . . . . .  10
     3.6.  Extended value of FlowEndReason . . . . . . . . . . . . .  10
   4.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . . . .  10
     4.1.  IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Terminology

   IPFIX-specific terminology (Information Element, Template, Template
   Record, Options Template Record, Template Set, Collector, Exporter,
   Data Record, etc.) used in this document is defined in Section 2 of
   [RFC7011].  As in [RFC7011], these IPFIX-specific terms have the
   first letter of a word capitalized.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].





Fu, et al.              Expires October 30, 2015                [Page 2]

Internet-Draft       IPFIX IEs for network security           April 2015


2.  Introduction

   As network security issues arising dramatically nowadays, network
   administrators are eager to detect and identify attacks as early as
   possible, generate countermeasurements with high agility.  Due to the
   enormous amount of network attack types, metrics useful for attack
   detection are as diverse as attack patterns themselves.  Moreover,
   attacking methods are evolved rapidly, which brings challenges to
   designing detect mechanism.

   The IPFIX requirement [RFC3917] points out that one of the target
   applications of IPFIX is atack and intrusion detection.  The IPFIX
   Protocol [RFC7011] defines a generic exchange mechanism for flow
   information and events.  It supports source-triggered exporting of
   information due to the push model approach other than exporting upon
   flow-end or fixed time intervals.The IPFIX Information Model
   [RFC5102] defines a list of standard Information Elements (IEs) which
   can be carried by the IPFIX protocol.  Eventhough the existing
   standard IEs are useful to check the status/events of the traffic,
   they are not sufficient to help network administrators identify
   categories of the attacks.  The scanty information will result in an
   inaccurate analysis and slowing down the effective response towards
   network attacks.

   For instance, CC (Challenge Collapsar) attack is a typical
   application layer DDoS attack, which mainly attacks the dynamic pages
   of web server.  It makes the web server's resources exhausted and
   paralyzed, so the server will be denial of service.  Because CC
   attacker imitates normal users' behavior pretty well by using
   different real IP addresses with relatively completive access process
   (even with low speed), it makes the attack concealed well compared
   with traditional network layer DDoS (e.g.  SYN-Flood, etc).  In
   addition, the attacker often manipulates the attack behind the scenes
   by non-direct communicate with target server, so the attack is not
   easy to be tracked and discovered.  It would be useful to collect
   application status information for application layer attacks.  In
   this case, CC attack is likely to happen if a large number of non 2XX
   HTTP status code replied from the server are observed.

   Fragment attack employs unexpected formats of fragmentation, which
   will result in errors such as fragmentation buffer full, fragment
   overlapped, fragment incomplete.  Existing IPFIX fragmentation
   metrics includes fragmentOffset, fragmentIdentification,
   fragmentFlags, which only indicate the attributes of a single
   fragment, and are not suitable for attack detection.  Integrated
   measurements are needed to provide an holistic review of the session.
   Furthermore ICMP flow model has features such as the ICMP Echo/Echo
   Reply dominate the whole traffic flow, ICMP packet interval is



Fu, et al.              Expires October 30, 2015                [Page 3]

Internet-Draft       IPFIX IEs for network security           April 2015


   usually not too short (normally 1 pkt/s).  The current ICMP
   information elements of IPFIX contains the ICMP type and code for
   both IPv4 and IPv6, however they are for a single ICMP packet rather
   than statistical property of the ICMP session.  Further metrics like
   the cumulated sum of various counters should be calculated based on
   sampling method defined by the Packet SAMPling (PSAMP) protocol [RFC
   5477].  Similar problems occur in TCP, UDP, SNMP and DNS attack, it
   would be useful to derive the number of the upstream and downstream
   packets separately and over time in order to detect the anomalies of
   the network.

   Upon the above discussions and per IPFIX applicability [RFC 5472],
   derived metrics are useful to provide sufficient evidence about
   security incident.  A wisely chosen sets of derived metrics will
   allow direct exporting with minimal resource consumption.  This
   document extends the IPFIX Information model and defines Information
   Elements (IEs) that SHOULD be used to identify different attack
   categories, the standardization of those IEs will improve the network
   security and will support the offline analysis of data from different
   operators in the future.

3.  Information Elements and use cases

   This section presents the information elements that are useful for
   attack detection, the IPFIX templates could contain a subset of the
   Information Elements(IEs) shown in Table 1 depending upon the attack
   under concern of the network administrator.  For example a session
   creation template contains

   {sourceIPv4Address, destinationIpv4Address, sourceTransportPort,
   destinationTransportPort, protocolIdentifier, pktUpstreamCount,
   pktDownstreamCount, selectorAlgorithm, samplingPacketInterval,
   samplingPacketSpace}

   An example of the actual event data record is shown below in a
   readable form

   {192.168.0.201, 192.168.0.1, 51132, 80, 7, 67, 87, 3, 100,1000}

3.1.  Information Elements

   The following is the table of all the IEs that a device would need to
   export for attack statistic analysis.  The formats of the IEs and the
   IPFIX IDs are listed below.  Most of the IEs are defined in [IPFIX-
   IANA], while some of the IPFIX IE's ID are not assigned yet, and
   hence the detailed explanation of these fields are presented in the
   following sections.  The recommended registrations to IANA is
   described the IANA considerations section.



Fu, et al.              Expires October 30, 2015                [Page 4]

Internet-Draft       IPFIX IEs for network security           April 2015


   +---------------------------+--------------+-------+----------------+
   | Field Name                | Size (bits)  | IANA  | Description    |
   |                           |              | IPFIX |                |
   |                           |              | ID    |                |
   +---------------------------+--------------+-------+----------------+
   | sourceIPv4Address         | 32           | 8     | Source IPv4    |
   |                           |              |       | Address        |
   | destinationIPv4Address    | 32           | 12    | Destination    |
   |                           |              |       | IPv4 Address   |
   | sourceTransportPort       | 16           | 7     | Source Port    |
   | destinationTransportPort  | 16           | 11    | Destination    |
   |                           |              |       | port           |
   | protocolIdentifier        | 8            | 4     | Transport      |
   |                           |              |       | protocol       |
   | packetDeltaCount          | 64           | 2     | The number of  |
   |                           |              |       | incoming       |
   |                           |              |       | packets since  |
   |                           |              |       | the previous   |
   |                           |              |       | report (if     |
   |                           |              |       | any) for this  |
   |                           |              |       | Flow at the    |
   |                           |              |       | Observation    |
   |                           |              |       | Point          |
   | pktUpstreamCount          | 64           | TBD   | Upstream       |
   |                           |              |       | packet counter |
   | pktDownstreamCount        | 64           | TBD   | Downstream     |
   |                           |              |       | packet counter |
   | octetUpstreamCount        | 64           | TBD   | Upstream octet |
   |                           |              |       | counter        |
   | octetDownstreamCount      | 64           | TBD   | Downstream     |
   |                           |              |       | octet counter  |
   | tcpSynTotalCount          | 64           | 218   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP            |
   |                           |              |       | "Synchronize   |
   |                           |              |       | sequence       |
   |                           |              |       | numbers" (SYN) |
   |                           |              |       | flag set       |
   | tcpFinTotalCount          | 64           | 219   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP "No more   |
   |                           |              |       | data from      |
   |                           |              |       | sender" (FIN)  |
   |                           |              |       | flag set       |



Fu, et al.              Expires October 30, 2015                [Page 5]

Internet-Draft       IPFIX IEs for network security           April 2015


   | tcpRstTotalCount          | 64           | 220   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP "Reset the |
   |                           |              |       | connection"    |
   |                           |              |       | (RST) flag     |
   |                           |              |       | set.           |
   | tcpPshTotalCount          | 64           | 221   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP "Push      |
   |                           |              |       | Function"      |
   |                           |              |       | (PSH) flag     |
   |                           |              |       | set.           |
   | tcpAckTotalCount          | 64           | 222   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP "Acknowled |
   |                           |              |       | gment field    |
   |                           |              |       | significant"   |
   |                           |              |       | (ACK) flag     |
   |                           |              |       | set.           |
   | tcpUrgTotalCount          | 64           | 223   | The total      |
   |                           |              |       | number of      |
   |                           |              |       | packets of     |
   |                           |              |       | this Flow with |
   |                           |              |       | TCP "Urgent    |
   |                           |              |       | Pointer field  |
   |                           |              |       | significant"   |
   |                           |              |       | (URG) flag     |
   |                           |              |       | set.           |
   | tcpControlBits            | 8            | 6     | TCP control    |
   |                           |              |       | bits observed  |
   |                           |              |       | for packets of |
   |                           |              |       | this Flow      |
   | flowEndReason             | 8            | 136   | The reason for |
   |                           |              |       | Flow           |
   |                           |              |       | termination    |
   | minimumIpTotalLength      | 64           | 25    | Length of the  |
   |                           |              |       | smallest       |
   |                           |              |       | packet         |
   |                           |              |       | observed for   |
   |                           |              |       | this Flow      |
   | maximumIpTotalLength      | 64           | 26    | Length of the  |
   |                           |              |       | largest packet |



Fu, et al.              Expires October 30, 2015                [Page 6]

Internet-Draft       IPFIX IEs for network security           April 2015


   |                           |              |       | observed for   |
   |                           |              |       | this Flow      |
   | flowStartSeconds          | dateTimeSeco | 150   | The absolute   |
   |                           | nds          |       | timestamp of   |
   |                           |              |       | the first      |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | flowEndSeconds            | dateTimeSeco | 151   | The absolute   |
   |                           | nds          |       | timestamp of   |
   |                           |              |       | the last       |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | flowStartMilliseconds     | dateTimeMill | 152   | The absolute   |
   |                           | iseconds     |       | timestamp of   |
   |                           |              |       | the first      |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | flowEndMilliseconds       | dateTimeMill | 153   | The absolute   |
   |                           | iseconds     |       | timestamp of   |
   |                           |              |       | the last       |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | flowStartMicroseconds     | dateTimeMicr | 154   | The absolute   |
   |                           | oseconds     |       | timestamp of   |
   |                           |              |       | the first      |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | flowEndMicroseconds       | dateTimeMicr | 155   | The absolute   |
   |                           | oseconds     |       | timestamp of   |
   |                           |              |       | the last       |
   |                           |              |       | packet of this |
   |                           |              |       | Flow           |
   | applicationErrorCodeCount | 32           | TBD   | Number of      |
   |                           |              |       | packets with   |
   |                           |              |       | application    |
   |                           |              |       | error code     |
   |                           |              |       | detected       |
   | fragmentFlags             | 8            | 197   | Fragmentation  |
   |                           |              |       | properties     |
   |                           |              |       | indicated by   |
   |                           |              |       | flags in the   |
   |                           |              |       | IPv4 packet    |
   |                           |              |       | header or the  |
   |                           |              |       | IPv6 Fragment  |
   |                           |              |       | header,        |
   |                           |              |       | respectively   |
   | fragmentIncompleteCount   | 32           | TBD   | Counter of     |
   |                           |              |       | incomplete     |



Fu, et al.              Expires October 30, 2015                [Page 7]

Internet-Draft       IPFIX IEs for network security           April 2015


   |                           |              |       | fragments      |
   | fragmentFirstTooShortCoun | 32           | TBD   | Number of      |
   | t                         |              |       | packets with   |
   |                           |              |       | first fragment |
   |                           |              |       | too short      |
   | fragmentOffsettErrorCount | 32           | TBD   | Number of      |
   |                           |              |       | fragments with |
   |                           |              |       | offset error   |
   | fragmentFlagErrorCount    | 32           | TBD   | Number of      |
   |                           |              |       | fragments with |
   |                           |              |       | flag error     |
   | icmpTypeIPv4              | 8            | 176   | Type of the    |
   |                           |              |       | IPv4 ICMP      |
   |                           |              |       | message        |
   | icmpCodeIPv4              | 8            | 177   | Code of the    |
   |                           |              |       | IPv4 ICMP      |
   |                           |              |       | message        |
   | icmpTypeIPv6              | 8            | 178   | Type of the    |
   |                           |              |       | IPv6 ICMP      |
   |                           |              |       | message        |
   | icmpCodeIPv6              | 8            | 179   | Code of the    |
   |                           |              |       | IPv6 ICMP      |
   |                           |              |       | message        |
   | icmpEchoCount             | 32           | TBD   | The number fo  |
   |                           |              |       | ICMP echo.     |
   | icmpEchoReplyCount        | 32           | TBD   | The number of  |
   |                           |              |       | ICMP echo      |
   |                           |              |       | reply.         |
   | selectorAlgorithm         | 16           | 304   | This           |
   |                           |              |       | Information    |
   |                           |              |       | Element        |
   |                           |              |       | identifies the |
   |                           |              |       | packet         |
   |                           |              |       | selection      |
   |                           |              |       | methods (e.g., |
   |                           |              |       | Filtering,     |
   |                           |              |       | Sampling) that |
   |                           |              |       | are applied by |
   |                           |              |       | the Selection  |
   |                           |              |       | Process.       |
   | samplingPacketInterval    | 32           | 305   | The number of  |
   |                           |              |       | packets that   |
   |                           |              |       | are            |
   |                           |              |       | consecutively  |
   |                           |              |       | sampled        |
   | samplingPacketSpace       | 32           | 306   | The number of  |
   |                           |              |       | packets        |
   |                           |              |       | between two "s |



Fu, et al.              Expires October 30, 2015                [Page 8]

Internet-Draft       IPFIX IEs for network security           April 2015


   |                           |              |       | amplingPacketI |
   |                           |              |       | nterval"s.     |
   +---------------------------+--------------+-------+----------------+

                    Table 1: Information Element table

3.2.  Packet upstream/downstream counters

   A sudden increase of Flow from different sources to one destination
   may be caused by an attack on a specific host or network node using
   spoofed addresses.  However it may be cased by legitimate users who
   seek access to a recently published web content.  Only reporting the
   total packet number is not sufficient to indicate whether attacks
   occur, as it lacks details to separate good packets from abnormoal
   packets. as a result, upstream and downstream packets should be
   monitored seperately so that upstream to downstream packet number
   ratio can be use to detect successful connections. pktUpstreamCount
   and pktDownstreamCount are added to IPFIX to represent the cumulated
   upstream and downstream packet number respectively.

3.3.  ICMP echo/echo reply counters

   An unusual ratio of ICMP echo to ICMP echo reply packets can refer to
   ICMP attack.  However the existing set of IPFIX IEs provides the type
   and code of ICMP packet, countinuously export the information will
   result in serious resource consumption at the exporter, the collector
   and the bandwith.  The number of echo and echo reply packets in a
   Flow can be derived for the Observation Domain in a specific time
   interval or once the ratio exceeds threshold.  The basic metrics
   icmpEchoCount and icmpEchoReplyCount are defined as new IPFIX
   Information Elements.

3.4.  Fragment statistic

   Typical fragment attack includes fragmentation buffer full, fragment
   overlapped, fragment incomplete.  Existing IPFIX fragmentation
   metrics includes fragmentIdentification,fragmentOffset,
   fragmentFlags, which are not sufficient to identify errors, and are
   not suitable for early attack detection.  Integrated measurements are
   needed to provide an holistic review of the flow.
   fragmentIncompleteCount checks the number of incomplete fragmentation
   ,fragmentFirstTooShortCount verifies the number of fragments with
   first fragment too short, fragmentOffsetErrorCount checks the number
   of fragments with offset error, and fragmentFlagErrorCount detect
   early whether the fragmentation is caused by a malicious attack.






Fu, et al.              Expires October 30, 2015                [Page 9]

Internet-Draft       IPFIX IEs for network security           April 2015


3.5.  Application error code

   The application layer attack requires IPFIX protocol capture packet
   payload.  An initial consideration of the application error code
   comes from the HTTP status code except 2XX successful code.  Other
   application layer protocol error code are also supported.  The error
   code list can be expanded in the future as necessary.  The data
   record will have the corresponding error code value to identify the
   error that is being logged.

3.6.  Extended value of FlowEndReason

   There are 5 defined reasons for Flow termination, with values ranging
   from 0x01 to 0x05:

   0x01: idle timeout

   0x02: active timeout

   0x03: end of Flow detected

   0x04: forced end

   0x05: lack of resources

   There is an additional reason caused by state machine anomaly.  When
   FIN/SYN is sent, but no ACK is replied after a waiting timeout, the
   existing five reasons do not match this case.Therefore, a new value
   is proposed to extend the FlowEndReason, which is 0x06: protocol
   exception timeout.

4.  Encoding

4.1.  IPFIX

   This document uses IPFIX as the encoding mechanism to monitor
   security events.  However, the information that is logged SHOULD be
   the same irrespective of what kind of encoding scheme is used.  IPFIX
   is chosen, because it is an IETF standard that meets all the needs
   for a reliable logging mechanism and one of its targets are for
   security applications.  IPFIX provides the flexibility to the logging
   device to define the data sets that it is logging.  The IEs specified
   for logging MUST be the same irrespective of the encoding mechanism
   used.







Fu, et al.              Expires October 30, 2015               [Page 10]

Internet-Draft       IPFIX IEs for network security           April 2015


5.  IANA Considerations

   The following information elements are requested from IANA IPFIX
   registry.

   Name : pktUpstreamCount

   Description: The number of the upstream packets for this Flow at the
   Observation Point since the Metering Process (re-)initialization for
   this Observation Point.

   Abstract Data Type: unsigned64

   Data Type Semantics: TBD

   Name: pktDownstreamCount

   Description: The number of the downstream packets for this Flow at
   the Observation Point since the Metering Process (re-)initialization
   for this Observation Point.

   Abstract Data Type: unsigned64

   Data Type Semantics: TBD

   Name: octetUpstreamCount

   Description: The total number of octets in upstream packets for this
   Flow at the Observation Point since the Metering Process
   (re-)initialization for this Observation Point.  The number of octets
   includes IP header(s) and IP payload.

   Abstract Data Type: unsigned64

   Data Type Semantics: TBD

   Name : octetDownstreamCount

   Description: The total number of octets in downstream packets for
   this Flow at the Observation Point since the Metering Process
   (re-)initialization for this Observation Point.  The number of octets
   includes IP header(s) and IP payload.

   Abstract Data Type: unsigned64

   Data Type Semantics: TBD

   Name: applicationErrorCodeCount



Fu, et al.              Expires October 30, 2015               [Page 11]

Internet-Draft       IPFIX IEs for network security           April 2015


   Description: This Information Element identifies the number of
   packets with application layer error code detected.

   Abstract Data Type: unsigned32

   Data Type Semantics: TBD

   Name: fragmentIncompleteCount

   Description: This Information Element is the counter of incomplete
   fragments.

   Abstract Data Type: unsigned32

   Data Type Semantics: TBD

   Name: fragmentFirstTooShortCount

   Description: This Information Element indicates the number of packets
   with first fragment too shortt.

   Abstract Data Type: unsigned32

   Data Type Semantics: TBD

   Name: fragmentOffsetErrorCount

   Description: This Information Element specifies number of fragments
   with offset error.

   Abstract Data Type: unsigned32

   Data Type Semantics: TBD

   Name: fragmentFlagErrorCount

   Description: This Information Element specifies number of fragments
   with offset error.When the DF bit and MF bit of the fragment flag are
   set in the same fragment, there is an error at the fragment flag.

   Abstract Data Type: unsigned32

   Data Type Semantics: TBD

   A new values is added to FlowEndReason:

   0x06: protocol exception timeout




Fu, et al.              Expires October 30, 2015               [Page 12]

Internet-Draft       IPFIX IEs for network security           April 2015


   The flow was terminated due to protocol state machine anomaly and
   unexpected timeout.

6.  Security Considerations

   No additional security considerations are introduced in this
   document.  The same security considerations as for the IPFIX protocol
   [RFC7011] apply.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
              Neighbor Discovery (SEND)", RFC 3971, March 2005.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
              Meyer, "Information Model for IP Flow Information Export",
              RFC 5102, January 2008.

   [RFC5472]  Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP
              Flow Information Export (IPFIX) Applicability", RFC 5472,
              March 2009.

   [RFC5477]  Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
              Carle, "Information Model for Packet Sampling Exports",
              RFC 5477, March 2009.

   [RFC7011]  Claise, B., Trammell, B., and P. Aitken, "Specification of
              the IP Flow Information Export (IPFIX) Protocol for the
              Exchange of Flow Information", STD 77, RFC 7011, September
              2013.

7.2.  Informative References

   [IPFIX-IANA]
              IANA, "IPFIX Information Elements registry",
              <http://www.iana.org/assignments/ipfix>.

Authors' Addresses








Fu, et al.              Expires October 30, 2015               [Page 13]

Internet-Draft       IPFIX IEs for network security           April 2015


   Tianfu Fu
   Huawei
   Q11, Huanbao Yuan, 156 Beiqing Road, Haidian District
   Beijing  100095
   China

   Email: futianfu@huawei.com


   Dacheng Zhang

   Email: dacheng.zhang@gmail.com


   Danping He
   Huawei
   Q14, Huanbao Yuan, 156 Beiqing Road, Haidian District
   Beijing  100095
   China

   Email: ana.hedanping@huawei.com


   Liang Xia (Frank)
   Huawei
   No.101, Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: frank.xialiang@huawei.com





















Fu, et al.              Expires October 30, 2015               [Page 14]