IPFIX Working Group B. Trammell Internet-Draft CERT/NetSA Intended status: Informational E. Boschi Expires: July 21, 2007 Hitachi Europe January 17, 2007 Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on July 21, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document describes an efficient method for exporting bidirectional flow (Biflow) information using the IP Flow Information Export (IPFIX) protocol, representing each Biflow using a single Flow Record. Trammell & Boschi Expires July 21, 2007 [Page 1] Internet-Draft IPFIX Biflow Export January 2007 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Rationale and History . . . . . . . . . . . . . . . . . . . . 4 4. Biflow Semantics . . . . . . . . . . . . . . . . . . . . . . . 5 5. Direction Assignment . . . . . . . . . . . . . . . . . . . . . 7 5.1. Direction by Initiator . . . . . . . . . . . . . . . . . . 7 6. Direction by Perimeter . . . . . . . . . . . . . . . . . . . . 8 7. Arbitrary Direction . . . . . . . . . . . . . . . . . . . . . 9 8. Record Representation . . . . . . . . . . . . . . . . . . . . 9 8.1. Reverse Information Element Private Enterprise Number . . 10 8.2. Enterprise-Specific Reverse Information Elements . . . . . 11 8.3. biflowDirection Information Element . . . . . . . . . . . 12 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 10. Security Considerations . . . . . . . . . . . . . . . . . . . 13 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 12.1. Normative References . . . . . . . . . . . . . . . . . . . 13 12.2. Informative References . . . . . . . . . . . . . . . . . . 14 Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Intellectual Property and Copyright Statements . . . . . . . . . . 19 Trammell & Boschi Expires July 21, 2007 [Page 2] Internet-Draft IPFIX Biflow Export January 2007 1. Introduction Many flow analysis tasks benefit from association of the upstream and downstream flows of a bidirectional communication, e.g., separating answered and unanswered TCP requests, calculating round trip times, etc. Metering processes that are not part of an asymmetric routing infrastructure, especially those deployed within a single Observation Domain through which bidirectional traffic flows, are well positioned to observe bidirectional flows (Biflows). In such topologies, the total resource requirements for Biflow assembly are often lower if the Biflows are assembled at the Metering Process as opposed to the Collecting Process. IPFIX requires only information model extensions to be complete as a solution for exporting Biflow data. To that end, we propose a Biflow export method using a single Flow Record per Biflow in this document. This method requires additional Information Elements to represent the reverse direction of each biflow. This method is motivated by an exploration of other possible methods of Biflow export using IPFIX; however, these methods have important drawbacks, as discussed in the Rationale and History section. 2. Terminology Capitalized terms used in this document that are defined in the Terminology section of the IPFIX Protocol draft [I-D.ietf-ipfix-protocol] are to be interpreted as defined there. The following additional terms are defined in terms of the protocol document terminology. Directional Key Field: A Directional Key Field is a single field in a Flow Key as defined in the IPFIX Protocol draft [I-D.ietf-ipfix-protocol] that is specifically associated with a single endpoint of the flow. sourceIPv4Address and destinationTransportPort are example common directional key fields. Non-directional Key Field: A Non-directional Key Field is a single field within a Flow Key as defined in the IPFIX Protocol draft [I-D.ietf-ipfix-protocol] that is not specifically associated with either endpoint of the flow. protocolIdentifier is an example common non-directional key field. Uniflow (Unidirectional Flow): A Uniflow is a Flow as defined in the IPFIX Protocol draft [I-D.ietf-ipfix-protocol], restricted such that the Flow is composed only of packets sent from a single endpoint to another single endpoint. Trammell & Boschi Expires July 21, 2007 [Page 3] Internet-Draft IPFIX Biflow Export January 2007 Biflow (Bidirectional Flow): A Biflow is a Flow as defined in the IPFIX Protocol draft [I-D.ietf-ipfix-protocol], composed of packets sent in both directions between two endpoints. A Biflow is composed from two Uniflows such that: 1. each Non-directional Key Field of each Uniflow is identical to its counterpart in the other, and 2. each Directional Key Field of each Uniflow is identical to its reverse direction counterpart in the other A Biflow contains two Non-Key Fields for each value it represents associated with a single direction or endpoint: one for the forward direction and one for the reverse direction, as defined below. Biflow Source: The source of a Biflow is the endpoint identified by the source Directional Key Fields in the biflow. Biflow Destination: The destination of a Biflow is the endpoint identified by the destination Directional Key Fields in the biflow. Forward direction (of a Biflow): The direction of a Biflow composed of packets sent by the Biflow Source. Values associated with the forward direction of a Biflow are represented using normal Information Elements. In other words, a Uniflow may be defined as a Biflow having only a forward direction. Reverse direction (of a Biflow): The direction of a Biflow composed of packets sent by the Biflow Destination. Values associated with the reverse direction of a Biflow are represented using reverse Information Elements, as defined below. Reverse Information Element: An Information Element defined as corresponding to a normal Information Element, but associated with the reverse direction of a Biflow. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 3. Rationale and History In selecting the Single Record Biflow export method described in this document as the recommendation for bidirectional flow export using IPFIX, we considered several other possible methods. Trammell & Boschi Expires July 21, 2007 [Page 4] Internet-Draft IPFIX Biflow Export January 2007 The first and most obvious would be simply to export biflows as two uniflows adjacent in the record stream; a Collecting Process could then reassemble them with minimal state requirements. However, this has the drawbacks that it is merely an informal arrangement the Collecting Process cannot rely upon, and that it is not bandwidth- efficient, duplicating the export of flow key data in each uniflow record. We then considered the method outlined in Reducing Redundancy in IPFIX and PSAMP Reports [I-D.ietf-ipfix-reducing-redundancy] for reducing this bandwidth inefficiency. This would also formally link the two uniflows into a single construct, by exporting the flow key as Common Properties then exporting each direction's information as Specific Properties. However, it would do so at the expense of additional overhead to transmit the commonPropertiesId, and additional state management requirements at both the Collecting and Exporting Process. A proposal was made on the IPFIX mailing list to use the Multiple Information Element feature of the protocol to export forward and reverse counters using identical Information Element in the same Flow Record. In this approach, the first instance of a counter would represent the forward direction, and the second instance of the same counter would represent the reverse. This had the disadvantage of conflicting with the presently defined semantics for these counters, and was as such abandoned. 4. Biflow Semantics As stated in the Terminology section above, a Biflow is simply a Flow representing packets flowing in both directions between two endpoints on a network. There are compelling reasons to treat Biflows as single entities (as opposed to merely ad-hoc combinations of Uniflow halves) within IPFIX. First, as most application-layer network protocols are inherently bidirectional, a Biflow-based data model more accurately represents the behavior of the network, and enables easier application of flow data to answering interesting questions about network behavior. Second, exporting Biflow data can result in improved export efficiency by eliminating the duplication of Flow Key data in an IPFIX message stream, and improve collection efficiency by removing the burden of biflow matching from the Collecting Process where possible. Biflows are somewhat more semantically complicated than Uniflows. First, when handling Uniflows, the semantics of "source" and "destination" Information Elements are clearly defined by the semantics of the underlying packet header data: the source Trammell & Boschi Expires July 21, 2007 [Page 5] Internet-Draft IPFIX Biflow Export January 2007 Information Elements represent the source header fields, and the destination Information Elements represent the destination header fields. When representing Biflows with single IPFIX Data Records, the definitions of source and destination must be chosen more carefully. As in the Terminology section above, we define the Source of a Biflow to be that identified by the source Directional Key Field(s), and the Destination of the Biflow to be that identified by the destination Directional Key Field(s). Note that, for IANA-registered Information Elements or those defined by the IPFIX Information Model [I-D.ietf-ipfix-info], Source Key Fields are represented by Information Elements whose names begin with "source", and Destination Key Fields are represented by Information Elements whose names begin with "destination"; it is recommended that vendor-specific information elements follow these conventions, as well. Methods for assignment of Source and Destination by the Metering and Exporting Processes are described in the following section. As the Source and Destination of a Biflow are defined in terms of its Directional Keys, Biflow values are also split info "forward" and "reverse" directions. As in the Terminology section above, the Forward direction of a Biflow is composed of packets sent by the Biflow Source, and the Reverse direction of a Biflow is composed of packets sent by the Destination. In other words, the two directions of a Biflow may be roughly thought of as the two Uniflow halves that were matched to compose the Biflow. A Biflow record, then, contains each Flow Key record once, and both forward and reverse direction information elements for each non-key field. The Reverse direction values are represented by Reverse Information Elements. The representation of these Reverse Information Elements within Templates is detailed in section 5. A Flow Record may be considered to be a Biflow Record by the Collecting Process if it contains at least one Reverse Information Element AND at least one Directional Key Field. Flow Records containing Reverse Information Elements but no Directional Key Fields are illegal, and MUST be dropped by the Collecting Process. The Collecting Process SHOULD log the receipt of illegal Biflow Flow Records. Note that since the IPFIX information model makes no distinction between zeroes and null values, if a given flow has no reverse direction, it may only be unambiguously represented as a Biflow Flow Record if all its Reverse Information Elements are counters. Exporting Processes SHOULD switch to a Template containing no Reverse Information Elements when exporting flows without a reverse direction. Trammell & Boschi Expires July 21, 2007 [Page 6] Internet-Draft IPFIX Biflow Export January 2007 By the definition of Observation Domain in section 2 of the IPFIX Protocol draft [I-D.ietf-ipfix-protocol], Biflows may be composed only of packets observed within the same Observation Domain. This implies that Metering Processes that build Biflows out of Uniflow halves must ensure that the two Uniflow halves were observed within the same Observation Domain. 5. Direction Assignment Due to the variety of flow measurement applications and restrictions on Metering Process deployment, one single method of assigning the directions of a Biflow will not apply in all cases. The following sections describe three methods of direction assignment, and recommend them based upon Metering Process position and measurement application requirements. As the method selection is dependent on Metering Process position, it is sufficient to configure the direction assignment method at Collecting and Exporting Processes out-of-band. However, for Exporting Processes that use multiple direction selection methods, or for Collecting Processes accepting data from Exporting Processes using a variety of methods, a biflowDirection Information Element is provided for optional representation of direction assignment information. Regardless of the direction assignment method selected, the Exporting Process MAY export additional information about each Biflow (e.g., TCP flags information, high-precision timestamps) in order to assist the Collecting Process in determining the flow initiator or revising the Metering Process' direction selection. 5.1. Direction by Initiator If the measurement application requires the determination of the initator and responder of a given communication, the Metering Process SHOULD define the Biflow Source to be the initiator of the Biflow, where possible. This can be roughly approximated by a Metering Process observing packets in both directions simply assuming the first packet seen in a given Biflow is the packet initiating the flow. A Metering Process may improve upon this method by using knowledge of the transport or application protocols (e.g., TCP flags, DNS question/answer counts) to better approximate the flow-initiating packet. Note that direction assignment by initiator is most easily done by a single Metering Process positioned on a local link layer, or a single Metering Process observing bidirectional packet flows at a symmetric Trammell & Boschi Expires July 21, 2007 [Page 7] Internet-Draft IPFIX Biflow Export January 2007 perimeter routing point. Note also that if Biflows are exported after being matched among multiple Metering Processes, the clocks of the Metering Processes MUST be synchronized such that the first packet seen can be determined. +-------+ +-------+ | N0 | | N1 | +---+---+ +---+---+ | | +---------+ <===+=====+=====+======>+ access +<===> Internet | | router | +---+---+ +---------+ | MP | +---+---+ Local Link Metering Process Position +-------+ +-------+ | N0 | | N1 | +---+---+ +---+---+ | | +---------+ <===+===========+======>+ access +<===> Internet | router | | +----+--+ +----+ MP | +-------+ Symmetric Routing Point Metering Process Position 6. Direction by Perimeter If the measurement application is deployed at a network perimeter, such that there is a stable set of addresses that can be defined as "inside" that perimeter, and there is no measurement application requirement to determine the initiator and responder of a given communication, then the Metering Process SHOULD assign the Biflow Source to be the endpoint outside the perimeter. No facility is provided for exporting the address set which defines the interior of a perimeter; this set may be deduced by the Collecting Process observing the set of Biflow destination addresses. Trammell & Boschi Expires July 21, 2007 [Page 8] Internet-Draft IPFIX Biflow Export January 2007 +---------+ Local Net ====>+ access +====> Internet | router | +----+----+ | +---+---+ | MP | +---+---+ | +----+----+ | access | Local Net <====+ router +<==== Internet +---------+ Perimeter Metering Process Position 7. Arbitrary Direction If the measurement application is deployed in a network core, such that there is no stable set of addresses defining a perimeter (e.g., due to BGP updates) and no requirement or ability to determine the initiator or responder of a given communication, then the Metering Process MAY assign the Biflow Source and Biflow Destination endpoints arbitrarily. In this case, the Metering Process SHOULD be consistent in its choice of direction. Arbitrary direction assignment MAY use Flow Key fields, for example the interface number, in order to maintain this consistency. | V +----+----+ +---------+ <===+ core | | core +===> | router +<========>+ router | ===>+ +---+---+ | +<=== +-----+ MP | +----+----+ +-------+ | V Transit/Core Metering Process Position 8. Record Representation As noted above, Biflows are exported using a single Flow Record, each of which contains the Flow Key fields once, and both forward and Trammell & Boschi Expires July 21, 2007 [Page 9] Internet-Draft IPFIX Biflow Export January 2007 reverse direction information elements for each non-key field. The IPFIX Information Model is extended to provide a "reverse" Information Element counterpart to each presently defined "forward" Information Element, as required by any Information Element that may be a non-key field in a Biflow. 8.1. Reverse Information Element Private Enterprise Number Reverse Information Elements are specified as a separate "dimension" in the Information Element space, by having IANA assign a single Private Enterprise Number (PEN) to this draft, and to define that PEN to signify "IPFIX Reverse Information Element" (the Reverse PEN). This reverse PEN would serve as a "reverse direction flag" in the template; each Information Element number within this PEN space would be assigned to the reverse counterpart of the corresponding IANA- assigned public Information Element number. In other words, to generate a reverse information element in a template corresponding to a given forward information element, simply set the enterprise bit and define the Information Element within the Reverse PEN space, as in the figure below. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowStartSeconds 150 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ forward | | reverse V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| (rev) flowStartSeconds 150 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | reverse PEN TBA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 5: Example Mapping between Forward and Reverse IEs using Reverse PEN As the Reverse Information Element dimension is treated explicitly as such, new Information Elements can be added freely to the IANA- managed space without concern for whether a reverse element should also be added. Aside from the initial allocation of an enterprise number for this purpose, there is no additional maintenance overhead for supporting reverse information elements in the information model. Note that certain Information Elements in the IPFIX Information Model [I-D.ietf-ipfix-info] are not reversible; that is, they are semantically meaningless as reverse Information Elements. A Trammell & Boschi Expires July 21, 2007 [Page 10] Internet-Draft IPFIX Biflow Export January 2007 Collecting Process MUST note the Information Element identifier of any Information Element so used as a Reverse Information Element, and MAY discard that Information Element from the Flow Record, as with unassigned Information Elements as in section 9 of the IPFIX Protocol draft [I-D.ietf-ipfix-protocol]. Non-reversible Information Elements represent properties of the Biflow record as a whole, or are intended for internal the use of the IPFIX Protocol itself. They therefore cannot by definition be associated with a single direction or endpoint of the flow. The following specific Information Elements are not reversible: 1. Identifiers defined in section 5.1 of the Information Model which cannot be associated with a single direction of Uniflow collection: flowId (5.1.7), templateId (5.1.8), observationDomainId (5.1.9), and commonPropertiesId (5.1.11). 2. Process configuration elements defined in section 5.2 of the Information Model. 3. Process statistics elements defined in section 5.3 of the Information Model. 4. paddingOctets (5.12.1). 5. biflowDirection (defined in section 6.3 of this document). Any future addition to the Information Element Registry by IANA which meets the criteria defined above SHOULD also be considered to be non- reversible by the Collecting Process. Note that Information Elements commonly used as Flow Keys (e.g. header fields defined in sections 5.4 and 5.5 of the Information Model) are not necessarily non-reversible, as they may be used as value fields in certain contexts, as when associating ICMP error messages with the flows that caused them. 8.2. Enterprise-Specific Reverse Information Elements Note that the Reverse PEN defined above is only available for allocating reverse counterparts of IANA-registered IPFIX Information Elements. No facility is provided for allocating reverse counterparts of enterprise-specific Information Elements. The allocation of enterprise-specific Information Elements for IPFIX is left to the discretion of the enterprise allocating them. Note that, as enterprise-specific Information Elements are designed for the internal use of private enterprises, the lack of any guidance or Trammell & Boschi Expires July 21, 2007 [Page 11] Internet-Draft IPFIX Biflow Export January 2007 standard on Information Element allocation policies poses no interoperability issues. However, if a private enterprise's own Information Element registry anticipates the allocation of reversible Information Elements, and the use of this specification for the export of Biflow data, that registry MAY reserve one of the fifteen available bits in the Information Element ID to signify the reverse direction. For example, if the most sigificant bit were selected, this would reserve Information Element IDs 0x4000 to 0x7FFF for the reverse direction of Information Element IDs 0x0000 to 0x3FFF. 8.3. biflowDirection Information Element Description: A description of the biflow direction assignment method used to assign source and destination to this flow. This Information Element MAY be present in a Flow Data Record, or applied to all flows exporter from an an Exporting Process or Observation Domain using IPFIX Options. If this Information Element is not present in a Flow Record or associated with a flow via scope, it is assumed that the configuration of the biflow direction assignment method is done out-of-band. This field may take the following values: +-------+------------------+----------------------------------------+ | Value | Name | Description | +-------+------------------+----------------------------------------+ | 0x00 | arbitrary | Direction was assigned arbitrarily. | | 0x01 | initiator | The Biflow Source is the flow | | | | initiator, as determined by the | | | | Metering Process' best effort to | | | | detect the initiator. | | 0x02 | reverseInitiator | The Biflow Destination is the flow | | | | initiator, as determined by the | | | | Metering Process' best effort to | | | | detect the initiator. This value is | | | | provided for the convenience of | | | | Exporting Processes to revise an | | | | initiator estimate without re-encoding | | | | the Biflow Record. | | 0x03 | perimeter | The Biflow Source is the endpoint | | | | outside of a defined perimeter. The | | | | perimeter's definition is implicit in | | | | the set of Biflow Source and Biflow | | | | Destination addresses exported in the | | | | Biflow Records. | +-------+------------------+----------------------------------------+ Trammell & Boschi Expires July 21, 2007 [Page 12] Internet-Draft IPFIX Biflow Export January 2007 Abstract Data Type: octet ElementId: TBD Status: Proposed 9. IANA Considerations This document specifies the creation of a new dimension in the information element space defined by the IPFIX Information Model [I-D.ietf-ipfix-info]. This new dimension is defined by the allocation of a new Private Enterprise Number (PEN). The Internet Assigned Numbers Authority (IANA) is requested to allocate this PEN and to assign it to this draft, with the draft authors as the point of contact. Additionally, IANA is requested to register the biflowDirection Information Element defined within this draft, and to allocate an IPFIX Information Element number for it. 10. Security Considerations The same security considerations as for the IPFIX Protocol [I-D.ietf-ipfix-protocol] apply. 11. Acknowledgments We would like to thank Lutz Mark, Juergen Quittek, Andrew Johnson, Paul Aitken, Benoit Claise, and Carsten Schmoll for their contributions and comments. Special thanks to Michelle Cotton for her assistance in navigating the IANA process for enterprise number assignment. 12. References 12.1. Normative References [I-D.ietf-ipfix-protocol] Claise, B., "Specification of the IPFIX Protocol for the Exchange", draft-ietf-ipfix-protocol-24 (work in progress), November 2006. [I-D.ietf-ipfix-info] Quittek, J., "Information Model for IP Flow Information Trammell & Boschi Expires July 21, 2007 [Page 13] Internet-Draft IPFIX Biflow Export January 2007 Export", draft-ietf-ipfix-info-14 (work in progress), October 2006. 12.2. Informative References [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004. [I-D.ietf-ipfix-as] Zseby, T., "IPFIX Applicability", draft-ietf-ipfix-as-10 (work in progress), August 2006. [I-D.ietf-ipfix-reducing-redundancy] Boschi, E., "Reducing redundancy in IPFIX and PSAMP reports", draft-ietf-ipfix-reducing-redundancy-01 (work in progress), October 2006. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. Appendix A. Example The following example describes a biflow record as specified in section 6, above. The "IPFIX Reverse Information Element" PEN is assigned for the purpose of differentiating forward from reverse information elements. This private enterprise number is denoted as TBA, as it has not yet been assigned by IANA (Cf. section 7). The information exported in this case is: o The start time of the flow: flowStartSeconds in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets o The reverse start time of the flow: flowStartSeconds in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets, and the enterprise bit set to 1. The following PEN is the Reverse PEN (not yet assigned, indicated with TBA in the draft) o The IPv4 source IP address: sourceIPv4Address in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets Trammell & Boschi Expires July 21, 2007 [Page 14] Internet-Draft IPFIX Biflow Export January 2007 o The IPv4 destination IP address:destinationIPv4Address in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets o The source port: sourceTransportPort in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 2 octets o The destination port: destinationTransportPort in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 2 octets o The protocol identifier: protocolIdentifier in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 1 octet o The number of octets of the Flow: octetTotalCount in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets o The reverse number of octets of the Flow: octetTotalCount in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets, and the enterprise bit set to 1. The following PEN is the Reverse PEN (not yet assigned, indicated with TBA in the draft) o The number of packets of the Flow: octetTotalCount in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets o The reverse number of packets of the Flow: octetTotalCount in the IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4 octets, and the enterprise bit set to 1. The following PEN is the Reverse PEN (not yet assigned, indicated with TBA in the draft) and the resulting template would look like the diagram below: Trammell & Boschi Expires July 21, 2007 [Page 15] Internet-Draft IPFIX Biflow Export January 2007 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 64 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID >= 256 | Field Count = 11 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| flowStartSeconds 150 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| flowStartSeconds 150 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | reverse PEN TBA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceTransportPort 7 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationTransportPort 11 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| octetTotalCount 85 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| octetTotalCount 85 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | reverse PEN TBA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| packetTotalCount 86 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| packetTotalCount 86 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | reverse PEN TBA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 6: Single Record Biflow Template Set The following example data record represents a typical HTTP transaction. Its format is defined by the example template, above. Trammell & Boschi Expires July 21, 2007 [Page 16] Internet-Draft IPFIX Biflow Export January 2007 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID >= 256 | Length = 41 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2006-02-01 17:00:00 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2006-02-01 17:00:01 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 192.0.2.2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 192.0.2.3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 32770 | 80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 6 | 18000 . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . | 128000 . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . | 65 . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . | 110 . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . | +-+-+-+-+-+-+-+-+ Figure 7: Single Record Biflow Data Set Authors' Addresses Brian H. Trammell CERT Network Situational Awareness Software Engineering Institute 4500 Fifth Avenue Pittsburgh, PA 15213 US Phone: +1 412 268 9748 Email: bht@cert.org Trammell & Boschi Expires July 21, 2007 [Page 17] Internet-Draft IPFIX Biflow Export January 2007 Elisa Boschi Hitachi Europe SAS Immeuble Le Theleme 1503 Route les Dolines 06560 Valbonne France Phone: +33 4 89874100 Email: elisa.boschi@hitachi-eu.com Trammell & Boschi Expires July 21, 2007 [Page 18] Internet-Draft IPFIX Biflow Export January 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Trammell & Boschi Expires July 21, 2007 [Page 19]