Internet DRAFT - draft-arokiarajseda-ipfix-data-export-yang-model

Network Working Group                                       A. Arokiaraj
Internet-Draft                                                     Nokia
Intended status: Standards Track                                 M. Seda
Expires: 2 March 2023                                              Calix
                                                          29 August 2022


   YANG model for Data Export over IP Flow Information Export (IPFIX)
                                Protocol
          draft-arokiarajseda-ipfix-data-export-yang-model-02

Abstract

   This document defines a YANG model for data export via the IP Flow
   Information Export (IPFIX) protocol.  The YANG model in this document
   conforms to the Network Management Datastore Architecture (NMDA)
   defined in RFC 8342.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 March 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.



Arokiaraj & Seda          Expires 2 March 2023                  [Page 1]

Internet-Draft        IPFIX Data Export Data Models          August 2022


Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Objectives
   3.  Structure of the Configuration Data Model
     3.1.  Data Exporter Decomposition
   4.  Configuration and State Parameters
     4.1.  Exporting Process List
       4.1.1.  Exporter Subtree
       4.1.2.  Options List
     4.2.  Security Subtree
     4.3.  Transport Session Subtree
     4.4.  Template State List
     4.5.  Template List
   5.  YANG Modules
     5.1.  ietf-ipfix-data-export
       5.1.1.  ietf-ipfix-data-export YANG module
       5.1.2.  ietf-ipfix-data-export Module Structure
       5.1.3.  ietf-ipfix-data-export Model Example
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  Normative References
   10. Informative References
   Authors' Addresses

1.  Introduction

   A device may be exporting statistics and other data for the
   consumption of a collector.  An operator may wish to take the data
   and analyze it for trend analysis purposes or other usages (e.g.,
   collect octet counts every 5 minutes for service level agreement
   purposes or collect reported device temperature for network health
   purposes).  This data can be streamed using the IPFIX protocol to an
   IPFIX collector that supports analytics tools.  The IPFIX protocol
   may be used to transport data such as:

   *  Statistics from interfaces and sessions: YANG models define
      statistics that can be retrieved via protocols such as NETCONF
      [RFC6241] or RESTCONF [RFC8040].

   *  State data that can be used to correlate the statistics.

   This document defines a YANG data model [RFC7950] for the management
   of the IPFIX exporting processes and templates.  The data model
   includes configuration data and state data (status information and
   counters for the collection of statistics).

   This data model is inspired by the Configuration Data Model for the
   IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP)
   Protocols defined in [RFC6728].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The following terms that are defined in RFC7011 are not redefined
   here:

   *  Observation Domain
   *  Exporting Process
   *  Exporter
   *  IPFIX Device
   *  Collecting Process
   *  Collector
   *  Template
   *  IPFIX Message
   *  Template Record
   *  Data Record
   *  Options Template Record
   *  Set
   *  Template Set
   *  Options Template Set
   *  Data Set
   *  Information Element
   *  Transport Session

1.2.  Tree Diagrams

   Tree diagrams used in this document follow the notation defined in
   [RFC8340].

2.  Objectives

   This section describes some of the design objectives for the model
   presented in this RFC.

   *  The model should focus purely on the requirements for a data
      export mechanism and not involve packet sampling, selection or
      collection process.

   *  References to physical and logical interfaces should be as simple
      as possible (e.g., through a leafref).

   *  The model should support TLS over TCP - a reliable and secure
      transport mechanism.

   *  The data model should provide sufficient state and statistics
      information for a network operator to monitor the individual
      transport sessions.

   *  The data model should provide reference in the template and
      Information Element (IE) id state information to correlate it to
      the configuration.

3.  Structure of the Configuration Data Model

3.1.  Data Exporter Decomposition

   Figure 1 shows the main components of the model that are involved in
   data export.  The data model uses a list of templates, each
   identified by a unique name.  Each template in turn refers to one or
   more exporting processes that will use the template for
   data export.  In a device that has a resource instance capable of
   reporting data through IPFIX, a data template is created and applied
   to that resource instance.

   The data model also uses a list of exporting processes that contains
   various TCP exporter related parameters and the export destinations.
   Each exporting-process is identified by a unique name.  An exporting-
   process also maintains the state and statistics data for each of its
   transport sessions.

    +---------------------------------+
    | module:ietf-ipfix-data-export   |
    |---------------------------------|
    +---------------------------------+
                     ^
                     |
                   1 |
          +----------+----------+              +---------------+
          | list:template       |              | list:resource |
          |---------------------|------------->+---------------|
          +----------+----------+         0..* +---------------+
                     |
                0..* | exporting-process-ref
                     v
        +-------------------------+
        | list:exporting-process  |
        |-------------------------|
        +-------------------------+

                       Figure 1: Data Exporter Model

4.  Configuration and State Parameters

   This section specifies the configuration and state parameters of the
   configuration data model separately for each list.

4.1.  Exporting Process List

   The exporting process list (Figure 2) specifies destinations to
   which the state and statistics data are to be exported.  The
   destination list includes the exporter.  The order in which
   destination instances appear has a specific meaning only if the
   export-mode parameter is set to "fallback".

   The exporting process list also contains the identifier of the
   exporting process (exporting-process-id).  This parameter corresponds
   to the information element exportingProcessId [IANA-IPFIX].  Its
   occurrence helps to associate exporting process reliability
   statistics exported according to the IPFIX protocol specification
   [RFC7011] with the corresponding object of the Exporting Process
   list.

        +--rw exporting-process* [name] {exporter}?
           +--rw name                    string
           +--rw enabled?                boolean
           +--rw export-mode?            identityref
           +--rw destination* [name]
           |  +--rw name                   string
           |  +--rw exporter
           |         ...
           +--rw options* [name]
           |  +--rw name               string
           |  +--rw options-type       identityref
           |  +--rw options-timeout?   uint32
           +--ro exporting-process-id?   uint32

                      Figure 2: Exporting Process List

   The exporting process parameters are defined as follows:

   enabled  Enables the exporting-process to begin exporting data.

   export-mode  Determines to which configured destination(s) the
      incoming data records are exported.  The following parameter
      values are specified by the configuration data model:

      *  parallel: every data record is exported to all configured
         destinations in parallel
      *  load-balancing: every data record is exported to exactly one
         configured destination according to a device-specific load-
         balancing policy
      *  fallback: every data record is exported to exactly one
         configured destination according to the fallback policy
         described below

   If export-mode is set to "fallback", the first destination instance
   defines the primary destination, the second destination instance
   defines the secondary destination, and so on.  If the exporting
   process fails to export data records to the primary destination, it
   tries to export them to the secondary one.  If the secondary
   destination fails as well, it continues with the tertiary, etc.

   The reporting of information with options templates is defined with
   objects of the options list.

4.1.1.  Exporter Subtree

   The exporter subtree shown in Figure 3 contains the configuration
   parameters of a TCP export destination.

   Transport Layer Security (TLS) SHOULD be used unless the data is not
   sensitive and the data is being transported over a closed network.
   Using the "ietf-tls-client" Module described in
   [I-D.ietf-netconf-tls-client-server], Transport Layer Security (TLS)
   is enabled and configured for this export destination.

   The transport session subtree is specified in Figure 6.

           +--rw exporter
              +--rw ipfix-version?        uint16
              +--rw source
              |  +--rw (source-method)?
              |     +--:(interface)
              |     |  +--rw interface?        if:interface-ref
              |     +--:(source-address)
              |        +--rw source-address?   inet:host
              +--rw destination
              |  +--rw (destination-method)
              |     +--:(destination-address)
              |        +--rw destination-address?   inet:host
              +--rw destination-port?     inet:port-number
              +--rw send-buffer-size?     uint32
              +--rw rate-limit?           uint32
              +--rw connection-timeout?   uint32
              +--rw retry-schedule?       uint32
              +--rw security
              |     ...
              +--ro transport-session
                    ...

                         Figure 3: Exporter Subtree

4.1.2.  Options List

   The Options list in Figure 4 defines the type of specific information
   to be reported, such as statistics and filtering parameters, etc.
   [RFC7011] and [RFC5476] specify several types of reporting
   information that may be exported.

        +--rw options* [name]
           +--rw name               string
           +--rw options-type       identityref
           +--rw options-timeout?   uint32

                           Figure 4: Options List

   The following parameter values are specified by the configuration
   data model:

   exporting-reliability  Export of exporting process reliability
      statistics using the exporting process reliability statistics
      options template [RFC7011].

   accuracy  Export of accuracy report interpretation [RFC5476].

   reducing-redundancy  Enables the utilization of options templates to
      reduce redundancy in the exported data records according to
      [RFC5473].  The exporting process decides when to apply these
      options templates.

   extended-type-information  Export of extended type information for
      enterprise-specific information elements used in the exported
      templates [RFC5610].

   The exporting process MUST choose a template definition according to
   the options type and available options data.  The options-timeout
   parameter specifies the reporting interval (in milliseconds) for
   periodic export of the option data.  A parameter value of zero means
   that the export of the option data is not triggered periodically, but
   whenever the available option data has changed.  This is the typical
   setting for options types accuracy and reducing-redundancy.  If
   options-timeout is not configured by the user, it is set by the
   monitoring device.

4.2.  Security Subtree

   [RFC7011] mandates strong mutual authentication of exporting
   processes as follows.  Figure 5 shows the Security subtree which is
   used in the exporting process's list to enable and configure TLS for
   IPFIX.

   If TLS is enabled, the endpoint must use TLS [RFC8446] since the
   transport protocol is TCP.  To prevent on-path attacks from impostor
   collecting processes or the export of data to an unauthorized
   collecting process, strong mutual authentication via asymmetric keys
   must be used for TLS.

   This model uses the TLS client part of the TLS client server YANG
   model being defined by [I-D.ietf-netconf-tls-client-server].

   =============== NOTE: '\' line wrapping per RFC 8792 ================

                 +--rw security
                 |  +--rw client-identity!
                 |  |  +--rw (auth-type)
                 |  |     +--:(certificate) {client-ident-x509-cert}?
                 |  |     |  +--rw certificate
                 |  |     |     +--rw (local-or-keystore)
                 |  |     |        +--:(local)
                 |  |     |        |        {local-definitions-supporte\
   d,asymmetric-keys}?
                 |  |     |        |  +--rw local-definition
                 |  |     |        +--:(keystore)
                 |  |     |                 {central-keystore-supported\
   ,asymmetric-keys}?
                 |  |     |           +--rw keystore-reference
                 |  |     |              +--rw asymmetric-key?
                 |  |     |              |       ks:asymmetric-key-ref
                 |  |     |              |       {central-keystore-supp\
   orted,asymmetric-keys}?
                 |  |     |              +--rw certificate?      leafref
                 |  |     +--:(raw-public-key)
                 |  |     |        {client-ident-raw-public-key}?
                 |  |     |  +--rw raw-private-key
                 |  |     |     +--rw (local-or-keystore)
                 |  |     |        +--:(local)
                 |  |     |        |        {local-definitions-supporte\
   d,asymmetric-keys}?
                 |  |     |        |  +--rw local-definition
                 |  |     |        +--:(keystore)
                 |  |     |                 {central-keystore-supported\
   ,asymmetric-keys}?
                 |  |     |           +--rw keystore-reference?
                 |  |     |                   ks:asymmetric-key-ref
                 |  |     +--:(tls12-psk) {client-ident-tls12-psk}?
                 |  |     |  +--rw tls12-psk
                 |  |     |     +--rw (local-or-keystore)
                 |  |     |     |  +--:(local)
                 |  |     |     |  |        {local-definitions-supporte\
   d,symmetric-keys}?
                 |  |     |     |  |  +--rw local-definition
                 |  |     |     |  +--:(keystore)
                 |  |     |     |           {central-keystore-supported\
   ,symmetric-keys}?
                 |  |     |     |     +--rw keystore-reference?
                 |  |     |     |             ks:symmetric-key-ref
                 |  |     |     +--rw id?                         string
                 |  |     +--:(tls13-epsk) {client-ident-tls13-epsk}?
                 |  |        +--rw tls13-epsk
                 |  |           +--rw (local-or-keystore)
                 |  |           |  +--:(local)
                 |  |           |  |        {local-definitions-supporte\
   d,symmetric-keys}?
                 |  |           |  |  +--rw local-definition
                 |  |           |  +--:(keystore)
                 |  |           |           {central-keystore-supported\
   ,symmetric-keys}?
                 |  |           |     +--rw keystore-reference?
                 |  |           |             ks:symmetric-key-ref
                 |  |           +--rw external-identity           string
                 |  |           +--rw hash
                 |  |           |       tlscmn:epsk-supported-hash
                 |  |           +--rw context?                    string
                 |  |           +--rw target-protocol?            uint16
                 |  |           +--rw target-kdf?                 uint16
                 |  +--rw server-authentication
                 |  |  +--rw ca-certs! {server-auth-x509-cert}?
                 |  |  +--rw ee-certs! {server-auth-x509-cert}?
                 |  |  +--rw raw-public-keys! {server-auth-raw-public-k\
   ey}?
                 |  |  +--rw tls12-psks?        empty
                 |  |  |       {server-auth-tls12-psk}?
                 |  |  +--rw tls13-epsks?       empty
                 |  |          {server-auth-tls13-epsk}?
                 |  +--rw hello-params {tlscmn:hello-params}?
                 |  +--rw keepalives {tls-client-keepalives}?
                 |     +--rw peer-allowed-to-send?   empty
                 |     +--rw test-peer-aliveness!
                 |        +--rw max-wait?       uint16
                 |        +--rw max-attempts?   uint8

                         Figure 5: Security Subtree
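
   The following check is an added example and is not part of this
   draft or of any implementation of it.  It audits an XML instance of
   the exporting-process list against the text above: each destination
   should have TLS configured, with an asymmetric-key client identity
   and asymmetric-key server authentication.  The sample instance, the
   finding names and the rule that an empty security container means
   "TLS not configured" are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Child node names taken from the Security Subtree (Figure 5).
ASYMMETRIC_CLIENT = {"certificate", "raw-private-key"}
PSK_CLIENT = {"tls12-psk", "tls13-epsk"}
ASYMMETRIC_SERVER = {"ca-certs", "ee-certs", "raw-public-keys"}

# Constructed sample, trimmed to the nodes the check reads; it is not a
# complete, validated instance of the module.
SAMPLE = """\
<ipfix-data-export
    xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
  <exporting-process>
    <name>ep-1</name>
    <destination>
      <name>mutual-cert</name>
      <exporter>
        <security>
          <client-identity>
            <certificate>
              <keystore-reference>
                <asymmetric-key>exporter-key</asymmetric-key>
                <certificate>exporter-cert</certificate>
              </keystore-reference>
            </certificate>
          </client-identity>
          <server-authentication><ca-certs/></server-authentication>
        </security>
      </exporter>
    </destination>
    <destination>
      <name>psk-only</name>
      <exporter>
        <security>
          <client-identity><tls13-epsk/></client-identity>
          <server-authentication><tls13-epsks/></server-authentication>
        </security>
      </exporter>
    </destination>
    <destination>
      <name>plain</name>
      <exporter><destination-port>4739</destination-port></exporter>
    </destination>
  </exporting-process>
</ipfix-data-export>
"""


def local(el):
    """Element name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]


def child(el, name):
    """First direct child called `name`, or None (also when el is None)."""
    if el is None:
        return None
    return next((c for c in el if local(c) == name), None)


def kinds(el):
    """Names of the direct children of el; empty set when el is absent."""
    return {local(c) for c in el} if el is not None else set()


def audit_destination(dest):
    """Return the list of findings for one destination entry."""
    security = child(child(dest, "exporter"), "security")
    client = kinds(child(security, "client-identity"))
    server = kinds(child(security, "server-authentication"))
    # Assumption: nothing under security means TLS is not configured.
    if not client and not server:
        return ["tls-not-configured"]
    findings = []
    if client & PSK_CLIENT:
        findings.append("client-identity-uses-psk")
    elif not client & ASYMMETRIC_CLIENT:
        findings.append("no-asymmetric-client-identity")
    if not server & ASYMMETRIC_SERVER:
        findings.append("server-not-authenticated-by-asymmetric-key")
    return findings


def audit(xml_text):
    """Map 'process/destination' to its findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    report = {}
    for proc in (c for c in root if local(c) == "exporting-process"):
        pname = (child(proc, "name").text or "").strip()
        for dest in (c for c in proc if local(c) == "destination"):
            dname = (child(dest, "name").text or "").strip()
            report[f"{pname}/{dname}"] = audit_destination(dest)
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(key, findings or "ok")
```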

4.3.  Transport Session Subtree

   The Transport Session subtree contains state data about transport
   sessions originating from an exporting process.  The parameters might
   appear to be a duplication of the configuration parameters.  But
   configuration might contain only one or none of the data
   corresponding to the state parameters listed here.

   =============== NOTE: '\' line wrapping per RFC 8792 ================

                 +--ro transport-session
                    +--ro name?                  string
                    +--ro source-address?        inet:host
                    +--ro destination-address?   inet:host
                    +--ro source-port?           inet:port-number
                    +--ro destination-port?      inet:port-number
                    +--ro status?                transport-session-stat\
   us
                    +--ro rate?                  yang:gauge32
                    +--ro bytes?                 yang:counter64
                    +--ro messages?              yang:counter64
                    +--ro discarded-messages?    yang:counter64
                    +--ro data-records?          yang:counter64
                    +--ro templates?             yang:counter32
                    +--ro options-templates?     yang:counter32
                    +--ro start-time?            yang:date-and-time
                    +--ro discontinuity-time?    yang:date-and-time
                    +--ro template* [name]
                           ...

                    Figure 6: Transport Session Subtree

   The following attributes are supported:

   source-address, destination-address  Source-address contains the IP
      address of the exporter, and destination-address contains the IP
      address of the collector.

   source-port, destination-port  These state parameters contain the
      transport-protocol port numbers of the exporter and the collector
      of the transport session.

   status  Status of the transport session, which can be one of the
      following:

      *  inactive: transport session is established, but no IPFIX
         messages are currently transferred (e.g., because this is a
         backup (secondary) session)
      *  active: transport session is established and transfers IPFIX
         messages
      *  unknown: transport session status cannot be determined

   rate  The number of bytes per second transmitted by the exporting
      process.

   bytes, messages, data-records, templates, options-templates  The
      number of bytes, IPFIX messages, data records, template records,
      and options template records transmitted by the exporting process
      in this specific transport-session.  Discontinuities in the values
      of these counters can occur at re-initialization of the management
      system, and at other times as indicated by the value of
      discontinuity-time.

   discarded-messages  This parameter indicates the number of messages
      that could not be sent due to internal buffer overflows, network
      congestion, routing issues, etc.  Discontinuities in the value of
      this counter can occur at re-initialization of the management
      system, and at other times as indicated by the value of
      discontinuity-time.

   start-time  Timestamp of the start of the given transport session.

   discontinuity-time  Timestamp of the most recent occasion at which
      one or more of the transport session counters suffered a
      discontinuity.  The time is absolute.

   Note that the values of the state parameters destination-address and
   destination-port match the values of the configuration parameters
   destination-address and destination-port of the exporter when
   present.

   The Transport Session subtree includes a Template list that contains
   the state and statistics about the templates transmitted on the given
   transport session.  The Template list is specified in Figure 7.

4.4.  Template State List

   Figure 7 shows the Template list which contains state data about
   templates used by an exporting process in a specific transport
   session.  A template may be part of more than one exporting process
   and so the template state node is maintained separately for every
   exporting process.  The field list contains the state data about
   Information Elements (IE) of the template.

   The exporting process may modify the data being exported to enable a
   more efficient transmission or storage under the condition that no
   information is changed or suppressed.  For example, the exporting
   process may shorten the length of a field according to the rules of
   reduced size encoding [RFC7011].  The exporting process may also
   export certain fields in a separate data record as described in
   [RFC5473].  Hence, some data must be maintained separately in the
   state node even though it is part of the configuration node.

                    +--ro template* [name]
                       +--ro name                     string
                       +--ro observation-domain-id?   uint32
                       +--ro id?                      uint16
                       +--ro set-id?                  uint16
                       +--ro access-time?             yang:date-and-time
                       +--ro data-records?            yang:counter64
                       +--ro discontinuity-time?      yang:date-and-time
                       +--ro field* [name]
                          +--ro name                    string
                          +--ro ie-id?                  ie-id-type
                          +--ro ie-length?              uint16
                          +--ro ie-enterprise-number?   uint32
                          +--ro is-scope?               empty

                       Figure 7: Template State List

   observation-domain-id  The identifier of the observation domain for
      which this template is defined.

   id  This number indicates the template identifier in the IPFIX
      Message.

   set-id  This number indicates the set identifier of this template.
      Currently, there are two values defined [RFC7011].  The value 2 is
      used for sets containing template definitions.  The value 3 is
      used for sets containing options template definitions.

   access-time  This parameter contains the time when this (Options)
      Template was last sent to the Collector.

   data-records  The number of transmitted data records exported by this
      (options) template in this particular transport-session since the
      (options) template was defined.

   discontinuity-time  Timestamp of the most recent occasion at which
      the counter data-records suffered a discontinuity.  The time is
      absolute.

   ie-id, ie-length, ie-enterprise-number  Information Element
      identifier, length, and enterprise number of a field in the
      exported template.  If this is not an enterprise-specific
      Information Element, ie-enterprise-number is zero.

   is-scope  If this state parameter is present, this is a scope field.
      This parameter is only available for options templates (i.e., if
      set-id is 3).
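
   As an added example (not part of this draft), the parser below shows
   where the template state parameters come from on the wire: it decodes
   an IPFIX Template Set or Options Template Set, laid out as in
   [RFC7011], into entries keyed like the Template State List.  The
   function name and the sample bytes are constructed for illustration;
   enterprise number 32473 is the number reserved for documentation.

```python
import struct

TEMPLATE_SET, OPTIONS_TEMPLATE_SET = 2, 3


def parse_template_set(buf):
    """Decode one (Options) Template Set into template state entries."""
    if len(buf) < 4:
        raise ValueError("truncated set header")
    set_id, set_len = struct.unpack_from("!HH", buf, 0)
    if set_id not in (TEMPLATE_SET, OPTIONS_TEMPLATE_SET):
        raise ValueError(f"set-id {set_id} does not carry templates")
    if set_len < 4 or set_len > len(buf):
        raise ValueError("set length does not fit the buffer")
    off, end = 4, set_len
    templates = []
    # Fewer than 4 bytes left, or only zero bytes, is padding.
    while end - off >= 4 and any(buf[off:end]):
        template_id, count = struct.unpack_from("!HH", buf, off)
        off += 4
        scope_count = 0
        # Withdrawal records (field count 0) carry no scope field count.
        if set_id == OPTIONS_TEMPLATE_SET and count:
            if end - off < 2:
                raise ValueError("truncated options template header")
            (scope_count,) = struct.unpack_from("!H", buf, off)
            off += 2
            if scope_count == 0 or scope_count > count:
                raise ValueError("invalid scope field count")
        fields = []
        for index in range(count):
            if end - off < 4:
                raise ValueError("truncated field specifier")
            raw_id, length = struct.unpack_from("!HH", buf, off)
            off += 4
            enterprise = 0  # zero: not an enterprise-specific IE
            if raw_id & 0x8000:  # enterprise bit set
                if end - off < 4:
                    raise ValueError("truncated enterprise number")
                (enterprise,) = struct.unpack_from("!I", buf, off)
                off += 4
            field = {
                "ie-id": raw_id & 0x7FFF,
                "ie-length": length,
                "ie-enterprise-number": enterprise,
            }
            if index < scope_count:
                field["is-scope"] = True  # options templates only
            fields.append(field)
        templates.append(
            {"id": template_id, "set-id": set_id, "field": fields}
        )
    return templates


# Constructed sample: template 256 with IE 1 (8 bytes) and an
# enterprise-specific IE 10 (4 bytes) under enterprise number 32473.
SAMPLE_TEMPLATE_SET = struct.pack(
    "!HHHHHHHHI", 2, 20, 256, 2, 1, 8, 0x8000 | 10, 4, 32473
)

# Constructed sample: options template 257, one scope field (IE 144),
# one non-scope field (IE 166), then two bytes of padding.
SAMPLE_OPTIONS_SET = struct.pack(
    "!HHHHHHHHHH", 3, 20, 257, 2, 1, 144, 4, 166, 8, 0
)

if __name__ == "__main__":
    for sample in (SAMPLE_TEMPLATE_SET, SAMPLE_OPTIONS_SET):
        for template in parse_template_set(sample):
            print(template)
```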

4.5.  Template List

   The template list in Figure 8 specifies the data template to be
   applied to a resource or a set of resources.  The template list is mapped
   to a list of exporting processes that would use the template to
   export data and provides state information about the template records
   across all exporting processes.

   =============== NOTE: '\' line wrapping per RFC 8792 ================

        +--rw template* [name]
           +--rw name                       string
           +--rw enabled?                   boolean
           +--rw export-interval?           uint32
           +--rw observation-domain-id?     uint32
           +--rw field-layout
           |  +--rw field* [name]
           |     +--rw name                    string
           |     +--rw (identifier)
           |     |  +--:(ie-name)
           |     |  |  +--rw ie-name?          string
           |     |  +--:(ie-id)
           |     |     +--rw ie-id?            ie-id-type
           |     +--rw ie-length?              uint16
           |     +--rw ie-enterprise-number?   uint32
           +--rw exporting-process*
           |       -> /ipfix-data-export/exporting-process/name {export\
   er}?
           +--rw (resource-identifier)?
           |  +--:(resource-instance)
           |     +--rw resource-instance*   resource
           +--ro data-records?              yang:counter64
           +--ro discontinuity-time?        yang:date-and-time

                        Figure 8: Data Export Class

   The following attributes are supported:

   enabled  Enables the template so that specified data may be exported.

   export-interval  The interval (in seconds) for periodic export of
      data records.

   observation-domain-id  The Observation Domain that is locally unique
      to an Exporting Process.

   field-layout  The IPFIX template to be applied to the resource.  The
      following attributes are configurable:

      *  ie-id: Identifies the Information Element identifier.
      *  ie-enterprise-number: Identifies the enterprise identifier of
         the Information Element.  If 0, the Information Element is an
         IANA-based Information Element.
      *  ie-length: Identifies the length of the Information Element.

   exporting-process  A template may be mapped to one or more exporting-
      process instances.

   resource  A template may be applied to one or more resource instances
      (e.g., different interface instances on a line card).

   The following state information is available:

   data-records  Reports the number of data records generated for this
      data template across all exporting processes.

   discontinuity-time  Timestamp of the most recent occasion at which
      the counter data-records suffered a discontinuity.

5.  YANG Modules

   This document defines the ietf-ipfix-data-export YANG module.

5.1.  ietf-ipfix-data-export

   The ietf-ipfix-data-export YANG module defines an exporting-process
   based on TCP and a template list.

5.1.1.  ietf-ipfix-data-export YANG module

   This YANG Module imports typedefs from [RFC6991] and [RFC8343].

   <CODE BEGINS> file "ietf-ipfix-data-export@2018-11-15.yang"

   module ietf-ipfix-data-export {
     yang-version 1.1;

     namespace
       "urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export";

     prefix ipfixde;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "RFC 6991: Common YANG Data Types";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Model for Interface Management";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "I-D.ietf-netconf-tls-client-server:
          YANG Groupings for TLS Clients and TLS Servers";
     }

     organization
       "IETF";

     contact
       "Web:      TBD
        List:     TBD

        Editor:   Marta Seda
                  <mailto:marta.seda@calix.com>

        Editor:   Anand Arokiaraj
                  <mailto:anand.arokiaraj@nokia.com>";

     // RFC Ed.: replace XXXX with actual RFC numbers and
     // remove this note.

     description
       "This module contains a collection of YANG definitions for the
        management of data export over IPFIX.

        This data model is designed for the Network Management Datastore
        Architecture defined in RFC 8342.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
        NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
        'MAY', and 'OPTIONAL' in this document are to be interpreted as
        described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
        they appear in all capitals, as shown here.

        Copyright (c) 2021 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX
        (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
        for full legal notices.";

     revision 2022-08-12 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: YANG Data Model for the IP Flow Information Export
                    (IPFIX) Data Export";
     }

     feature exporter {
       description
         "If supported, the Exporting Device can be used as
          an Exporter. Exporting Processes can be configured.";
     }

     feature if-mib {
       description
         "This feature indicates that the device implements
          the IF-MIB.";
       reference
         "RFC 2863: The Interfaces Group MIB";
     }

     identity export-mode {
       description
         "Base identity for different usages of export
          destinations configured for an Exporting Process.";
       reference
         "RFC 6728, Section 4.4 (exportMode)";
     }

     identity parallel {
       base export-mode;
       description
         "Parallel export of Data Records to all destinations configured
          for the Exporting Process.";
       reference
         "RFC 6728, Section 4.4 (exportMode)";
     }

     identity load-balancing {
       base export-mode;
       description
         "Load-balancing between the different destinations
          configured for the Exporting Process.";
       reference
         "RFC 6728, Section 4.4 (exportMode)";
     }

     identity fallback {
       base export-mode;
       description
         "Export to the primary destination (i.e., the first
          destination configured for the Exporting Process). If the
          export to the primary destination fails, the Exporting Process
          tries to export to the secondary destination.  If the
          secondary destination fails as well, it continues with the
          tertiary, etc.";
       reference
         "RFC 6728, Section 4.4 (exportMode)";
     }

     identity options-type {
       description
         "Base identity for report types exported with
          options templates.";
     }

     identity exporting-reliability {
       base options-type;
       description
         "Exporting Process Reliability Statistics.";
       reference
         "RFC 7011, Section 4.3";
     }

     identity reducing-redundancy {
       base options-type;
       description
         "Enables the utilization of Options Templates to reduce
          redundancy in the exported Data Records.";
       reference
         "RFC 5473";
     }

     identity extended-type-information {
       base options-type;
       description
         "Export of extended type information for enterprise-specific
          Information Elements used in the exported Templates.";
       reference
         "RFC 5610";
     }

     typedef ie-id-type {
       type uint16 {
         range "1..32767";
       }
       description
         "Type for Information Element identifiers.";
     }

     typedef transport-session-status {
       type enumeration {
         enum "inactive" {
           value 0;
           description
             "This value MUST be used for Transport Sessions that are
              specified in the system but currently not active.

              The value can be used for Transport Sessions that are
              backup (secondary) sessions.";
         }
         enum "active" {
           value 1;
           description
             "This value MUST be used for Transport Sessions that are
              currently active and transmitting or receiving data.";
         }
         enum "unknown" {
           value 2;
           description
             "This value MUST be used if the status of the Transport
              Sessions cannot be detected by the device.

              This value should be avoided as far as possible.";
         }
       }
       description
         "Status of a Transport Session.";
       reference
         "RFC 6728, Section 4.7 (status)";
     }

     typedef resource {
       type instance-identifier {
         require-instance false;
       }
       description
         "A resource from which data will be exported.";
     }

     grouping transport-session-state-parameters {
       description
         "State parameters of a Transport Session originating from an
          Exporting Process.";
       reference
         "RFC 7011; RFC 6615, Section 8 (ipfixTransportSessionEntry,
          ipfixTransportSessionStatsEntry)";

       leaf name {
         type string;
         description
           "The name of the interface.

            An implementation MAY map this leaf to the ifName
            MIB object.  Such an implementation needs to use some
            mechanism to handle the differences in size and characters
            allowed between this leaf and ifName.  The definition of
            such a mechanism is outside the scope of this document.";
         reference
           "RFC 2863: The Interfaces Group MIB - ifName";
       }

       leaf source-address {
         type inet:host;
         description
           "The source address of the Exporter of the IPFIX Transport
            Session.";
         reference
           "RFC 6728, Section 4.7 (sourceAddress);
            RFC 4960, Section 6.4";
       }

       leaf destination-address {
         type inet:host;
         description
           "The destination address of the path that is selected by the
            Exporter to send IPFIX messages to the Collector.

            If an FQDN is configured, it may resolve to multiple
            addresses.";
         reference
           "RFC 6728, Section 4.7 (destinationAddress);
            RFC 4960, Section 6.4";
       }

       leaf source-port {
         type inet:port-number;
         description
           "The transport-protocol port number of the Exporter of the
            IPFIX Transport Session.";
         reference
           "RFC 6728, Section 4.7 (sourcePort).";
       }

       leaf destination-port {
         type inet:port-number;
         description
           "The TCP port number of the Collector of the IPFIX Transport
            Session.";
         reference
           "RFC 6728, Section 4.7 (destinationPort)";
       }

       leaf status {
         type transport-session-status;
         description
           "Status of the Transport Session.";
         reference
           "RFC 6728, Section 4.7 (status)";
       }

       leaf rate {
         type yang:gauge32;
         units "bytes per second";
         description
           "The number of bytes per second transmitted by the
            Exporting Process.";
         reference
           "RFC 6728, Section 4.7 (rate)";
       }

       leaf bytes {
         type yang:counter64;
         units "bytes";
         description
           "The number of bytes transmitted by the Exporting Process.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (bytes)";
       }

       leaf messages {
         type yang:counter64;
         units "IPFIX Messages";
         description
           "The number of messages transmitted by the Exporting
            Process.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (messages)";
       }

       leaf discarded-messages {
         type yang:counter64;
         units "IPFIX Messages";
         description
           "This parameter indicates the number of messages that could
            not be sent due to internal buffer overflows, network
            congestion, routing issues, etc.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (discardedMessages)";
       }

       leaf data-records {
         type yang:counter64;
         units "Data Records";
         description
           "The number of Data Records transmitted by the Exporting
            Process.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (records)";
       }

       leaf templates {
         type yang:counter32;
         units "Templates";
         description
           "The number of Templates transmitted by the Exporting
            Process.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (templates)";
       }

       leaf options-templates {
         type yang:counter32;
         units "Options Templates";
         description
           "The number of Options Templates transmitted by the
            Exporting Process.

            Discontinuities in the value of this counter can occur at
            re-initialization of the management system, and at other
            times as indicated by the value of discontinuity-time.";
         reference
           "RFC 6728, Section 4.7 (optionsTemplates)";
       }

       leaf start-time {
         type yang:date-and-time;
         description
           "Timestamp of the start of the given Transport Session.";
       }

       leaf discontinuity-time {
         type yang:date-and-time;
         description
           "Timestamp of the most recent occasion at which one or more
            of the Transport Session counters suffered a
            discontinuity.";
         reference
           "RFC 6728, Section 4.7 (transportSessionDiscontinuityTime)";
       }
     }

     grouping export-template-state-parameters {
       description
         "State parameters of a (Options) Template used by an Exporting
          Process in a specific Transport Session.";
       reference
         "RFC 7011; RFC 6728, Section 4.8 (Template Class)";

       list template {
         key "name";
         description
           "This list contains the Templates and Options Templates that
            are transmitted by the Exporting Process.

            Withdrawn or invalidated (Options) Templates MUST be removed
            from this list.";

         leaf name {
           type string;
           description
             "An arbitrary string which uniquely identifies the
              template.";
         }

         leaf observation-domain-id {
           type uint32;
           description
             "The ID of the Observation Domain for which this Template
              is defined.";
           reference
             "RFC 6728, Section 4.8 (observationDomainId).";
         }

         leaf id {
           type uint16 {
             range "256..65535";
           }
           description
             "This number indicates the Template ID in the IPFIX
              message.";
           reference
             "RFC 6728, Section 4.8 (templateId).";
         }

         leaf set-id {
           type uint16 {
             range "2..3 | 256..65535";
           }
           description
             "This number indicates the Set ID of the Template.
              A value of 2 is reserved for Template Sets.  A value of 3
              is reserved for Options Template Sets.  Values from 4 to
              255 are reserved for future use.  Values 256 and above
              are used for Data Sets.  The Set ID values of 0 and 1 are
              not used for historical reasons.";
           reference
             "RFC 7011, Section 3.3.2;
              RFC 6728, Section 4.8 (setId)";
         }

         leaf access-time {
           type yang:date-and-time;
           description
             "This parameter contains the time when this (Options)
              Template was last sent to the Collector(s).";
           reference
             "RFC 6728, Section 4.8 (accessTime).";
         }

         leaf data-records {
           type yang:counter64;
           description
             "The number of transmitted Data Records defined by this
              (Options) Template.

              Discontinuities in the value of this counter can occur at
              re-initialization of the management system, and at other
              times as indicated by the value of discontinuity-time.";
           reference
             "RFC 6728, Section 4.8 (templateDataRecords).";
         }

         leaf discontinuity-time {
           type yang:date-and-time;
           description
             "Timestamp of the most recent occasion at which the counter
              data-records suffered a discontinuity.";
           reference
             "RFC 6728, Section 4.8 (templateDiscontinuityTime).";
         }

         list field {
           key "name";
           description
             "This list contains the (Options) Template fields of which
              the (Options) Template is defined.

              The order of the list corresponds to the order
              of the fields in the (Options) Template Record.";

           leaf name {
             type string;
             description
               "An arbitrary string which uniquely identifies the
                template field.";
           }

           leaf ie-id {
             type ie-id-type;
             description
               "This parameter indicates the Information Element
                identifier of the field.";
             reference
               "RFC 7011; RFC 6728, Section 4.8 (ieId).";
           }

           leaf ie-length {
             type uint16;
             units "octets";
             description
               "This parameter indicates the length of the Information
                Element of the field.";
             reference
               "RFC 7011; RFC 6728, Section 4.8 (ieLength).";
           }

           leaf ie-enterprise-number {
             type uint32;
             description
               "This parameter indicates the IANA enterprise number of
                the authority defining the Information Element
                identifier.

                If the Information Element is not enterprise-specific,
                this state parameter is zero.";
             reference
               "RFC 6728, Section 4.8 (ieEnterpriseNumber);
                IANA registry for Private Enterprise Numbers,
                http://www.iana.org/assignments/enterprise-numbers.";
           }

           leaf is-scope {
             when "../../set-id = 3" {
               description
                 "This parameter is available for Options Templates
                  (Set ID is 3).";
             }
             type empty;
             description
               "If present, this is a scope field.";
             reference
               "RFC 6728, Section 4.8 (isScope).";
           }
         }
       }
     }

     grouping exporter-parameters {
       description
         "Parameters of an exporter.";

       leaf ipfix-version {
         type uint16;
         default '10';
         description
           "IPFIX version number.";
         reference
           "RFC 7011.";
       }

       container source {
         description
           "Configuration corresponding to how exporter's source IP
            address is specified.";

         choice source-method {
           description
             "Method to configure the source address of the exporter
              or the interface to be used by the exporter.

              Note that it is expected that other methods be available.
              Those methods can augment this choice.";

           case interface {
             leaf interface {
               type if:interface-ref;
               description
                 "The interface to be used by the Exporting Process.";
             }
           }

           case source-address {
             leaf source-address {
               type inet:host;
               description
                 "The source IP address or hostname used by the
                  Exporting Process.";
             }
           }
         }
       }

       container destination {
         description
           "Configuration corresponding to how exporter's destination IP
            address is specified.";

         choice destination-method {
           mandatory true;
           description
             "Method to configure the destination address of the
              Collecting Process to which IPFIX Messages are sent.

              Note that other methods, if available, are expected to
              augment this choice.";

           case destination-address {
             leaf destination-address {
               type inet:host;
               description
                 "The destination IP address or hostname of the
                  Collecting Process to which IPFIX Messages are sent.
                  A hostname may resolve to one or more IP
                  addresses.";
             }
           }
         }
       }

       leaf destination-port {
         type inet:port-number;
         description
           "If not configured by the user, the Exporting Device uses
            the default port number for IPFIX, which is 4739 without TLS
            and 4740 if TLS is activated.";
       }

       leaf send-buffer-size {
         type uint32;
         units "bytes";
         description
           "Size of the socket send buffer.

            If not configured by the user, this parameter is set by
            the Exporting Device.";
         reference
           "RFC 6728, Section 4.4.3 (sendBufferSize).";
       }

       leaf rate-limit {
         type uint32;
         units "bytes per second";
         description
           "Maximum number of bytes per second the Exporting Process may
            export to the given destination.  The number of bytes is
            calculated from the lengths of the IPFIX Messages exported.
            If not configured, no rate limiting is performed.";
         reference
           "RFC 6728, Section 4.4.3 (rateLimit).";
       }

       leaf connection-timeout {
         type uint32;
         units seconds;
         description
           "Time after which the exporting process deems the TCP
            connection to have failed.";
         reference
           "RFC 7011, Sections 10.4.4 and 10.4.5.";
       }

       leaf retry-schedule {
         type uint32 {
           range "60..max";
         }
         units seconds;
         description
           "Time after which the exporting process retries the TCP
            connection to a collector.";
         reference
           "RFC 7011, Section 10.4.4.";
       }

       container security {
         description
           "Security related parameters.";

         uses tlsc:tls-client-grouping;
       }
     }

     grouping exporting-process-parameters {
       description
         "Parameters of an Exporting Process.";

       leaf export-mode {
         type identityref {
           base export-mode;
         }
         default 'fallback';
         description
           "This parameter determines to which configured destination(s)
            the incoming Data Records are exported.";
       }

       list destination {
         key "name";
         min-elements 1;
         ordered-by user;
         description
           "List of export destinations.";

         leaf name {
           type string;
           description
             "An arbitrary string which uniquely identifies the export
              destination.";
         }

         container exporter {
           description
             "Exporter parameters.";

           uses exporter-parameters;

           container transport-session {
             config false;
             description
               "Transport session state data.";

             uses transport-session-state-parameters;
             uses export-template-state-parameters;
           }
         }
       }

       list options {
         key "name";
         description
           "List of options reported by the Exporting Process.";

         leaf name {
           type string;
           description
             "An arbitrary string which uniquely identifies the
              option.";
         }
         uses options-parameters;
       }
     }

     grouping options-parameters {
       description
         "Parameters specifying the data export using an Options
          Template.";

       leaf options-type {
         type identityref {
           base options-type;
         }
         mandatory true;
         description
           "Type of the exported options data.";
       }

       leaf options-timeout {
         type uint32;
         units "milliseconds";
         description
           "Time interval for periodic export of the options data. If
            set to zero, the export is triggered when the options data
            has changed.

            If not configured by the user, this parameter is set by the
            Exporting Device.";
       }
     }

     grouping data-template-parameters {
       description
         "Field Layout parameters.";

       leaf observation-domain-id {
         type uint32;
         default 0;
         description
           "An identifier of an Observation Domain that is locally
            unique to an Exporting Process (see RFC 7011 Section 3.1).

            Typically, this Information Element is for limiting the
            scope of other Information Elements.

            A value of 0 indicates that no specific Observation Domain
            is identified by this Information Element.";
       }

       container field-layout {
         description
           "Field Layout parameters.";

         list field {
           key name;
           min-elements 1;
           description
             "Superset of statistics field names or special field-names
              (e.g., timestamps, etc) for interpreting statistics that
              are included in the Data Records generated by the
              device.";

           leaf name {
             type string;
             description
               "An arbitrary string which uniquely identifies the
                field.";
           }

           choice identifier {
             mandatory true;
             description
               "The Information Element to be added to the template.";

             case ie-name {
               leaf ie-name {
                 type string;
                 description
                   "Name of the Information Element.";
               }
             }

             case ie-id {
               leaf ie-id {
                 type ie-id-type;
                 description
                   "ID of the Information Element.";
               }
             }
           }

           leaf ie-length {
             type uint16;
             units octets;
             description
               "Length of the field in which the Information Element is
                encoded.  A value of 65535 specifies a variable-length
                Information Element.  For Information Elements of
                integer and float type, the field length MAY be set to a
                smaller value than the standard length of the abstract
                data type if the rules of reduced size encoding are
                fulfilled.

                If not configured by the user, this parameter is set by
                the Exporting Device.";
             reference
               "RFC 7011, Section 6.2";
           }

           leaf ie-enterprise-number {
             type uint32;
             default 0;
             description
               "If this parameter is zero, the Information Element is
                registered in the IANA registry of IPFIX Information
                Elements or unspecified (if the Information Element is
                not IANA registered).

                If this parameter is configured with a non-zero private
                enterprise number, the Information Element is
                enterprise-specific.";
             reference
               "RFC 7011; RFC 5103;
                IANA registry for Private Enterprise Numbers,
                http://www.iana.org/assignments/enterprise-numbers;
                IANA registry for IPFIX Entities,
                http://www.iana.org/assignments/ipfix";
           }
         }
       }
     }

     container ipfix-data-export {
       description
         "IPFIX data export node.";

       list exporting-process {
         if-feature exporter;
         key "name";
         description
           "List of Exporting Processes of the IPFIX Exporting Device
            for which configuration will be applied.";

         leaf name {
           type string;
           description
             "An arbitrary string which uniquely identifies the
              Exporting Process.";
         }

         leaf enabled {
           type boolean;
           default "true";
           description
             "If true, this Exporting Process is enabled for
              exporting.";
         }

         uses exporting-process-parameters;

         leaf exporting-process-id {
           type uint32;
           config false;
           description
             "The identifier of the Exporting Process.  This parameter
              corresponds to the Information Element exportingProcessId.
              Its occurrence helps to associate Exporting Process
              parameters with Exporting Process statistics exported by
              the Exporting Device using the Exporting Process
              Reliability Statistics Template as defined by the IPFIX
              protocol specification.";
           reference
             "RFC 7011, Section 4.3; IANA registry for IPFIX
              Entities, http://www.iana.org/assignments/ipfix.";
         }
       }

       list template {
         key name;
         description
           "List of data templates of the Exporting Device.";

         leaf name {
           type string;
           description
             "An arbitrary string which uniquely identifies the data
              template.";
         }

         leaf enabled {
           type boolean;
           default "true";
           description
             "If true, this template is enabled and the specified data
              is able to be exported.";
         }

         leaf export-interval {
           type uint32;
           units "seconds";
           description
             "This parameter configures the interval (in seconds) for
              periodical export of Data Records.

              If not configured by the user, the Exporting Device
              sets this parameter.";
         }

         uses data-template-parameters;

         leaf-list exporting-process {
           if-feature exporter;
           type leafref {
             path "/ipfix-data-export"
                + "/exporting-process/name";
           }
           description
             "Data Records are exported by all Exporting Processes in
              the list.";
         }

         choice resource-identifier {
           description
             "Method to select the resources from which the Data
              Records are to be exported.

              Note that it is expected that other methods be available.
              Those methods can augment this choice.";

           case resource-instance {
             leaf-list resource-instance {
               type resource;
               description
                 "Data Records are sourced from all the resources in
                  this list.";
             }
           }
         }

         leaf data-records {
           type yang:counter64;
           units "Data Records";
           config false;
           description
             "The number of Data Records generated for this template.

              Discontinuities in the value of this counter can occur
              at re-initialization of the management system, and at
              other times as indicated by the value of Discontinuity
              Time.";
         }

         leaf discontinuity-time {
           type yang:date-and-time;
           config false;
           description
             "Timestamp of the most recent occasion at which the
              counter data records suffered a discontinuity.";
         }
       }
     }
   }

   <CODE ENDS>

5.1.2.  ietf-ipfix-data-export Module Structure

   This document defines the YANG module "ietf-ipfix-data-export", which
   has the following tentative structure:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   module: ietf-ipfix-data-export
     +--rw ipfix-data-export
        +--rw exporting-process* [name] {exporter}?
        |  +--rw name                    string
        |  +--rw enabled?                boolean
        |  +--rw export-mode?            identityref
        |  +--rw destination* [name]
        |  |  +--rw name        string
        |  |  +--rw exporter
        |  |     +--rw ipfix-version?        uint16
        |  |     +--rw source
        |  |     |  +--rw (source-method)?
        |  |     |     +--:(interface)
        |  |     |     |  +--rw interface?        if:interface-ref
        |  |     |     +--:(source-address)
        |  |     |        +--rw source-address?   inet:host
        |  |     +--rw destination
        |  |     |  +--rw (destination-method)
        |  |     |     +--:(destination-address)
        |  |     |        +--rw destination-address?   inet:host
        |  |     +--rw destination-port?     inet:port-number
        |  |     +--rw send-buffer-size?     uint32
        |  |     +--rw rate-limit?           uint32
        |  |     +--rw connection-timeout?   uint32
        |  |     +--rw retry-schedule?       uint32
        |  |     +--rw security
        |  |     |  +--rw client-identity!
        |  |     |  |  +--rw (auth-type)
        |  |     |  |     +--:(certificate) {client-ident-x509-cert}?
        |  |     |  |     |  +--rw certificate
        |  |     |  |     |     +--rw (local-or-keystore)
        |  |     |  |     |        +--:(local)
        |  |     |  |     |        |        {local-definitions-supporte\
   d,asymmetric-keys}?
        |  |     |  |     |        |  +--rw local-definition
        |  |     |  |     |        +--:(keystore)
        |  |     |  |     |                 {central-keystore-supported\
   ,asymmetric-keys}?
        |  |     |  |     |           +--rw keystore-reference
        |  |     |  |     |              +--rw asymmetric-key?
        |  |     |  |     |              |       ks:asymmetric-key-ref
        |  |     |  |     |              |       {central-keystore-supp\
   orted,asymmetric-keys}?
        |  |     |  |     |              +--rw certificate?      leafref
        |  |     |  |     +--:(raw-public-key)
        |  |     |  |     |        {client-ident-raw-public-key}?
        |  |     |  |     |  +--rw raw-private-key
        |  |     |  |     |     +--rw (local-or-keystore)
        |  |     |  |     |        +--:(local)
        |  |     |  |     |        |        {local-definitions-supporte\
   d,asymmetric-keys}?
        |  |     |  |     |        |  +--rw local-definition
        |  |     |  |     |        +--:(keystore)
        |  |     |  |     |                 {central-keystore-supported\
   ,asymmetric-keys}?
        |  |     |  |     |           +--rw keystore-reference?
        |  |     |  |     |                   ks:asymmetric-key-ref
        |  |     |  |     +--:(tls12-psk) {client-ident-tls12-psk}?
        |  |     |  |     |  +--rw tls12-psk
        |  |     |  |     |     +--rw (local-or-keystore)
        |  |     |  |     |     |  +--:(local)
        |  |     |  |     |     |  |        {local-definitions-supporte\
   d,symmetric-keys}?
        |  |     |  |     |     |  |  +--rw local-definition
        |  |     |  |     |     |  +--:(keystore)
        |  |     |  |     |     |           {central-keystore-supported\
   ,symmetric-keys}?
        |  |     |  |     |     |     +--rw keystore-reference?
        |  |     |  |     |     |             ks:symmetric-key-ref
        |  |     |  |     |     +--rw id?                         string
        |  |     |  |     +--:(tls13-epsk) {client-ident-tls13-epsk}?
        |  |     |  |        +--rw tls13-epsk
        |  |     |  |           +--rw (local-or-keystore)
        |  |     |  |           |  +--:(local)
        |  |     |  |           |  |        {local-definitions-supporte\
   d,symmetric-keys}?
        |  |     |  |           |  |  +--rw local-definition
        |  |     |  |           |  +--:(keystore)
        |  |     |  |           |           {central-keystore-supported\
   ,symmetric-keys}?
        |  |     |  |           |     +--rw keystore-reference?
        |  |     |  |           |             ks:symmetric-key-ref
        |  |     |  |           +--rw external-identity           string
        |  |     |  |           +--rw hash
        |  |     |  |           |       tlscmn:epsk-supported-hash
        |  |     |  |           +--rw context?                    string
        |  |     |  |           +--rw target-protocol?            uint16
        |  |     |  |           +--rw target-kdf?                 uint16
        |  |     |  +--rw server-authentication
        |  |     |  |  +--rw ca-certs! {server-auth-x509-cert}?
        |  |     |  |  +--rw ee-certs! {server-auth-x509-cert}?
        |  |     |  |  +--rw raw-public-keys! {server-auth-raw-public-k\
   ey}?
        |  |     |  |  +--rw tls12-psks?        empty
        |  |     |  |  |       {server-auth-tls12-psk}?
        |  |     |  |  +--rw tls13-epsks?       empty
        |  |     |  |          {server-auth-tls13-epsk}?
        |  |     |  +--rw hello-params {tlscmn:hello-params}?
        |  |     |  +--rw keepalives {tls-client-keepalives}?
        |  |     |     +--rw peer-allowed-to-send?   empty
        |  |     |     +--rw test-peer-aliveness!
        |  |     |        +--rw max-wait?       uint16
        |  |     |        +--rw max-attempts?   uint8
        |  |     +--ro transport-session
        |  |        +--ro name?                  string
        |  |        +--ro source-address?        inet:host
        |  |        +--ro destination-address?   inet:host
        |  |        +--ro source-port?           inet:port-number
        |  |        +--ro destination-port?      inet:port-number
        |  |        +--ro status?                transport-session-stat\
   us
        |  |        +--ro rate?                  yang:gauge32
        |  |        +--ro bytes?                 yang:counter64
        |  |        +--ro messages?              yang:counter64
        |  |        +--ro discarded-messages?    yang:counter64
        |  |        +--ro data-records?          yang:counter64
        |  |        +--ro templates?             yang:counter32
        |  |        +--ro options-templates?     yang:counter32
        |  |        +--ro start-time?            yang:date-and-time
        |  |        +--ro discontinuity-time?    yang:date-and-time
        |  |        +--ro template* [name]
        |  |           +--ro name                     string
        |  |           +--ro observation-domain-id?   uint32
        |  |           +--ro id?                      uint16
        |  |           +--ro set-id?                  uint16
        |  |           +--ro access-time?             yang:date-and-time
        |  |           +--ro data-records?            yang:counter64
        |  |           +--ro discontinuity-time?      yang:date-and-time
        |  |           +--ro field* [name]
        |  |              +--ro name                    string
        |  |              +--ro ie-id?                  ie-id-type
        |  |              +--ro ie-length?              uint16
        |  |              +--ro ie-enterprise-number?   uint32
        |  |              +--ro is-scope?               empty
        |  +--rw options* [name]
        |  |  +--rw name               string
        |  |  +--rw options-type       identityref
        |  |  +--rw options-timeout?   uint32
        |  +--ro exporting-process-id?   uint32
        +--rw template* [name]
           +--rw name                       string
           +--rw enabled?                   boolean
           +--rw export-interval?           uint32
           +--rw observation-domain-id?     uint32
           +--rw field-layout
           |  +--rw field* [name]
           |     +--rw name                    string
           |     +--rw (identifier)
           |     |  +--:(ie-name)
           |     |  |  +--rw ie-name?          string
           |     |  +--:(ie-id)
           |     |     +--rw ie-id?            ie-id-type
           |     +--rw ie-length?              uint16
           |     +--rw ie-enterprise-number?   uint32
           +--rw exporting-process*
           |       -> /ipfix-data-export/exporting-process/name {export\
   er}?
           +--rw (resource-identifier)?
           |  +--:(resource-instance)
           |     +--rw resource-instance*   resource
           +--ro data-records?              yang:counter64
           +--ro discontinuity-time?        yang:date-and-time

5.1.3.  ietf-ipfix-data-export Model Example

   The configuration example configures a field-layout template to
   export Ethernet statistics from eth0 and eth1.

   <ipfix-data-export
       xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
     <exporting-process>
       <name>ipfix data exporter</name>
       <destination>
         <name>ipfix-collector</name>
         <exporter>
           <source>
             <source-address>192.100.2.1</source-address>
           </source>
           <destination>
             <destination-address>proxy1.sys.com</destination-address>
           </destination>
         </exporter>
       </destination>
       <options>
         <name>Options 1</name>
         <options-type>extended-type-information</options-type>
         <options-timeout>0</options-timeout>
       </options>
     </exporting-process>
   </ipfix-data-export>

6.  IANA Considerations

   This document registers 1 URI in the "IETF XML Registry" [RFC3688].
   Following the format in RFC 3688, the following registrations have
   been made.

   URI: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
   Registrant Contact: The IESG.
   XML: N/A, the requested URI is an XML namespace.

   This document registers 1 YANG module in the "YANG Module Names"
   registry.  Following the format in [RFC7950], the following have been
   registered.

   Name: ietf-ipfix-data-export
   Namespace: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
   Prefix: ipfixde
   Reference: RFC XXXX: YANG Data Model for the IP Flow Information
              Export (IPFIX) Protocol Data Export

7.  Security Considerations

   The YANG module specified in this document defines a schema for data
   that is designed to be accessed via network management protocols such
   as NETCONF [RFC6241] or RESTCONF [RFC8040].  The lowest NETCONF layer
   is the secure transport layer, and the mandatory-to-implement secure
   transport is Secure Shell (SSH) [RFC6242].  The lowest RESTCONF layer
   is HTTPS, and the mandatory-to-implement secure transport is TLS
   [RFC8446].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., NETCONF edit-
   config) to these data nodes without proper protection can have a
   negative effect on network operations.  These are the subtrees and
   data nodes and their sensitivity/vulnerability:

   *  /ipfix-data-export/exporting-process: The configuration parameters
      in this subtree specify Collectors to which Data Records are
      exported.  Write access to this subtree allows exporting
      potentially sensitive information to illegitimate Collectors.
      Furthermore, TLS parameters can be changed, which may affect the
      mutual authentication between Exporters and Collectors as well as
      the encrypted transport of the data.

   *  /ipfix-data-export/template: The configuration parameters in this
      subtree specify the fields included in the data export.  Write
      access to this subtree allows adding fields which may cause export
      of sensitive configuration and/or statistics.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   *  /ipfix-data-export/exporting-process: Parameters in this subtree
      may be sensitive because they reveal information about the network
      infrastructure and the outgoing IPFIX Transport Sessions.  For
      example, they disclose the IP addresses of Collectors as well as
      the deployed TLS configuration, which may facilitate the
      interception of outgoing IPFIX Messages.

   *  /ipfix-data-export/template: Parameters in this subtree may be
      sensitive because they reveal information about the Monitoring
      Device itself and the observed traffic.  For example, the
      data-records counters allow inferring the number of packets.
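
   One way to audit a retrieved configuration for the write-access
   risks named above (export to an illegitimate Collector, altered TLS
   parameters), as an added example that is not part of the draft.  The
   function name, finding labels, approved-Collector set and sample
   instance data are assumptions, and treating a destination without a
   server-authentication method as a finding is a local policy choice.

```python
import xml.etree.ElementTree as ET

# Namespace registered for the module in the IANA Considerations section.
NS_URI = "urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export"
NS = {"de": NS_URI}
# Server-authentication nodes shown under "security" in the tree diagram.
SERVER_AUTH_NODES = ("ca-certs", "ee-certs", "raw-public-keys",
                     "tls12-psks", "tls13-epsks")

# Constructed sample configuration (not from the draft); key and certificate
# material under the security nodes is elided.
SAMPLE_CONFIG = """<config>
<ipfix-data-export xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
 <exporting-process>
  <name>edge-exporter</name>
  <destination>
   <name>primary</name>
   <exporter>
    <destination>
     <destination-address>collector1.example.net</destination-address>
    </destination>
    <security><server-authentication><ca-certs/></server-authentication></security>
   </exporter>
  </destination>
  <destination>
   <name>shadow</name>
   <exporter>
    <destination>
     <destination-address>203.0.113.50</destination-address>
    </destination>
   </exporter>
  </destination>
 </exporting-process>
 <exporting-process>
  <name>core-exporter</name>
  <destination>
   <name>primary</name>
   <exporter>
    <destination>
     <destination-address>collector1.example.net</destination-address>
    </destination>
    <security><client-identity/></security>
   </exporter>
  </destination>
 </exporting-process>
</ipfix-data-export>
</config>"""


def audit_exporters(xml_text, approved_collectors):
    """Return sorted (process, destination, finding) tuples for review."""
    approved = {c.lower() for c in approved_collectors}
    findings = []
    for top in ET.fromstring(xml_text).iter("{%s}ipfix-data-export" % NS_URI):
        for proc in top.findall("de:exporting-process", NS):
            pname = proc.findtext("de:name", "?", NS)
            for dest in proc.findall("de:destination", NS):
                dname = dest.findtext("de:name", "?", NS)
                addr = dest.findtext(
                    "de:exporter/de:destination/de:destination-address", "", NS)
                addr = addr.strip().lower()
                # Export target outside the approved Collector set.
                if addr not in approved:
                    findings.append((pname, dname, "unapproved-collector:" + addr))
                # No method configured for authenticating the Collector.
                auth = dest.find(
                    "de:exporter/de:security/de:server-authentication", NS)
                if auth is None or not any(
                        auth.find("de:" + n, NS) is not None
                        for n in SERVER_AUTH_NODES):
                    findings.append((pname, dname, "no-server-authentication"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_exporters(SAMPLE_CONFIG, {"collector1.example.net"}))
```

   Running the audit against each configuration snapshot and alerting
   on new findings gives a detective control alongside the NACM
   [RFC8341] write restrictions on /ipfix-data-export/exporting-process.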

8.  Acknowledgments

   The authors would like to thank Benoit Claise, Joe Clarke, Gerhard
   Muenz, Rob Wilton, Joey Boyd and William Lupton for their
   contributions towards creation of this document and associated YANG
   data models.

9.  Normative References

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., "YANG Groupings for TLS Clients and TLS
              Servers", Work in Progress, Internet-Draft, draft-ietf-
              netconf-tls-client-server-29, 18 July 2022,
              <https://datatracker.ietf.org/api/v1/doc/document/draft-
              ietf-netconf-tls-client-server/>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC5476]  Claise, B., Ed., Johnson, A., and J. Quittek, "Packet
              Sampling (PSAMP) Protocol Specifications", RFC 5476,
              DOI 10.17487/RFC5476, March 2009,
              <https://www.rfc-editor.org/info/rfc5476>.

   [RFC5610]  Boschi, E., Trammell, B., Mark, L., and T. Zseby,
              "Exporting Type Information for IP Flow Information Export
              (IPFIX) Information Elements", RFC 5610,
              DOI 10.17487/RFC5610, July 2009,
              <https://www.rfc-editor.org/info/rfc5610>.

   [RFC6728]  Muenz, G., Claise, B., and P. Aitken, "Configuration Data
              Model for the IP Flow Information Export (IPFIX) and
              Packet Sampling (PSAMP) Protocols", RFC 6728,
              DOI 10.17487/RFC6728, October 2012,
              <https://www.rfc-editor.org/info/rfc6728>.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013,
              <https://www.rfc-editor.org/info/rfc7011>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.

10.  Informative References

   [IANA-IPFIX]
              IANA, "IP Flow Information Export (IPFIX) Entities",
              <https://www.iana.org/assignments/ipfix>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5473]  Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy
              in IP Flow Information Export (IPFIX) and Packet Sampling
              (PSAMP) Reports", RFC 5473, DOI 10.17487/RFC5473, March
              2009, <https://www.rfc-editor.org/info/rfc5473>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013,
              <https://www.rfc-editor.org/info/rfc6991>.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
              <https://www.rfc-editor.org/info/rfc8040>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
              <https://www.rfc-editor.org/info/rfc8340>.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018,
              <https://www.rfc-editor.org/info/rfc8341>.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
              <https://www.rfc-editor.org/info/rfc8343>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

Authors' Addresses

   Anand Arokiaraj
   Nokia
   Email: anand.arokiaraj@nokia.com


   Marta Seda
   Calix
   Email: marta.seda@calix.com
