Network Working Group A. Yourtchenko Internet-Draft P. Aitken Intended status: Informational B. Claise Expires: January 12, 2012 Cisco Systems, Inc. July 11, 2011 IPFIX Cisco Vendor Specific Information Elements draft-yourtchenko-cisco-ies-01 Abstract This document describes some additional Information Elements of Cisco Systems, Inc. that are not listed in RFC3954. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 12, 2012. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Yourtchenko, et al. Expires January 12, 2012 [Page 1] Internet-Draft IPFIX Cisco Information Elements July 2011 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Information Elements . . . . . . . . . . . . . . . . . . . . . 3 3.1. fsFlowEntryTotalCount . . . . . . . . . . . . . . . . . . 3 3.2. samplingInterval . . . . . . . . . . . . . . . . . . . . . 3 3.3. samplingAlgorithm . . . . . . . . . . . . . . . . . . . . 4 3.4. engineType . . . . . . . . . . . . . . . . . . . . . . . . 4 3.5. engineId . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.6. ipv4RouterSc . . . . . . . . . . . . . . . . . . . . . . . 5 3.7. flowSamplerId . . . . . . . . . . . . . . . . . . . . . . 5 3.8. flowSamplerMode . . . . . . . . . . . . . . . . . . . . . 5 3.9. flowSamplerRandomInterval . . . . . . . . . . . . . . . . 5 3.10. classId . . . . . . . . . . . . . . . . . . . . . . . . . 6 3.11. samplerName . . . . . . . . . . . . . . . . . . . . . . . 6 3.12. flagsAndSamplerId . . . . . . . . . . . . . . . . . . . . 6 3.13. forwardingStatus . . . . . . . . . . . . . . . . . . . . . 6 3.14. srcTrafficIndex . . . . . . . . . . . . . . . . . . . . . 8 3.15. dstTrafficIndex . . . . . . . . . . . . . . . . . . . . . 8 3.16. className . . . . . . . . . . . . . . . . . . . . . . . . 8 3.17. layer2packetSectionOffset . . . . . . . . . . . . . . . . 9 3.18. layer2packetSectionSize . . . . . . . . . . . . . . . . . 9 3.19. layer2packetSectionData . . . . . . . . . . . . . . . . . 9 4. Other Information Elements . . . . . . . . . . . . . . . . . . 9 4.1. Application Information IEs . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 Appendix A. XML Specification of IPFIX Information Elements . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 Yourtchenko, et al. Expires January 12, 2012 [Page 2] Internet-Draft IPFIX Cisco Information Elements July 2011 1. Introduction The section 4 of [RFC5102] defines the IPFIX Information Elements in the range of 1-127 to be compatible with the NetFlow version 9 fields, as specified in the "Cisco Systems NetFlow Services Export Version 9" [RFC3954]. As [RFC3954] was specified in 2004, it does not contain all NetFlow version 9 specific fields in the range 1-127. The question was asked whether IPFIX Devices should exclusively report the IPFIX IANA IEs [IPFIX-IANA] ? In other words, when upgrading from a NetFlow metering process to an IPFIX Metering Process, should the IPFIX Devices stop reporting NetFlow version 9 specific IEs that were not registered in IANA [IPFIX-IANA] ? This document is intended to fill the gap in this IE range. That way, IPFIX implementations could export all the IEs specified in IANA, regardless of the range. 2. Terminology IPFIX-specific terminology used in this document is defined in Section 2 of [RFC5101]. As in [RFC5101], these IPFIX-specific terms have the first letter of a word capitalized when used in this document. 3. Information Elements 3.1. fsFlowEntryTotalCount Description: This Information Element specifies the current number of all Flow Records that form the parent population as input to the Flow Selection Process. Abstract Data Type: unsigned64 ElementId: 3 Semantics: quantity Status: current Units: flows RFC EDITOR NOTE: if the Flow Selection Techniques document [I-D.ietf-ipfix-flow-selection-tech] is published before this, then remove this entry. This Information Element is similar to 'fsFlowEntryTotalCount' there. 3.2. samplingInterval Yourtchenko, et al. Expires January 12, 2012 [Page 3] Internet-Draft IPFIX Cisco Information Elements July 2011 Description: When using sampled NetFlow, the rate at which packets are sampled - e.g. a value of 100 indicates that one of every 100 packets is sampled. Deprecated in favor of 305 samplingPacketInterval. Abstract Data Type: unsigned32 ElementId: 34 Semantics: quantity Status: deprecated Units: packets 3.3. samplingAlgorithm Description: The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling. The values are not compatible with the selectorAlgorithm field, where "Deterministic" has been replaced by "Systematic count-based" (1) or "Systematic time-based" (2), and "Random" is (3). Conversion is required, see PSAMP parameters [PSAMP-IANA]. Deprecated in favor of 304 selectorAlgorithm. Abstract Data Type: unsigned8 ElementId: 35 Semantics: identifier Status: deprecated 3.4. engineType Description: Type of flow switching engine in a router/switch: RP = 0, VIP/ Line card = 1, PFC/DFC = 2. Reserved for internal use on the collector. Abstract Data Type: unsigned8 ElementId: 38 Semantics: identifier Status: deprecated 3.5. engineId Description: VIP or line card slot number of the flow switching engine in a router/switch. Reserved for internal use on the collector. Abstract Data Type: unsigned8 ElementId: 39 Semantics: identifier Yourtchenko, et al. Expires January 12, 2012 [Page 4] Internet-Draft IPFIX Cisco Information Elements July 2011 Status: deprecated 3.6. ipv4RouterSc Description: This is a platform-specific field. It is used to store the address of a router that is being shortcut when performing the MultiLayer Switching. Abstract Data Type: ipv4Address ElementId: 43 Semantics: ipv4Address Status: deprecated Reference: [CCO-MLS] describes the MultiLayer Switching. 3.7. flowSamplerId Description: The unique identifier associated with samplerName. Deprecated in favor of 302 selectorId. Abstract Data Type: unsigned8 ElementId: 48 Semantics: identifier Status: deprecated 3.8. flowSamplerMode Description: The type of algorithm used for sampling data: 0x01 - deterministic, 0x02 - random sampling. Use with flowSamplerRandomInterval. Deprecated in favor of 304 selectorAlgorithm. The values are not compatible: selectorAlgorithm=3 is random sampling. Abstract Data Type: unsigned8 ElementId: 49 Semantics: identifier Status: deprecated 3.9. flowSamplerRandomInterval Description: Packet interval at which to sample - in case of random sampling. Used in connection with flowSamplerMode 0x02 (random sampling) value. Deprecated in favour of 305 samplingPacketInterval. Abstract Data Type: unsigned32 Yourtchenko, et al. Expires January 12, 2012 [Page 5] Internet-Draft IPFIX Cisco Information Elements July 2011 ElementId: 50 Semantics: quantity Status: deprecated 3.10. classId Description: Characterizes the traffic class, i.e. QoS treatment. Deprecated in favour of 302 selectorId. Abstract Data Type: unsigned8 ElementId: 51 Semantics: identifier Status: deprecated 3.11. samplerName Description: Name of the flow sampler. Deprecated in favor of 335 selectorName. Abstract Data Type: string ElementId: 84 Status: deprecated 3.12. flagsAndSamplerId Description: Flow flags and the value of the sampler ID (flowSamplerId) combined in one bitmapped field. Reserved for internal use on the collector. Abstract Data Type: unsigned32 ElementId: 87 Semantics: identifier Status: deprecated 3.13. forwardingStatus Description: The field describes the forwarding status of the flow and any attached reasons. The Reduced Size Encoding rules as per [RFC5101] apply. The basic encoding is 8 bits. The future extensions could add one or three bytes. The layout of the basic encoding is as follows: MSB - 0 1 2 3 4 5 6 7 - LSB +---+---+---+---+---+---+---+---+ | Status| Reason code or flags | Yourtchenko, et al. Expires January 12, 2012 [Page 6] Internet-Draft IPFIX Cisco Information Elements July 2011 +---+---+---+---+---+---+---+---+ Status: 00b = Unknown 01b = Forwarded 10b = Dropped 11b = Consumed Reason Code (status = 01b, Forwarded) 01 000000b = 64 = Unknown 01 000001b = 65 = Fragmented 01 000010b = 66 = Not Fragmented Reason Code (status = 10b, Dropped) 10 000000b = 128 = Unknown 10 000001b = 129 = ACL deny 10 000010b = 130 = ACL drop 10 000011b = 131 = Unroutable 10 000100b = 132 = Adjacency 10 000101b = 133 = Fragmentation and DF set 10 000110b = 134 = Bad header checksum 10 000111b = 135 = Bad total Length 10 001000b = 136 = Bad header length 10 001001b = 137 = bad TTL 10 001010b = 138 = Policer 10 001011b = 139 = WRED 10 001100b = 140 = RPF 10 001101b = 141 = For us 10 001110b = 142 = Bad output interface 10 001111b = 143 = Hardware Reason Code (status = 11b, Consumed) 11 000000b = 192 = Unknown 11 000001b = 193 = Punt Adjacency 11 000010b = 194 = Incomplete Adjacency 11 000011b = 195 = For us Examples: value : 0x40 = 64 binary: 01000000 decode: 01 -> Forward 000000 -> No further information Yourtchenko, et al. Expires January 12, 2012 [Page 7] Internet-Draft IPFIX Cisco Information Elements July 2011 value : 0x89 = 137 binary: 10001001 decode: 10 -> Drop 001001 -> Fragmentation and DF set Abstract Data Type: unsigned32 ElementId: 89 Semantics: identifier Status: current Reference: See NetFlow Version 9 Record Format [CCO-NF9FMT]. 3.14. srcTrafficIndex Description: BGP Policy Accounting Source Traffic Index Abstract Data Type: unsigned32 ElementId: 92 Semantics: identifier Status: current Reference: BGP policy accounting as described in [CCO-BGPPOL] 3.15. dstTrafficIndex Description: BGP Policy Accounting Destination Traffic Index Abstract Data Type: unsigned32 ElementId: 93 Semantics: identifier Status: current Reference: BGP policy accounting as described in [CCO-BGPPOL] 3.16. className Description: Traffic Class Name, associated with the classId Information Element. Deprecated in favor of 335 selectorName. Abstract Data Type: string ElementId: 100 Status: deprecated Yourtchenko, et al. Expires January 12, 2012 [Page 8] Internet-Draft IPFIX Cisco Information Elements July 2011 3.17. layer2packetSectionOffset Description: Layer 2 packet section offset. Potentially a generic packet section offset. Abstract Data Type: unsigned16 ElementId: 102 Semantics: quantity Status: current EDITOR'S NOTE: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'sectionOffset' with a better description. One solution is to assign the value 102 for the 'sectionOffset' in [I-D.kashima-ipfix-data-link-layer-monitoring]. 3.18. layer2packetSectionSize Description: Layer 2 packet section size. Potentially a generic packet section size. Abstract Data Type: unsigned16 ElementId: 103 Semantics: quantity Status: current EDITOR'S NOTE: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'sectionObservedOctets' with a better description. One solution is to assign the value 103 to 'sectionObservedOctets' in [I-D.kashima-ipfix-data-link-layer-monitoring]. 3.19. layer2packetSectionData Description: Layer 2 packet section data. Abstract Data Type: octetArray ElementId: 104 Status: current EDITOR's NOTE: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'dataLinkFrameSection' with a better description. One solution is to assign the value 104 to 'dataLinkFrameSection' in [I-D.kashima-ipfix-data-link-layer-monitoring]. 4. Other Information Elements Yourtchenko, et al. Expires January 12, 2012 [Page 9] Internet-Draft IPFIX Cisco Information Elements July 2011 4.1. Application Information IEs ElementId: 101 ElementId: 94 .. 97 Please refer to the Export of Application Information in IPFIX [I-D.claise-export-application-info-in-ipfix] 5. IANA Considerations This document specifies several new IPFIX Information Elements in the IPFIX Information Element registry as defined in Section 3 above. The following Information Elements must be assigned: o Information Element Number 3 for the fsFlowEntryTotalCount Information Element o Information Element Number 34 for the samplingInterval Information Element o Information Element Number 35 for the samplingAlgorithm Information Element o Information Element Number 38 for the engineType Information Element o Information Element Number 39 for the engineId Information Element o Information Element Number 43 for the ipv4RouterSc Information Element o Information Element Number 48 for the flowSamplerId Information Element o Information Element Number 49 for the flowSamplerMode Information Element o Information Element Number 50 for the flowSamplerRandomInterval Information Element o Information Element Number 51 for the classId Information Element o Information Element Number 84 for the samplerName Information Element o Information Element Number 87 for the flagsAndSamplerId Information Element o Information Element Number 89 for the forwardingStatus Information Element o Information Element Number 92 for the srcTrafficIndex Information Element o Information Element Number 93 for the dstTrafficIndex Information Element o Information Element Number 100 for the className Information Element Yourtchenko, et al. Expires January 12, 2012 [Page 10] Internet-Draft IPFIX Cisco Information Elements July 2011 o Information Element Number 102 for the layer2packetSectionOffset Information Element o Information Element Number 103 for the layer2packetSectionSize Information Element o Information Element Number 104 for the layer2packetSectionData Information Element 6. Security Considerations This document specifies the definitions and does not alter the security considerations of the base protocol. Please refer to the security considerations sections of RFC 3954 [RFC3954] and RFC 5102 [RFC5102]. 7. References 7.1. Normative References [RFC5101] Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008. 7.2. Informative References [CCO-BGPPOL] Cisco, "BGP Policy Accounting and BGP Policy Accounting Output Interface Accounting Features", . [CCO-MLS] Cisco, "IP MultiLayer Switching Sample Configuration", . [CCO-NF9FMT] Cisco, "NetFlow version 9 Flow-Record format", . [I-D.claise-export-application-info-in-ipfix] Claise, B., Aitken, P., and N. Ben-Dvora, "Export of Application Information in IPFIX", draft-claise-export-application-info-in-ipfix-01 (work in progress), March 2011. [I-D.ietf-ipfix-flow-selection-tech] Yourtchenko, et al. Expires January 12, 2012 [Page 11] Internet-Draft IPFIX Cisco Information Elements July 2011 D'Antonio, S., Zseby, T., Henke, C., and L. Peluso, "Flow Selection Techniques", draft-ietf-ipfix-flow-selection-tech-06 (work in progress), May 2011. [I-D.kashima-ipfix-data-link-layer-monitoring] Kashima, S., Nakata, K., and A. Kobayashi, "Information Elements for Data Link Layer Traffic Measurement", draft-kashima-ipfix-data-link-layer-monitoring-05 (work in progress), March 2011. [IPFIX-IANA] IANA, "IP Flow Information Export (IPFIX) Entities", . [PSAMP-IANA] IANA, "Packet Sampling (PSAMP) Parameters", . [RFC3954] Claise, B., "Cisco Systems NetFlow Services Export Version 9", RFC 3954, October 2004. [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008. Appendix A. XML Specification of IPFIX Information Elements This Information Element specifies the current number of all Flow Records that form the parent population as input to the Flow Selection Process. Yourtchenko, et al. Expires January 12, 2012 [Page 12] Internet-Draft IPFIX Cisco Information Elements July 2011 When using sampled NetFlow, the rate at which packets are sampled - e.g. a value of 100 indicates that one of every 100 packets is sampled. Deprecated in favor of 305 samplingPacketInterval. The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling. The values are not compatible with the selectorAlgorithm field, where "Deterministic" has been replaced by "Systematic count-based" (1) or "Systematic time-based" (2), and "Random" is (3). Conversion is required, see PSAMP parameters. Deprecated in favor of 304 selectorAlgorithm. Type of flow switching engine in a router/switch: RP = 0, VIP/Line card = 1, PFC/DFC = 2. Reserved for internal use on the collector. Yourtchenko, et al. Expires January 12, 2012 [Page 13] Internet-Draft IPFIX Cisco Information Elements July 2011 VIP or line card slot number of the flow switching engine in a router/switch. Reserved for internal use on the collector. This is a platform-specific field. It is used to store the address of a router that is being shortcut when performing the MultiLayer Switching. The unique identifier associated with samplerName. Deprecated in favor of 302 selectorId. The type of algorithm used for sampling data: 0x01 - deterministic, 0x02 - random sampling. Use with flowSamplerRandomInterval. Deprecated in favor of 304 selectorAlgorithm. The values are not compatible: selectorAlgorithm=3 is random sampling. Yourtchenko, et al. Expires January 12, 2012 [Page 14] Internet-Draft IPFIX Cisco Information Elements July 2011 Packet interval at which to sample - in case of random sampling. Used in connection with flowSamplerMode 0x02 (random sampling) value. Deprecated in favour of 305 samplingPacketInterval. Characterizes the traffic class, i.e. QoS treatment. Deprecated in favour of 302 selectorId. Name of the flow sampler. Deprecated in favor of 335 selectorName. Flow flags and the value of the sampler ID (flowSamplerId) combined in one bitmapped field. Reserved for internal use on the collector. The field describes the forwarding status of the flow and any attached reasons. The Reduced Size Encoding rules as per apply. Yourtchenko, et al. Expires January 12, 2012 [Page 15] Internet-Draft IPFIX Cisco Information Elements July 2011 The basic encoding is 8 bits. The future extensions could add one or three bytes. The layout of the basic encoding is as follows: MSB - 0 1 2 3 4 5 6 7 - LSB +---+---+---+---+---+---+---+---+ | Status| Reason code or flags | +---+---+---+---+---+---+---+---+ Status: 00b = Unknown 01b = Forwarded 10b = Dropped 11b = Consumed Reason Code (status = 01b, Forwarded) 01 000000b = 64 = Unknown 01 000001b = 65 = Fragmented 01 000010b = 66 = Not Fragmented Reason Code (status = 10b, Dropped) 10 000000b = 128 = Unknown 10 000001b = 129 = ACL deny 10 000010b = 130 = ACL drop 10 000011b = 131 = Unroutable 10 000100b = 132 = Adjacency 10 000101b = 133 = Fragmentation and DF set 10 000110b = 134 = Bad header checksum 10 000111b = 135 = Bad total Length 10 001000b = 136 = Bad header length 10 001001b = 137 = bad TTL 10 001010b = 138 = Policer 10 001011b = 139 = WRED 10 001100b = 140 = RPF 10 001101b = 141 = For us 10 001110b = 142 = Bad output interface 10 001111b = 143 = Hardware Reason Code (status = 11b, Consumed) 11 000000b = 192 = Unknown 11 000001b = 193 = Punt Adjacency 11 000010b = 194 = Incomplete Adjacency Yourtchenko, et al. Expires January 12, 2012 [Page 16] Internet-Draft IPFIX Cisco Information Elements July 2011 11 000011b = 195 = For us Examples: value : 0x40 = 64 binary: 01000000 decode: 01 -> Forward 000000 -> No further information value : 0x89 = 137 binary: 10001001 decode: 10 -> Drop 001001 -> Fragmentation and DF set BGP Policy Accounting Source Traffic Index BGP Policy Accounting Destination Traffic Index Traffic Class Name, associated with the classId Information Element. Deprecated in favor of 335 selectorName. Layer 2 packet section offset. Potentially a generic packet section offset. Layer 2 packet section size. Potentially a generic packet section size. Layer 2 packet section data. Authors' Addresses Andrew Yourtchenko Cisco Systems, Inc. De Kleetlaan, 7 Brussels, Diegem B-1831 Belgium Phone: +32 2 704 5494 Email: ayourtch@cisco.com Yourtchenko, et al. Expires January 12, 2012 [Page 18] Internet-Draft IPFIX Cisco Information Elements July 2011 Paul Aitken Cisco Systems, Inc. 96 Commercial Quay Edinburgh EH6 6LX Scotland Phone: +44 131 561 3616 Email: paitken@cisco.com Benoit Claise Cisco Systems, Inc. De Kleetlaan, 6a b1 Diegem B-1831 Belgium Phone: +32 2 704 5622 Email: bclaise@cisco.com Yourtchenko, et al. Expires January 12, 2012 [Page 19]