idnits 2.17.1

draft-claise-netflow-9-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about 6 months
     document validity -- however, there's a paragraph with a matching
     beginning.  Boilerplate error?

  == There is 1 instance of lines with non-ascii characters in the document.

  == The page length should not exceed 58 lines per page, but there was 26
     longer pages, the longest (page 2) being 61 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 29 pages

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 10 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The "Author's Address" (or "Authors' Addresses") section title is
     misspelled.

  == Line 431 has weird spacing: '...seconds since...'

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 2004) is 7316 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'RFC2401' is defined on line 1385, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293)

  ** Obsolete normative reference: RFC 2960 (Obsoleted by RFC 4960)

  -- Duplicate reference: RFC2960, mentioned in 'RFC2401', was also mentioned
     in 'RFC2960'.

  ** Obsolete normative reference: RFC 2960 (ref. 'RFC2401') (Obsoleted by
     RFC 4960)

  == Outdated reference: A later version (-16) exists of
     draft-ietf-ipfix-reqs-15

     Summary: 7 errors (**), 0 flaws (~~), 9 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Draft
Document: draft-claise-netflow-9-08.txt                 Editor B. Claise
Category: Informational                                   Cisco Systems
Expires: October 2004                                        April 2004


             Cisco Systems NetFlow Services Export Version 9


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.  Internet-Drafts are draft documents valid for a maximum of
   six months and may be updated, replaced, or obsoleted by other
   documents at any time.  It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document specifies the data export format for version 9 of
   Cisco Systems' NetFlow services, for use by implementations on the
   network elements and/or matching collector programs.  The version 9
   export format uses templates to provide access to observations of IP
   packet flows in a flexible and extensible manner.  A template defines
   a collection of fields, with corresponding descriptions of structure
   and semantics.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Table of Contents

   1.  Introduction
   2.  Terminology
       2.1  Terminology Summary Table
   3.  NetFlow High-Level Picture on the Exporter
       3.1  The NetFlow Process on the Exporter
       3.2  Flow Expiration
       3.3  Transport Protocol
   4.  Packet Layout
   5.  Export Packet Format
       5.1  Header Format
       5.2  Template FlowSet Format
       5.3  Data FlowSet Format
   6.  Options
       6.1  Options Template FlowSet Format
       6.2  Options Data Record Format
   7.  Template Management
   8.  Field Type Definitions
   9.  The Collector Side
   10. Security Considerations
       10.1  Disclosure of Flow Information Data
       10.2  Forgery of Flow Records or Template Records
       10.3  Attacks on the NetFlow Collector
   11. Examples
       11.1  Packet Header Example
       11.2  Template FlowSet Example
       11.3  Data FlowSet Example
       11.4  Options Template FlowSet Example
       11.5  Data FlowSet with Options Data Records Example
   12. References
   13. Authors
   14. Acknowledgments

1. Introduction

   Cisco Systems' NetFlow services provide network administrators with
   access to IP flow information from their data networks.  Network
   elements (routers and switches) gather flow data and export it to
   collectors.  The collected data provides fine-grained metering for
   highly flexible and detailed resource usage accounting.
   A flow is defined as a unidirectional sequence of packets with some
   common properties that pass through a network device.  These
   collected flows are exported to an external device, the NetFlow
   collector.  Network flows are highly granular; for example, flow
   records include details such as IP addresses, packet and byte
   counts, timestamps, Type of Service (ToS), application ports, input
   and output interfaces, etc.

   Exported NetFlow data is used for a variety of purposes, including
   enterprise accounting and departmental chargebacks, ISP billing,
   data warehousing, network monitoring, capacity planning, application
   monitoring and profiling, user monitoring and profiling, security
   analysis, and data mining for marketing purposes.

   This document specifies NetFlow version 9.  It describes the
   implementation specifications both from network element and NetFlow
   collector points of view.  These specifications should help the
   deployment of NetFlow version 9 across different platforms and
   different vendors by limiting the interoperability risks.  The
   NetFlow export format version 9 uses templates to provide access to
   observations of IP packet flows in a flexible and extensible manner.

   A template defines a collection of fields, with corresponding
   descriptions of structure and semantics.

   The template-based approach provides the following advantages:

   - New fields can be added to NetFlow flow records without changing
     the structure of the export record format.  With previous NetFlow
     versions, adding a new field in the flow record implied a new
     version of the export protocol format and a new version of the
     NetFlow collector that supported the parsing of the new export
     protocol format.
   - Templates that are sent to the NetFlow collector contain the
     structural information about the exported flow record fields;
     therefore, if the NetFlow collector does not understand the
     semantics of new fields, it can still interpret the flow record.

   - Because the template mechanism is flexible, it allows the export
     of only the required fields from the flows to the NetFlow
     collector.  This helps to reduce the exported flow data volume and
     provides possible memory savings for the exporter and NetFlow
     collector.  Sending only the required information can also reduce
     network load.

   The IETF IPFIX Working Group (IP Flow Information eXport) is
   developing a new protocol, based on version 9 of Cisco Systems'
   NetFlow services.  Some enhancements in different domains
   (congestion-aware transport protocol, built-in security, etc.) have
   been incorporated in this new IPFIX protocol.  Refer to the IPFIX
   Working Group documents for more details.

2. Terminology

   Various terms used in this document are described in this section.
   Note that the terminology summary table in Section 2.1 gives a quick
   overview of the relationships between some of the different terms
   defined.

   Observation Point
      An Observation Point is a location in the network where IP packets
      can be observed; for example, one or a set of interfaces on a
      network device like a router.  Every Observation Point is
      associated with an Observation Domain.

   Observation Domain
      The set of Observation Points that is the largest aggregatable set
      of flow information at the network device with NetFlow services
      enabled is termed an Observation Domain.  For example, a router
      line card composed of several interfaces, with each interface
      being an Observation Point.
   IP Flow or Flow
      An IP Flow, also called a Flow, is defined as a set of IP packets
      passing an Observation Point in the network during a certain time
      interval.  All packets that belong to a particular Flow have a set
      of common properties derived from the data contained in the packet
      and from the packet treatment at the Observation Point.

   Flow Record
      A Flow Record provides information about an IP Flow observed at an
      Observation Point.  In this document, the Flow Data Records are
      also referred to as NetFlow services data and NetFlow data.

   Exporter
      A device (for example, a router) with the NetFlow services
      enabled.  The Exporter monitors packets entering an Observation
      Point and creates Flows from these packets.  The information from
      these Flows is exported in the form of Flow Records to the NetFlow
      Collector.

   NetFlow Collector
      The NetFlow Collector receives Flow Records from one or more
      Exporters.  It processes the received Export Packet(s); that is,
      it parses and stores the Flow Record information.  Flow Records
      can be optionally aggregated before being stored on the hard disk.
      The NetFlow Collector is also referred to as the Collector in this
      document.

   Export Packet
      An Export Packet is a packet originating at the Exporter that
      carries the Flow Records of this Exporter and whose destination is
      the NetFlow Collector.

   Packet Header
      The Packet Header is the first part of an Export Packet.  The
      Packet Header provides basic information about the packet such as
      the NetFlow version, number of records contained within the
      packet, and sequence numbering.

   Template Record
      A Template Record defines the structure and interpretation of
      fields in a Flow Data Record.

   Flow Data Record
      A Flow Data Record is a data record that contains values of the
      Flow parameters corresponding to a Template Record.
   Options Template Record
      An Options Template Record defines the structure and
      interpretation of fields in an Options Data Record, including
      defining the scope within which the Options Data Record is
      relevant.

   Options Data Record
      The data record that contains values and scope information of the
      Flow measurement parameters, corresponding to an Options Template
      Record.

   FlowSet
      FlowSet is a generic term for a collection of Flow Records that
      have a similar structure.  In an Export Packet, one or more
      FlowSets follow the Packet Header.  There are three different
      types of FlowSets: Template FlowSet, Options Template FlowSet, and
      Data FlowSet.

   Template FlowSet
      A Template FlowSet is one or more Template Records that have been
      grouped together in an Export Packet.

   Options Template FlowSet
      An Options Template FlowSet is one or more Options Template
      Records that have been grouped together in an Export Packet.

   Data FlowSet
      A Data FlowSet is one or more records, of the same type, that are
      grouped together in an Export Packet.  Each record is either a
      Flow Data Record or an Options Data Record previously defined by a
      Template Record or an Options Template Record.
2.1 Terminology Summary Table

   +------------------+---------------------------------------------+
   |                  |                   Contents                  |
   |                  +--------------------+------------------------+
   |     FlowSet      |  Template Record   |      Data Record       |
   +------------------+--------------------+------------------------+
   |                  |                    |  Flow Data Record(s)   |
   |   Data FlowSet   |         /          |          or            |
   |                  |                    | Options Data Record(s) |
   +------------------+--------------------+------------------------+
   | Template FlowSet | Template Record(s) |           /            |
   +------------------+--------------------+------------------------+
   | Options Template | Options Template   |           /            |
   |     FlowSet      |    Record(s)       |                        |
   +------------------+--------------------+------------------------+

   A Data FlowSet is composed of Options Data Record(s) or Flow Data
   Record(s).  No Template Record is included.
   A Template Record defines the Flow Data Record, and an Options
   Template Record defines the Options Data Record.

   A Template FlowSet is composed of Template Record(s).  No Flow or
   Options Data Record is included.

   An Options Template FlowSet is composed of Options Template
   Record(s).  No Flow or Options Data Record is included.

3. NetFlow High-Level Picture on the Exporter

3.1 The NetFlow Process on the Exporter

   The NetFlow process on the Exporter is responsible for the creation
   of Flows from the observed IP packets.  The details of this process
   are beyond the scope of this document.

3.2 Flow Expiration

   A Flow is considered to be inactive if no packets belonging to the
   Flow have been observed at the Observation Point for a given
   timeout.  If any packet is seen within the timeout, the Flow is
   considered an active Flow.
   A Flow can be exported under the following conditions:

   1. If the Exporter can detect the end of a Flow.  For example, if
      the FIN or RST bit is detected in a TCP [RFC793] connection, the
      Flow Record is exported.

   2. If the Flow has been inactive for a certain period of time.
      This inactivity timeout SHOULD be configurable at the Exporter,
      with a minimum value of 0 for an immediate expiration.

   3. For long-lasting Flows, the Exporter SHOULD export the Flow
      Records on a regular basis.  This timeout SHOULD be configurable
      at the Exporter.

   4. If the Exporter experiences internal constraints, a Flow MAY be
      forced to expire prematurely; for example, counters wrapping or
      low memory.

3.3 Transport Protocol

   To achieve efficiency in terms of processing at the Exporter while
   handling high volumes of Export Packets, the NetFlow Export Packets
   are encapsulated into UDP [RFC768] datagrams for export to the
   NetFlow Collector.  However, NetFlow version 9 has been designed to
   be transport protocol independent.  Hence, it can also operate over
   congestion-aware protocols such as SCTP [RFC2960].

   Note that the Exporter can export to multiple Collectors, using
   independent transport protocols.

   UDP [RFC768] is a non congestion-aware protocol, so when deploying
   NetFlow version 9 in a congestion-sensitive environment, make the
   connection between Exporter and NetFlow Collector through a
   dedicated link.  This ensures that any burstiness in the NetFlow
   traffic affects only this dedicated link.  When the NetFlow
   Collector cannot be placed within a one-hop distance from the
   Exporter, or when the export path from the Exporter to the NetFlow
   Collector cannot be exclusively used for the NetFlow Export Packets,
   the export path should be designed so that it can always sustain the
   maximum burstiness of NetFlow traffic from the Exporter.  Note that
   congestion can occur on the Exporter if the export path speed is too
   low.

4. Packet Layout

   An Export Packet consists of a Packet Header followed by one or more
   FlowSets.  The FlowSets can be any of the possible three types:
   Template, Data, or Options Template.

   +--------+-------------------------------------------+
   |        | +----------+ +---------+ +----------+     |
   | Packet | | Template | |  Data   | | Options  |     |
   | Header | | FlowSet  | | FlowSet | | Template | ... |
   |        | |          | |         | | FlowSet  |     |
   |        | +----------+ +---------+ +----------+     |
   +--------+-------------------------------------------+
                       Export Packet

   A FlowSet ID is used to distinguish the different types of FlowSets.
   FlowSet IDs lower than 256 are reserved for special FlowSets, such
   as the Template FlowSet (ID 0) and the Options Template FlowSet
   (ID 1).  The Data FlowSets have a FlowSet ID greater than 255.

   The format of the Template, Data, and Options Template FlowSets will
   be discussed later in this document.  The Exporter MUST code all
   binary integers of the Packet Header and the different FlowSets in
   network byte order (also known as the big-endian byte ordering).

   Following are some examples of export packets:

   1. An Export Packet consisting of interleaved Template, Data, and
      Options Template FlowSets: a newly created Template is exported
      as soon as possible.  So if there is already an Export Packet
      with a Data FlowSet that is being prepared for export, the
      Template and Options Template FlowSets are also interleaved with
      this information, subject to availability of space.

      Export Packet:
      +--------+--------------------------------------------------------+
      |        | +----------+ +---------+     +-----------+ +---------+ |
      | Packet | | Template | |  Data   |     |  Options  | |  Data   | |
      | Header | | FlowSet  | | FlowSet | ... | Template  | | FlowSet | |
      |        | |          | |         |     |  FlowSet  | |         | |
      |        | +----------+ +---------+     +-----------+ +---------+ |
      +--------+--------------------------------------------------------+

   2. An Export Packet consisting entirely of Data FlowSets: after the
      appropriate Template Records have been defined and transmitted to
      the NetFlow Collector device, the majority of Export Packets
      consists solely of Data FlowSets.

      Export Packet:
      +--------+----------------------------------------------+
      |        | +---------+     +---------+      +---------+ |
      | Packet | |  Data   |     |  Data   |      |  Data   | |
      | Header | | FlowSet | ... | FlowSet | ...  | FlowSet | |
      |        | +---------+     +---------+      +---------+ |
      +--------+----------------------------------------------+

   3. An Export Packet consisting entirely of Template and Options
      Template FlowSets: the Exporter MAY transmit a packet containing
      Template and Options Template FlowSets periodically to help
      ensure that the NetFlow Collector has the correct Template
      Records and Options Template Records when the corresponding Flow
      Data Records are received.

      Export Packet:
      +--------+-------------------------------------------------+
      |        | +----------+     +----------+      +----------+ |
      | Packet | | Template |     | Template |      | Options  | |
      | Header | | FlowSet  | ... | FlowSet  | ...  | Template | |
      |        | |          |     |          |      | FlowSet  | |
      |        | +----------+     +----------+      +----------+ |
      +--------+-------------------------------------------------+

5. Export Packet Format

5.1 Header Format

   The Packet Header format in this version is the same as that defined
   in the previous versions.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Version Number          |            Count              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           sysUpTime                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           UNIX Secs                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Sequence Number                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Source ID                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Packet Header Field Descriptions

   Version
      Version of Flow Record format exported in this packet.  The value
      of this field is 9 for the current version.

   Count
      The total number of records in the Export Packet, which is the
      sum of Options FlowSet records, Template FlowSet records, and
      Data FlowSet records.

   sysUpTime
      Time in milliseconds since this device was first booted.

   UNIX Secs
      Time in seconds since 0000 UTC 1970, at which the Export Packet
      leaves the Exporter.

   Sequence Number
      Incremental sequence counter of all Export Packets sent from the
      current Observation Domain by the Exporter.  This value MUST be
      cumulative, and SHOULD be used by the Collector to identify
      whether any Export Packets have been missed.

   Source ID
      A 32-bit value that identifies the Exporter Observation Domain.
      NetFlow Collectors SHOULD use the combination of the source IP
      address and the Source ID field to separate different export
      streams originating from the same Exporter.

5.2 Template FlowSet Format

   One of the essential elements in the NetFlow format is the Template
   FlowSet.  Templates greatly enhance the flexibility of the Flow
   Record format because they allow the NetFlow Collector to process
   Flow Records without necessarily knowing the interpretation of all
   the data in the Flow Record.  The format of the Template FlowSet is
   as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 0          |          Length               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Template ID 1            |         Field Count           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type 1           |       Field Length 1          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type 2           |       Field Length 2          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ...               |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type N           |       Field Length N          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Template ID 2            |         Field Count           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type 1           |       Field Length 1          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type 2           |       Field Length 2          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ...               |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Field Type M           |       Field Length M          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ...               |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Template ID K            |         Field Count           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             ...               |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Template FlowSet Field Descriptions

   FlowSet ID
      FlowSet ID value of 0 is reserved for the Template FlowSet.
   Length
      Total length of this FlowSet.  Because an individual Template
      FlowSet MAY contain multiple Template Records, the Length value
      MUST be used to determine the position of the next FlowSet
      record, which could be any type of FlowSet.  Length is the sum of
      the lengths of the FlowSet ID, the Length itself, and all
      Template Records within this FlowSet.

   Template ID
      Each of the newly generated Template Records is given a unique
      Template ID.  This uniqueness is local to the Observation Domain
      that generated the Template ID.  Template IDs 0-255 are reserved
      for Template FlowSets, Options FlowSets, and other reserved
      FlowSets yet to be created.  Template IDs of Data FlowSets are
      numbered from 256 to 65535.

   Field Count
      Number of fields in this Template Record.  Because a Template
      FlowSet usually contains multiple Template Records, this field
      allows the Collector to determine the end of the current Template
      Record and the start of the next.

   Field Type
      A numeric value that represents the type of the field.  Refer to
      the "Field Type Definitions" section.

   Field Length
      The length of the corresponding Field Type, in bytes.  Refer to
      the "Field Type Definitions" section.

5.3 Data FlowSet Format

   The format of the Data FlowSet is as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   FlowSet ID = Template ID    |          Length               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Field Value 1    |   Record 1 - Field Value 2    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Field Value 3    |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Field Value 1    |   Record 2 - Field Value 2    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Field Value 3    |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 3 - Field Value 1    |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |           Padding             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Data FlowSet Field Descriptions

   FlowSet ID = Template ID
      Each Data FlowSet is associated with a FlowSet ID.  The FlowSet
      ID maps to a (previously generated) Template ID.  The Collector
      MUST use the FlowSet ID to find the corresponding Template Record
      and decode the Flow Records from the FlowSet.

   Length
      The length of this FlowSet.  Length is the sum of the lengths of
      the FlowSet ID, Length itself, all Flow Records within this
      FlowSet, and the padding bytes, if any.

   Record N - Field Value M
      The remainder of the Data FlowSet is a collection of Flow Data
      Record(s), each containing a set of field values.  The Type and
      Length of the fields have been previously defined in the Template
      Record referenced by the FlowSet ID or Template ID.

   Padding
      The Exporter SHOULD insert some padding bytes so that the
      subsequent FlowSet starts at a 4-byte aligned boundary.  It is
      important to note that the Length field includes the padding
      bytes.  Padding SHOULD use zeros.

   Interpretation of the Data FlowSet format can be done only if the
   Template FlowSet corresponding to the Template ID is available at
   the Collector.

6. Options
6.1 Options Template FlowSet Format

   The Options Template Record (and its corresponding Options Data
   Record) is used to supply information about the NetFlow process
   configuration or NetFlow process specific data, rather than
   supplying information about IP Flows.
   For example, the Options Template FlowSet can report the sample rate
   of a specific interface, if sampling is supported, along with the
   sampling method used.

   The format of the Options Template FlowSet follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 1          |          Length               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Template ID           |      Option Scope Length      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Option Length          |       Scope 1 Field Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Scope 1 Field Length      |               ...             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Scope N Field Length      |      Option 1 Field Type      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Option 1 Field Length     |             ...               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Option M Field Length     |           Padding             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Options Template FlowSet Field Definitions

   FlowSet ID = 1
      A FlowSet ID value of 1 is reserved for the Options Template.

   Length
      Total length of this FlowSet.  Each Options Template FlowSet MAY
      contain multiple Options Template Records.  Thus, the Length
      value MUST be used to determine the position of the next FlowSet
      record, which could be either a Template FlowSet or Data FlowSet.
      Length is the sum of the lengths of the FlowSet ID, the Length
      itself, and all Options Template Records within this FlowSet.

   Template ID
      Template ID of this Options Template.  This value is greater than
      255.

   Option Scope Length
      The length in bytes of any Scope field definition contained in
      the Options Template Record (the use of "Scope" is described
      below).

   Option Length
      The length (in bytes) of any options field definitions contained
      in this Options Template Record.

   Scope 1 Field Type
      The relevant portion of the Exporter/NetFlow process to which the
      Options Template Record refers.
      Currently defined values are:
         1  System
         2  Interface
         3  Line Card
         4  Cache
         5  Template
      For example, the NetFlow process can be implemented on a
      per-interface basis, so if the Options Template Record were
      reporting on how the NetFlow process is configured, the Scope for
      the report would be 2 (interface).  The associated interface ID
      would then be carried in the associated Options Data FlowSet.
      The Scope can be limited further by listing multiple scopes that
      all must match at the same time.  Note that the Scope fields
      always precede the Option fields.

   Scope 1 Field Length
      The length (in bytes) of the Scope field, as it would appear in
      an Options Data Record.

   Option 1 Field Type
      A numeric value that represents the type of field that would
      appear in the Options Template Record.  Refer to the Field Type
      Definitions section.

   Option 1 Field Length
      The length (in bytes) of the Option field.

   Padding
      The Exporter SHOULD insert some padding bytes so that the
      subsequent FlowSet starts at a 4-byte aligned boundary.  It is
      important to note that the Length field includes the padding
      bytes.  Padding SHOULD use zeros.
6.2 Options Data Record Format

   The Options Data Records are sent in Data FlowSets, on a regular
   basis, but not with every Flow Data Record. How frequently these
   Options Data Records are exported is configurable. See the
   "Template Management" section (Section 7) for more details.

   The format of the Data FlowSet containing Options Data Records
   follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   FlowSet ID = Template ID    |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 1 - Scope 1 Value    |Record 1 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 1 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 2 - Scope 1 Value    |Record 2 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 2 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Record 3 - Scope 1 Value    |Record 3 - Option Field 1 Value|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Record 3 - Option Field 2 Value|              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              ...              |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Options Data Records of the Data FlowSet Field Descriptions

   FlowSet ID = Template ID
      A FlowSet ID precedes each group of Options Data Records
      within a Data FlowSet. The FlowSet ID maps to a previously
      generated Template ID corresponding to this Options Template
      Record. The Collector MUST use the FlowSet ID to map the
      appropriate type and length to any field values that follow.

   Length
      The length of this FlowSet.
      Length is the sum of the lengths of the FlowSet ID, Length
      itself, all the Options Data Records within this FlowSet,
      and the padding bytes, if any.

   Record N - Option Field M Value
      The remainder of the Data FlowSet is a collection of Flow
      Records, each containing a set of scope and field values.
      The type and length of the fields were previously defined in
      the Options Template Record referenced by the FlowSet ID or
      Template ID.

   Padding
      The Exporter SHOULD insert some padding bytes so that the
      subsequent FlowSet starts at a 4-byte aligned boundary. It
      is important to note that the Length field includes the
      padding bytes. Padding SHOULD use zeros.

   The Data FlowSet format can be interpreted only if the Options
   Template FlowSet corresponding to the Template ID is available at
   the Collector.

7. Template Management

   Flow Data Records that correspond to a Template Record MAY appear
   in the same and/or subsequent Export Packets. The Template Record
   is not necessarily carried in every Export Packet. As such, the
   NetFlow Collector MUST store the Template Record to interpret the
   corresponding Flow Data Records that are received in subsequent
   data packets.

   A NetFlow Collector that receives Export Packets from several
   Observation Domains from the same Exporter MUST be aware that the
   uniqueness of the Template ID is not guaranteed across Observation
   Domains.

   The Template IDs must remain constant for the life of the NetFlow
   process on the Exporter. If the Exporter or the NetFlow process
   restarts for any reason, all information about Templates will be
   lost and new Template IDs will be created. Template IDs are thus
   not guaranteed to be consistent across an Exporter or NetFlow
   process restart.

   A newly created Template Record is assigned an unused Template ID
   from the Exporter.
   If the template configuration is changed, the
   current Template ID is abandoned and SHOULD NOT be reused until the
   NetFlow process or Exporter restarts. If a Collector should receive
   a new definition for an already existing Template ID, it MUST
   discard the previous template definition and use the new one.

   If a configured Template Record on the Exporter is deleted, and
   reconfigured with exactly the same parameters, the same Template ID
   COULD be reused.

   The Exporter sends the Template FlowSet and Options Template
   FlowSet under the following conditions:

   1. After a NetFlow process restarts, the Exporter MUST NOT send any
      Data FlowSet without sending the corresponding Template FlowSet
      and the required Options Template FlowSet in a previous packet
      or including it in the same Export Packet. It MAY transmit the
      Template FlowSet and Options Template FlowSet, without any Data
      FlowSets, in advance to help ensure that the Collector will have
      the correct Template Record before receiving the first Flow or
      Options Data Record.

   2. In the event of configuration changes, the Exporter SHOULD send
      the new template definitions at an accelerated rate. In such a
      case, it MAY transmit the changed Template Record(s) and Options
      Template Record(s), without any data, in advance to help ensure
      that the Collector will have the correct template information
      before receiving the first data.

   3. On a regular basis, the Exporter MUST send all the Template
      Records and Options Template Records to refresh the Collector.
      Template IDs have a limited lifetime at the Collector and MUST
      be periodically refreshed.
      Two approaches are taken to make sure that Templates get
      refreshed at the Collector:
      * Every N number of Export Packets.
      * On a time basis, so every N number of minutes.
      Both options MUST be configurable by the user on the Exporter.
      When one of these expiry conditions is met, the Exporter MUST
      send the Template FlowSet and Options Template.

   4. In the event of a clock configuration change on the Exporter,
      the Exporter SHOULD send the template definitions at an
      accelerated rate.

8. Field Type Definitions

   The following table describes all the field type definitions that
   an Exporter MAY support. The fields are a selection of Packet
   Header fields, lookup results (for example, the autonomous system
   numbers or the subnet masks), and properties of the packet such as
   length.

   Field Type                      Value  Length  Description
                                          (bytes)

   IN_BYTES                        1      N       Incoming counter with
                                                  length N x 8 bits for the
                                                  number of bytes associated
                                                  with an IP Flow. By default
                                                  N is 4

   IN_PKTS                         2      N       Incoming counter with
                                                  length N x 8 bits for the
                                                  number of packets
                                                  associated with an IP Flow.
                                                  By default N is 4

   FLOWS                           3      N       Number of Flows
                                                  that were aggregated;
                                                  by default N is 4

   PROTOCOL                        4      1       IP protocol byte

   TOS                             5      1       Type of service byte
                                                  setting when entering
                                                  the incoming interface

   TCP_FLAGS                       6      1       TCP flags; cumulative of
                                                  all the TCP flags seen in
                                                  this Flow

   L4_SRC_PORT                     7      2       TCP/UDP source port number
                                                  (for example, FTP, Telnet,
                                                  or equivalent)

   IPV4_SRC_ADDR                   8      4       IPv4 source address

   SRC_MASK                        9      1       The number of contiguous
                                                  bits in the source subnet
                                                  mask (i.e. the mask in
                                                  slash notation)

   INPUT_SNMP                      10     N       Input interface index.
                                                  By default N is 2, but
                                                  higher values can be used

   L4_DST_PORT                     11     2       TCP/UDP destination port
                                                  number (for example, FTP,
                                                  Telnet, or equivalent)

   IPV4_DST_ADDR                   12     4       IPv4 destination address

   DST_MASK                        13     1       The number of contiguous
                                                  bits in the destination
                                                  subnet mask (i.e. the mask
                                                  in slash notation)

                                                  Output interface index.
   OUTPUT_SNMP                     14     N       By default N is 2, but
                                                  higher values can be used

   IPV4_NEXT_HOP                   15     4       IPv4 address of the
                                                  next-hop router

   SRC_AS                          16     N       Source BGP autonomous
                                                  system number where N could
                                                  be 2 or 4. By default N
                                                  is 2

   DST_AS                          17     N       Destination BGP autonomous
                                                  system number where N could
                                                  be 2 or 4. By default N
                                                  is 2

   BGP_IPV4_NEXT_HOP               18     4       Next-hop router's IP
                                                  address in the BGP domain

   MUL_DST_PKTS                    19     N       IP multicast outgoing
                                                  packet counter with length
                                                  N x 8 bits for packets
                                                  associated with the IP
                                                  Flow. By default N is 4

   MUL_DST_BYTES                   20     N       IP multicast outgoing
                                                  Octet (byte) counter with
                                                  length N x 8 bits for the
                                                  number of bytes associated
                                                  with the IP Flow. By
                                                  default N is 4

   LAST_SWITCHED                   21     4       sysUptime in msec at which
                                                  the last packet of this
                                                  Flow was switched

   FIRST_SWITCHED                  22     4       sysUptime in msec at which
                                                  the first packet of this
                                                  Flow was switched

   OUT_BYTES                       23     N       Outgoing counter with
                                                  length N x 8 bits for the
                                                  number of bytes associated
                                                  with an IP Flow. By
                                                  default N is 4

   OUT_PKTS                        24     N       Outgoing counter with
                                                  length N x 8 bits for the
                                                  number of packets
                                                  associated with an IP Flow.
                                                  By default N is 4

   IPV6_SRC_ADDR                   27     16      IPv6 source address

   IPV6_DST_ADDR                   28     16      IPv6 destination address

   IPV6_SRC_MASK                   29     1       Length of the IPv6 source
                                                  mask in contiguous bits

   IPV6_DST_MASK                   30     1       Length of the IPv6
                                                  destination mask in
                                                  contiguous bits

   IPV6_FLOW_LABEL                 31     3       IPv6 flow label as per
                                                  RFC 2460 definition

   ICMP_TYPE                       32     2       Internet Control Message
                                                  Protocol (ICMP) packet
                                                  type; reported as
                                                  ICMP Type * 256 + ICMP code

   MUL_IGMP_TYPE                   33     1       Internet Group Management
                                                  Protocol (IGMP) packet type

   SAMPLING_INTERVAL               34     4       When using sampled NetFlow,
                                                  the rate at which packets
                                                  are sampled; for example, a
                                                  value of 100 indicates that
                                                  one of every hundred
                                                  packets is sampled

   SAMPLING_ALGORITHM              35     1       For sampled NetFlow
                                                  platform-wide:
                                                  0x01 deterministic sampling
                                                  0x02 random sampling
                                                  Use in connection with
                                                  SAMPLING_INTERVAL

   FLOW_ACTIVE_TIMEOUT             36     2       Timeout value (in seconds)
                                                  for active flow entries
                                                  in the NetFlow cache

   FLOW_INACTIVE_TIMEOUT           37     2       Timeout value (in seconds)
                                                  for inactive Flow entries
                                                  in the NetFlow cache

   ENGINE_TYPE                     38     1       Type of Flow switching
                                                  engine (route processor,
                                                  linecard, etc...)

   ENGINE_ID                       39     1       ID number of the Flow
                                                  switching engine

   TOTAL_BYTES_EXP                 40     N       Counter with length
                                                  N x 8 bits for the number
                                                  of bytes exported by the
                                                  Observation Domain. By
                                                  default N is 4

   TOTAL_PKTS_EXP                  41     N       Counter with length
                                                  N x 8 bits for the number
                                                  of packets exported by the
                                                  Observation Domain. By
                                                  default N is 4

   TOTAL_FLOWS_EXP                 42     N       Counter with length
                                                  N x 8 bits for the number
                                                  of Flows exported by the
                                                  Observation Domain.
                                                  By default N is 4

   MPLS_TOP_LABEL_TYPE             46     1       MPLS Top Label Type:
                                                  0x00 UNKNOWN
                                                  0x01 TE-MIDPT
                                                  0x02 ATOM
                                                  0x03 VPN
                                                  0x04 BGP
                                                  0x05 LDP

   MPLS_TOP_LABEL_IP_ADDR          47     4       Forwarding Equivalent Class
                                                  corresponding to the MPLS
                                                  Top Label

   FLOW_SAMPLER_ID                 48     1       Identifier shown
                                                  in "show flow-sampler"

   FLOW_SAMPLER_MODE               49     1       The type of algorithm used
                                                  for sampling data:
                                                  0x02 random sampling
                                                  Use in connection with
                                                  FLOW_SAMPLER_MODE

   FLOW_SAMPLER_RANDOM_INTERVAL    50     4       Packet interval at which to
                                                  sample. Use in connection
                                                  with FLOW_SAMPLER_MODE

   DST_TOS                         55     1       Type of Service byte
                                                  setting when exiting
                                                  outgoing interface

   SRC_MAC                         56     6       Source MAC Address

   DST_MAC                         57     6       Destination MAC Address

   SRC_VLAN                        58     2       Virtual LAN identifier
                                                  associated with ingress
                                                  interface

   DST_VLAN                        59     2       Virtual LAN identifier
                                                  associated with egress
                                                  interface

   IP_PROTOCOL_VERSION             60     1       Internet Protocol Version
                                                  Set to 4 for IPv4, set to 6
                                                  for IPv6.
                                                  If not present in
                                                  the template, then version
                                                  4 is assumed

   DIRECTION                       61     1       Flow direction:
                                                  0 - ingress flow
                                                  1 - egress flow

   IPV6_NEXT_HOP                   62     16      IPv6 address of the
                                                  next-hop router

   BPG_IPV6_NEXT_HOP               63     16      Next-hop router in the BGP
                                                  domain

   IPV6_OPTION_HEADERS             64     4       Bit-encoded field
                                                  identifying IPv6 option
                                                  headers found in the flow

   MPLS_LABEL_1                    70     3       MPLS label at position 1 in
                                                  the stack

   MPLS_LABEL_2                    71     3       MPLS label at position 2 in
                                                  the stack

   MPLS_LABEL_3                    72     3       MPLS label at position 3 in
                                                  the stack

   MPLS_LABEL_4                    73     3       MPLS label at position 4 in
                                                  the stack

   MPLS_LABEL_5                    74     3       MPLS label at position 5 in
                                                  the stack

   MPLS_LABEL_6                    75     3       MPLS label at position 6 in
                                                  the stack

   MPLS_LABEL_7                    76     3       MPLS label at position 7 in
                                                  the stack

   MPLS_LABEL_8                    77     3       MPLS label at position 8 in
                                                  the stack

   MPLS_LABEL_9                    78     3       MPLS label at position 9 in
                                                  the stack

   MPLS_LABEL_10                   79     3       MPLS label at position 10
                                                  in the stack

   The value field is a numeric identifier for the field type.
   The following value fields are reserved for proprietary field
   types: 25, 26, 43 to 45, 51 to 54, and 65 to 69.

   When extensibility is required, the new field types will be added
   to the list. The new field types have to be updated on the Exporter
   and Collector but the NetFlow export format would remain unchanged.
   Refer to the latest documentation at http://www.cisco.com for the
   newly updated list.

   In some cases the size of a field type is fixed by definition, for
   example PROTOCOL, or IPV4_SRC_ADDR. However in other cases they are
   defined as a variant type. This improves the memory efficiency in
   the collector and reduces the network bandwidth requirement between
   the Exporter and the Collector.
   As an example, in the case of
   IN_BYTES, on an access router it might be sufficient to use a 32
   bit counter (N = 4), whilst on a core router a 64 bit counter (N =
   8) would be required.

   All counters and counter-like objects are unsigned integers of
   size N * 8 bits.

9. The Collector Side

   The Collector receives Template Records from the Exporter, normally
   before receiving Flow Data Records (or Options Data Records). The
   Flow Data Records (or Options Data Records) can then be decoded and
   stored locally on the devices. If the Template Records have not
   been received at the time Flow Data Records (or Options Data
   Records) are received, the Collector SHOULD store the Flow Data
   Records (or Options Data Records) and decode them after the
   Template Records are received. A Collector device MUST NOT assume
   that the Data FlowSet and the associated Template FlowSet (or
   Options Template FlowSet) are exported in the same Export Packet.

   The Collector MUST NOT assume that one and only one Template
   FlowSet is present in an Export Packet.

   The life of a template at the Collector is limited to a fixed
   refresh timeout. Templates not refreshed from the Exporter within
   the timeout are expired at the Collector. The Collector MUST NOT
   attempt to decode the Flow or Options Data Records with an expired
   Template. At any given time the Collector SHOULD maintain the
   following for all the current Template Records and Options Template
   Records: Exporter, Observation Domain, Template ID, Template
   Definition, Last Received.

   Note that the Observation Domain is identified by the Source ID
   field from the Export Packet.
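   As an added example of the Collector behaviour that Sections 7 and
   9 describe (not code from the draft): a template cache keyed by
   Exporter, Observation Domain (Source ID) and Template ID that
   tracks Last Received, expires templates after a refresh timeout,
   replaces a template outright when a new definition arrives, and
   holds back Data FlowSets that arrive before their template until
   it is learnt. The Export Packets are constructed from the Section
   11 example (Template ID 256, three Flow Records); the Template
   FlowSet layout follows Section 11.2. TemplateCache, process_packet
   and the other names are this example's own assumptions.

```python
"""Collector-side template handling for NetFlow v9 (Sections 7 and 9): templates
are keyed by (Exporter, Observation Domain, Template ID), carry a Last Received
time, expire when not refreshed within the timeout, are replaced outright by a
newer definition, and Data FlowSets that arrive before their template are held
back rather than decoded.  Added example, not code from the draft; the packets
are constructed from Sections 11.1 to 11.3 of the draft."""
import socket
import struct

HEADER_FMT = "!HHIIII"  # Version, Count, sysUpTime, UNIX Secs, Sequence Number, Source ID
HEADER_LEN = struct.calcsize(HEADER_FMT)


class TemplateCache:
    def __init__(self, timeout):
        self.timeout = timeout  # seconds a template may go unrefreshed
        self.templates = {}     # (exporter, source_id, tid) -> {"fields": [...], "last": t}
        self.pending = []       # (exporter, source_id, tid, payload) waiting for a template

    def learn(self, exporter, source_id, tid, fields, now):
        # A new definition for an existing ID replaces the old one (Section 7).
        self.templates[(exporter, source_id, tid)] = {"fields": fields, "last": now}

    def lookup(self, exporter, source_id, tid, now):
        key = (exporter, source_id, tid)
        entry = self.templates.get(key)
        if entry is None:
            return None
        if now - entry["last"] > self.timeout:  # expired: MUST NOT decode with it
            del self.templates[key]
            return None
        return entry["fields"]


def decode_records(fields, payload):
    """Cut a Data FlowSet payload into records keyed by field type; trailing
    bytes shorter than one record are padding and are accepted (Section 9)."""
    rec_len = sum(flen for _, flen in fields)
    records, pos = [], 0
    while rec_len and len(payload) - pos >= rec_len:
        rec = {}
        for ftype, flen in fields:
            rec[ftype] = int.from_bytes(payload[pos:pos + flen], "big")
            pos += flen
        records.append(rec)
    return records


def flush_pending(cache, now):
    """Decode buffered FlowSets whose template has since been learnt."""
    out, still = [], []
    for exporter, source_id, tid, payload in cache.pending:
        fields = cache.lookup(exporter, source_id, tid, now)
        if fields is None:
            still.append((exporter, source_id, tid, payload))
        else:
            out.extend(decode_records(fields, payload))
    cache.pending = still
    return out


def process_packet(cache, exporter, packet, now):
    """Walk the FlowSets of one Export Packet and return the Flow Data Records it
    yields, including buffered ones unlocked by this packet's templates.
    Options Template FlowSets (ID 1) are ignored in this example."""
    version, _cnt, _up, _secs, _seq, source_id = struct.unpack_from(HEADER_FMT, packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    decoded, pos = [], HEADER_LEN
    while len(packet) - pos >= 4:
        fs_id, length = struct.unpack_from("!HH", packet, pos)
        if length < 4 or pos + length > len(packet):
            raise ValueError("bad FlowSet Length %d" % length)
        body = packet[pos + 4:pos + length]
        if fs_id == 0:  # Template FlowSet: Template ID, Field Count, (type, length)...
            p = 0
            while len(body) - p >= 4:
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("Template %d overruns its FlowSet" % tid)
                fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                cache.learn(exporter, source_id, tid, fields, now)
            decoded.extend(flush_pending(cache, now))
        elif fs_id > 255:  # Data FlowSet
            fields = cache.lookup(exporter, source_id, fs_id, now)
            if fields is None:
                cache.pending.append((exporter, source_id, fs_id, body))
            else:
                decoded.extend(decode_records(fields, body))
        pos += length
    return decoded


# Section 11.2: Template 256 = IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV4_NEXT_HOP, IN_PKTS, IN_BYTES
TEMPLATE_FLOWSET = struct.pack("!14H", 0, 28, 256, 5, 8, 4, 12, 4, 15, 4, 2, 4, 1, 4)
FLOWS = [("198.168.1.12", "10.5.12.254", "192.168.1.1", 5009, 5344385),  # Section 11.3
         ("192.168.1.27", "10.5.12.23", "192.168.1.1", 748, 388934),
         ("192.168.1.56", "10.5.12.65", "192.168.1.1", 5, 6534)]
DATA_FLOWSET = struct.pack("!HH", 256, 64) + b"".join(
    socket.inet_aton(s) + socket.inet_aton(d) + socket.inet_aton(n) + struct.pack("!II", p, b)
    for s, d, n, p, b in FLOWS)


def demo():
    """Constructed sequence: data before its template, then the template, then
    the same data again after the template has gone unrefreshed too long."""
    cache = TemplateCache(timeout=1800)
    first = process_packet(cache, "exporter-a", struct.pack(HEADER_FMT, 9, 3, 0, 0, 1, 1) + DATA_FLOWSET, 1000)
    second = process_packet(cache, "exporter-a", struct.pack(HEADER_FMT, 9, 1, 0, 0, 2, 1) + TEMPLATE_FLOWSET, 1010)
    third = process_packet(cache, "exporter-a", struct.pack(HEADER_FMT, 9, 3, 0, 0, 3, 1) + DATA_FLOWSET, 1010 + 1801)
    return {"first": first, "second": second, "third": third,
            "pending": len(cache.pending), "templates": len(cache.templates)}
```

   Running demo() shows the three states the text calls for: the
   first Data FlowSet is buffered because no template is known, the
   Template FlowSet in the next packet both registers Template 256
   and drains the buffer into three records, and after the refresh
   timeout the same Data FlowSet is buffered again rather than decoded
   with an expired template. A production Collector would also bound
   the size of the pending buffer, since unknown FlowSets otherwise
   accumulate until a template arrives.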
   In the event of a clock configuration change on the Exporter, the
   Collector SHOULD discard all Template Records and Options Template
   Records associated with that Exporter, in order for the Collector to
   learn the new set of fields: Exporter, Observation Domain, Template
   ID, Template Definition, Last Received.

   Template IDs are unique per Exporter and per Observation Domain.

   If the Collector receives a new Template Record (for example, in
   the case of an Exporter restart) it MUST immediately override the
   existing Template Record.

   Finally, note that the Collector MUST accept padding in the Data
   FlowSet and Options Template FlowSet, which means for the Flow Data
   Records, the Options Data Records and the Template Records.
   Refer to the terminology summary table in Section 2.1.

10. Security Considerations

   The NetFlow version 9 protocol was designed with the expectation
   that the Exporter and Collector would remain within a single
   private network. However the NetFlow version 9 protocol might be
   used to transport Flow Records over the public Internet which
   exposes the Flow Records to a number of security risks. For example
   an attacker might capture, modify or insert Export Packets. There
   is therefore a risk that IP Flow information might be captured or
   forged, or that attacks might be directed at the NetFlow Collector.

   The designers of NetFlow Version 9 did not impose any
   confidentiality, integrity or authentication requirements on the
   protocol because this reduced the efficiency of the implementation
   and it was believed at the time that the majority of deployments
   would confine the Flow Records to private networks, with the
   Collector(s) and Exporter(s) in close proximity.
   The IPFIX protocol (IP Flow Information eXport), which has chosen
   the NetFlow version 9 protocol as the base protocol, addresses the
   security considerations discussed in this section. See the security
   section of the IPFIX requirements draft [IPFIX-REQ] for more
   information.

10.1 Disclosure of Flow Information Data

   Because the NetFlow Version 9 Export Packets are not encrypted, the
   observation of Flow Records can give an attacker information about
   the active flows in the network, communication endpoints and
   traffic patterns. This information can be used both to spy on user
   behavior and to plan and conceal future attacks.

   The information that an attacker could derive from the interception
   of Flow Records depends on the Flow definition. For example, a Flow
   Record containing the source and destination IP addresses might
   reveal privacy sensitive information regarding the end user's
   activities, whilst a Flow Record only containing the source and
   destination IP network would be less revealing.

10.2 Forgery of Flow Records or Template Records

   If Flow Records are used in accounting and/or security
   applications, there may be a strong incentive to forge exported
   Flow Records (for example to defraud the service provider, or to
   prevent the detection of an attack). This can be done either by
   altering the Flow Records on the path between the Observer and the
   Collector, or by injecting forged Flow Records that pretend to be
   originated by the Exporter.

   An attacker could forge Templates and/or Options Templates and
   thereby try to confuse the NetFlow Collector, rendering it unable
   to decode the Export Packets.

10.3 Attacks on the NetFlow Collector

   Denial of service attacks on the NetFlow Collector can consume so
   many resources from the machine that the Collector is unable to
   capture or decode some NetFlow Export Packets.
   Such hazards are not
   explicitly addressed by the NetFlow Version 9 protocol, although
   the normal methods used to protect a server from a DoS attack will
   mitigate the problem.

11. Examples

   Let us consider the example of an Export Packet composed of a
   Template FlowSet, a Data FlowSet (which contains three Flow Data
   Records), an Options Template FlowSet, and a Data FlowSet (which
   contains two Options Data Records).

   Export Packet:

   +--------+---------------------------------------------. . .
   |        | +--------------+ +-----------------------+
   | Packet | |   Template   | |         Data          |
   | Header | |   FlowSet    | |       FlowSet         | . . .
   |        | | (1 Template) | | (3 Flow Data Records) |
   |        | +--------------+ +-----------------------+
   +--------+---------------------------------------------. . .

   . . .+-------------------------------------------------+
        +------------------+ +--------------------------+ |
        |     Options      | |          Data            | |
   . . .| Template FlowSet | |        FlowSet           | |
        |   (1 Template)   | | (2 Options Data Records) | |
        +------------------+ +--------------------------+ |
   . . .--------------------------------------------------+

11.1 Packet Header Example

   The Packet Header is composed of:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Version = 9          |           Count = 7           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           sysUpTime                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           UNIX Secs                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Source ID                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11.2 Template FlowSet Example

   We want to report the following Field Types:
   - The source IP address (IPv4), so the length is 4
   - The destination IP address (IPv4), so the length is 4
   - The next-hop IP address (IPv4), so the length is 4
   - The number of bytes of the Flow
   - The number of packets of the Flow

   Therefore, the Template FlowSet is composed of the following:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 0         |       Length = 28 bytes       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Template ID 256        |        Field Count = 5        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        IP_SRC_ADDR = 8        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       IP_DST_ADDR = 12        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       IP_NEXT_HOP = 15        |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          IN_PKTS = 2          |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         IN_BYTES = 1          |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11.3 Data FlowSet Example

   In this example, we report the following three Flow Records:

   Src IP addr.  | Dst IP addr. | Next Hop addr. | Packet | Bytes
                 |              |                | Number | Number
   ---------------------------------------------------------------
   198.168.1.12  | 10.5.12.254  | 192.168.1.1    | 5009   | 5344385
   192.168.1.27  | 10.5.12.23   | 192.168.1.1    | 748    | 388934
   192.168.1.56  | 10.5.12.65   | 192.168.1.1    | 5      | 6534

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 256        |          Length = 64          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         198.168.1.12                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.254                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             5009                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            5344385                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         192.168.1.27                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.23                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              748                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            388934                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         192.168.1.56                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          10.5.12.65                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          192.168.1.1                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               5                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             6534                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Note that padding was not necessary in this example.

11.4 Options Template FlowSet Example

   Per line card (the Exporter is composed of two line cards), we want
   to report the following Field Types:
   - Total number of Export Packets
   - Total number of exported Flows

   The format of the Options Template FlowSet is as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        FlowSet ID = 1         |          Length = 24          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Template ID 257        |    Option Scope Length = 4    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Option Length = 8       |    Scope 1 Field Type = 3     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Scope 1 Field Length = 2    |   TOTAL_EXP_PKTS_SENT = 41    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |     TOTAL_FLOWS_EXP = 42      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |            Padding            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

11.5 Data FlowSet with Options Data Records Example

   In this example, we report the following two records:

   Line Card ID | Export Packet | Export Flow
   -----------------------------------------
   Line Card 1  | 345           | 10201
   Line Card 2  | 690           | 20402

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       FlowSet ID = 257        |          Length = 16          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |               1               |              345              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             10201             |               2               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              690              |             20402             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

12. References

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", RFC 2119, March 1997

   [RFC768]    Postel, J., "User Datagram Protocol", RFC 768,
               August 1980

   [RFC793]    "TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM
               PROTOCOL SPECIFICATION", RFC 793, September 1981

   [RFC2960]   Stewart, R. et al., "Stream Control Transmission
               Protocol", RFC 2960, October 2000

   [RFC2401]   Kent, S., Atkinson, R., "Security Architecture for the
               Internet Protocol", RFC 2401, November 1998

   [IPFIX-REQ] Quittek, J., Zseby, T., Claise, B., Zander, S.,
               "Requirements for IP Flow Information Export",
               draft-ietf-ipfix-reqs-15.txt, January 2004

13. Authors

   This document was jointly written by Vamsidhar Valluri, Martin
   Djernaes,  Ganesh Sadasivan, and Benoit Claise.

14. Acknowledgments

   I would like to thank Pritam Shah, Paul Kohler, Dmitri Bouianovski
   and Stewart Bryant for their valuable technical feedback.

Authors' Addresses

   Benoit Claise
   Cisco Systems
   De Kleetlaan 6a b1
   1831 Diegem
   Belgium
   Phone: +32 2 704 5622
   E-mail: bclaise@cisco.com

   Ganesh Sadasivan
   Cisco Systems, Inc.
   3750 Cisco Way
   San Jose, CA 95134
   USA
   Phone: +1 408 527-0251
   E-mail: gsadasiv@cisco.com

   Vamsi Valluri
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   San Jose, CA 95035
   USA
   Phone: +1 408 525-1835
   E-mail: vvalluri@cisco.com

   Martin Djernaes
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   San Jose, CA 95035
   USA
   Phone: +1 408 853-1676
   E-mail: djernaes@cisco.com