idnits 2.17.1 draft-ietf-ipfix-info-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1.a on line 21. -- Found old boilerplate from RFC 3978, Section 5.5 on line 4811. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 4788. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 4795. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 4801. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 12 instances of too long lines in the document, the longest one being 5 characters in excess of 72. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 280: '...future extension MUST have the followi...' RFC 2119 keyword, line 300: '...rmation Elements MUST have the followi...' RFC 2119 keyword, line 311: '...cific identifier MUST be made globally...' RFC 2119 keyword, line 318: '...future extension MAY have the followin...' RFC 2119 keyword, line 556: '...rise identifiers MUST be registered as...' (16 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 942 has weird spacing: '...tets in packe...' == Line 4091 has weird spacing: '...tets in packe...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 30, 2005) is 6868 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-ipfix-architecture' is defined on line 2323, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-ipfix-as' is defined on line 2329, but no explicit reference was found in the text == Unused Reference: 'IEEE.802-11.1999' is defined on line 2339, but no explicit reference was found in the text == Unused Reference: 'IEEE.802-3.2002' is defined on line 2348, but no explicit reference was found in the text == Unused Reference: 'IEEE.P802-1Q.2003' is defined on line 2356, but no explicit reference was found in the text == Unused Reference: 'RFC0768' is defined on line 2372, but no explicit reference was found in the text == Unused Reference: 'RFC0791' is defined on line 2375, but no explicit reference was found in the text == Unused Reference: 'RFC0792' is defined on line 2378, but no explicit reference was found in the text == Unused Reference: 'RFC0793' is defined on line 2381, but no explicit reference was found in the text == Unused Reference: 'RFC1771' is defined on line 2384, but no explicit reference was found in the text == Unused Reference: 'RFC1930' is defined on line 2387, but no explicit reference was found in the text == Unused Reference: 'RFC2236' is defined on line 2391, but no explicit reference was found in the text == Unused Reference: 'RFC2402' is defined on line 2394, but no explicit reference was found in the text == Unused Reference: 'RFC2406' is defined on line 2397, but no explicit reference was found in the text == Unused Reference: 'RFC2460' is defined on line 2400, but no explicit reference was found in the text == Unused Reference: 'RFC2463' is defined on line 2403, but no explicit reference was found in the text == Unused Reference: 'RFC2547' is defined on line 2407, but no explicit reference was found in the text == Unused Reference: 'RFC2629' is defined on line 2410, but no explicit reference was found in the text == Unused Reference: 'RFC2863' is defined on line 2413, but no explicit reference was found in the text == Unused Reference: 'RFC2960' is defined on line 2416, but no explicit reference was found in the text == Unused Reference: 'RFC3031' is defined on line 2421, but no explicit reference was found in the text == Unused Reference: 'RFC3032' is defined on line 2424, but no explicit reference was found in the text == Unused Reference: 'RFC3036' is defined on line 2428, but no explicit reference was found in the text == Unused Reference: 'RFC3667' is defined on line 2434, but no explicit reference was found in the text == Unused Reference: 'RFC3668' is defined on line 2437, but no explicit reference was found in the text == Unused Reference: 'RFC3917' is defined on line 2440, but no explicit reference was found in the text == Outdated reference: A later version (-26) exists of draft-ietf-ipfix-protocol-12 == Outdated reference: A later version (-12) exists of draft-ietf-ipfix-architecture-07 == Outdated reference: A later version (-12) exists of draft-ietf-ipfix-as-04 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 1771 (Obsoleted by RFC 4271) -- Obsolete informational reference (is this intentional?): RFC 2402 (Obsoleted by RFC 4302, RFC 4305) -- Obsolete informational reference (is this intentional?): RFC 2406 (Obsoleted by RFC 4303, RFC 4305) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 2463 (Obsoleted by RFC 4443) -- Obsolete informational reference (is this intentional?): RFC 2547 (Obsoleted by RFC 4364) -- Obsolete informational reference (is this intentional?): RFC 2629 (Obsoleted by RFC 7749) -- Obsolete informational reference (is this intentional?): RFC 2960 (Obsoleted by RFC 4960) -- Obsolete informational reference (is this intentional?): RFC 3036 (Obsoleted by RFC 5036) -- Obsolete informational reference (is this intentional?): RFC 3667 (Obsoleted by RFC 3978) -- Obsolete informational reference (is this intentional?): RFC 3668 (Obsoleted by RFC 3979) Summary: 7 errors (**), 0 flaws (~~), 33 warnings (==), 19 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Quittek 3 Internet-Draft NEC 4 Expires: November 28, 2005 S. Bryant 5 B. Claise 6 Cisco Systems 7 J. Meyer 8 PayPal 9 May 30, 2005 11 Information Model for IP Flow Information Export 12 draft-ietf-ipfix-info-07 14 Status of this Memo 16 This document is an Internet-Draft and is subject to all provisions 17 of section 3 of RFC 3667. By submitting this Internet-Draft, each 18 author represents that any applicable patent or other IPR claims of 19 which he or she is aware have been or will be disclosed, and any of 20 which he or she becomes aware will be disclosed, in accordance with 21 Section 6 of BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as 26 Internet-Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on November 28, 2005. 41 Copyright Notice 43 Copyright (C) The Internet Society (2005). 45 Abstract 47 This memo defines an information model for the IP Flow Information 48 eXport (IPFIX) protocol. It is used by the IPFIX protocol for 49 encoding measured traffic information and information related to the 50 traffic Observation Point, the traffic Metering Process and the 51 Exporting Process. Although developed for the IPFIX protocol, the 52 model is defined in an open way that easily allows using it in other 53 protocols, interfaces, and applications. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 6 58 2. Properties of IPFIX Protocol Information Elements . . . . . 7 59 2.1 Information Elements Specification Template . . . . . . . 7 60 2.2 Scope of Information Elements . . . . . . . . . . . . . . 8 61 2.3 Naming Conventions for Information Elements . . . . . . . 8 62 3. Type Space . . . . . . . . . . . . . . . . . . . . . . . . . 10 63 3.1 Data Types . . . . . . . . . . . . . . . . . . . . . . . . 10 64 3.1.1 octet . . . . . . . . . . . . . . . . . . . . . . . . 10 65 3.1.2 unsigned16 . . . . . . . . . . . . . . . . . . . . . . 10 66 3.1.3 unsigned32 . . . . . . . . . . . . . . . . . . . . . . 10 67 3.1.4 unsigned64 . . . . . . . . . . . . . . . . . . . . . . 10 68 3.1.5 float32 . . . . . . . . . . . . . . . . . . . . . . . 10 69 3.1.6 boolean . . . . . . . . . . . . . . . . . . . . . . . 10 70 3.1.7 macAddress . . . . . . . . . . . . . . . . . . . . . . 11 71 3.1.8 octetArray . . . . . . . . . . . . . . . . . . . . . . 11 72 3.1.9 string . . . . . . . . . . . . . . . . . . . . . . . . 11 73 3.1.10 dateTimeSeconds . . . . . . . . . . . . . . . . . . 11 74 3.1.11 dateTimeMilliSeconds . . . . . . . . . . . . . . . . 11 75 3.1.12 dateTimeMicroSeconds . . . . . . . . . . . . . . . . 11 76 3.1.13 dateTimeNanoSeconds . . . . . . . . . . . . . . . . 11 77 3.1.14 ipv4Address . . . . . . . . . . . . . . . . . . . . 11 78 3.1.15 ipv6Address . . . . . . . . . . . . . . . . . . . . 11 79 3.2 Data Type Semantics . . . . . . . . . . . . . . . . . . . 12 80 3.2.1 quantity . . . . . . . . . . . . . . . . . . . . . . . 12 81 3.2.2 totalCounter . . . . . . . . . . . . . . . . . . . . . 12 82 3.2.3 deltaCounter . . . . . . . . . . . . . . . . . . . . . 12 83 3.2.4 identifier . . . . . . . . . . . . . . . . . . . . . . 12 84 3.2.5 flags . . . . . . . . . . . . . . . . . . . . . . . . 12 85 4. Information Element Identifiers . . . . . . . . . . . . . . 13 86 5. Information Elements . . . . . . . . . . . . . . . . . . . . 16 87 5.1 Identifiers . . . . . . . . . . . . . . . . . . . . . . . 16 88 5.1.1 lineCardId . . . . . . . . . . . . . . . . . . . . . . 17 89 5.1.2 portId . . . . . . . . . . . . . . . . . . . . . . . . 17 90 5.1.3 ingressInterface . . . . . . . . . . . . . . . . . . . 17 91 5.1.4 egressInterface . . . . . . . . . . . . . . . . . . . 17 92 5.1.5 meteringProcessId . . . . . . . . . . . . . . . . . . 18 93 5.1.6 exportingProcessId . . . . . . . . . . . . . . . . . . 18 94 5.1.7 flowId . . . . . . . . . . . . . . . . . . . . . . . . 18 95 5.1.8 templateId . . . . . . . . . . . . . . . . . . . . . . 18 96 5.1.9 sourceId . . . . . . . . . . . . . . . . . . . . . . . 19 97 5.2 Metering and Exporting Process Properties . . . . . . . . 19 98 5.2.1 exporterIPv4Address . . . . . . . . . . . . . . . . . 19 99 5.2.2 exporterIPv6Address . . . . . . . . . . . . . . . . . 20 100 5.2.3 exportedMessageTotalCount . . . . . . . . . . . . . . 20 101 5.2.4 exportedOctetTotalCount . . . . . . . . . . . . . . . 20 102 5.2.5 exportedFlowTotalCount . . . . . . . . . . . . . . . . 20 103 5.2.6 observedFlowTotalCount . . . . . . . . . . . . . . . . 21 104 5.2.7 ignoredPacketTotalCount . . . . . . . . . . . . . . . 21 105 5.2.8 ignoredOctetTotalCount . . . . . . . . . . . . . . . . 21 106 5.2.9 notSentFlowTotalCount . . . . . . . . . . . . . . . . 21 107 5.2.10 notSentPacketTotalCount . . . . . . . . . . . . . . 22 108 5.2.11 notSentOctetTotalCount . . . . . . . . . . . . . . . 22 109 5.2.12 flowKeyIndicator . . . . . . . . . . . . . . . . . . 22 110 5.3 IP Header Fields . . . . . . . . . . . . . . . . . . . . . 23 111 5.3.1 ipVersion . . . . . . . . . . . . . . . . . . . . . . 23 112 5.3.2 sourceIPv4Address . . . . . . . . . . . . . . . . . . 24 113 5.3.3 sourceIPv6Address . . . . . . . . . . . . . . . . . . 24 114 5.3.4 sourceIPv4Mask . . . . . . . . . . . . . . . . . . . . 24 115 5.3.5 sourceIPv6Mask . . . . . . . . . . . . . . . . . . . . 24 116 5.3.6 sourceIPv4Prefix . . . . . . . . . . . . . . . . . . . 24 117 5.3.7 sourceIPv6Prefix . . . . . . . . . . . . . . . . . . . 25 118 5.3.8 destinationIPv4Address . . . . . . . . . . . . . . . . 25 119 5.3.9 destinationIPv6Address . . . . . . . . . . . . . . . . 25 120 5.3.10 destinationIPv4Mask . . . . . . . . . . . . . . . . 25 121 5.3.11 destinationIPv6Mask . . . . . . . . . . . . . . . . 25 122 5.3.12 destinationIPv4Prefix . . . . . . . . . . . . . . . 26 123 5.3.13 destinationIPv6Prefix . . . . . . . . . . . . . . . 26 124 5.3.14 classOfServiceIPv4 . . . . . . . . . . . . . . . . . 26 125 5.3.15 classOfServiceIPv6 . . . . . . . . . . . . . . . . . 26 126 5.3.16 postClassOfServiceIPv4 . . . . . . . . . . . . . . . 27 127 5.3.17 postClassOfServiceIPv6 . . . . . . . . . . . . . . . 27 128 5.3.18 flowLabelIPv6 . . . . . . . . . . . . . . . . . . . 27 129 5.3.19 identificationIPv4 . . . . . . . . . . . . . . . . . 27 130 5.3.20 protocolIdentifier . . . . . . . . . . . . . . . . . 28 131 5.3.21 fragmentOffsetIPv4 . . . . . . . . . . . . . . . . . 28 132 5.4 Transport Header Fields . . . . . . . . . . . . . . . . . 28 133 5.4.1 sourceTransportPort . . . . . . . . . . . . . . . . . 29 134 5.4.2 destinationTransportPort . . . . . . . . . . . . . . . 29 135 5.4.3 icmpTypeCodeIPv4 . . . . . . . . . . . . . . . . . . . 29 136 5.4.4 icmpTypeCodeIPv6 . . . . . . . . . . . . . . . . . . . 30 137 5.4.5 igmpType . . . . . . . . . . . . . . . . . . . . . . . 30 138 5.5 Sub-IP Header Fields . . . . . . . . . . . . . . . . . . . 30 139 5.5.1 sourceMacAddress . . . . . . . . . . . . . . . . . . . 31 140 5.5.2 postDestinationMacAddr . . . . . . . . . . . . . . . . 31 141 5.5.3 vlanId . . . . . . . . . . . . . . . . . . . . . . . . 31 142 5.5.4 postVlanId . . . . . . . . . . . . . . . . . . . . . . 31 143 5.5.5 destinationMacAddress . . . . . . . . . . . . . . . . 31 144 5.5.6 postSourceMacAddress . . . . . . . . . . . . . . . . . 32 145 5.5.7 wlanChannelId . . . . . . . . . . . . . . . . . . . . 32 146 5.5.8 wlanSsid . . . . . . . . . . . . . . . . . . . . . . . 32 147 5.5.9 mplsLabelStackEntry1 . . . . . . . . . . . . . . . . . 32 148 5.5.10 mplsLabelStackEntry2 . . . . . . . . . . . . . . . . 33 149 5.5.11 mplsLabelStackEntry3 . . . . . . . . . . . . . . . . 33 150 5.5.12 mplsLabelStackEntry4 . . . . . . . . . . . . . . . . 33 151 5.5.13 mplsLabelStackEntry5 . . . . . . . . . . . . . . . . 34 152 5.5.14 mplsLabelStackEntry6 . . . . . . . . . . . . . . . . 34 153 5.5.15 mplsLabelStackEntry7 . . . . . . . . . . . . . . . . 34 154 5.5.16 mplsLabelStackEntry8 . . . . . . . . . . . . . . . . 34 155 5.5.17 mplsLabelStackEntry9 . . . . . . . . . . . . . . . . 35 156 5.5.18 mplsLabelStackEntry10 . . . . . . . . . . . . . . . 35 157 5.6 Derived Packet Properties . . . . . . . . . . . . . . . . 35 158 5.6.1 ipNextHopIPv4Address . . . . . . . . . . . . . . . . . 36 159 5.6.2 ipNextHopIPv6Address . . . . . . . . . . . . . . . . . 36 160 5.6.3 bgpSourceAsNumber . . . . . . . . . . . . . . . . . . 36 161 5.6.4 bgpDestinationAsNumber . . . . . . . . . . . . . . . . 36 162 5.6.5 bgpNextAdjacentAsNumber . . . . . . . . . . . . . . . 37 163 5.6.6 bgpPrevAdjacentAsNumber . . . . . . . . . . . . . . . 37 164 5.6.7 bgpNextHopIPv4Address . . . . . . . . . . . . . . . . 38 165 5.6.8 bgpNextHopIPv6Address . . . . . . . . . . . . . . . . 38 166 5.6.9 mplsTopLabelType . . . . . . . . . . . . . . . . . . . 38 167 5.6.10 mplsTopLabelIPv4Address . . . . . . . . . . . . . . 38 168 5.6.11 mplsTopLabelIPv6Address . . . . . . . . . . . . . . 39 169 5.7 Min/Max Flow Properties . . . . . . . . . . . . . . . . . 39 170 5.7.1 minimumPacketLength . . . . . . . . . . . . . . . . . 39 171 5.7.2 maximumPacketLength . . . . . . . . . . . . . . . . . 39 172 5.7.3 minimumTtl . . . . . . . . . . . . . . . . . . . . . . 40 173 5.7.4 maximumTtl . . . . . . . . . . . . . . . . . . . . . . 40 174 5.7.5 ipv6OptionHeaders . . . . . . . . . . . . . . . . . . 40 175 5.7.6 tcpControlBits . . . . . . . . . . . . . . . . . . . . 41 176 5.8 Flow Time Stamps . . . . . . . . . . . . . . . . . . . . . 41 177 5.8.1 flowStartSeconds . . . . . . . . . . . . . . . . . . . 42 178 5.8.2 flowEndSeconds . . . . . . . . . . . . . . . . . . . . 42 179 5.8.3 flowStartMilliSeconds . . . . . . . . . . . . . . . . 42 180 5.8.4 flowEndMilliSeconds . . . . . . . . . . . . . . . . . 43 181 5.8.5 flowStartMicroSeconds . . . . . . . . . . . . . . . . 43 182 5.8.6 flowEndMicroSeconds . . . . . . . . . . . . . . . . . 43 183 5.8.7 flowStartNanoSeconds . . . . . . . . . . . . . . . . . 43 184 5.8.8 flowEndNanoSeconds . . . . . . . . . . . . . . . . . . 43 185 5.8.9 flowStartDeltaMicroSeconds . . . . . . . . . . . . . . 44 186 5.8.10 flowEndDeltaMicroSeconds . . . . . . . . . . . . . . 44 187 5.8.11 systemInitTimeMilliSeconds . . . . . . . . . . . . . 44 188 5.8.12 flowStartSysUpTime . . . . . . . . . . . . . . . . . 44 189 5.8.13 flowEndSysUpTime . . . . . . . . . . . . . . . . . . 44 190 5.9 Per-Flow Counters . . . . . . . . . . . . . . . . . . . . 45 191 5.9.1 octetDeltaCount . . . . . . . . . . . . . . . . . . . 45 192 5.9.2 postOctetDeltaCount . . . . . . . . . . . . . . . . . 46 193 5.9.3 octetTotalCount . . . . . . . . . . . . . . . . . . . 46 194 5.9.4 postOctetTotalCount . . . . . . . . . . . . . . . . . 46 195 5.9.5 packetDeltaCount . . . . . . . . . . . . . . . . . . . 46 196 5.9.6 postPacketDeltaCount . . . . . . . . . . . . . . . . . 47 197 5.9.7 packetTotalCount . . . . . . . . . . . . . . . . . . . 47 198 5.9.8 postPacketTotalCount . . . . . . . . . . . . . . . . . 47 199 5.9.9 droppedOctetDeltaCount . . . . . . . . . . . . . . . . 47 200 5.9.10 droppedPacketDeltaCount . . . . . . . . . . . . . . 48 201 5.9.11 droppedOctetTotalCount . . . . . . . . . . . . . . . 48 202 5.9.12 droppedPacketTotalCount . . . . . . . . . . . . . . 48 203 5.9.13 postMulticastPacketCount . . . . . . . . . . . . . . 49 204 5.9.14 postMulticastOctetCount . . . . . . . . . . . . . . 49 205 5.10 Miscellaneous Flow Properties . . . . . . . . . . . . . 49 206 5.10.1 flowActiveTimeOut . . . . . . . . . . . . . . . . . 49 207 5.10.2 flowInactiveTimeout . . . . . . . . . . . . . . . . 50 208 5.10.3 flowEndReason . . . . . . . . . . . . . . . . . . . 50 209 5.10.4 flowDurationMilliSeconds . . . . . . . . . . . . . . 50 210 5.10.5 flowDurationMicroSeconds . . . . . . . . . . . . . . 50 211 6. Extending the Information Model . . . . . . . . . . . . . . 51 212 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 52 213 8. Security Considerations . . . . . . . . . . . . . . . . . . 53 214 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 54 215 10. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 55 216 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 217 11.1 Normative Reference . . . . . . . . . . . . . . . . . . . 56 218 11.2 Informative Reference . . . . . . . . . . . . . . . . . . 56 219 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 58 220 A. Formal Specification of IPFIX Information Element . . . . . 60 221 B. Formal Specification of Abstract Data Types . . . . . . . . 97 222 Intellectual Property and Copyright Statements . . . . . . . 108 224 1. Introduction 226 The IP Flow Information eXport (IPFIX) protocol serves for 227 transmitting information related to measured IP traffic over the 228 Internet. The protocol specification in [I-D.ietf-ipfix-protocol] 229 defines how Information Elements are transmitted. For Information 230 Elements, it specifies the encoding of a set of basic data types. 231 However, the list of Information Elements that can be transmitted by 232 the protocol, such as flow attributes (source IP address, number of 233 packets, etc.) and information about the Metering and Exporting 234 Process (packet Observation Point, sampling rate, flow timeout 235 interval, etc.), is not specified in [I-D.ietf-ipfix-protocol]. 237 This document complements the IPFIX protocol specification by 238 providing the IPFIX information model. IPFIX-specific terminology 239 used in this document is defined in section 3 of 240 [I-D.ietf-ipfix-protocol]. As in [I-D.ietf-ipfix-protocol], these 241 IPFIX-specific terms have the first letter of a word capitalized when 242 used in this document. 244 The main part of this document is section 5 defining the (extensible) 245 list of Information Elements to be transmitted by the IPFIX protocol. 246 Section 2 defines a template for specifying IPFIX Information 247 Elements in section 4. Section 3 defines the set of abstract data 248 types that are available for IPFIX Information Elements. Section 5 249 discusses extensibility of the IPFIX information model. 251 The main bodies of sections 2, 3 and 4 were generated from XML 252 documents. The XML-based specification of template, abstract data 253 types and IPFIX Information Elements can be used for automatically 254 checking syntactical correctness of the specification of IPFIX 255 Information Elements. It can further be used for generating IPFIX 256 protocol implementation code that deals with processing IPFIX 257 Information Elements. Also code for applications that further 258 process traffic information transmitted via the IPFIX protocol can be 259 generated with the XML specification of IPFIX Information Elements. 261 For that reason, the XML document that served as source for section 4 262 and the XML schema that served as source for sections 2 and 3 are 263 attached to this document in Appendices A and B. 265 Note that although partially generated from the attached XML 266 documents, the main body of this document is normative while the 267 appendices are informational. 269 2. Properties of IPFIX Protocol Information Elements 271 2.1 Information Elements Specification Template 273 Information in messages of the IPFIX protocol is modeled in terms of 274 Information Elements of the IPFIX information model. IPFIX 275 Information Elements are specified in section 4. For specifying 276 these Information Elements, a template is used that is described 277 below. 279 All Information Elements specified for the IPFIX protocol either in 280 this document or by any future extension MUST have the following 281 properties defined: 283 name - A unique and meaningful name for the Information Element. 285 description - The semantics of this Information Element. Describes 286 how this Information Element is derived from the flow or other 287 information available to the observer. 289 dataType - One of the types listed in section 3.1 of this document or 290 in a future extension of the information model. The type space 291 for attributes is constrained to facilitate implementation. The 292 existing type space does however encompass most basic types used 293 in modern programming languages, as well as some derived types 294 (such as ipv4Address) which are common to this domain and useful 295 to distinguish. 297 status - The status of the specification of this Information Element. 298 Allowed values are 'current', 'deprecated', and 'obsolete'. 300 Enterprise-specific Information Elements MUST have the following 301 property defined: 303 enterpriseId - Enterprises may wish to define Information Elements 304 without registering them with IANA, for example for 305 enterprise-internal purposes. For such Information Elements the 306 Information Element identifier described above is not sufficient 307 when the Information Element is used outside the enterprise. If 308 specifications of enterprise-specific Information Elements are 309 made public and/or if enterprise-specific identifiers are used by 310 the IPFIX protocol outside the enterprise, then the 311 enterprise-specific identifier MUST be made globally unique by 312 combining it with an enterprise identifier. Valid values for the 313 enterpriseId are defined by IANA as SMI network management private 314 enterprise codes. They are defined at 315 http://www.iana.org/assignments/enterprise-numbers. 317 All Information Elements specified for the IPFIX protocol either in 318 this document or by any future extension MAY have the following 319 properties defined: 321 dataTypeSemantics - The integral types may be qualified by additional 322 semantic details. Valid values for the data type semantics are 323 specified in section 3.2 of this document or in a future extension 324 of the information model. 326 units - If the Information Element is a measure of some kind, the 327 units identify what the measure is. 329 range - Some Information Elements may only be able to take on a 330 restricted set of values which can be expressed as a range (e.g. 331 0 through 511 inclusive). If this is the case, the valid 332 inclusive range should be specified. 334 reference - Identifies additional specifications which more precisely 335 define this item or provide additional context for its use. 337 2.2 Scope of Information Elements 339 By default, most Information Elements have a scope specified in their 340 definitions. 342 o The Information Elements defined in section 5.2 have a default of 343 "a specific Metering Process" or of "a specific Exporting 344 Process", respectively. 345 o The Information Elements defined in sections 5.3 - 5.9 have a 346 scope of "a specific flow". 348 Within Data Records defined by Option Templates, the IPFIX protocol 349 allows further limiting of the Information Element scope. The new 350 scope is specified by one or more scope fields and defined as the 351 combination of all specified scope values. 353 2.3 Naming Conventions for Information Elements 355 The following naming conventions were used for naming Information 356 Elements in this document. It is recommended that extensions of the 357 model use the same conventions. 359 o Names of Information Elements start with non-capitalized letters. 360 o Composed names use capital letters for the first letter of each 361 component (except for the first one). All other letters are 362 non-capitalized, even for acronyms. Exceptions are made for 363 acronyms containing non-capitalized letter, such as 'IPv4' and 364 'IPv6'. Examples are sourceMacAddress and destinationIPv4Address. 365 o Middleboxes [RFC3234] may change flow properties, such as the DSCP 366 value or the source IP address. There are different Information 367 Elements required for the original values of these properties and 368 for the modified values. As a general rule, it is recommended 369 that names for Information Elements containing the original 370 properties have no specific prefix while names of Information 371 Elements containing the modified properties have the prefix 372 "post", for example, postClassOfServiceIPv4. 374 3. Type Space 376 This section describes the abstract data types that can be used for 377 the specification of IPFIX Information Elements in section 4. 378 Section 3.1 describes the set of data types. 380 Data types octet, unsigned16, unsigned32, and unsigned64 are integral 381 data types. As described in section 3.2, their data type semantics 382 can be further specified, for example, by 'totalCounter', 383 'deltaCounter', 'identifier' or 'flags'. 385 3.1 Data Types 387 This section describes the set of valid data types of the IPFIX 388 information model. Note that further data types may be specified by 389 future protocol extensions. 391 3.1.1 octet 393 The type "octet" represents a non-negative integer value in the range 394 of 0 to 255. 396 3.1.2 unsigned16 398 The type "unsigned16" represents a non-negative integer value in the 399 range of 0 to 65535. 401 3.1.3 unsigned32 403 The type "unsigned32" represents a non-negative integer value in the 404 range of 0 to 4294967295. 406 3.1.4 unsigned64 408 The type "unsigned64" represents a non-negative integer value in the 409 range of 0 to 18446744073709551615. 411 3.1.5 float32 413 The type "float32" corresponds to an IEEE single-precision 32-bit 414 floating point type as defined in [IEEE.754.1985]. 416 3.1.6 boolean 418 The type "boolean" represents a binary value. The only allowed 419 values are "true" and false. 421 3.1.7 macAddress 423 The type "macAddress" represents a string of 6 octets. 425 3.1.8 octetArray 427 The type "octetArray" represents a finite length string of octets. 429 3.1.9 string 431 The type "string" represents a finite length string of valid 432 characters from the Unicode character encoding set 433 [ISO.10646-1.1993]. Unicode allows for ASCII [ISO.646.1991] and many 434 other international character sets to be used. It is expected that 435 strings will be encoded in UTF-8 format, which is identical in 436 encoding for ASCII characters, but also accommodates other Unicode 437 multi-byte characters. 439 3.1.10 dateTimeSeconds 441 The type "dateTimeSeconds" represents a time value having a precision 442 of seconds and normalized to the GMT time zone. 444 3.1.11 dateTimeMilliSeconds 446 The type "dateTimeMilliSeconds" represents a time value having a 447 precision of milliseconds and normalized to the GMT time zone. 449 3.1.12 dateTimeMicroSeconds 451 The type "dateTimeMicroSeconds" represents a time value having a 452 precision of microseconds and normalized to the GMT time zone. 454 3.1.13 dateTimeNanoSeconds 456 The type "dateTimeNanoSeconds" represents a time value having a 457 precision of nanoseconds and normalized to the GMT time zone. 459 3.1.14 ipv4Address 461 The type "ipv4Address" represents a value of an IPv4 address. 463 3.1.15 ipv6Address 465 The type "ipv6Address" represents a value of an IPv6 address. 467 3.2 Data Type Semantics 469 This section describes the set of valid data type semantics of the 470 IPFIX information model. Note that further data type semantics may 471 be specified by future protocol extensions. 473 3.2.1 quantity 475 A quantity value represents a discrete measured value pertaining to 476 the record. This is distinguished from counters which represent an 477 ongoing measured value whose "odometer" reading is captured as part 478 of a given record. If no semantic qualifier is given, the 479 Information Elements that have an integral data type should behave as 480 a quantity. 482 3.2.2 totalCounter 484 An integral value reporting the value of a counter. Basically the 485 same semantics as counters in SNMP. Counters are unsigned and wrap 486 back to zero after reaching the limit of the type. For example, an 487 unsigned64 with counter semantics will continue to increment until 488 reaching the value of 2**64 - 1. At this point the next increment 489 will wrap its value to zero and continue counting from zero. A 490 running counter counts independently of the export of its value. 492 3.2.3 deltaCounter 494 An integral value reporting the value of a counter. Basically the 495 same semantics as counters in SNMP. Counters are unsigned and wrap 496 back to zero after reaching the limit of the type. For example, an 497 unsigned64 with counter semantics will continue to increment until 498 reaching the value of 2**64 - 1. At this point the next increment 499 will wrap its value to zero and continue counting from zero. A delta 500 counter is reset to zero each time its value is exported. 502 3.2.4 identifier 504 An integral value which serves as an identifier. Specifically 505 mathematical operations on two identifiers (aside from the equality 506 operation) are meaningless. For example, Autonomous System ID 1 * 507 Autonomous System ID 2 is meaningless. 509 3.2.5 flags 511 An integral value which actually represents a set of bit fields. 512 Logical operations are appropriate on such values, but not other 513 mathematical operations. Flags should always be of an unsigned type. 515 4. Information Element Identifiers 517 All Information Elements defined in section 5 of this document or in 518 future extensions of the IPFIX information model have their 519 identifiers assigned by IANA. Their identifiers can be retrieved at 520 http://www.iana.org/assignments/ipfix-element-numbers. 522 EDITORIAL NOTE: this URL needs probably to be updated after IANA 523 created a URL for IPFIX Information Elements 525 The value of these identifiers are in the range of 1 - 32767. Within 526 this range, Information Element identifier values in the sub-range of 527 1-127 are compatible with field types used by NetFlow version 9 528 [RFC3954]. 530 +---------------------------------+---------------------------------+ 531 | Range of IANA-assigned | Description | 532 | Information Element identifiers | | 533 +---------------------------------+---------------------------------+ 534 | 0 | Reserved. | 535 | | | 536 | 1 - 127 | Information Element identifiers | 537 | | compatible with NetFlow version | 538 | | 9 field types [RFC3954]. | 539 | | | 540 | 128 - 32767 | Further Information Element | 541 | | identifiers. | 542 +---------------------------------+---------------------------------+ 544 Enterprise-specific Information Element identifiers have the same 545 range of 1-32767, but they are coupled with an additional enterprise 546 identifier. 548 Enterprise-specific identifiers can be chosen by an enterprise 549 arbitrarily within the range of 1-32767. The same identifier may be 550 assigned by other enterprises for different purposes. 552 Still, Collecting Processes can distinguish these Information 553 Elements because the Information Element identifier is coupled with 554 an enterprise identifier. 556 Enterprise identifiers MUST be registered as SMI network management 557 private enterprise code numbers with IANA. The registry can be found 558 at http://www.iana.org/assignments/enterprise-numbers. 560 The following list gives an overview of the Information Element 561 identifiers that are specified in section 5 and are not compatible 562 with field types used by NetFlow version 9 [RFC3954] 563 +-------+-------------------------+-------+-------------------------+ 564 | ID | Name | ID | Name | 565 +-------+-------------------------+-------+-------------------------+ 566 | 1 | octetDeltaCount | 43 | RESERVED | 567 | 2 | packetDeltaCount | 44 | sourceIPv4Prefix | 568 | 3 | observedFlowTotalCount | 45 | destinationIPv4Prefix | 569 | 4 | protocolIdentifier | 46 | mplsTopLabelType | 570 | 5 | classOfServiceIPv4 | 47 | mplsTopLabelIPv4Address | 571 | 6 | tcpControlBits | 48-51 | RESERVED | 572 | 7 | sourceTransportPort | 52 | minimumTtl | 573 | 8 | sourceIPv4Address | 53 | maximumTtl | 574 | 9 | sourceIPv4Mask | 54 | identificationIPv4 | 575 | 10 | ingressInterface | 55 | postClassOfServiceIPv4 | 576 | 11 | destinationTransportPort| 56 | sourceMacAddress | 577 | 12 | destinationIPv4Address | 57 | postDestinationMacAddr | 578 | 13 | destinationIPv4Mask | 58 | vlanID | 579 | 14 | egressInterface | 59 | postVlanId | 580 | 15 | ipNextHopIPv4Address | 60 | ipVersion | 581 | 16 | bgpSourceAsNumber | 61 | RESERVED | 582 | 17 | bgpDestinationAsNumber | 62 | ipNextHopIPv6Address | 583 | 18 | bgpNexthopIPv4Address | 63 | bgpNexthopIPv6Address | 584 | 19 | postMulticastPacketCount| 64 | ipv6OptionHeaders | 585 | 20 | postMulticastOctetCount | 65-69 | RESERVED | 586 | 21 | flowEndSysUpTime | 70 | mplsLabelStackEntry1 | 587 | 22 | flowStartSysUpTime | 71 | mplsLabelStackEntry2 | 588 | 23 | postOctetDeltaCount | 72 | mplsLabelStackEntry3 | 589 | 24 | postPacketDeltaCount | 73 | mplsLabelStackEntry4 | 590 | 25 | minimumPacketLength | 74 | mplsLabelStackEntry5 | 591 | 26 | maximumPacketLength | 75 | mplsLabelStackEntry6 | 592 | 27 | sourceIPv6Address | 76 | mplsLabelStackEntry7 | 593 | 28 | destinationIPv6Address | 77 | mplsLabelStackEntry8 | 594 | 29 | sourceIPv6Mask | 78 | mplsLabelStackEntry9 | 595 | 30 | destinationIPv6Mask | 79 | mplsLabelStackEntry10 | 596 | 31 | flowLabelIPv6 | 80 | destinationMacAddress | 597 | 32 | icmpTypeCodeIPv4 | 81 | postSourceMacAddress | 598 | 33 | igmpType | 82-84 | RESERVED | 599 | 34-35 | RESERVED | 85 | octetTotalCount | 600 | 36 | flowActiveTimeOut | 86 | packetTotalCount | 601 | 37 | flowInactiveTimeout | 87 | RESERVED | 602 | 38-39 | RESERVED | 88 | fragmentOffsetIPv4 | 603 | 40 | exportedOctetTotalCount |89-127 | RESERVED | 604 | 41 | exportedMessageTotalCount| | | 605 | 42 | exportedFlowTotalCount | | | 606 +-------+-------------------------+-------+-------------------------+ 608 The following list gives an overview of the Information Element 609 identifiers that are specified in section 5 and extend the list of 610 Information Element identifiers specified already in [RFC3954]. 612 +-----+---------------------------+-----+---------------------------+ 613 | ID | Name | ID | Name | 614 +-----+---------------------------+-----+---------------------------+ 615 | 128 | bgpNextAdjacentAsNumber | 150 | flowStartSeconds | 616 | 129 | bgpPrevAdjacentAsNumber | 151 | flowEndSeconds | 617 | 130 | exporterIPv4Address | 152 | flowStartMilliSeconds | 618 | 131 | exporterIPv6Address | 153 | flowEndMilliSeconds | 619 | 132 | droppedOctetDeltaCount | 154 | flowStartMicroSeconds | 620 | 133 | droppedPacketDeltaCount | 155 | flowEndMicroSeconds | 621 | 134 | droppedOctetTotalCount | 156 | flowStartNanoSeconds | 622 | 135 | droppedPacketTotalCount | 157 | flowEndNanoSeconds | 623 | 136 | flowEndReason | 158 | flowStartDeltaMicroSeconds| 624 | 137 | classOfServiceIPv6 | 159 | flowEndDeltaMicroSeconds | 625 | 138 | postClassOfServiceIPv6 | 160 | systemInitTimeMilliSeconds| 626 | 139 | icmpTypeCodeIPv6 | 161 | flowDurationMilliSeconds | 627 | 140 | mplsTopLabelIPv6Address | 162 | flowDurationMicroSeconds | 628 | 141 | lineCardId | 163 | ignoredPacketTotalCount | 629 | 142 | portId | 164 | ignoredOctetTotalCount | 630 | 143 | meteringProcessId | 165 | notSentFLowTotalCount | 631 | 144 | exportingProcessId | 166 | notSentPacketTotalCount | 632 | 145 | templateId | 167 | notSentOctetTotalCount | 633 | 146 | wlanChannelId | 168 | destinationIPv6Prefix | 634 | 147 | wlanSsid | 169 | sourceIPv6Prefix | 635 | 148 | flowId | 170 | postOctetTotalCount | 636 | 149 | sourceId | 171 | postPacketTotalCount | 637 | | | 172 | flowKeyIndicator | 638 +-----+---------------------------+-----+---------------------------+ 640 5. Information Elements 642 This section describes the flow attributes of the IPFIX information 643 model. The elements are grouped into 9 groups according to their 644 semantics and their applicability: 646 1. Identifiers 647 2. Metering and Exporting Process Properties 648 3. IP Header Fields 649 4. Transport Header Fields 650 5. Sub-IP Header Fields 651 6. Derived Packet Properties 652 7. Min/Max Flow Properties 653 8. Flow Time Stamps 654 9. Per-Flow Counters 655 10. Miscellaneous Flow Properties 657 The Information Elements that are derived from fields of packets or 658 from packet treatment, such as the Information Elements in groups 659 3.-6., can serve as Flow Keys used for mapping packets to flows. But 660 they also may contain values that are not constant for a single flow. 661 For example a flow using a certain source IPv4 address as flow key 662 has sourceIPv4Address as constant property but may have 663 destinationIPv4Address as a property that changes from packet to 664 packet. 666 For such Information Elements that are derived from fields of packets 667 or from packet treatment, the IPFIX information model makes the 668 general assumption that their value is determined by the first packet 669 observed for the corresponding Flow, unless the description of the 670 Information Element explicitly specifies a different semantics. This 671 simple rule allows writing all Information Elements related to header 672 fields once when the first packet of the flow is observed. For 673 further observed packets of the same flow, only flow properties that 674 depend on more than one packet, such as the Information Elements in 675 groups 7.-9., need to be updated. 677 5.1 Identifiers 679 Information Elements grouped in the table below are identifying 680 components of the IPFIX architecture, of an IPFIX device, or of the 681 IPFIX protocol. All of them have an integral data type and data type 682 semantics "identifier" as described in section 3.2.4. 684 Typically, some of them are used for limiting scopes of other 685 Information Elements. However, also other Information Elements MAY 686 be used for limiting scopes. Note also that all Information Elements 687 listed below MAY be used for other purposes than limiting scopes. 689 +-----+---------------------------+-----+---------------------------+ 690 | ID | Name | ID | Name | 691 +-----+---------------------------+-----+---------------------------+ 692 | 141 | lineCardId | 143 | meteringProcessId | 693 | 142 | portId | 144 | exportingProcessId | 694 | 10 | ingressInterface | 148 | flowId | 695 | 14 | egressInterface | 145 | templateId | 696 | | | 149 | sourceId | 697 +-----+---------------------------+-----+---------------------------+ 699 5.1.1 lineCardId 701 Description: 702 A locally unique identifier of a line card at an IPFIX Device 703 hosting an Observation Point. Typically, this Information Element 704 is used for limiting the scope of other Information Elements. 705 Abstract Data Type: unsigned32 706 Data Type Semantics: identifier 707 ElementId: 141 708 Status: current 710 5.1.2 portId 712 Description: 713 A locally unique identifier of a line port at an IPFIX Device 714 hosting an Observation Point. Typically, this Information Element 715 is used for limiting the scope of other Information Elements. 716 Abstract Data Type: unsigned32 717 Data Type Semantics: identifier 718 ElementId: 142 719 Status: current 721 5.1.3 ingressInterface 723 Description: 724 The index of the IP interface (ifIndex) where packets of this Flow 725 are being received. 726 Abstract Data Type: unsigned32 727 Data Type Semantics: identifier 728 ElementId: 10 729 Status: current 730 Reference: See RFC 2863 for the definition of the ifIndex object. 732 5.1.4 egressInterface 733 Description: 734 The index of the IP interface (ifIndex) where packets of this Flow 735 are being sent. 736 Abstract Data Type: unsigned32 737 Data Type Semantics: identifier 738 ElementId: 14 739 Status: current 740 Reference: See RFC 2863 for the definition of the ifIndex object. 742 5.1.5 meteringProcessId 744 Description: 745 A locally unique identifier of a Metering Process at an IPFIX 746 Device. Typically, this Information Element is used for limiting 747 the scope of other Information Elements. 748 Abstract Data Type: unsigned32 749 Data Type Semantics: identifier 750 ElementId: 143 751 Status: current 753 5.1.6 exportingProcessId 755 Description: 756 A locally unique identifier of an Exporting Process at an IPFIX 757 Device. Typically, this Information Element is used for limiting 758 the scope of other Information Elements. 759 Abstract Data Type: unsigned32 760 Data Type Semantics: identifier 761 ElementId: 144 762 Status: current 764 5.1.7 flowId 766 Description: 767 An identifier of a Flow that is locally unique to an Exporting 768 Process. Typically, this Information Element is used for limiting 769 the scope of other Information Elements. 770 Abstract Data Type: unsigned32 771 Data Type Semantics: identifier 772 ElementId: 148 773 Status: current 775 5.1.8 templateId 777 Description: 779 An identifier of a Template that is locally unique to an Exporting 780 Process. Typically, this Information Element is used for limiting 781 the scope of other Information Elements. 782 Abstract Data Type: unsigned32 783 Data Type Semantics: identifier 784 ElementId: 145 785 Status: current 787 5.1.9 sourceId 789 Description: 790 An identifier of an Observation Domain that is locally unique to 791 an Exporting Process. Typically, this Information Element is used 792 for limiting the scope of other Information Elements. 793 Abstract Data Type: unsigned32 794 Data Type Semantics: identifier 795 ElementId: 149 796 Status: current 798 5.2 Metering and Exporting Process Properties 800 Information Elements in this section describe static and dynamic 801 properties of the Metering Process and/or the Exporting Process. The 802 set of these Information Elements is listed in the table below 804 +-----+---------------------------+-----+---------------------------+ 805 | ID | Name | ID | Name | 806 +-----+---------------------------+-----+---------------------------+ 807 | 130 | exporterIPv4Address | 163 | ignoredPacketTotalCount | 808 | 131 | exporterIPv6Address | 164 | ignoredOctetTotalCount | 809 | 41 | exportedMessageTotalCount | 165 | notSentFLowTotalCount | 810 | 40 | exportedOctetTotalCount | 166 | notSentPacketTotalCount | 811 | 42 | exportedFlowTotalCount | 167 | notSentOctetTotalCount | 812 | 3 | observedFlowTotalCount | 172 | flowKeyIndicator | 813 +-----+---------------------------+-----+---------------------------+ 815 5.2.1 exporterIPv4Address 817 Description: 818 The IPv4 address used by the Exporting Process. This is used by 819 the Collector to identify the Exporter in cases where the identity 820 of the Exporter may have been obscured by the use of a proxy. 821 Abstract Data Type: ipv4Address 822 Data Type Semantics: identifier 823 ElementId: 130 824 Status: current 826 5.2.2 exporterIPv6Address 828 Description: 829 The IPv6 address used by the Exporting Process. This is used by 830 the Collector to identify the Exporter in cases where the identity 831 of the Exporter may have been obscured by the use of a proxy. 832 Abstract Data Type: ipv6Address 833 Data Type Semantics: identifier 834 ElementId: 131 835 Status: current 837 5.2.3 exportedMessageTotalCount 839 Description: 840 The total number of IPFIX Messages that the Exporting Process 841 successfully sent since the Exporting Process (re-)initialization 842 to the Collecting Process receiving a report that contains this 843 Information Element. 844 Abstract Data Type: unsigned64 845 Data Type Semantics: totalCounter 846 ElementId: 41 847 Status: current 848 Units: messages 850 5.2.4 exportedOctetTotalCount 852 Description: 853 The total number of octets that the Exporting Process successfully 854 sent since the Exporting Process (re-)initialization to the 855 Collecting Process receiving a report that contains this 856 Information Element. The value of this Information Element is 857 calculated by summing up the IPFIX Message header length values of 858 all IPFIX messages that were successfully sent to the Collecting 859 Process receiving a report that contains this Information Element. 860 Abstract Data Type: unsigned64 861 Data Type Semantics: totalCounter 862 ElementId: 40 863 Status: current 864 Units: octets 866 5.2.5 exportedFlowTotalCount 867 Description: 868 The total number of Flows Records reported that the Exporting 869 Process successfully sent as Data Records since the Exporting 870 Process (re-)initialization to the Collecting Process receiving a 871 report that contains this Information Element. 872 Abstract Data Type: unsigned64 873 Data Type Semantics: totalCounter 874 ElementId: 42 875 Status: current 876 Units: Flows 878 5.2.6 observedFlowTotalCount 880 Description: 881 The total number of Flows observed in the Observation Domain since 882 the Metering Process (re-)initialization for this Observation 883 Point. 884 Abstract Data Type: unsigned64 885 Data Type Semantics: totalCounter 886 ElementId: 3 887 Status: current 888 Units: Flows 890 5.2.7 ignoredPacketTotalCount 892 Description: 893 The total number of observed IP packets that the Metering Process 894 did not process. 895 Abstract Data Type: unsigned64 896 Data Type Semantics: totalCounter 897 ElementId: 163 898 Status: current 899 Units: packets 901 5.2.8 ignoredOctetTotalCount 903 Description: 904 The total number of octets in observed IP packets that the 905 Metering Process did not process. 906 Abstract Data Type: unsigned64 907 Data Type Semantics: totalCounter 908 ElementId: 164 909 Status: current 910 Units: octets 912 5.2.9 notSentFlowTotalCount 913 Description: 914 The total number of Flow Records that were generated by the 915 Metering Process and but dropped by the Metering Process or by the 916 Exporting Process instead of sending it to the Collecting Process. 917 There are several potential reasons for this including resource 918 shortage and special Flow export policies. 919 Abstract Data Type: unsigned64 920 Data Type Semantics: totalCounter 921 ElementId: 165 922 Status: current 923 Units: Flows 925 5.2.10 notSentPacketTotalCount 927 Description: 928 The total number of packets in Flow Records that were generated by 929 the Metering Process and but dropped by the Metering Process or by 930 the Exporting Process instead of sending it to the Collecting 931 Process. There are several potential reasons for this including 932 resource shortage and special flow export policies. 933 Abstract Data Type: unsigned64 934 Data Type Semantics: totalCounter 935 ElementId: 166 936 Status: current 937 Units: packets 939 5.2.11 notSentOctetTotalCount 941 Description: 942 The total number of octets in packets in Flow Records that were 943 generated by the Metering Process and but dropped by the Metering 944 Process or by the Exporting Process instead of sending it to the 945 Collecting Process. There are several potential reasons for this 946 including resource shortage and special Flow export policies. 947 Abstract Data Type: unsigned64 948 Data Type Semantics: totalCounter 949 ElementId: 167 950 Status: current 951 Units: octets 953 5.2.12 flowKeyIndicator 955 Description: 956 This set of bit fields is used for marking the Information 957 Elements of a Data Record that serve as Flow Key. Each bit 958 represents an Information Element in the Data Record with the n-th 959 bit representing the n-th Information Element. A set bit with 960 value 1 indicates that the corresponding Information element is a 961 Flow Key of the reported Flow. A value of 0 indicates that this 962 is not the case. If the Data Record contains more than 64 963 Information Elements, the corresponding Template SHOULD be 964 designed such that all Flow Keys are among the first 64 965 Information Elements, because the flowKeyIndicator only contains 966 64 bits. If the Data Record contains less than 64 Information 967 Elements, then the bits in the flowKeyIndicator for which no 968 corresponding Information Element exists SHOULD have the value 0. 969 Abstract Data Type: unsigned64 970 Data Type Semantics: flags 971 ElementId: 172 972 Status: current 974 5.3 IP Header Fields 976 Information Elements in this section indicate values of IP header 977 fields or are derived from IP header field values in combination with 978 further information. 980 +-----+---------------------------+-----+---------------------------+ 981 | ID | Name | ID | Name | 982 +-----+---------------------------+-----+---------------------------+ 983 | 60 | ipVersion | 45 | destinationIPv4Prefix | 984 | 8 | sourceIPv4Address | 168 | destinationIPv6Prefix | 985 | 27 | sourceIPv6Address | 5 | classOfServiceIPv4 | 986 | 9 | sourceIPv4Mask | 137 | classOfServiceIPv6 | 987 | 29 | sourceIPv6Mask | 55 | postClassOfServiceIPv4 | 988 | 44 | sourceIPv4Prefix | 138 | postClassOfServiceIPv6 | 989 | 169 | sourceIPv6Prefix | 31 | flowLabelIPv6 | 990 | 12 | destinationIPv4Address | 54 | identificationIPv4 | 991 | 28 | destinationIPv6Address | 4 | protocolIdentifier | 992 | 13 | destinationIPv4Mask | 88 | fragmentOffsetIPv4 | 993 | 30 | destinationIPv6Mask | | | 994 +-----+---------------------------+-----+---------------------------+ 996 5.3.1 ipVersion 998 Description: The IP version field in the IP packet header. 999 Abstract Data Type: octet 1000 Data Type Semantics: identifier 1001 ElementId: 60 1002 Status: current 1003 Reference: 1004 See RFC 791 for a definition of the version field in the IPv4 1005 packet header. See RFC 2460 for a definition of the version field 1006 in the IPv6 packet header. Additional information on defined 1007 version numbers can be found at 1008 http://www.iana.org/assignments/version-numbers. 1010 5.3.2 sourceIPv4Address 1012 Description: 1013 The IPv4 source address in the IP packet header. 1014 Abstract Data Type: ipv4Address 1015 Data Type Semantics: identifier 1016 ElementId: 8 1017 Status: current 1018 Reference: See RFC 791 for the definition of the IPv4 source address 1019 field. 1021 5.3.3 sourceIPv6Address 1023 Description: 1024 The IPv6 source address in the IP packet header. 1025 Abstract Data Type: ipv6Address 1026 Data Type Semantics: identifier 1027 ElementId: 27 1028 Status: current 1030 5.3.4 sourceIPv4Mask 1032 Description: 1033 The number of contiguous bits that are relevant in the 1034 sourceIPv4Prefix Information Element. 1035 Abstract Data Type: octet 1036 ElementId: 9 1037 Status: current 1038 Units: bits 1039 Range: The valid range is 0-32. 1041 5.3.5 sourceIPv6Mask 1043 Description: 1044 The number of contiguous bits that are relevant in the 1045 sourceIPv6Prefix Information Element. 1046 Abstract Data Type: octet 1047 ElementId: 29 1048 Status: current 1049 Units: bits 1050 Range: The valid range is 0-128. 1052 5.3.6 sourceIPv4Prefix 1053 Description: 1054 IPv4 source address prefix. 1055 Abstract Data Type: ipv4Address 1056 ElementId: 44 1057 Status: current 1059 5.3.7 sourceIPv6Prefix 1061 Description: 1062 IPv6 source address prefix. 1063 Abstract Data Type: ipv4Address 1064 ElementId: 169 1065 Status: current 1067 5.3.8 destinationIPv4Address 1069 Description: 1070 The IPv4 destination address in the IP packet header. 1071 Abstract Data Type: ipv4Address 1072 Data Type Semantics: identifier 1073 ElementId: 12 1074 Status: current 1075 Reference: See RFC 791 for the definition of the IPv4 destination 1076 address field. 1078 5.3.9 destinationIPv6Address 1080 Description: 1081 The IPv6 destination address in the IP packet header. 1082 Abstract Data Type: ipv6Address 1083 Data Type Semantics: identifier 1084 ElementId: 28 1085 Status: current 1087 5.3.10 destinationIPv4Mask 1089 Description: 1090 The number of contiguous bits that are relevant in the 1091 destinationIPv4Prefix Information Element. 1092 Abstract Data Type: octet 1093 ElementId: 13 1094 Status: current 1095 Units: bits 1096 Range: The valid range is 0-32. 1098 5.3.11 destinationIPv6Mask 1099 Description: 1100 The number of contiguous bits that are relevant in the 1101 destinationIPv6Prefix Information Element. 1102 Abstract Data Type: octet 1103 ElementId: 30 1104 Status: current 1105 Units: bits 1106 Range: The valid range is 0-128. 1108 5.3.12 destinationIPv4Prefix 1110 Description: 1111 IPv4 destination address prefix. 1112 Abstract Data Type: ipv4Address 1113 ElementId: 45 1114 Status: current 1116 5.3.13 destinationIPv6Prefix 1118 Description: 1119 IPv6 destination address prefix. 1120 Abstract Data Type: ipv4Address 1121 ElementId: 168 1122 Status: current 1124 5.3.14 classOfServiceIPv4 1126 Description: 1127 The value of the IPv4 TOS field in the IP packet header. 1128 Abstract Data Type: octet 1129 Data Type Semantics: identifier 1130 ElementId: 5 1131 Status: current 1132 Reference: See RFC 791 for the definition of the IPv4 TOS field. 1134 5.3.15 classOfServiceIPv6 1136 Description: 1137 The value of the IPv6 traffic class field in the IP packet header. 1138 Abstract Data Type: octet 1139 Data Type Semantics: identifier 1140 ElementId: 137 1141 Status: current 1142 Reference: See RFC 2460 for the definition of the IPv6 traffic class 1143 field. 1145 5.3.16 postClassOfServiceIPv4 1147 Description: 1148 The value of the IPv4 TOS field in the IP packet header after 1149 packet treatment by a middlebox function. 1150 Abstract Data Type: octet 1151 Data Type Semantics: identifier 1152 ElementId: 55 1153 Status: current 1154 Reference: See RFC 791 for the definition of the IPv4 TOS field. See 1155 RFC 3234 for the definition of middleboxes. 1157 5.3.17 postClassOfServiceIPv6 1159 Description: 1160 The value of the IPv6 traffic class field in the IP packet header 1161 after packet treatment by a middlebox function. 1162 Abstract Data Type: octet 1163 Data Type Semantics: identifier 1164 ElementId: 138 1165 Status: current 1166 Reference: See RFC 2460 for the definition of the IPv6 traffic class 1167 field. 1169 5.3.18 flowLabelIPv6 1171 Description: 1172 The value of the IPv6 Flow Label field in the IP packet header. 1173 Abstract Data Type: unsigned32 1174 Data Type Semantics: identifier 1175 ElementId: 31 1176 Status: current 1177 Reference: See RFC 2460 for a definition of the flow label field in 1178 the IPv6 packet header. 1180 5.3.19 identificationIPv4 1182 Description: 1183 The value of the IPv4 packet identification field in the IP packet 1184 header. 1185 Abstract Data Type: unsigned16 1186 Data Type Semantics: identifier 1187 ElementId: 54 1188 Status: current 1189 Reference: See RFC 791 for the definition of the IPv4 identification 1190 field. 1192 5.3.20 protocolIdentifier 1194 Description: 1195 The value of the protocol number in the IP packet header. The 1196 protocol number identifies the IP packet payload type. Protocol 1197 numbers are defined in the IANA Protocol Numbers registry. 1198 In Internet Protocol version 4 (IPv4) this is carried in the 1199 "Protocol" field. In Internet Protocol version 6 (IPv6) this is 1200 carried in the "Next Header" field in the last extension header of 1201 the packet. 1202 Abstract Data Type: octet 1203 Data Type Semantics: identifier 1204 ElementId: 4 1205 Status: current 1206 Reference: 1207 See RFC 791 for the specification of the IPv4 protocol field. See 1208 RFC 2460 for the specification of the IPv6 protocol field. See 1209 list of protocol numbers assigned by IANA at 1210 http://www.iana.org/assignments/protocol-numbers. 1212 5.3.21 fragmentOffsetIPv4 1214 Description: 1215 The value of the IPv4 fragment offset field in the IP packet 1216 header. 1217 Abstract Data Type: unsigned16 1218 Data Type Semantics: identifier 1219 ElementId: 88 1220 Status: current 1221 Reference: 1222 See RFC 791 for the specification of the IPv4 fragment offset. 1224 5.4 Transport Header Fields 1226 The set of Information Elements related to transport header fields 1227 includes the Information Elements listed in the table below. 1229 +-----+---------------------------+-----+---------------------------+ 1230 | ID | Name | ID | Name | 1231 +-----+---------------------------+-----+---------------------------+ 1232 | 7 | sourceTransportPort | 32 | icmpTypeCodeIPv4 | 1233 | 11 | destinationTransportPort | 139 | icmpTypeCodeIPv6 | 1234 | | | 33 | igmpType | 1235 +-----+---------------------------+-----+---------------------------+ 1237 5.4.1 sourceTransportPort 1239 Description: 1240 The source port identifier in the transport header. For the 1241 transport protocols UDP, TCP and SCTP this is the source port 1242 number given in the respective header. This field MAY also be 1243 used for future transport protocols that have 16 bit source port 1244 identifiers. 1245 Abstract Data Type: unsigned16 1246 Data Type Semantics: identifier 1247 ElementId: 7 1248 Status: current 1249 Reference: 1250 See RFC 768 for the definition of the UDP source port field. See 1251 RFC 793 for the definition of the TCP source port field. See RFC 1252 2960 for the definition of SCTP. 1253 Additional information on defined UDP and TCP port numbers can be 1254 found at http://www.iana.org/assignments/port-numbers. 1256 5.4.2 destinationTransportPort 1258 Description: 1259 The destination port identifier in the transport header. For the 1260 transport protocols UDP, TCP and SCTP this is the destination port 1261 number given in the respective header. This field MAY also be 1262 used for future transport protocols that have 16 bit destination 1263 port identifiers. 1264 Abstract Data Type: unsigned16 1265 Data Type Semantics: identifier 1266 ElementId: 11 1267 Status: current 1268 Reference: 1269 See RFC 768 for the definition of the UDP source port field. See 1270 RFC 793 for the definition of the TCP source port field. See RFC 1271 2960 for the definition of SCTP. 1272 Additional information on defined UDP and TCP port numbers can be 1273 found at http://www.iana.org/assignments/port-numbers. 1275 5.4.3 icmpTypeCodeIPv4 1277 Description: 1278 Type and Code of the IPv4 ICMP message. The combination of both 1279 values is reported as (ICMP type * 256) + ICMP code. 1280 Abstract Data Type: unsigned16 1281 Data Type Semantics: identifier 1282 ElementId: 32 1283 Status: current 1284 Reference: See RFC 792 for a definition of the IPv4 ICMP type and 1285 code fields. 1287 5.4.4 icmpTypeCodeIPv6 1289 Description: 1290 Type and Code of the IPv6 ICMP message. The combination of both 1291 values is reported as (ICMP type * 256) + ICMP code. 1292 Abstract Data Type: unsigned16 1293 Data Type Semantics: identifier 1294 ElementId: 139 1295 Status: current 1296 Reference: See RFC 2463 for a definition of the IPv6 ICMP type and 1297 code fields. 1299 5.4.5 igmpType 1301 Description: The type field of the IGMP message. 1302 Abstract Data Type: octet 1303 Data Type Semantics: identifier 1304 ElementId: 33 1305 Status: current 1306 Reference: See RFC 2236 for a definition of the IGMP type field. 1308 5.5 Sub-IP Header Fields 1310 The set of Information Elements related to Sub-IP header fields 1311 includes the Information Elements listed in the table below. 1313 +-----+---------------------------+-----+---------------------------+ 1314 | ID | Name | ID | Name | 1315 +-----+---------------------------+-----+---------------------------+ 1316 | 56 | sourceMacAddress | 70 | mplsLabelStackEntry1 | 1317 | 57 | postDestinationMacAddr | 71 | mplsLabelStackEntry2 | 1318 | 58 | vlanId | 72 | mplsLabelStackEntry3 | 1319 | 59 | postVlanId | 73 | mplsLabelStackEntry4 | 1320 | 80 | destinationMacAddress | 74 | mplsLabelStackEntry5 | 1321 | 81 | postSourceMacAddress | 75 | mplsLabelStackEntry6 | 1322 | 146 | wlanChannelId | 76 | mplsLabelStackEntry7 | 1323 | 147 | wlanSsid | 77 | mplsLabelStackEntry8 | 1324 | | | 78 | mplsLabelStackEntry9 | 1325 | | | 79 | mplsLabelStackEntry10 | 1326 +-----+---------------------------+-----+---------------------------+ 1328 5.5.1 sourceMacAddress 1330 Description: 1331 The IEEE 802 source MAC address field. 1332 Abstract Data Type: macAddress 1333 Data Type Semantics: identifier 1334 ElementId: 56 1335 Status: current 1336 Reference: See IEEE.802-3.2002. 1338 5.5.2 postDestinationMacAddr 1340 Description: 1341 The IEEE 802 destination MAC address field after processing by a 1342 middlebox function. 1343 Abstract Data Type: macAddress 1344 Data Type Semantics: identifier 1345 ElementId: 57 1346 Status: current 1347 Reference: See IEEE.802-3.2002. 1349 5.5.3 vlanId 1351 Description: 1352 The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag 1353 Control Information field that was attached to the IP packet. 1354 Abstract Data Type: unsigned16 1355 Data Type Semantics: identifier 1356 ElementId: 58 1357 Status: current 1358 Reference: See IEEE.802-1Q.2003. 1360 5.5.4 postVlanId 1362 Description: 1363 The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag 1364 Control Information field that was attached to the IP packet after 1365 processing by a middlebox function. 1366 Abstract Data Type: unsigned16 1367 Data Type Semantics: identifier 1368 ElementId: 59 1369 Status: current 1370 Reference: See IEEE.802-1Q.2003. 1372 5.5.5 destinationMacAddress 1373 Description: 1374 The IEEE 802 destination MAC address field. 1375 Abstract Data Type: macAddress 1376 Data Type Semantics: identifier 1377 ElementId: 80 1378 Status: current 1379 Reference: See IEEE.802-3.2002. 1381 5.5.6 postSourceMacAddress 1383 Description: 1384 The IEEE 802 source MAC address field. after processing by a 1385 middlebox function. 1386 Abstract Data Type: macAddress 1387 Data Type Semantics: identifier 1388 ElementId: 81 1389 Status: current 1390 Reference: See IEEE.802-3.2002. 1392 5.5.7 wlanChannelId 1394 Description: 1395 The identifier of the 802.11 (WiFi) channel used. 1396 Abstract Data Type: octet 1397 Data Type Semantics: identifier 1398 ElementId: 146 1399 Status: current 1400 Reference: See IEEE.802-11.1999. 1402 5.5.8 wlanSsid 1404 Description: 1405 The Service Set IDentifier (SSID) identifying an 802.11 (Wi-Fi) 1406 network used. According to IEEE.802-11.1999 the SSID is encoded 1407 into a string of up to 32 characters. 1408 Abstract Data Type: string 1409 ElementId: 147 1410 Status: current 1411 Reference: See IEEE.802-11.1999. 1413 5.5.9 mplsLabelStackEntry1 1415 Description: 1416 The label, exp and s fields from the outermost MPLS label stack 1417 entry, i.e. the last label that was pushed. 1419 0 1 2 1420 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 1422 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1423 | Label | Exp |S| 1424 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1426 Label: Label Value, 20 bits 1427 Exp: Experimental Use, 3 bits 1428 S: Bottom of Stack, 1 bit 1430 Abstract Data Type: unsigned32 1431 Data Type Semantics: identifier 1432 ElementId: 70 1433 Status: current 1434 Reference: See RFC 3032. 1436 5.5.10 mplsLabelStackEntry2 1438 Description: 1439 The label, exp, and s fields from the label stack entry that was 1440 pushed immediately before the label stack entry that would be 1441 reported by mplsLabelStackEntry1. See the definition of 1442 mplsLabelStackEntry1 for further details. 1443 Abstract Data Type: unsigned32 1444 Data Type Semantics: identifier 1445 ElementId: 71 1446 Status: current 1447 Reference: See RFC 3032. 1449 5.5.11 mplsLabelStackEntry3 1451 Description: 1452 The label, exp, and s fields from the label stack entry that was 1453 pushed immediately before the label stack entry that would be 1454 reported by mplsLabelStackEntry2. See the definition of 1455 mplsLabelStackEntry1 for further details. 1456 Abstract Data Type: unsigned32 1457 Data Type Semantics: identifier 1458 ElementId: 72 1459 Status: current 1460 Reference: See RFC 3032. 1462 5.5.12 mplsLabelStackEntry4 1464 Description: 1465 The label, exp, and s fields from the label stack entry that was 1466 pushed immediately before the label stack entry that would be 1467 reported by mplsLabelStackEntry3. See the definition of 1468 mplsLabelStackEntry1 for further details. 1470 Abstract Data Type: unsigned32 1471 Data Type Semantics: identifier 1472 ElementId: 73 1473 Status: current 1474 Reference: See RFC 3032. 1476 5.5.13 mplsLabelStackEntry5 1478 Description: 1479 The label, exp, and s fields from the label stack entry that was 1480 pushed immediately before the label stack entry that would be 1481 reported by mplsLabelStackEntry4. See the definition of 1482 mplsLabelStackEntry1 for further details. 1483 Abstract Data Type: unsigned32 1484 Data Type Semantics: identifier 1485 ElementId: 74 1486 Status: current 1487 Reference: See RFC 3032. 1489 5.5.14 mplsLabelStackEntry6 1491 Description: 1492 The label, exp, and s fields from the label stack entry that was 1493 pushed immediately before the label stack entry that would be 1494 reported by mplsLabelStackEntry5. See the definition of 1495 mplsLabelStackEntry1 for further details. 1496 Abstract Data Type: unsigned32 1497 Data Type Semantics: identifier 1498 ElementId: 75 1499 Status: current 1500 Reference: See RFC 3032. 1502 5.5.15 mplsLabelStackEntry7 1504 Description: 1505 The label, exp, and s fields from the label stack entry that was 1506 pushed immediately before the label stack entry that would be 1507 reported by mplsLabelStackEntry6. See the definition of 1508 mplsLabelStackEntry1 for further details. 1509 Abstract Data Type: unsigned32 1510 Data Type Semantics: identifier 1511 ElementId: 76 1512 Status: current 1513 Reference: See RFC 3032. 1515 5.5.16 mplsLabelStackEntry8 1516 Description: 1517 The label, exp, and s fields from the label stack entry that was 1518 pushed immediately before the label stack entry that would be 1519 reported by mplsLabelStackEntry7. See the definition of 1520 mplsLabelStackEntry1 for further details. 1521 Abstract Data Type: unsigned32 1522 Data Type Semantics: identifier 1523 ElementId: 77 1524 Status: current 1525 Reference: See RFC 3032. 1527 5.5.17 mplsLabelStackEntry9 1529 Description: 1530 The label, exp, and s fields from the label stack entry that was 1531 pushed immediately before the label stack entry that would be 1532 reported by mplsLabelStackEntry8. See the definition of 1533 mplsLabelStackEntry1 for further details. 1534 Abstract Data Type: unsigned32 1535 Data Type Semantics: identifier 1536 ElementId: 78 1537 Status: current 1538 Reference: See RFC 3032. 1540 5.5.18 mplsLabelStackEntry10 1542 Description: 1543 The label, exp, and s fields from the label stack entry that was 1544 pushed immediately before the label stack entry that would be 1545 reported by mplsLabelStackEntry9. See the definition of 1546 mplsLabelStackEntry1 for further details. 1547 Abstract Data Type: unsigned32 1548 Data Type Semantics: identifier 1549 ElementId: 79 1550 Status: current 1551 Reference: See RFC 3032. 1553 5.6 Derived Packet Properties 1555 The set of Information Elements derived from values of header fields 1556 and further information includes the Information Elements listed in 1557 the table below. 1559 +-----+---------------------------+-----+---------------------------+ 1560 | ID | Name | ID | Name | 1561 +-----+---------------------------+-----+---------------------------+ 1562 | 15 | ipNextHopIPv4Address | 18 | bgpNextHopIPv4Address | 1563 | 62 | ipNextHopIPv6Address | 63 | bgpNextHopIPv6Address | 1564 | 16 | bgpSourceAsNumber | 46 | mplsTopLabelType | 1565 | 17 | bgpDestinationAsNumber | 47 | mplsTopLabelIPv4Address | 1566 | 128 | bgpNextAdjacentAsNumber | 140 | mplsTopLabelIPv6Address | 1567 | 129 | bgpPrevAdjacentAsNumber | | | 1568 +-----+---------------------------+-----+---------------------------+ 1570 5.6.1 ipNextHopIPv4Address 1572 Description: 1573 The IPv4 address of the next IPv4 hop. 1574 Abstract Data Type: ipv4Address 1575 Data Type Semantics: identifier 1576 ElementId: 15 1577 Status: current 1579 5.6.2 ipNextHopIPv6Address 1581 Description: 1582 The IPv6 address of the next IPv6 hop. 1583 Abstract Data Type: ipv6Address 1584 Data Type Semantics: identifier 1585 ElementId: 62 1586 Status: current 1588 5.6.3 bgpSourceAsNumber 1590 Description: 1591 The autonomous system (AS) number of the source IP address. If AS 1592 path information for this Flow is only available as unordered AS 1593 set (and not as ordered AS sequence), then the value of this 1594 Information Element is 0. 1595 Abstract Data Type: unsigned16 1596 Data Type Semantics: identifier 1597 ElementId: 16 1598 Status: current 1599 Reference: See RFC 1771 for a description of BGP-4 and see RFC 1930 1600 for a definition of the AS number. 1602 5.6.4 bgpDestinationAsNumber 1603 Description: 1604 The autonomous system (AS) number of the destination IP address. 1605 If AS path information for this Flow is only available as 1606 unordered AS set (and not as ordered AS sequence), then the value 1607 of this Information Element is 0. 1608 Abstract Data Type: unsigned16 1609 Data Type Semantics: identifier 1610 ElementId: 17 1611 Status: current 1612 Reference: See RFC 1771 for a description of BGP-4 and see RFC 1930 1613 for a definition of the AS number. 1615 5.6.5 bgpNextAdjacentAsNumber 1617 Description: 1618 The autonomous system (AS) number of the first AS in the AS path 1619 to the destination IP address. The path is deduced by looking up 1620 the destination IP address of the Flow in the BGP routing 1621 information base. If AS path information for this Flow is only 1622 available as unordered AS set (and not as ordered AS sequence), 1623 then the value of this Information Element is 0. 1624 Abstract Data Type: unsigned16 1625 Data Type Semantics: identifier 1626 ElementId: 128 1627 Status: current 1628 Reference: See RFC 1771 for a description of BGP-4 and see RFC 1930 1629 for a definition of the AS number. 1631 5.6.6 bgpPrevAdjacentAsNumber 1633 Description: 1634 The autonomous system (AS) number of the last AS in the AS path 1635 from the source IP address. The path is deduced by looking up the 1636 source IP address of the Flow in the BGP routing information base. 1637 If AS path information for this Flow is only available as 1638 unordered AS set (and not as ordered AS sequence), then the value 1639 of this Information Element is 0. In case of BGP asymmetry, the 1640 bgpSrcAdjacentASNumber might not be able to report the correct 1641 value. 1642 Abstract Data Type: unsigned16 1643 Data Type Semantics: identifier 1644 ElementId: 129 1645 Status: current 1646 Reference: See RFC 1771 for a description of BGP-4 and see RFC 1930 1647 for a definition of the AS number. 1649 5.6.7 bgpNextHopIPv4Address 1651 Description: 1652 The IPv4 address of the next (adjacent) BGP hop. 1653 Abstract Data Type: ipv4Address 1654 Data Type Semantics: identifier 1655 ElementId: 18 1656 Status: current 1657 Reference: See RFC 1771 for a description of BGP-4 and 1659 5.6.8 bgpNextHopIPv6Address 1661 Description: 1662 The IPv6 address of the next (adjacent) BGP hop. 1663 Abstract Data Type: ipv6Address 1664 Data Type Semantics: identifier 1665 ElementId: 63 1666 Status: current 1667 Reference: See RFC 1771 for a description of BGP-4. 1669 5.6.9 mplsTopLabelType 1671 Description: 1672 This field identifies the control protocol that allocated the top 1673 of stack label. Defined values for this field include: 1675 - 0x01 TE-MIDPT: Any TE tunnel mid-point or tail label 1676 - 0x02 Pseudowire: Any PWE3 or Cisco AToM based label 1677 - 0x03 VPN: Any label associated with VPN 1678 - 0x04 BGP: Any label associated with BGP or BGP routing 1679 - 0x05 LDP: Any label associated with dynamically assigned 1680 labels using LDP 1682 Abstract Data Type: octet 1683 Data Type Semantics: identifier 1684 ElementId: 46 1685 Status: current 1686 Reference: See RFC 3031 for the MPLS label structure. See RFC 2547 1687 for the association of MPLS labels with VPNs. See RFC 1771 for 1688 BGP and BGP routing. See RFC 3036 for LDP. and IP addresses. 1690 5.6.10 mplsTopLabelIPv4Address 1692 Description: 1693 The IPv4 address of the system that the MPLS top label will cause 1694 this Flow to be forwarded to. 1696 Abstract Data Type: ipv4Address 1697 Data Type Semantics: identifier 1698 ElementId: 47 1699 Status: current 1700 Reference: See RFC 3031 for the association between MPLS labels and 1701 IP addresses. 1703 5.6.11 mplsTopLabelIPv6Address 1705 Description: 1706 The IPv6 address of the system that the MPLS top label will cause 1707 this Flow to be forwarded to. 1708 Abstract Data Type: ipv6Address 1709 Data Type Semantics: identifier 1710 ElementId: 140 1711 Status: current 1712 Reference: See RFC 3031 for the association between MPLS labels and 1713 IP addresses. 1715 5.7 Min/Max Flow Properties 1717 Information Elements in this section are results of minimum or 1718 maximum operations over all packets of a flow. 1720 +-----+---------------------------+-----+---------------------------+ 1721 | ID | Name | ID | Name | 1722 +-----+---------------------------+-----+---------------------------+ 1723 | 25 | minimumPacketLength | 64 | ipv6OptionHeaders | 1724 | 26 | maximumPacketLength | 6 | tcpControlBits | 1725 | 52 | minimumTtl | | | 1726 | 53 | maximumTtl | | | 1727 +-----+---------------------------+-----+---------------------------+ 1729 5.7.1 minimumPacketLength 1731 Description: 1732 Length of the smallest packet observed for this Flow. 1733 Abstract Data Type: unsigned16 1734 ElementId: 25 1735 Status: current 1736 Units: octets 1738 5.7.2 maximumPacketLength 1739 Description: 1740 Length of the largest packet observed for this Flow. 1741 Abstract Data Type: unsigned16 1742 ElementId: 26 1743 Status: current 1744 Units: octets 1746 5.7.3 minimumTtl 1748 Description: 1749 Minimum TTL value observed for any packet in this Flow. 1750 Abstract Data Type: octet 1751 ElementId: 52 1752 Status: current 1754 5.7.4 maximumTtl 1756 Description: 1757 Maximum TTL value observed for any packet in this Flow. 1758 Abstract Data Type: octet 1759 ElementId: 53 1760 Status: current 1762 5.7.5 ipv6OptionHeaders 1764 Description: 1765 IPv6 options in the IP packet headers of this Flow. The 1766 information is encoded in a set of bit fields. For each IPv6 1767 option header there is a bit in this set. The bit is set if any 1768 observed packet of this Flow contains the corresponding IPv6 1769 option header. 1771 bit IPv6 Option Definition 1773 0 Reserved 1774 1 44 Fragmentation header - not first fragment 1775 2 43 Routing header 1776 3 44 Fragment header - first fragment 1777 4 Unknown Layer 4 header (compressed, 1778 encrypted, not supported) 1779 5 Reserved 1780 6 0 Hop-by-hop option header 1781 7 60 Destination option header 1782 8 108 Payload compression header 1783 9 51 Authentication Header 1784 10 50 Encrypted security payload 1785 11 to 31 Reserved 1787 Abstract Data Type: unsigned32 1788 Data Type Semantics: flags 1789 ElementId: 64 1790 Status: current 1791 Reference: See RFC 2460 for the general definition of IPv6 extensions 1792 headers and for the specification of the hop-by-hop options 1793 header, the routing header, the fragment header, and the 1794 destination options header. See RFC 2402 for the specification of 1795 the authentication header. See RFC 2406 for the specification of 1796 the encapsulating security payload. 1798 5.7.6 tcpControlBits 1800 Description: 1801 TCP control bits observed for packets of this Flow. The 1802 information is encoded in a set of bit fields. For each TCP 1803 control bit there is a bit in this set. A bit is set to 1 if any 1804 observed packet of this Flow has the corresponding TCP control bit 1805 set to 1. A value of 0 for a bit indicates that the corresponding 1806 bit was not set in any of the observed packets of this Flow. 1808 0 1 2 3 4 5 6 7 1809 +-----+-----+-----+-----+-----+-----+-----+-----+ 1810 | Reserved | URG | ACK | PSH | RST | SYN | FIN | 1811 +-----+-----+-----+-----+-----+-----+-----+-----+ 1813 Reserved: Reserved for future use by TCP. Must be zero. 1814 URG: Urgent Pointer field significant 1815 ACK: Acknowledgment field significant 1816 PSH: Push Function 1817 RST: Reset the connection 1818 SYN: Synchronize sequence numbers 1819 FIN: No more data from sender 1821 Abstract Data Type: octet 1822 Data Type Semantics: flags 1823 ElementId: 6 1824 Status: current 1825 Reference: See RFC 793 for a definition of the TCP control bits in 1826 the TCP header. 1828 5.8 Flow Time Stamps 1830 Information Elements in this section are time stamps of events. 1832 Time stamps flowStartSeconds, flowEndSeconds, flowStartMilliSeconds, 1833 flowEndMilliSeconds, flowStartMicroSeconds, flowEndMicroSeconds, 1834 flowStartNanoSeconds, flowEndNanoSeconds, and 1835 systemInitTimeMilliSeconds are absolute and have a well defined fixed 1836 time base, such as, for example, the number of seconds since 0000 UTC 1837 Jan 1st 1970. 1839 Time stamps flowStartDeltaMicroSeconds and flowEndDeltaMicroSeconds 1840 are relative time stamps only valid within the scope of a single 1841 IPFIX message. They contain the negative time offsets relative to 1842 the export time specified in the IPFIX Message header. 1844 Time stamps flowStartSysUpTime and flowEndSysUpTime are relative time 1845 stamps indicating the time relative to the last (re-)initialization 1846 of the IPFIX device. For reporting the time of the last 1847 (re-)initialization, systemInitTimeMilliSeconds can be reported, for 1848 example, in Data Records defined by Option Templates. 1850 +-----+---------------------------+-----+---------------------------+ 1851 | ID | Name | ID | Name | 1852 +-----+---------------------------+-----+---------------------------+ 1853 | 150 | flowStartSeconds | 156 | flowStartNanoSeconds | 1854 | 151 | flowEndSeconds | 157 | flowEndNanoSeconds | 1855 | 152 | flowStartMilliSeconds | 158 | flowStartDeltaMicroSeconds| 1856 | 153 | flowEndMilliSeconds | 159 | flowEndDeltaMicroSeconds | 1857 | 154 | flowStartMicroSeconds | 160 | systemInitTimeMilliSeconds| 1858 | 155 | flowEndMicroSeconds | 22 | flowStartSysUpTime | 1859 | | | 21 | flowEndSysUpTime | 1860 +-----+---------------------------+-----+---------------------------+ 1862 5.8.1 flowStartSeconds 1864 Description: The absolute timestamp of the first packet of this Flow. 1865 Abstract Data Type: dateTimeSeconds 1866 ElementId: 150 1867 Status: current 1868 Units: seconds 1870 5.8.2 flowEndSeconds 1872 Description: The absolute timestamp of the last packet of this Flow. 1873 Abstract Data Type: dateTimeSeconds 1874 ElementId: 151 1875 Status: current 1876 Units: seconds 1878 5.8.3 flowStartMilliSeconds 1879 Description: The absolute timestamp of the first packet of this Flow. 1880 Abstract Data Type: dateTimeMilliSeconds 1881 ElementId: 152 1882 Status: current 1883 Units: milliseconds 1885 5.8.4 flowEndMilliSeconds 1887 Description: The absolute timestamp of the last packet of this Flow. 1888 Abstract Data Type: dateTimeMilliSeconds 1889 ElementId: 153 1890 Status: current 1891 Units: milliseconds 1893 5.8.5 flowStartMicroSeconds 1895 Description: The absolute timestamp of the first packet of this Flow. 1896 Abstract Data Type: dateTimeMicroSeconds 1897 ElementId: 154 1898 Status: current 1899 Units: microseconds 1901 5.8.6 flowEndMicroSeconds 1903 Description: The absolute timestamp of the last packet of this Flow. 1904 Abstract Data Type: dateTimeMicroSeconds 1905 ElementId: 155 1906 Status: current 1907 Units: microseconds 1909 5.8.7 flowStartNanoSeconds 1911 Description: The absolute timestamp of the first packet of this Flow. 1912 Abstract Data Type: dateTimeNanoSeconds 1913 ElementId: 156 1914 Status: current 1915 Units: nanoseconds 1917 5.8.8 flowEndNanoSeconds 1919 Description: The absolute timestamp of the last packet of this Flow. 1920 Abstract Data Type: dateTimeNanoSeconds 1921 ElementId: 157 1922 Status: current 1923 Units: nanoseconds 1925 5.8.9 flowStartDeltaMicroSeconds 1927 Description: This is a relative time stamp only valid within the 1928 scope of a single IPFIX message. It contains the negative time 1929 offset of the first observed packet of this Flow relative to the 1930 export time specified in the IPFIX Message header. 1931 Abstract Data Type: unsigned32 1932 ElementId: 158 1933 Status: current 1934 Units: microseconds 1935 Reference: See [I-D.ietf-ipfix-protocol] for the definition of the 1936 IPFIX Message header. 1938 5.8.10 flowEndDeltaMicroSeconds 1940 Description: This is a relative time stamp only valid within the 1941 scope of a single IPFIX message. It contains the negative time 1942 offset of the last observed packet of this Flow relative to the 1943 export time specified in the IPFIX Message header. 1944 Abstract Data Type: unsigned32 1945 ElementId: 159 1946 Status: current 1947 Units: microseconds 1948 Reference: See [I-D.ietf-ipfix-protocol] for the definition of the 1949 IPFIX Message header. 1951 5.8.11 systemInitTimeMilliSeconds 1953 Description: The absolute timestamp of the last (re-)initialization 1954 of the IPFIX device. 1955 Abstract Data Type: dateTimeMilliSeconds 1956 ElementId: 160 1957 Status: current 1958 Units: milliseconds 1960 5.8.12 flowStartSysUpTime 1962 Description: The relative timestamp of the first packet of this Flow. 1963 It indicates the number of milliseconds since the last 1964 (re-)initialization of the IPFIX device (sysUpTime). 1965 Abstract Data Type: unsigned32 1966 ElementId: 22 1967 Status: current 1968 Units: milliseconds 1970 5.8.13 flowEndSysUpTime 1971 Description: The relative timestamp of the last packet of this Flow. 1972 It indicates the number of milliseconds since the last 1973 (re-)initialization of the IPFIX device (sysUpTime). 1974 Abstract Data Type: unsigned32 1975 ElementId: 21 1976 Status: current 1977 Units: milliseconds 1979 5.9 Per-Flow Counters 1981 Information Elements in this section are counters all having integer 1982 values. Their values may change for every report they are used in. 1983 They cannot serve as part of a flow key used for mapping packets to 1984 flows. However, potentially they can be used for selecting exported 1985 flows, for example, by only exporting flows with more than a 1986 threshold number of observed octets. 1988 There are running counters and delta counters. Delta counters are 1989 reset to zero each time their values are exported. Running counters 1990 continue counting independently of the Exporting Process. 1992 There are per-flow counters and counters related to the Metering 1993 Process and/or the Exporting Process. Per-flow counters are flow 1994 properties that potentially change each time a packet belonging to 1995 the flow is observed. The set of per-flow counters includes the 1996 Information Elements listed in the table below. 1998 +-----+---------------------------+-----+---------------------------+ 1999 | ID | Name | ID | Name | 2000 +-----+---------------------------+-----+---------------------------+ 2001 | 1 | octetDeltaCount | 132 | droppedOctetDeltaCount | 2002 | 23 | postOctetDeltaCount | 133 | droppedPacketDeltaCount | 2003 | 85 | octetTotalCount | 134 | droppedOctetTotalCount | 2004 | 170 | postOctetTotalCount | 135 | droppedPacketTotalCount | 2005 | 2 | packetDeltaCount | 19 | postMulticastPacketCount | 2006 | 24 | postPacketDeltaCount | 20 | postMulticastOctetCount | 2007 | 86 | packetTotalCount | | | 2008 | 161 | postPacketTotalCount | | | 2009 +-----+---------------------------+-----+---------------------------+ 2011 5.9.1 octetDeltaCount 2013 Description: 2014 The number of octets since the previous report (if any) in 2015 incoming packets for this Flow at the Observation Point. The 2016 number of octets include IP header(s) and IP payload. 2018 Abstract Data Type: unsigned64 2019 Data Type Semantics: deltaCounter 2020 ElementId: 1 2021 Status: current 2022 Units: octets 2024 5.9.2 postOctetDeltaCount 2026 Description: 2027 The number of octets since the previous report (if any) in 2028 outgoing packets for this Flow at the Observation Point. The 2029 number of octets include IP header(s) and IP payload. 2030 Abstract Data Type: unsigned64 2031 Data Type Semantics: deltaCounter 2032 ElementId: 23 2033 Status: current 2034 Units: octets 2036 5.9.3 octetTotalCount 2038 Description: 2039 The total number of octets in incoming packets for this Flow at 2040 the Observation Point since the Metering Process 2041 (re-)initialization for this Observation Point. The number of 2042 octets include IP header(s) and IP payload. 2043 Abstract Data Type: unsigned64 2044 Data Type Semantics: totalCounter 2045 ElementId: 85 2046 Status: current 2047 Units: octets 2049 5.9.4 postOctetTotalCount 2051 Description: 2052 The total number of octets in outgoing packets for this Flow at 2053 the Observation Point since the Metering Process 2054 (re-)initialization for this Observation Point. The number of 2055 octets include IP header(s) and IP payload. 2056 Abstract Data Type: unsigned64 2057 Data Type Semantics: totalCounter 2058 ElementId: 170 2059 Status: current 2060 Units: octets 2062 5.9.5 packetDeltaCount 2063 Description: 2064 The number of incoming packets since the previous report (if any) 2065 for this Flow at the Observation Point. 2066 Abstract Data Type: unsigned64 2067 Data Type Semantics: deltaCounter 2068 ElementId: 2 2069 Status: current 2070 Units: packets 2072 5.9.6 postPacketDeltaCount 2074 Description: 2075 The number of outgoing packets since the previous report (if any) 2076 for this Flow at the Observation Point. 2077 Abstract Data Type: unsigned64 2078 Data Type Semantics: deltaCounter 2079 ElementId: 24 2080 Status: current 2081 Units: packets 2083 5.9.7 packetTotalCount 2085 Description: 2086 The total number of incoming packets for this Flow at the 2087 Observation Point since the Metering Process (re-)initialization 2088 for this Observation Point. 2089 Abstract Data Type: unsigned64 2090 Data Type Semantics: totalCounter 2091 ElementId: 86 2092 Status: current 2093 Units: packets 2095 5.9.8 postPacketTotalCount 2097 Description: 2098 The total number of outgoing packets for this Flow at the 2099 Observation Point since the Metering Process (re-)initialization 2100 for this Observation Point. 2101 Abstract Data Type: unsigned64 2102 Data Type Semantics: totalCounter 2103 ElementId: 171 2104 Status: current 2105 Units: packets 2107 5.9.9 droppedOctetDeltaCount 2108 Description: 2109 The number of octets since the previous report (if any) in packets 2110 of this Flow dropped by packet treatment. The number of octets 2111 include IP header(s) and IP payload. 2112 Abstract Data Type: unsigned64 2113 Data Type Semantics: deltaCounter 2114 ElementId: 132 2115 Status: current 2116 Units: octets 2118 5.9.10 droppedPacketDeltaCount 2120 Description: 2121 The number of packets since the previous report (if any) of this 2122 Flow dropped by packet treatment. 2123 Abstract Data Type: unsigned64 2124 Data Type Semantics: deltaCounter 2125 ElementId: 133 2126 Status: current 2127 Units: packets 2129 5.9.11 droppedOctetTotalCount 2131 Description: 2132 The total number of octets in packets of this Flow dropped by 2133 packet treatment since the Metering Process (re-)initialization 2134 for this Observation Point. The number of octets include IP 2135 header(s) and IP payload. 2136 Abstract Data Type: unsigned64 2137 Data Type Semantics: totalCounter 2138 ElementId: 134 2139 Status: current 2140 Units: octets 2142 5.9.12 droppedPacketTotalCount 2144 Description: 2145 The number of packets of this Flow dropped by packet treatment 2146 since the Metering Process (re-)initialization for this 2147 Observation Point. 2148 Abstract Data Type: unsigned64 2149 Data Type Semantics: totalCounter 2150 ElementId: 135 2151 Status: current 2152 Units: packets 2154 5.9.13 postMulticastPacketCount 2156 Description: 2157 The number of outgoing multicast packets since the previous report 2158 (if any) created for packets of this Flow by an adjacent multicast 2159 daemon. Note that typically not all of the created packets can be 2160 observed at the Observation Point of this Flow. 2161 Abstract Data Type: unsigned64 2162 Data Type Semantics: deltaCounter 2163 ElementId: 19 2164 Status: current 2165 Units: packets 2167 5.9.14 postMulticastOctetCount 2169 Description: 2170 The number of octets since the previous report (if any) in 2171 outgoing multicast packets created for packets of this Flow by an 2172 adjacent multicast daemon. Note that typically not all of the 2173 created packets can be observed at the Observation Point of this 2174 Flow. The number of octets include IP header(s) and IP payload. 2175 Abstract Data Type: unsigned64 2176 Data Type Semantics: deltaCounter 2177 ElementId: 20 2178 Status: current 2179 Units: octets 2181 5.10 Miscellaneous Flow Properties 2183 +-----+---------------------------+-----+---------------------------+ 2184 | ID | Name | ID | Name | 2185 +-----+---------------------------+-----+---------------------------+ 2186 | 36 | flowActiveTimeOut | 161 | flowDurationMilliSeconds | 2187 | 37 | flowInactiveTimeout | 162 | flowDurationMicroSeconds | 2188 | 136 | flowEndReason | | | 2189 +-----+---------------------------+-----+---------------------------+ 2191 5.10.1 flowActiveTimeOut 2193 Description: 2194 The number of seconds after which an active Flow is timed out 2195 anyway, even if there is still a continuous flow of packets. 2196 Abstract Data Type: unsigned16 2197 ElementId: 36 2198 Status: current 2199 Units: seconds 2201 5.10.2 flowInactiveTimeout 2203 Description: 2204 A Flow is considered to be timed out if no packets belonging to 2205 the Flow have been observed for the number of seconds specified by 2206 this field. 2207 Abstract Data Type: unsigned16 2208 ElementId: 37 2209 Status: current 2210 Units: seconds 2212 5.10.3 flowEndReason 2214 Description: 2215 The reason for flow termination. The range of values includes 2216 Abstract Data Type: octet 2217 Data Type Semantics: identifier 2218 ElementId: 136 2219 Status: current 2221 5.10.4 flowDurationMilliSeconds 2223 Description: The difference between in time between the observation 2224 of the first packet of this Flow and the observation of the last 2225 packet of this Flow. 2226 Abstract Data Type: unsigned32 2227 ElementId: 161 2228 Status: current 2229 Units: milliseconds 2231 5.10.5 flowDurationMicroSeconds 2233 Description: The difference between in time between the observation 2234 of the first packet of this Flow and the observation of the last 2235 packet of this Flow. 2236 Abstract Data Type: unsigned32 2237 ElementId: 162 2238 Status: current 2239 Units: microseconds 2241 6. Extending the Information Model 2243 A key requirement for IPFIX is to allow for extending the set of 2244 Information Elements which are reported. This section defines the 2245 mechanism for extending this set. 2247 Extension is done by defining new Information Elements. Each new 2248 information item MUST be assigned a unique Information Element 2249 identifier as part of its definition. These unique Information 2250 Element identifiers are the connection between the record structure 2251 communicated by the protocol using templates and a consuming 2252 application. For generally applicable Information Elements using 2253 IETF and IANA mechanisms for extending the information model is 2254 recommended. 2256 Names of new Information Elements SHOULD be chosen according to the 2257 naming conventions given in section 2.3. 2259 For extensions, the type space defined in section 3 can be used. If 2260 required, new data types can be added. New data types SHOULD be 2261 defined in IETF standards track documents. 2263 Enterprises may wish to define Information Elements without 2264 registering them with IANA. IPFIX explicitly supports 2265 enterprise-specific Information Elements. Enterprise-specific 2266 Information Elements as described in sections 2.1 and 4. 2268 However, before creating enterprise-specific Information Elements, 2269 the general applicability of such Information Elements should be 2270 considered. IPFIX does not support enterprise-specific data types. 2272 7. IANA Considerations 2274 IANA has to create a new registry for IPFIX Information Element 2275 identifiers. Names of new Information Elements MUST follow the 2276 naming conventions specified in section 2.3. 2278 Appendix B defines an XML schema which may be used to create 2279 consistent machine readable extensions to the IPFIX information 2280 model. This schema introduces a new namespace, which will be 2281 assigned by IANA according to RFC 3688. Currently the name space for 2282 this schema is identified as http://www.ietf.org/ipfix. 2284 8. Security Considerations 2286 The IPFIX information model itself does not directly introduce 2287 security issues. Rather it defines a set of attributes which may for 2288 privacy or business issues be considered sensitive information. 2290 The underlying protocol used to exchange the information described 2291 here must therefore apply appropriate procedures to guarantee the 2292 integrity and confidentiality of the exported information. Such 2293 protocols are defined in separate documents, specifically the IPFIX 2294 protocol document [I-D.ietf-ipfix-protocol]. 2296 9. Acknowledgements 2298 The editors thank Paul Callato for creating the initial version of 2299 this document, Thomas Dietz for developing the XSLT scripts that 2300 generate large portions of the text part of this document from the 2301 XML appendices, and Paul Aitken for a very detailed review that 2302 helped improving the document significantly. 2304 10. Open Issues 2306 o Is the prefix "post" appropriate for packets leaving the 2307 observation domain? What about packets generated in the 2308 observation domain? 2309 o octet count including MPLS header: Does the octet count concern IP 2310 packets only or also sub-IP layers such as MPLS? 2312 11. References 2314 11.1 Normative Reference 2316 [I-D.ietf-ipfix-protocol] 2317 Claise, B., "IPFIX Protocol Specification", 2318 draft-ietf-ipfix-protocol-12 (work in progress), April 2319 2005. 2321 11.2 Informative Reference 2323 [I-D.ietf-ipfix-architecture] 2324 Sadasivan, G., Brownlee, N., Claise, B. and J. Quittek, 2325 "Architecture for IP Flow Information Export", 2326 draft-ietf-ipfix-architecture-07 (work in progress), March 2327 2005. 2329 [I-D.ietf-ipfix-as] 2330 Zseby, T., Boschi, E., Brownlee, N. and B. Claise, "IPFIX 2331 Applicability", draft-ietf-ipfix-as-04 (work in progress), 2332 February 2005. 2334 [IEEE.754.1985] 2335 Institute of Electrical and Electronics Engineers, 2336 "Standard for Binary Floating-Point Arithmetic", IEEE 2337 Standard 754, August 1985. 2339 [IEEE.802-11.1999] 2340 "Information technology - Telecommunications and 2341 information exchange between systems - Local and 2342 metropolitan area networks - Specific requirements - Part 2343 11: Wireless LAN Medium Access Control (MAC) and Physical 2344 Layer (PHY) specifications", IEEE Standard 802.11, 1999, 2345 . 2348 [IEEE.802-3.2002] 2349 "Information technology - Telecommunications and 2350 information exchange between systems - Local and 2351 metropolitan area networks - Specific requirements - Part 2352 3: Carrier sense multiple access with collision detection 2353 (CSMA/CD) access method and physical layer 2354 specifications"", IEEE Standard 802.3, September 2002. 2356 [IEEE.P802-1Q.2003] 2357 Institute of Electrical and Electronics Engineers, "Local 2358 and Metropolitan Area Networks: Virtual Bridged Local Area 2359 Networks", IEEE Standard 802.1Q, March 2003. 2361 [ISO.10646-1.1993] 2362 International Organization for Standardization, 2363 "Information Technology - Universal Multiple-octet coded 2364 Character Set (UCS) - Part 1: Architecture and Basic 2365 Multilingual Plane", ISO Standard 10646-1, May 1993. 2367 [ISO.646.1991] 2368 International Organization for Standardization, 2369 "Information technology - ISO 7-bit coded character set 2370 for information interchange", ISO Standard 646, 1991. 2372 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 2373 August 1980. 2375 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 2376 1981. 2378 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 2379 RFC 792, September 1981. 2381 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC 2382 793, September 1981. 2384 [RFC1771] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 2385 (BGP-4)", RFC 1771, March 1995. 2387 [RFC1930] Hawkinson, J. and T. Bates, "Guidelines for creation, 2388 selection, and registration of an Autonomous System (AS)", 2389 BCP 6, RFC 1930, March 1996. 2391 [RFC2236] Fenner, W., "Internet Group Management Protocol, Version 2392 2", RFC 2236, November 1997. 2394 [RFC2402] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2395 2402, November 1998. 2397 [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security 2398 Payload (ESP)", RFC 2406, November 1998. 2400 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 2401 (IPv6) Specification", RFC 2460, December 1998. 2403 [RFC2463] Conta, A. and S. Deering, "Internet Control Message 2404 Protocol (ICMPv6) for the Internet Protocol Version 6 2405 (IPv6) Specification", RFC 2463, December 1998. 2407 [RFC2547] Rosen, E. and Y. Rekhter, "BGP/MPLS VPNs", RFC 2547, March 2408 1999. 2410 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 2411 June 1999. 2413 [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group 2414 MIB", RFC 2863, June 2000. 2416 [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., 2417 Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., 2418 Zhang, L. and V. Paxson, "Stream Control Transmission 2419 Protocol", RFC 2960, October 2000. 2421 [RFC3031] Rosen, E., Viswanathan, A. and R. Callon, "Multiprotocol 2422 Label Switching Architecture", RFC 3031, January 2001. 2424 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 2425 Farinacci, D., Li, T. and A. Conta, "MPLS Label Stack 2426 Encoding", RFC 3032, January 2001. 2428 [RFC3036] Andersson, L., Doolan, P., Feldman, N., Fredette, A. and 2429 B. Thomas, "LDP Specification", RFC 3036, January 2001. 2431 [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and 2432 Issues", RFC 3234, February 2002. 2434 [RFC3667] Bradner, S., "IETF Rights in Contributions", RFC 3667, 2435 February 2004. 2437 [RFC3668] Bradner, S., "Intellectual Property Rights in IETF 2438 Technology", RFC 3668, February 2004. 2440 [RFC3917] Quittek, J., Zseby, T., Claise, B. and S. Zander, 2441 "Requirements for IP Flow Information Export (IPFIX)", RFC 2442 3917, October 2004. 2444 [RFC3954] Claise, B., "Cisco Systems NetFlow Services Export Version 2445 9", RFC 3954, October 2004. 2447 Authors' Addresses 2449 Juergen Quittek 2450 NEC 2451 Kurfuersten-Anlage 36 2452 Heidelberg 69115 2453 Germany 2455 Phone: +49 6221 90511-15 2456 EMail: quittek@netlab.nec.de 2457 URI: http://www.netlab.nec.de/ 2459 Stewart Bryant 2460 Cisco Systems 2461 250, Longwater, Green Park 2462 Reading RG2 6GB 2463 United Kingdom 2465 EMail: stbryant@cisco.com 2467 Benoit Claise 2468 Cisco Systems 2469 De Kleetlaan 6a b1 2470 Diegem 1831 2471 Belgium 2473 Phone: +32 2 704 5622 2474 EMail: bclaise@cisco.com 2476 Jeff Meyer 2477 PayPal 2478 2211 N. First St. 2479 San Jose, CA 95131-2021 2480 US 2482 Phone: +1 408 976-9149 2483 EMail: jemeyer@paypal.com 2484 URI: http://www.paypal.com 2486 Appendix A. Formal Specification of IPFIX Information Element 2488 This appendix contains a formal description of the IPFIX information 2489 model XML document. Note that this appendix is of informational 2490 nature, while the text in section 4 generated from this appendix is 2491 normative. 2493 Using a formal and machine readable syntax for the Information model 2494 enables the creation of IPFIX aware tools which can automatically 2495 adapt to extensions to the information model, by simply reading 2496 updated information model specifications. 2498 The wide availability of XML aware tools and libraries for client 2499 devices is a primary consideration for this choice. In particular 2500 libraries for parsing XML documents are readily available. Also 2501 mechanisms such as the Extensible Stylesheet Language (XSL) allow for 2502 transforming a source XML document into other documents. This draft 2503 was authored in XML and transformed according to RFC2629. 2505 It should be noted that the use of XML in Exporters, Collectors or 2506 other tools is not mandatory for the deployment of IPFIX. In 2507 particular Exporting Processes do not produce or consume XML as part 2508 of their operation. It is expected that IPFIX Collectors MAY take 2509 advantage of the machine readability of the Information Model vs. 2510 hard coding their behavior or inventing proprietary means for 2511 accommodating extensions. 2513 2515 2519 2520 The IP version field in the IP packet header. 2521 2522 2523 2524 See RFC 791 for a definition of the version field in the 2525 IPv4 packet header. 2526 See RFC 2460 for a definition of the version field in the 2527 IPv6 packet header. 2528 Additional information on defined version numbers 2529 can be found at 2530 http://www.iana.org/assignments/version-numbers. 2531 2533 2534 2536 2540 2541 2542 The IPv4 source address in the IP packet header. 2543 2544 2545 2546 See RFC 791 for the definition of the IPv4 source address 2547 field. 2548 2549 2551 2555 2556 2557 The IPv6 source address in the IP packet header. 2558 2559 2560 2562 2565 2566 2567 The number of contiguous bits that are relevant in the 2568 sourceIPv4Prefix Information Element. 2569 2570 2571 bits 2572 0-32 2573 2575 2578 2579 2580 The number of contiguous bits that are relevant in the 2581 sourceIPv6Prefix Information Element. 2582 2583 2584 bits 2585 0-128 2586 2588 2591 2592 2593 IPv4 source address prefix. 2594 2595 2596 2598 2601 2602 2603 IPv6 source address prefix. 2604 2605 2606 2608 2612 2613 2614 The IPv4 destination address in the IP packet header. 2615 2616 2617 2618 See RFC 791 for the definition of the IPv4 destination address 2619 field. 2620 2621 2623 2627 2628 2629 The IPv6 destination address in the IP packet header. 2630 2631 2632 2634 2637 2638 2639 The number of contiguous bits that are relevant in the 2640 destinationIPv4Prefix Information Element. 2641 2642 2643 bits 2644 0-32 2645 2647 2650 2651 2652 The number of contiguous bits that are relevant in the 2653 destinationIPv6Prefix Information Element. 2654 2655 2656 bits 2657 0-128 2658 2660 2663 2664 IPv4 destination address prefix. 2665 2666 2668 2671 2672 IPv6 destination address prefix. 2673 2674 2676 2680 2681 2682 The value of the IPv4 TOS field in the IP packet header. 2683 2684 2685 2686 See RFC 791 for the definition of the IPv4 TOS field. 2687 2688 2690 2694 2695 2696 The value of the IPv6 traffic class field in the IP packet header. 2697 2698 2699 2700 See RFC 2460 for the definition of the IPv6 traffic class 2701 field. 2702 2703 2705 2709 2710 2711 The value of the IPv4 TOS field in the IP packet header 2712 after packet treatment by a middlebox function. 2713 2714 2715 2716 See RFC 791 for the definition of the IPv4 TOS field. 2717 See RFC 3234 for the definition of middleboxes. 2718 2719 2721 2726 2727 2728 The value of the IPv6 traffic class field in the IP packet 2729 header after packet treatment by a middlebox function. 2730 2731 2732 2733 See RFC 2460 for the definition of the IPv6 traffic class 2734 field. 2735 2736 2738 2742 2743 2744 The value of the IPv6 Flow Label field in the IP packet header. 2745 2746 2747 2748 See RFC 2460 for a definition of the flow label field in the 2749 IPv6 packet header. 2750 2751 2753 2757 2758 2759 The value of the IPv4 packet identification field 2760 in the IP packet header. 2761 2762 2763 2764 See RFC 791 for the definition of the IPv4 identification 2765 field. 2766 2767 2769 2773 2774 2775 The value of the protocol number in the IP packet header. 2776 The protocol number identifies the IP packet payload type. 2777 Protocol numbers are defined in the IANA Protocol Numbers 2778 registry. 2780 2781 In Internet Protocol version 4 (IPv4) this is carried in the 2782 "Protocol" field. In Internet Protocol version 6 (IPv6) this 2783 is carried in the "Next Header" field in the last extension 2784 header of the packet. 2785 2786 2787 2788 See RFC 791 for the specification of the IPv4 protocol field. 2789 See RFC 2460 for the specification of the IPv6 protocol field. 2790 See list of protocol numbers assigned by IANA at 2791 http://www.iana.org/assignments/protocol-numbers. 2792 2793 2794 2796 2800 2801 2802 The value of the IPv4 fragment offset field 2803 in the IP packet header. 2804 2805 2806 2807 2808 See RFC 791 for the specification of the IPv4 fragment offset. 2809 2810 2811 2813 2817 2818 2819 The source port identifier in the transport header. 2820 For the transport 2821 protocols UDP, TCP and SCTP this is the source port number 2822 given in the respective header. This field MAY also be used 2823 for future transport protocols that have 16 bit source port 2824 identifiers. 2825 2826 2827 2828 2829 See RFC 768 for the definition of the UDP source port field. 2830 See RFC 793 for the definition of the TCP source port field. 2831 See RFC 2960 for the definition of SCTP. 2832 2833 Additional information on defined UDP and TCP port numbers can 2834 be found at http://www.iana.org/assignments/port-numbers. 2835 2836 2837 2839 2843 2844 2845 The destination port identifier in the transport header. 2846 For the transport protocols UDP, TCP and SCTP this is the 2847 destination port number given in the respective header. 2848 This field MAY also be used for future transport protocols 2849 that have 16 bit destination port identifiers. 2850 2851 2852 2853 2854 See RFC 768 for the definition of the UDP source port field. 2855 See RFC 793 for the definition of the TCP source port field. 2856 See RFC 2960 for the definition of SCTP. 2858 2859 Additional information on defined UDP and TCP port numbers can 2860 be found at http://www.iana.org/assignments/port-numbers. 2861 2862 2863 2865 2869 2870 2871 Type and Code of the IPv4 ICMP message. The combination of 2872 both values is reported as (ICMP type * 256) + ICMP code. 2873 2874 2875 2876 See RFC 792 for a definition of the IPv4 ICMP type and code 2877 fields. 2878 2879 2881 2885 2886 2887 Type and Code of the IPv6 ICMP message. The combination of 2888 both values is reported as (ICMP type * 256) + ICMP code. 2889 2890 2891 2892 See RFC 2463 for a definition of the IPv6 ICMP type and code 2893 fields. 2894 2895 2897 2901 2902 The type field of the IGMP message. 2903 2904 2905 See RFC 2236 for a definition of the IGMP type field. 2906 2907 2909 2913 2914 2915 The IEEE 802 source MAC address field. 2916 2917 2918 2919 See IEEE.802-3.2002. 2920 2921 2923 2927 2928 2929 The IEEE 802 destination MAC address field 2930 after processing by a middlebox function. 2931 2932 2933 2934 See IEEE.802-3.2002. 2935 2936 2938 2942 2943 2944 The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag 2945 Control Information field that was attached to the IP packet. 2946 2947 2948 2949 See IEEE.802-1Q.2003. 2950 2951 2953 2957 2958 2959 The IEEE 802.1Q VLAN identifier (VID) extracted from the Tag 2960 Control Information field that was attached to the IP packet 2961 after processing by a middlebox function. 2962 2963 2964 2965 See IEEE.802-1Q.2003. 2967 2968 2970 2974 2975 2976 The IEEE 802 destination MAC address field. 2977 2978 2979 2980 See IEEE.802-3.2002. 2981 2982 2984 2988 2989 2990 The IEEE 802 source MAC address field. 2991 after processing by a middlebox function. 2992 2993 2994 2995 See IEEE.802-3.2002. 2996 2997 2999 3003 3004 3005 The identifier of the 802.11 (WiFi) channel used. 3006 3007 3008 3009 See IEEE.802-11.1999. 3010 3011 3013 3016 3017 3018 The Service Set IDentifier (SSID) identifying an 802.11 3019 (Wi-Fi) network used. According to IEEE.802-11.1999 the 3020 SSID is encoded into a string of up to 32 characters. 3021 3022 3023 3024 See IEEE.802-11.1999. 3025 3026 3028 3032 3033 3034 The label, exp and s fields from the outermost MPLS label 3035 stack entry, i.e. the last label that was pushed. 3036 3037 3038 0 1 2 3039 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 3040 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3041 | Label | Exp |S| 3042 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 3044 Label: Label Value, 20 bits 3045 Exp: Experimental Use, 3 bits 3046 S: Bottom of Stack, 1 bit 3047 3048 3049 3050 See RFC 3032. 3051 3052 3054 3058 3059 3060 The label, exp, and s fields from the label stack entry that 3061 was pushed immediately before the label stack entry that would 3062 be reported by mplsLabelStackEntry1. See the definition of 3063 mplsLabelStackEntry1 for further details. 3064 3065 3066 3067 See RFC 3032. 3068 3069 3071 3075 3076 3077 The label, exp, and s fields from the label stack entry that 3078 was pushed immediately before the label stack entry that would 3079 be reported by mplsLabelStackEntry2. See the definition of 3080 mplsLabelStackEntry1 for further details. 3081 3082 3083 3084 See RFC 3032. 3085 3086 3088 3092 3093 3094 The label, exp, and s fields from the label stack entry that 3095 was pushed immediately before the label stack entry that would 3096 be reported by mplsLabelStackEntry3. See the definition of 3097 mplsLabelStackEntry1 for further details. 3098 3099 3100 3101 See RFC 3032. 3102 3103 3105 3109 3110 3111 The label, exp, and s fields from the label stack entry that 3112 was pushed immediately before the label stack entry that would 3113 be reported by mplsLabelStackEntry4. See the definition of 3114 mplsLabelStackEntry1 for further details. 3115 3116 3117 3118 See RFC 3032. 3119 3120 3122 3126 3127 3128 The label, exp, and s fields from the label stack entry that 3129 was pushed immediately before the label stack entry that would 3130 be reported by mplsLabelStackEntry5. See the definition of 3131 mplsLabelStackEntry1 for further details. 3132 3133 3134 3135 See RFC 3032. 3136 3137 3139 3143 3144 3145 The label, exp, and s fields from the label stack entry that 3146 was pushed immediately before the label stack entry that would 3147 be reported by mplsLabelStackEntry6. See the definition of 3148 mplsLabelStackEntry1 for further details. 3149 3150 3151 3152 See RFC 3032. 3153 3154 3156 3160 3161 3162 The label, exp, and s fields from the label stack entry that 3163 was pushed immediately before the label stack entry that would 3164 be reported by mplsLabelStackEntry7. See the definition of 3165 mplsLabelStackEntry1 for further details. 3166 3167 3168 3169 See RFC 3032. 3170 3171 3173 3177 3178 3179 The label, exp, and s fields from the label stack entry that 3180 was pushed immediately before the label stack entry that would 3181 be reported by mplsLabelStackEntry8. See the definition of 3182 mplsLabelStackEntry1 for further details. 3183 3184 3185 3186 See RFC 3032. 3187 3188 3190 3194 3195 3196 The label, exp, and s fields from the label stack entry that 3197 was pushed immediately before the label stack entry that would 3198 be reported by mplsLabelStackEntry9. See the definition of 3199 mplsLabelStackEntry1 for further details. 3200 3201 3202 3203 See RFC 3032. 3204 3205 3206 3210 3211 3212 The IPv4 address of the next IPv4 hop. 3213 3214 3215 3217 3221 3222 3223 The IPv6 address of the next IPv6 hop. 3224 3225 3226 3228 3245 3249 3250 3251 The autonomous system (AS) number of the source IP address. 3252 If AS path information for this Flow is only available as 3253 unordered AS set (and not as ordered AS sequence), 3254 then the value of this Information Element is 0. 3255 3256 3257 3258 See RFC 1771 for a description of BGP-4 and 3259 see RFC 1930 for a definition of the AS number. 3260 3261 3263 3267 3268 3269 The autonomous system (AS) number of the destination IP 3270 address. If AS path information for this Flow is only 3271 available as unordered AS set (and not as ordered AS 3272 sequence), then the value of this Information Element is 0. 3273 3274 3275 3276 See RFC 1771 for a description of BGP-4 and 3277 see RFC 1930 for a definition of the AS number. 3278 3279 3281 3285 3286 3287 The autonomous system (AS) number of the first AS in the AS 3288 path to the destination IP address. The path is deduced 3289 by looking up the destination IP address of the Flow in the 3290 BGP routing information base. If AS path information for 3291 this Flow is only available as unordered AS set (and not as 3292 ordered AS sequence), 3293 then the value of this Information Element is 0. 3294 3295 3296 3297 See RFC 1771 for a description of BGP-4 and 3298 see RFC 1930 for a definition of the AS number. 3299 3300 3301 3305 3306 3307 The autonomous system (AS) number of the last AS in the AS 3308 path from the source IP address. The path is deduced 3309 by looking up the source IP address of the Flow in the BGP 3310 routing information base. If AS path information for this 3311 Flow is only available as unordered AS set (and not as 3312 ordered AS sequence), then the value of this Information 3313 Element is 0. In case of BGP asymmetry, the 3314 bgpSrcAdjacentASNumber might not be 3315 able to report the correct value. 3316 3317 3318 3319 See RFC 1771 for a description of BGP-4 and 3320 see RFC 1930 for a definition of the AS number. 3321 3322 3324 3328 3329 3330 The IPv4 address of the next (adjacent) BGP hop. 3331 3332 3333 3334 See RFC 1771 for a description of BGP-4 and 3335 3336 3338 3342 3343 3344 The IPv6 address of the next (adjacent) BGP hop. 3345 3346 3347 3348 See RFC 1771 for a description of BGP-4. 3350 3351 3353 3357 3358 3359 This field identifies the control protocol that allocated the 3360 top of stack label. Defined values for this field include: 3361 3362 - 0x01 TE-MIDPT: Any TE tunnel mid-point or tail label 3363 - 0x02 Pseudowire: Any PWE3 or Cisco AToM based label 3364 - 0x03 VPN: Any label associated with VPN 3365 - 0x04 BGP: Any label associated with BGP or BGP routing 3366 - 0x05 LDP: Any label associated with dynamically assigned 3367 labels using LDP 3368 3369 3370 3371 3372 See RFC 3031 for the MPLS label structure. 3373 See RFC 2547 for the association of MPLS labels with VPNs. 3374 See RFC 1771 for BGP and BGP routing. 3375 See RFC 3036 for LDP. 3376 and IP addresses. 3377 3378 3380 3384 3385 3386 The IPv4 address of the system that the MPLS top label will 3387 cause this Flow to be forwarded to. 3388 3389 3390 3391 See RFC 3031 for the association between MPLS labels 3392 and IP addresses. 3393 3394 3396 3400 3401 3402 The IPv6 address of the system that the MPLS top label will 3403 cause this Flow to be forwarded to. 3404 3405 3406 3407 See RFC 3031 for the association between MPLS labels 3408 and IP addresses. 3409 3410 3412 3416 3417 3418 The IPv4 address used by the Exporting Process. This is used 3419 by the Collector to identify the Exporter in cases where the 3420 identity of the Exporter may have been obscured by the use of 3421 a proxy. 3422 3423 3424 3426 3430 3431 3432 The IPv6 address used by the Exporting Process. This is used 3433 by the Collector to identify the Exporter in cases where the 3434 identity of the Exporter may have been obscured by the use of 3435 a proxy. 3436 3437 3438 3440 3443 3444 3445 Length of the smallest packet observed for this Flow. 3447 3448 3449 octets 3450 3452 3455 3456 3457 Length of the largest packet observed for this Flow. 3458 3459 3460 octets 3461 3463 3466 3467 3468 Minimum TTL value observed for any packet in this Flow. 3469 3470 3471 3473 3476 3477 3478 Maximum TTL value observed for any packet in this Flow. 3479 3480 3481 3483 3487 3488 3489 IPv6 options in the IP packet headers of this Flow. 3490 The information is encoded in a set of bit fields. 3491 For each IPv6 option header there is a bit in this 3492 set. The bit is set if any observed packet of this 3493 Flow contains the corresponding IPv6 option header. 3494 3495 3496 bit IPv6 Option Definition 3498 0 Reserved 3499 1 44 Fragmentation header - not first fragment 3500 2 43 Routing header 3501 3 44 Fragment header - first fragment 3502 4 Unknown Layer 4 header (compressed, 3503 encrypted, not supported) 3504 5 Reserved 3505 6 0 Hop-by-hop option header 3506 7 60 Destination option header 3507 8 108 Payload compression header 3508 9 51 Authentication Header 3509 10 50 Encrypted security payload 3510 11 to 31 Reserved 3511 3512 3513 3514 See RFC 2460 for the general definition of IPv6 extensions 3515 headers and for the specification of the hop-by-hop options 3516 header, the routing header, the fragment header, and the 3517 destination options header. 3518 See RFC 2402 for the specification of the authentication 3519 header. 3520 See RFC 2406 for the specification of the encapsulating 3521 security payload. 3522 3523 3525 3529 3530 3531 TCP control bits observed for packets of this Flow. 3532 The information is encoded in a set of bit fields. 3533 For each TCP control bit there is a bit in this 3534 set. A bit is set to 1 if any observed packet of this 3535 Flow has the corresponding TCP control bit set to 1. 3536 A value of 0 for a bit indicates that the corresponding 3537 bit was not set in any of the observed packets 3538 of this Flow. 3539 3540 3541 0 1 2 3 4 5 6 7 3542 +-----+-----+-----+-----+-----+-----+-----+-----+ 3543 | Reserved | URG | ACK | PSH | RST | SYN | FIN | 3544 +-----+-----+-----+-----+-----+-----+-----+-----+ 3546 Reserved: Reserved for future use by TCP. Must be zero. 3547 URG: Urgent Pointer field significant 3548 ACK: Acknowledgment field significant 3549 PSH: Push Function 3550 RST: Reset the connection 3551 SYN: Synchronize sequence numbers 3552 FIN: No more data from sender 3553 3554 3555 See RFC 793 for a definition of the TCP control bits 3556 in the TCP header. 3557 3559 3562 3563 The absolute timestamp of the first packet of this Flow. 3564 3565 seconds 3566 3568 3571 3572 The absolute timestamp of the last packet of this Flow. 3573 3574 seconds 3575 3577 3580 3581 The absolute timestamp of the first packet of this Flow. 3582 3583 milliseconds 3584 3586 3589 3590 The absolute timestamp of the last packet of this Flow. 3592 3593 milliseconds 3594 3596 3599 3600 The absolute timestamp of the first packet of this Flow. 3601 3602 microseconds 3603 3605 3608 3609 The absolute timestamp of the last packet of this Flow. 3610 3611 microseconds 3612 3614 3617 3618 The absolute timestamp of the first packet of this Flow. 3619 3620 nanoseconds 3621 3623 3626 3627 The absolute timestamp of the last packet of this Flow. 3628 3629 nanoseconds 3630 3632 3635 3636 This is a relative time stamp only valid within the scope 3637 of a single IPFIX message. It contains the negative time 3638 offset of the first observed packet of this Flow relative 3639 to the export time specified in the IPFIX Message header. 3641 3642 3643 See [I-D.ietf-ipfix-protocol] for the definition of the IPFIX 3644 Message header. 3645 3646 microseconds 3647 3649 3652 3653 This is a relative time stamp only valid within the scope 3654 of a single IPFIX message. It contains the negative time 3655 offset of the last observed packet of this Flow relative 3656 to the export time specified in the IPFIX Message header. 3657 3658 3659 See [I-D.ietf-ipfix-protocol] for the definition of the IPFIX 3660 Message header. 3661 3662 microseconds 3663 3665 3668 3669 The absolute timestamp of the last (re-)initialization of the 3670 IPFIX device. 3671 3672 milliseconds 3673 3675 3678 3679 The relative timestamp of the first packet of this Flow. 3680 It indicates the number of milliseconds since the 3681 last (re-)initialization of the IPFIX device (sysUpTime). 3682 3683 milliseconds 3684 3686 3690 3691 The relative timestamp of the last packet of this Flow. 3692 It indicates the number of milliseconds since the 3693 last (re-)initialization of the IPFIX device (sysUpTime). 3694 3695 milliseconds 3696 3698 3701 3702 3703 The number of seconds after which an active Flow is timed out 3704 anyway, even if there is still a continuous flow of packets. 3705 3706 3707 seconds 3708 3710 3713 3714 3715 A Flow is considered to be timed out if no packets belonging 3716 to the Flow have been observed for the number of seconds 3717 specified by this field. 3718 3719 3720 seconds 3721 3723 3727 3728 3729 The reason for flow termination. The range of values includes 3730 3731 0x01: idle timeout 3732 0x02: active timeout 3733 0x03: end of flow detected (e.g. TCP FIN) 3734 0x04: forced end 3735 0x05: cache full 3736 3737 3739 3740 3742 3745 3746 The difference between in time between the observation of the 3747 first packet of this Flow and the observation of the last 3748 packet of this Flow. 3749 3750 milliseconds 3751 3753 3756 3757 The difference between in time between the observation of the 3758 first packet of this Flow and the observation of the last 3759 packet of this Flow. 3760 3761 microseconds 3762 3764 3768 3769 3770 The number of octets since the previous report (if any) 3771 in incoming packets for this Flow at the Observation Point. 3772 The number of octets include IP header(s) and IP payload. 3773 3774 3775 octets 3776 3778 3782 3783 3784 The number of octets since the previous report (if any) 3785 in outgoing packets for this Flow at the Observation Point. 3786 The number of octets include IP header(s) and IP payload. 3788 3789 3790 octets 3791 3793 3797 3798 3799 The total number of octets in incoming packets 3800 for this Flow at the Observation Point since the Metering 3801 Process (re-)initialization for this Observation Point. The 3802 number of octets include IP header(s) and IP payload. 3803 3804 3805 octets 3806 3808 3812 3813 3814 The total number of octets in outgoing packets 3815 for this Flow at the Observation Point since the Metering 3816 Process (re-)initialization for this Observation Point. The 3817 number of octets include IP header(s) and IP payload. 3818 3819 3820 octets 3821 3823 3827 3828 3829 The number of incoming packets since the previous report 3830 (if any) for this Flow at the Observation Point. 3831 3832 3833 packets 3834 3835 3839 3840 3841 The number of outgoing packets since the previous report 3842 (if any) for this Flow at the Observation Point. 3843 3844 3845 packets 3846 3848 3852 3853 3854 The total number of incoming packets for this Flow 3855 at the Observation Point since the Metering Process 3856 (re-)initialization for this Observation Point. 3857 3858 3859 packets 3860 3862 3866 3867 3868 The total number of outgoing packets for this Flow 3869 at the Observation Point since the Metering Process 3870 (re-)initialization for this Observation Point. 3871 3872 3873 packets 3874 3876 3880 3881 3882 The number of octets since the previous report (if any) 3883 in packets of this Flow dropped by packet treatment. 3884 The number of octets include IP header(s) and IP payload. 3885 3886 3887 octets 3888 3890 3894 3895 3896 The number of packets since the previous report (if any) 3897 of this Flow dropped by packet treatment. 3898 3899 3900 packets 3901 3903 3907 3908 3909 The total number of octets in packets of this Flow dropped 3910 by packet treatment since the Metering Process 3911 (re-)initialization for this Observation Point. 3912 The number of octets include IP header(s) and IP payload. 3913 3914 3915 octets 3916 3918 3922 3923 3924 The number of packets of this Flow dropped by packet 3925 treatment since the Metering Process 3926 (re-)initialization for this Observation Point. 3927 3928 3929 packets 3930 3931 3935 3936 3937 The number of outgoing multicast packets since the 3938 previous report (if any) created for packets 3939 of this Flow by an adjacent multicast daemon. 3940 Note that typically not all of the created packets can be 3941 observed at the Observation Point of this Flow. 3942 3943 3944 packets 3945 3947 3951 3952 3953 The number of octets since the previous report (if any) 3954 in outgoing multicast packets created 3955 for packets of this Flow by an adjacent multicast daemon. 3956 Note that typically not all of the created packets can be 3957 observed at the Observation Point of this Flow. 3958 The number of octets include IP header(s) and IP payload. 3959 3960 3961 octets 3962 3964 3968 3969 3970 The total number of IPFIX Messages that the Exporting Process 3971 successfully sent since the Exporting Process (re-)initialization 3972 to the Collecting Process receiving a report that contains 3973 this Information Element. 3974 3975 3976 messages 3977 3978 3982 3983 3984 The total number of octets that the Exporting Process 3985 successfully sent since the Exporting Process 3986 (re-)initialization to the Collecting Process receiving a report 3987 that contains this Information Element. The value of this 3988 Information Element is calculated by summing up the IPFIX 3989 Message header length values of all IPFIX messages that 3990 were successfully sent to the Collecting Process receiving 3991 a report that contains this Information Element. 3992 3993 3994 octets 3995 3997 4001 4002 4003 The total number of Flows Records reported that the Exporting 4004 Process successfully sent as Data Records since the Exporting 4005 Process (re-)initialization to the Collecting Process receiving a 4006 report that contains this Information Element. 4007 4008 4009 Flows 4010 4012 4016 4017 4018 The total number of Flows observed in the Observation Domain 4019 since the Metering Process (re-)initialization for this 4020 Observation Point. 4021 4022 4023 Flows 4024 4025 4029 4030 4031 The total number of observed IP packets that the 4032 Metering Process did not process. 4033 4034 4035 packets 4036 4038 4042 4043 4044 The total number of octets in observed IP packets 4045 that the Metering Process did not process. 4046 4047 4048 octets 4049 4051 4055 4056 4057 The total number of Flow Records that were generated by the 4058 Metering Process and but dropped by the Metering Process or 4059 by the Exporting Process 4060 instead of sending it to the Collecting Process. 4061 There are several potential reasons for this including 4062 resource shortage and special Flow export policies. 4063 4064 4065 Flows 4066 4068 4072 4073 4074 The total number of packets in Flow Records that were 4075 generated by the Metering Process and but dropped 4076 by the Metering Process or by the Exporting Process 4077 instead of sending it to the Collecting Process. 4078 There are several potential reasons for this including 4079 resource shortage and special flow export policies. 4080 4081 4082 packets 4083 4085 4089 4090 4091 The total number of octets in packets in Flow Records 4092 that were generated by the Metering Process and but 4093 dropped by the Metering Process or by the Exporting 4094 Process instead of sending it to the Collecting Process. 4095 There are several potential reasons for this including 4096 resource shortage and special Flow export policies. 4097 4098 4099 octets 4100 4102 4106 4107 4108 This set of bit fields is used for marking the Information 4109 Elements of a Data Record that serve as Flow Key. Each bit 4110 represents an Information Element in the Data Record with 4111 the n-th bit representing the n-th Information Element. 4112 A set bit with value 1 indicates that the corresponding 4113 Information element is a Flow Key of the reported Flow. 4114 A value of 0 indicates that this is not the case. If the 4115 Data Record contains more than 64 Information Elements, the 4116 corresponding Template SHOULD be designed such that all Flow 4117 Keys are among the first 64 Information Elements, because the 4118 flowKeyIndicator only contains 64 bits. If the Data Record 4119 contains less than 64 Information Elements, then the bits in 4120 the flowKeyIndicator for which no corresponding Information 4121 Element exists SHOULD have the value 0. 4122 4123 4124 4126 4130 4131 4132 A locally unique identifier of a line card at an IPFIX 4133 Device hosting an Observation Point. Typically, this 4134 Information Element is used for limiting the scope 4135 of other Information Elements. 4136 4137 4138 4140 4144 4145 4146 A locally unique identifier of a line port at an IPFIX 4147 Device hosting an Observation Point. Typically, this 4148 Information Element is used for limiting the scope 4149 of other Information Elements. 4150 4151 4152 4154 4158 4159 4160 The index of the IP interface (ifIndex) where packets of 4161 this Flow are being received. 4162 4163 4164 4165 See RFC 2863 for the definition of the ifIndex object. 4166 4167 4168 4172 4173 4174 The index of the IP interface (ifIndex) where packets of 4175 this Flow are being sent. 4176 4177 4178 4179 See RFC 2863 for the definition of the ifIndex object. 4180 4181 4183 4187 4188 4189 A locally unique identifier of a Metering Process 4190 at an IPFIX Device. Typically, this 4191 Information Element is used for limiting the scope 4192 of other Information Elements. 4193 4194 4195 4197 4201 4202 4203 A locally unique identifier of an Exporting Process 4204 at an IPFIX Device. Typically, this 4205 Information Element is used for limiting the scope 4206 of other Information Elements. 4207 4208 4209 4211 4215 4216 4217 An identifier of a Flow that is locally unique to an 4218 Exporting Process. Typically, this Information Element is 4219 used for limiting the scope of other Information Elements. 4220 4221 4222 4224 4228 4229 4230 An identifier of a Template that is locally unique to an 4231 Exporting Process. Typically, this Information Element is 4232 used for limiting the scope of other Information Elements. 4233 4234 4235 4237 4241 4242 4243 An identifier of an Observation Domain that is locally 4244 unique to an Exporting Process. Typically, this Information 4245 Element is used for limiting the scope of other Information 4246 Elements. 4247 4248 4249 4251 4253 Appendix B. Formal Specification of Abstract Data Types 4255 This appendix containfs a formal description of the abstract data 4256 types to be used for IPFIX Information Elements and a formal 4257 description of the template used for defining IPFIX Information 4258 Elements. Note that this appendix is of informational nature, while 4259 the text in sections 2 and 3 generated from this appendix is 4260 normative. 4262 4263 4264 4269 4270 4271 4272 4273 The type "octet" represents a 4274 non-negative integer value in the range of 0 to 255. 4275 4276 4277 4279 4280 4281 The type "unsigned16" represents a 4282 non-negative integer value in the range of 0 to 65535. 4283 4284 4285 4287 4288 4289 The type "unsigned32" represents a 4290 non-negative integer value in the range of 0 to 4291 4294967295. 4292 4293 4294 4296 4297 4298 The type "unsigned64" represents a 4299 non-negative integer value in the range of 0 to 4300 18446744073709551615. 4301 4302 4303 4305 4306 4307 The type "float32" corresponds to an IEEE 4308 single-precision 32-bit floating point type as defined 4309 in [IEEE.754.1985]. 4310 4311 4312 4314 4315 4316 The type "boolean" represents a binary 4317 value. The only allowed values are "true" and false. 4318 4319 4320 4322 4323 4324 The type "macAddress" represents a 4325 string of 6 octets. 4326 4327 4328 4330 4331 4332 The type "octetArray" represents a finite 4333 length string of octets. 4334 4335 4336 4338 4339 4340 4341 The type "string" represents a finite length string 4342 of valid characters from the Unicode character encoding 4343 set [ISO.10646-1.1993]. Unicode allows for ASCII 4344 [ISO.646.1991] and many other international character 4345 sets to be used. It is expected that strings will be 4346 encoded in UTF-8 format, which is identical in encoding 4347 for ASCII characters, but also accommodates other Unicode 4348 multi-byte characters. 4349 4350 4351 4353 4354 4355 4356 The type "dateTimeSeconds" represents a time value 4357 having a precision of seconds and normalized to the 4358 GMT time zone. 4359 4360 4361 4363 4364 4365 The type "dateTimeMilliSeconds" represents 4366 a time value having a precision of milliseconds and 4367 normalized to the GMT time zone. 4368 4369 4370 4372 4373 4374 The type "dateTimeMicroSeconds" represents 4375 a time value having a precision of microseconds and 4376 normalized to the GMT time zone. 4377 4378 4379 4381 4382 4383 The type "dateTimeNanoSeconds" represents a 4384 time value having a precision of nanoseconds and 4385 normalized to the GMT time zone. 4386 4387 4388 4390 4391 4392 The type "ipv4Address" represents a value 4393 of an IPv4 address. 4394 4395 4397 4399 4400 4401 The type "ipv6Address" represents a value 4402 of an IPv6 address. 4403 4404 4405 4406 4407 4409 4410 4411 4412 4413 4414 A quantity value represents a discrete 4415 measured value pertaining to the record. This is 4416 distinguished from counters which represent an ongoing 4417 measured value whose "odometer" reading is captured as 4418 part of a given record. If no semantic qualifier is 4419 given, the Information Elements that have an integral 4420 data type should behave as a quantity. 4421 4422 4423 4425 4426 4427 4428 An integral value reporting the value of a counter. 4429 Basically the same semantics as counters in SNMP. 4430 Counters are unsigned and wrap back to zero after 4431 reaching the limit of the type. For example, an 4432 unsigned64 with counter semantics will continue to 4433 increment until reaching the value of 2**64 - 1. At 4434 this point the next increment will wrap its value to 4435 zero and continue counting from zero. A running counter 4436 counts independently of the export of its value. 4437 4438 4439 4441 4442 4443 4444 An integral value reporting the value of a counter. 4446 Basically the same semantics as counters in SNMP. 4447 Counters are unsigned and wrap back to zero after 4448 reaching the limit of the type. For example, an 4449 unsigned64 with counter semantics will continue to 4450 increment until reaching the value of 2**64 - 1. At 4451 this point the next increment will wrap its value to 4452 zero and continue counting from zero. A delta counter 4453 is reset to zero each time its value is exported. 4454 4455 4456 4458 4459 4460 4461 An integral value which serves as an identifier. 4462 Specifically mathematical operations on two 4463 identifiers (aside from the equality operation) are 4464 meaningless. For example, Autonomous System ID 1 * 4465 Autonomous System ID 2 is meaningless. 4466 4467 4468 4470 4471 4472 4473 An integral value which actually represents a set of 4474 bit fields. Logical operations are appropriate on 4475 such values, but not other mathematical operations. 4476 Flags should always be of an unsigned type. 4477 4478 4479 4480 4481 4483 4484 4485 4486 4487 4488 Used for Information Elements that are applicable to 4489 flow records only. 4490 4491 4492 4493 4494 4495 4496 Used for Information Elements that are applicable to 4497 option records only. 4498 4499 4500 4502 4503 4504 4505 Used for Information Elements that are applicable to 4506 flow records as well as to option records. 4507 4508 4509 4510 4511 4513 4514 4515 4516 4517 4518 Indicates that the Information Element definition 4519 is that the definition is current and valid. 4520 4521 4522 4524 4525 4526 4527 Indicates that the Information Element definition is 4528 obsolete, but it permits new/continued implementation 4529 in order to foster interoperability with older/existing 4530 implementations. 4531 4532 4533 4535 4536 4537 4538 Indicates that the Information Element definition is 4539 obsolete and should not be implemented and/or can be 4540 removed if previously implemented. 4542 4543 4544 4545 4546 4548 4554 4555 4556 4558 4559 4560 4562 4563 to be done ... 4564 4565 4566 4567 4569 4570 4571 4573 4574 to be done ... 4575 4576 4577 4579 4580 to be done ... 4581 4582 4583 4584 4586 4587 4588 4589 4590 4591 4592 4594 4595 4596 The semantics of this Information Element. 4597 Describes how this Information Element is 4598 derived from the flow or other information 4599 available to the observer. 4600 4601 4602 4603 4611 4613 4614 4615 If the Information Element is a measure of some 4616 kind, the units identify what the measure is. 4617 4618 4619 4621 4623 4624 4625 Identifies additional specifications which more 4626 precisely define this item or provide additional 4627 context for its use. 4628 4629 4630 4632 4647 4649 4650 4651 Some Information Elements may only be able to 4652 take on a restricted set of values which can be 4653 expressed as a range (e.g. 0 through 511 4654 inclusive). If this is the case, the valid 4655 inclusive range should be specified. 4656 4657 4658 4659 4661 4662 4663 4664 A unique and meaningful name for the Information 4665 Element. 4666 4667 4668 4670 4672 4673 4674 One of the types listed in section 3.1 of this 4675 document or in a future extension of the 4676 information model. The type space for attributes 4677 is constrained to facilitate implementation. The 4678 existing type space does however encompass most 4679 basic types used in modern programming languages, 4680 as well as some derived types (such as ipv4Address) 4681 which are common to this domain and useful 4682 to distinguish. 4683 4684 4685 4686 4688 4689 4690 The integral types may be qualified by additional 4691 semantic details. Valid values for the data type 4692 semantics are specified in section 3.2 of this 4693 document or in a future extension of the 4694 information model. 4695 4696 4697 4699 4701 4702 4703 A numeric identifier of the Information Element. 4704 If this identifier is used without an enterprise 4705 identifier (see below), then it is globally unique 4706 and the list of allowed values is administered by IANA. 4707 It is used for compact identification of an 4708 Information Element when encoding templates in the 4709 protocol. 4710 4711 4712 4714 4716 4717 4718 Enterprises may wish to define Information Elements 4719 without registering them with IANA, for example for 4720 enterprise-internal purposes. For such Information 4721 Elements the Information Element identifier described 4722 above is not sufficient when the Information Element 4723 is used outside the enterprise. If specifications 4724 of enterprise-specific Information Elements are made 4725 public and/or if enterprise-specific identifiers are 4726 used by the IPFIX protocol outside the enterprise, 4727 then the enterprise-specific identifier MUST be made 4728 globally unique by combining it with an enterprise 4729 identifier. Valid values for the enterpriseId are 4730 defined by IANA as SMI network management private 4731 enterprise codes. They are defined at 4732 http://www.iana.org/assignments/enterprise-numbers. 4733 4735 4736 4738 4740 4741 This propoerty of an Information 4742 Element indicates in which kind of records the 4743 Information Element can be used. 4744 Allowed values for this property are 'data', 4745 'option', and 'all'. 4746 4747 4749 4751 4752 The status of the specification of this 4753 Information Element. Allowed values are 'current', 4754 'deprecated', and 'obsolete'. 4755 4756 4757 4759 4761 4762 to be done ... 4763 4764 4766 4767 4768 4769 4771 4772 4774 4775 4776 4777 4779 Intellectual Property Statement 4781 The IETF takes no position regarding the validity or scope of any 4782 Intellectual Property Rights or other rights that might be claimed to 4783 pertain to the implementation or use of the technology described in 4784 this document or the extent to which any license under such rights 4785 might or might not be available; nor does it represent that it has 4786 made any independent effort to identify any such rights. Information 4787 on the procedures with respect to rights in RFC documents can be 4788 found in BCP 78 and BCP 79. 4790 Copies of IPR disclosures made to the IETF Secretariat and any 4791 assurances of licenses to be made available, or the result of an 4792 attempt made to obtain a general license or permission for the use of 4793 such proprietary rights by implementers or users of this 4794 specification can be obtained from the IETF on-line IPR repository at 4795 http://www.ietf.org/ipr. 4797 The IETF invites any interested party to bring to its attention any 4798 copyrights, patents or patent applications, or other proprietary 4799 rights that may cover technology that may be required to implement 4800 this standard. Please address the information to the IETF at 4801 ietf-ipr@ietf.org. 4803 Disclaimer of Validity 4805 This document and the information contained herein are provided on an 4806 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 4807 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 4808 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 4809 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 4810 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 4811 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 4813 Copyright Statement 4815 Copyright (C) The Internet Society (2005). This document is subject 4816 to the rights, licenses and restrictions contained in BCP 78, and 4817 except as set forth therein, the authors retain all their rights. 4819 Acknowledgment 4821 Funding for the RFC Editor function is currently provided by the 4822 Internet Society.