[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-boschi-ipfix-exporting-type) 00 01 02 03 04 05 RFC 5610

IPFIX Working Group                                            E. Boschi
Internet-Draft                                            Hitachi Europe
Intended status: Standards Track                             B. Trammell
Expires: August 28, 2008                                      CERT/NetSA
                                                                 L. Mark
                                                                T. Zseby
                                                        Fraunhofer FOKUS
                                                       February 25, 2008


       Exporting Type Information for IPFIX Information Elements
                 draft-ietf-ipfix-exporting-type-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 28, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This document describes an extension to IPFIX to allow the encoding
   of IPFIX Information Model properties within an IPFIX Message stream,
   to allow the export of extended type information for enterprise-
   specific Information Elements.  This format is designed to facilitate



Boschi, et al.           Expires August 28, 2008                [Page 1]

Internet-Draft           IPFIX Type Information            February 2008


   interoperability and reusability among a wide variety of applications
   and tools.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  IPFIX Documents Overview . . . . . . . . . . . . . . . . .  4
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Type Information Export  . . . . . . . . . . . . . . . . . . .  5
     3.1.  informationElementDataType . . . . . . . . . . . . . . . .  5
     3.2.  informationElementDescription  . . . . . . . . . . . . . .  6
     3.3.  informationElementName . . . . . . . . . . . . . . . . . .  6
     3.4.  informationElementRangeBegin . . . . . . . . . . . . . . .  6
     3.5.  informationElementRangeEnd . . . . . . . . . . . . . . . .  7
     3.6.  informationElementSemantics  . . . . . . . . . . . . . . .  7
     3.7.  informationElementUnits  . . . . . . . . . . . . . . . . .  8
     3.8.  privateEnterpriseNumber  . . . . . . . . . . . . . . . . .  9
     3.9.  Information Element Type Options Template  . . . . . . . .  9
     3.10. Data Type and Semantics Restrictions . . . . . . . . . . . 11
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 13
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 14
   Appendix A.  Examples  . . . . . . . . . . . . . . . . . . . . . . 14
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
   Intellectual Property and Copyright Statements . . . . . . . . . . 19






















Boschi, et al.           Expires August 28, 2008                [Page 2]

Internet-Draft           IPFIX Type Information            February 2008


1.  Introduction

   The IPFIX protocol specification allows the creation of enterprise-
   specific Information Elements to easily extend the protocol to meet
   requirements which aren't covered by the existing Information Model.
   However, IPFIX Templates provide only the ability to export the size
   of the fields defined by these Information Elements; there is no
   mechanism to provide full type information for these Information
   Elements as is defined for the Information Elements in the IPFIX
   Information Model.

   This limits the interoperability of enterprise-specific Information
   Elements.  It is not possible to use analysis tools on IPFIX records
   containing these partially defined Information Elements that have not
   been developed with a priori knowledge of their types, since such
   tools will not be able to decode them; these tools can only treat and
   store them as opaque octet arrays.  However, if richer information is
   available, additional operations such as efficient storage, display,
   and limited analysis of records containing enterprise-specific
   Information Elements become possible, even for Collecting Processes
   that had not been specifically developed to understand them.

   This document proposes a mechanism to encode the full set of
   properties available for the definition of Information Elements
   within the IPFIX Information Model inline within an IPFIX Message
   stream using IPFIX Options.  This mechanism may be used to fully
   define type information for Information Elements used within a
   message stream, without resort to an external reference or reliance
   on out-of-band configuration.

   Note that the solution described in this draft is only for providing
   interoperability for enterprise specific information elements that
   are not yet standardized.  The solution introduces overhead and does
   not lead to real interoperability as provided by standards.
   Therefore we highly recommend to standardize all new information
   elements by registering them with IANA.  Standardization is
   straightforward.  The type information that needs to be specified in
   order to support the proposed solution provides a perfect basis for
   the description required for standardizing the information element.

   We assume that the proposed solution is mainly used in the following
   two situations: a) for information elements for very specific
   solutions or in very specific environments for which a
   standardization might not seem necessary because only few users are
   using it or b) temporarily for new information elements before they
   are standardized or to first investigate whether they become popular
   enough to become standardized.




Boschi, et al.           Expires August 28, 2008                [Page 3]

Internet-Draft           IPFIX Type Information            February 2008


   It might happen that information elements previously described by the
   proposed exporting type information later become a standard
   information element.  In some environments old and new version of the
   information element can coexist.  A translation between information
   elements expressed by the described solution and standardized
   information elements is not necessary.  Collectors will act in
   accordance to their capabilities and ignore messages that they do not
   support.

1.1.  IPFIX Documents Overview

   "Specification of the IPFIX Protocol for the Exchange of IP Traffic
   Flow Information" [RFC5101] (informally, the IPFIX Protocol document)
   and its associated documents define the IPFIX Protocol, which
   provides network engineers and administrators with access to IP
   traffic flow information.

   "Architecture for IP Flow Information Export" [I-D.ietf-ipfix-arch]
   (the IPFIX Architecture document) defines the architecture for the
   export of measured IP flow information out of an IPFIX Exporting
   Process to an IPFIX Collecting Process, and the basic terminology
   used to describe the elements of this architecture, per the
   requirements defined in "Requirements for IP Flow Information Export"
   [RFC3917].  The IPFIX Protocol document [RFC5101] then covers the
   details of the method for transporting IPFIX Data Records and
   Templates via a congestion-aware transport protocol from an IPFIX
   Exporting Process to an IPFIX Collecting Process.

   "Information Model for IP Flow Information Export" [RFC5102]
   (informally, the IPFIX Information Model document) describes the
   Information Elements used by IPFIX, including details on Information
   Element naming, numbering, and data type encoding.

   This document references the Protocol and Architecture documents for
   terminology and extends the IPFIX Information Model to provide new
   Information Elements for the representation of Information Element
   properties.


2.  Terminology

   Terms used in this document that are defined in the Terminology
   section of the IPFIX Protocol [RFC5101] document are to be
   interpreted as defined there.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].



Boschi, et al.           Expires August 28, 2008                [Page 4]

Internet-Draft           IPFIX Type Information            February 2008


3.  Type Information Export

   This section describes the mechanism used to encode Information
   Element type information within an IPFIX Message stream.  This
   mechanism consists of an Options Template Record used to define
   Information Element type records, and a set of Information Elements
   required by these type records.  We first specify the necessary
   Information Elements, followed by the Information Element Type
   Options Template itself.  Note that Information Element type records
   require one Information Element, informationElementId, that is
   defined in the PSAMP Information Model [I-D.ietf-psamp-info].

3.1.  informationElementDataType

   Description:   A description of the storage type of an IPFIX
      information element.  These correspond to the abstract data types
      defined in section 3.1 of the IPFIX Information Model [RFC5102];
      see that section for more information on the types described
      below.  This field may take the following values:

                     +-------+----------------------+
                     | Value | Description          |
                     +-------+----------------------+
                     | 0x00  | octetArray           |
                     | 0x01  | unsigned8            |
                     | 0x02  | unsigned16           |
                     | 0x03  | unsigned32           |
                     | 0x04  | unsigned64           |
                     | 0x05  | signed8              |
                     | 0x06  | signed16             |
                     | 0x07  | signed32             |
                     | 0x08  | signed64             |
                     | 0x09  | float32              |
                     | 0x0A  | float64              |
                     | 0x0B  | boolean              |
                     | 0x0C  | macAddress           |
                     | 0x0D  | string               |
                     | 0x0E  | dateTimeSeconds      |
                     | 0x0F  | dateTimeMilliseconds |
                     | 0x10  | dateTimeMicroseconds |
                     | 0x11  | dateTimeNanoseconds  |
                     | 0x12  | ipv4Address          |
                     | 0x13  | ipv6Address          |
                     +-------+----------------------+

      These types are registered in the IANA IPFIX Information Element
      Data Type subregistry.  This subregistry is intended to assign
      numbers for type names, not to provide a mechanism for adding data



Boschi, et al.           Expires August 28, 2008                [Page 5]

Internet-Draft           IPFIX Type Information            February 2008


      types to the IPFIX Protocol, and as such requires a Standards
      Action [RFC2434] to modify.

   Abstract Data Type:   unsigned8

   ElementId:   TBD1

   Status:   Proposed

   Reference:   Section 3.1 of the IPFIX Information Model [RFC5102]

3.2.  informationElementDescription

   Description:   A string containing a human-readable description of an
      Information Element.

   Abstract Data Type:   string

   Data Type Semantics:   identifier

   ElementId:   TBD2

   Status:   Proposed

3.3.  informationElementName

   Description:   A string containing the name of an Information
      Element.

   Abstract Data Type:   string

   Data Type Semantics:   identifier

   ElementId:   TBD3

   Status:   Proposed

3.4.  informationElementRangeBegin

   Description:   Contains the inclusive low end of the range of
      acceptable values for an Information Element.  Not valid and
      SHOULD be ignored by a Collecting Process unless
      informationElementRangeEnd is also available for the same
      Information Element.







Boschi, et al.           Expires August 28, 2008                [Page 6]

Internet-Draft           IPFIX Type Information            February 2008


   Abstract Data Type:   unsigned64

   Data Type Semantics:   quantity

   ElementId:   TBD4

   Status:   Proposed

3.5.  informationElementRangeEnd

   Description:   Contains the inclusive high end of the range of
      acceptable values for an Information Element.  Not valid and
      SHOULD be ignored by a Collecting Process unless
      informationElementRangeBegin is also available for the same
      Information Element.

   Abstract Data Type:   unsigned64

   Data Type Semantics:   quantity

   ElementId:   TBD5

   Status:   Proposed

3.6.  informationElementSemantics

   Description:   A description of the semantics of an IPFIX information
      element.  These correspond to the data type semantics defined in
      section 3.2 of the IPFIX Information Model [RFC5102]; see that
      section for more information on the types described below.  This
      field may take the following values; the special value 0x00 (none)
      is used to note that no semantics apply to the field; it cannot be
      manipulated by a Collecting Process or File Reader that does not
      understand it a priori.

                         +-------+--------------+
                         | Value | Description  |
                         +-------+--------------+
                         | 0x00  | none         |
                         | 0x01  | quantity     |
                         | 0x02  | totalCounter |
                         | 0x03  | deltaCounter |
                         | 0x04  | identifier   |
                         | 0x05  | flags        |
                         +-------+--------------+

      These semantics are registered in the IANA IPFIX Information
      Element Semantics subregistry.  This subregistry is intended to



Boschi, et al.           Expires August 28, 2008                [Page 7]

Internet-Draft           IPFIX Type Information            February 2008


      assign numbers for semantics names, not to provide a mechanism for
      adding semantics to the IPFIX Protocol, and as such requires a
      Standards Action [RFC2434] to modify.

   Abstract Data Type:   unsigned8

   ElementId:   TBD6

   Status:   Proposed

   Reference:   Section 3.2 of the IPFIX Information Model [RFC5102]

3.7.  informationElementUnits

   Description:   A description of the units of an IPFIX Information
      Element.  These correspond to the units implicitly defined in the
      Information Element definitions in section 5 of the IPFIX
      Information Model [RFC5102]; see that section for more information
      on the types described below.  This field may take the following
      values; the special value 0x00 (none) is used to note that the
      field is unitless.

          +--------+---------------+---------------------------+
          | Value  | Name          | Notes                     |
          +--------+---------------+---------------------------+
          | 0x0000 | none          |                           |
          | 0x0001 | bits          |                           |
          | 0x0002 | octets        |                           |
          | 0x0003 | packets       |                           |
          | 0x0004 | flows         |                           |
          | 0x0005 | seconds       |                           |
          | 0x0006 | milliseconds  |                           |
          | 0x0007 | microseconds  |                           |
          | 0x0008 | nanoseconds   |                           |
          | 0x0009 | 4-octet words | for IPv4 header length    |
          | 0x000A | messages      | for reliability reporting |
          | 0x000B | hops          | for TTL                   |
          | 0x000C | entries       | for MPLS label stack      |
          +--------+---------------+---------------------------+

      These types are registered in the IANA IPFIX Information Element
      Units subregistry; new types may be added on a First Come First
      Served [RFC2434] basis.

   Abstract Data Type:   unsigned16






Boschi, et al.           Expires August 28, 2008                [Page 8]

Internet-Draft           IPFIX Type Information            February 2008


   ElementId:   TBD7

   Status:   Proposed

   Reference:   Section 5 of the IPFIX Information Model [RFC5102]

3.8.  privateEnterpriseNumber

   Description:   A private enterprise number used to scope an
      informationElementID, as would appear in an IPFIX Template Record.
      This element can be used to scope properties to a specific
      Information Element.  If the Enterprise ID bit of the
      corresponding Information Element is cleared (has the value 0),
      this IE should be set to 0.  The presence of a non-zero value in
      this IE implies that the Enterprise ID bit of the corresponding
      Information Element is set (has the value 1).

   Abstract Data Type:   unsigned32

   Data Type Semantics:   identifier

   ElementId:   TBD8

   Status:   Proposed

   Reference:   Section 3.4.1 of the IPFIX Protocol [RFC5101]

3.9.  Information Element Type Options Template

   The Information Element Type Options Template attaches type
   information to Information Elements used within Template Records, as
   scoped to an Observation Domain within a Transport Session.  This
   provides a mechanism for representing an IPFIX Information Model
   inline within an IPFIX Message stream.  Data Records described by
   this template are referred to as Information Element type records.

   In deployments in which interoperability across vendor
   implementations of IPFIX is important, an Exporting Process exporting
   data using Templates containing enterprise-specific Information
   Elements SHOULD export an Information Element type record for each
   enterprise-specific Information Element it exports.  Collecting
   Processes MAY use these type records to improve handling of unknown
   enterprise-specific Information Elements.  Exporting Processes using
   enterprise-specific Information Elements to implement proprietary
   features MAY omit type records for those Information Elements.

   Information Element type records MUST be handled by Collecting
   Processes as scoped to the Transport Session in which they are sent;



Boschi, et al.           Expires August 28, 2008                [Page 9]

Internet-Draft           IPFIX Type Information            February 2008


   this facility is not intended to provide a method for the permanent
   definition of Information Elements.

   Similarly, for security reasons, type information for a given
   Information Element MUST NOT be re-defined by Information Element
   type records, and a Collecting Process MUST NOT allow an Information
   Element type record to replace its own internal definition of an
   Information Element.  Information Element type records SHOULD NOT be
   duplicated within a Transport Session, but once an Information
   Element type record has been exported for a given Information Element
   within a given Transport Session, all subsequent type records for
   that Information Element MUST be identical.  Conflicting semantic or
   type information MUST be ignored by a Collecting Process.

   The template SHOULD contain the following Information Elements as
   defined in the PSAMP Information Model [I-D.ietf-psamp-info] and in
   this document, above:

   +-------------------------------+-----------------------------------+
   | IE                            | Description                       |
   +-------------------------------+-----------------------------------+
   | informationElementID          | The Information Element           |
   |                               | identifier of the Information     |
   |                               | Element within the specified      |
   |                               | Template this record describes.   |
   |                               | This Information Element MUST be  |
   |                               | defined as a Scope Field.  See    |
   |                               | the PSAMP Information Model       |
   |                               | [I-D.ietf-psamp-info] for a       |
   |                               | definition of this field.         |
   | privateEnterpriseNumber       | The Private Enterprise number of  |
   |                               | the Information Element within    |
   |                               | the specified Template this       |
   |                               | record describes.  This           |
   |                               | Information Element MUST be       |
   |                               | defined as a Scope Field.         |
   | informationElementDataType    | The storage type of the specified |
   |                               | Information Element.              |
   | informationElementSemantics   | The semantic type of the          |
   |                               | specified Information Element.    |
   | informationElementUnits       | The units of the specified        |
   |                               | Information Element.  This        |
   |                               | element MAY be omitted if the     |
   |                               | Information Element is a unitless |
   |                               | quantity, or a not a quantity or  |
   |                               | counter.                          |





Boschi, et al.           Expires August 28, 2008               [Page 10]

Internet-Draft           IPFIX Type Information            February 2008


   | informationElementRangeBegin  | The low end of the range of       |
   |                               | acceptable values for the         |
   |                               | specified Information Element.    |
   |                               | This element MAY be omitted if    |
   |                               | the Information Element's         |
   |                               | acceptable range is defined by    |
   |                               | its data type.                    |
   | informationElementRangeEnd    | The high end of the range of      |
   |                               | acceptable values for the         |
   |                               | specified Information Element.    |
   |                               | This element MAY be omitted if    |
   |                               | the Information Element's         |
   |                               | acceptable range is defined by    |
   |                               | its data type.                    |
   | informationElementName        | The name of the specified         |
   |                               | Information Element.              |
   | informationElementDescription | A human readable description of   |
   |                               | the specified Information         |
   |                               | Element.  This element MAY be     |
   |                               | omitted in the interest of export |
   |                               | efficiency.                       |
   +-------------------------------+-----------------------------------+

3.10.  Data Type and Semantics Restrictions

   Note that the informationElementSemantics values are primarily
   intended to differentiate semantic interpretation of numeric values,
   and that not all combinations of the informationElementDataType and
   informationElementSemantics Information Elements are valid; e.g., a
   counter cannot be encoded as an IPv4 address.  Any
   informationElementSemantics value is valid for unsigned
   informationElementDataType values ("unsigned8", "unsigned16",
   "unsigned32", or "unsigned64").  Any informationElementSemantics
   value except flags is valid for signed informationElementDataType
   values ("signed8", "signed16", "signed32", or "signed64").  Any
   informationElementSemantics value except "identifier" or "flags" is
   valid for floating-point informationElementDataType values ("float32"
   or "float64").  Only the informationElementSemantics value "none" is
   valid for all other other informationElementDataType values
   ("octetArray", "boolean", "macAddress", "string", "dateTimeSeconds",
   "dateTimeMilliseconds", "dateTimeMicroseconds",
   "dateTimeNanoseconds", "ipv4Address", or "ipv6Address").

   Information Element type records containing invalid combinations of
   informationElementSemantics and informationElementDataType MUST NOT
   be sent by Exporting Processes, and MUST be ignored by Collecting
   Processes.




Boschi, et al.           Expires August 28, 2008               [Page 11]

Internet-Draft           IPFIX Type Information            February 2008


   Future standards actions that modify the Information Element Data
   Type subregistry or the Information Element Semantics subregistry
   should contain a Data Type and Semantics Restrictions sections such
   as this one to define allowable combinations of type and semantics
   information.


4.  Security Considerations

   The same security considerations as for the IPFIX Protocol [RFC5101]
   apply.


5.  IANA Considerations

   This document specifies the creation of several new IPFIX Information
   Elements in the IPFIX Information Element registry located at
   http://www.iana.org/assignments/ipfix, as defined in section 3 above.
   IANA has assigned the following Information Element numbers for their
   respective Information Elements as specified below:

   o  Information Element Number TBD1 for the informationElementDataType
      Information Element

   o  Information Element Number TBD2 for the
      informationElementDescription Information Element

   o  Information Element Number TBD3 for the informationElementName
      Information Element

   o  Information Element Number TBD4 for the
      informationElementRangeBegin Information Element

   o  Information Element Number TBD5 for the informationElementRangeEnd
      Information Element

   o  Information Element Number TBD6 for the
      informationElementSemantics Information Element

   o  Information Element Number TBD7 for the informationElementUnits
      Information Element

   o  Information Element Number TBD8 for the privateEnterpriseNumber
      Information Element

   o  [NOTE for IANA: The text TBD1, TBD2, TBD3, TBD4, TBD5, TBD6, TBD7,
      and TBD8 should be replaced with the respective assigned
      Information Element numbers where they appear in this document.]



Boschi, et al.           Expires August 28, 2008               [Page 12]

Internet-Draft           IPFIX Type Information            February 2008


   IANA has created an Information Element Data Type subregistry for the
   values defined for the informationElementSemantics Information
   Element.  Entries may be added to this subregistry subject to a
   Standards Action [RFC2434].

   [NOTE for IANA: Please create a new Information Element Data Type
   subregistry as specified in the paragraph above, with values taken
   from section 3.1 of this document.]

   IANA has created an Information Element Semantics subregistry for the
   values defined for the informationElementSemantics Information
   Element.  Entries may be added to this subregistry subject to a
   Standards Action [RFC2434].

   [NOTE for IANA: Please create a new Information Element Semantics
   subregistry as specified in the paragraph above, with values taken
   from section 3.6 of this document.]

   IANA has created an Information Element Units subregistry for the
   values defined for the informationElementUnits Information Element.
   Entries may be added to this subregistry on an Expert Review
   [RFC2434] basis.

   [NOTE for IANA: Please create a new Information Element Units
   subregistry as specified in the paragraph above, with values taken
   from section 3.7 of this document.]


6.  Acknowledgements

   Thanks to Paul Aitken for the detailed technical review, and to David
   Moore for first raising this issue to the IPFIX mailing list.


7.  References

7.1.  Normative References

   [RFC5101]  Claise, B., "Specification of the IP Flow Information
              Export (IPFIX) Protocol for the Exchange of IP Traffic
              Flow Information", RFC 5101, January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
              Meyer, "Information Model for IP Flow Information Export",
              RFC 5102, January 2008.

   [I-D.ietf-psamp-info]
              Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.



Boschi, et al.           Expires August 28, 2008               [Page 13]

Internet-Draft           IPFIX Type Information            February 2008


              Carle, "Information Model for Packet Sampling Exports",
              draft-ietf-psamp-info-08 (work in progress),
              February 2008.

7.2.  Informative References

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export (IPFIX)",
              RFC 3917, October 2004.

   [I-D.ietf-ipfix-arch]
              Sadasivan, G. and N. Brownlee, "Architecture Model for IP
              Flow Information Export", draft-ietf-ipfix-arch-02 (work
              in progress), October 2003.

   [RFC5103]  Trammell, B. and E. Boschi, "Bidirectional Flow Export
              Using IP Flow Information Export (IPFIX)", RFC 5103,
              January 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2434]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 2434,
              October 1998.


Appendix A.  Examples

   The following example illustrates how the type information extension
   mechanism defined in this document may be used to describe the
   semantics of enterprise-specific Information Elements.  The
   Information Elements used in this example are as follows:

   o  initialTCPFlags, CERT (PEN 6871) private IE 14, 1 octet, the TCP
      flags on the first TCP packet in the flow.

   o  unionTCPFlags, CERT (PEN 6871) private IE 15, 1 octet, the union
      of the TCP flags on all packets after the first TCP packet in the
      flow.

   An Exporting Process exporting flows containing these Information
   Elements might use a Template like the following:








Boschi, et al.           Expires August 28, 2008               [Page 14]

Internet-Draft           IPFIX Type Information            February 2008


                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 2           |          Length =  52         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Template ID = 256        |        Field Count = 9        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| flowStartSeconds        150 |       Field Length =  4       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| sourceIPv4Address         8 |       Field Length =  4       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| destinationIPv4Address   12 |       Field Length =  4       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| sourceTransportPort       7 |       Field Length =  2       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| destinationTransportPort 11 |       Field Length =  2       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| octetTotalCount          85 |       Field Length =  4       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1| (initialTCPFlags)        14 |       Field Length =  1       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            PEN 6871                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1| (unionTCPFlags)          15 |       Field Length =  1       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            PEN 6871                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| protocolIdentifier        4 |       Field Length =  1       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              Figure 1: Template with Enterprise-Specific IEs

   However, a Collecting Process receiving Data Sets described by this
   Template can only treat the enterprise-specific Information Elements
   as opaque octets; specifically, there is no hint to the collector
   that they contain flag information.  To use the type information
   extension mechanism to address this problem, the Exporting Process
   would first export the Information Element Type Options Template
   described in section 3.9 above:












Boschi, et al.           Expires August 28, 2008               [Page 15]

Internet-Draft           IPFIX Type Information            February 2008


                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 3           |          Length =  26         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Template ID = 257        |        Field Count = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Scope Field Count = 2      |0| priv.EnterpriseNumber  TBD8 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 4        |0| informationElementId    303 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |0| inf.El.DataType        TBD1 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 1        |0| inf.El.Semantics       TBD6 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 1        |0| inf.El.Name            TBD3 |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Field Length = 65536      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        Figure 2: Example Information Element Type Options Template

   Then, the Exporting Process would then export two records described
   by the Example Information Element Type Options Template to describe
   the enterprise-specific Information Elements:


























Boschi, et al.           Expires August 28, 2008               [Page 16]

Internet-Draft           IPFIX Type Information            February 2008


                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 257         |          Length =  50         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            PEN 6871                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           IE 14               |0x01 unsigned8 |0x05 flags     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   15 length   |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                      "initialTCPFlags"                        |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            PEN 6871                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           IE 15               |0x01 unsigned8 |0x05 flags     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   13 length   |                                               |
   +-+-+-+-+-+-+-+-+        "unionTCPFlags"                        |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 3: Type Information Extension Example


Authors' Addresses

   Elisa Boschi
   Hitachi Europe
   c/o ETH Zurich
   Gloriastrasse 35
   8092 Zurich
   Switzerland

   Phone: +41 44 6327057
   Email: elisa.boschi@hitachi-eu.com













Boschi, et al.           Expires August 28, 2008               [Page 17]

Internet-Draft           IPFIX Type Information            February 2008


   Brian H. Trammell
   CERT Network Situational Awareness
   Software Engineering Institute
   4500 Fifth Avenue
   Pittsburgh, Pennsylvania  15213
   United States

   Phone: +1 412 268 9748
   Email: bht@cert.org


   Lutz Mark
   Fraunhofer Institute for Open Communication Systems
   Kaiserin-Augusta-Allee 31
   10589 Berlin
   Germany

   Phone: +49 30 3463 7306
   Email: lutz.mark@fokus.fraunhofer.de


   Tanja Zseby
   Fraunhofer Institute for Open Communication Systems
   Kaiserin-Augusta-Allee 31
   10589 Berlin
   Germany

   Phone: +49 30 3463 7153
   Email: tanja.zseby@fokus.fraunhofer.de






















Boschi, et al.           Expires August 28, 2008               [Page 18]

Internet-Draft           IPFIX Type Information            February 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Boschi, et al.           Expires August 28, 2008               [Page 19]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/