[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 RFC 5102

Network Working Group                                          P. Calato
Internet-Draft                                   Riverstone Networks Inc
Expires: February 10, 2004                                      J. Meyer
                                                         Hewlett-Packard
                                                              J. Quittek
                                                         NEC Europe Ltd.
                                                         August 12, 2003


            Information Model for IP Flow Information Export
                        draft-ietf-ipfix-info-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 10, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This document defines and information and data model for the IP Flow
   Information export (IPFIX) protocol. It is used by the IPFIX protocol
   for encoding measured traffic information and information related to
   the traffic measurement process. Although developed for the IPFIX
   protcol, the model is defined in an open way that easily allows using
   it in other protocols, interfaces, and applications.






Calato, et al.         Expires February 10, 2004                [Page 1]


Internet-Draft          IPFIX Information Model              August 2003


Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   4
   2.   Scope  . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.   Properties of an IPFIX Flow Attribute  . . . . . . . . . . .   6
   4.   Type Space . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.1  int  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.2  unsignedInt  . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.3  long . . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.4  unsignedLong . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.5  float  . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.6  double . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.7  hexBinary  . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.8  string . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.9  boolean  . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.10 byte . . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.11 unsignedByte . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.12 short  . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   4.13 unsignedShort  . . . . . . . . . . . . . . . . . . . . . . .   9
   4.14 dateTime . . . . . . . . . . . . . . . . . . . . . . . . . .  10
   4.15 ipdr:dateTimeMsec  . . . . . . . . . . . . . . . . . . . . .  10
   4.16 ipdr:ipV4Addr  . . . . . . . . . . . . . . . . . . . . . . .  10
   4.17 ipdr:ipV6Addr  . . . . . . . . . . . . . . . . . . . . . . .  10
   4.18 ipdr:UUID  . . . . . . . . . . . . . . . . . . . . . . . . .  10
   4.19 ipdr:dateTimeUsec  . . . . . . . . . . . . . . . . . . . . .  11
   5.   Extending the Information Model  . . . . . . . . . . . . . .  12
   6.   Flow Attributes  . . . . . . . . . . . . . . . . . . . . . .  13
   6.1  sourceAddress  . . . . . . . . . . . . . . . . . . . . . . .  13
   6.2  sourceAddressV6  . . . . . . . . . . . . . . . . . . . . . .  13
   6.3  destinationAddress . . . . . . . . . . . . . . . . . . . . .  13
   6.4  destinationAddressV6 . . . . . . . . . . . . . . . . . . . .  13
   6.5  protocolIdentifier . . . . . . . . . . . . . . . . . . . . .  13
   6.6  sourcePort . . . . . . . . . . . . . . . . . . . . . . . . .  14
   6.7  destinationPort  . . . . . . . . . . . . . . . . . . . . . .  14
   6.8  ingressPort  . . . . . . . . . . . . . . . . . . . . . . . .  14
   6.9  egressPort . . . . . . . . . . . . . . . . . . . . . . . . .  15
   6.10 packetCount  . . . . . . . . . . . . . . . . . . . . . . . .  15
   6.11 byteCount  . . . . . . . . . . . . . . . . . . . . . . . . .  15
   6.12 classOfService . . . . . . . . . . . . . . . . . . . . . . .  16
   6.13 flowLabel  . . . . . . . . . . . . . . . . . . . . . . . . .  16
   6.14 flowCreationTime . . . . . . . . . . . . . . . . . . . . . .  16
   6.15 flowEndTime  . . . . . . . . . . . . . . . . . . . . . . . .  17
   6.16 sourceAS . . . . . . . . . . . . . . . . . . . . . . . . . .  17
   6.17 destinationAS  . . . . . . . . . . . . . . . . . . . . . . .  17
   6.18 nextHopAS  . . . . . . . . . . . . . . . . . . . . . . . . .  17
   6.19 tcpControlBits . . . . . . . . . . . . . . . . . . . . . . .  18
   6.20 ipV4SourceExporterAddress  . . . . . . . . . . . . . . . . .  18
   6.21 ipV6SourceExporterAddress  . . . . . . . . . . . . . . . . .  18



Calato, et al.         Expires February 10, 2004                [Page 2]


Internet-Draft          IPFIX Information Model              August 2003


   6.22 droppedPacketCount . . . . . . . . . . . . . . . . . . . . .  19
   6.23 samplingInterval . . . . . . . . . . . . . . . . . . . . . .  19
   6.24 samplingAlgorithm  . . . . . . . . . . . . . . . . . . . . .  20
   6.25 flowEndState . . . . . . . . . . . . . . . . . . . . . . . .  20
   6.26 droppedByteCount . . . . . . . . . . . . . . . . . . . . . .  20
   7.   The Benefits of a Formal Machine Readable Information
        Model  . . . . . . . . . . . . . . . . . . . . . . . . . . .  21
   8.   Security Considerations  . . . . . . . . . . . . . . . . . .  22
        References . . . . . . . . . . . . . . . . . . . . . . . . .  23
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  24
   A.   IPFIX IPDR Service Definition  . . . . . . . . . . . . . . .  25
        Intellectual Property and Copyright Statements . . . . . . .  36







































Calato, et al.         Expires February 10, 2004                [Page 3]


Internet-Draft          IPFIX Information Model              August 2003


1. Introduction

   Many applications e.g., intrusion detection, traffic engineering, and
   accounting among others require the monitoring, measuring of IP
   traffic flows. It is hence important to have a standard way of
   exporting information related to IP flows. This document defines the
   base set of attributes which may be used when exporting IP flow
   information. It also defines the mechanism by which new data items
   may be added without changing the underlying exchange protocol.










































Calato, et al.         Expires February 10, 2004                [Page 4]


Internet-Draft          IPFIX Information Model              August 2003


2. Scope

   This document defines an information model for the IP Flow
   Information eXport (IPFIX) protocol. The model consists of of a set
   of information elements, each one defining a single attribute of a
   flow. For each individual attribute, the semantics is clearly
   specified and a data type is assigned to it.












































Calato, et al.         Expires February 10, 2004                [Page 5]


Internet-Draft          IPFIX Information Model              August 2003


3. Properties of an IPFIX Flow Attribute

   Flow attributes are modeled as information elements of the IPFIX
   information model. Each information element models a single flow
   attribute.

   For defining flow attributes, a template is used.

   Information elements defined in this specification, or by extension
   MUST have the following properties defined:

      Name - a unique and meaningful name for the field. The preferred
      spelling for the name is to use mixed case if the name is
      compound, with an initial lower case letter. (E.g.
      "sourceIpAddress").

      Description - the semantics of this information element. Describes
      how this field is derived from the flow or other information
      available to the observer.

      Type - one of the types listed in the following section, "The Type
      Space". The type space for attributes is constrained to facilitate
      implementation. The existing type space does however encompass
      most basic types used in modern programming languages, as well as
      some derived types (such as IPAddress) which are common to this
      domain and useful to distinguish.

      FieldId - a numeric identifier administered by IANA. This is used
      for compact identification of an information item when encoding
      templates in the protocol.

   Information elements defined in this specification, or by extension
   MAY have the following properties defined:

      Vendor ID - when extension is done outside of the scope of the
      IANA IPFIX fieldId range, a vendorId MUST be provided.  This
      identifier is based on IANA assigned enterprise identifiers.

      Reference - identifies additional specifications which more
      precisely define this item or provide additional context for its
      use.

      Units - if the field is a measure of some kind, the units identify
      what the measure is.

      Enumerated range - some items may have a specific set of numeric
      identifiers associated with a set of discrete values this element
      may take.  The meaning of each discrete value and a human readable



Calato, et al.         Expires February 10, 2004                [Page 6]


Internet-Draft          IPFIX Information Model              August 2003


      name should be assigned.

      Range - some elements may only be able to take on a restricted set
      of values which can be expressed as a range (e.g. 0 through 511
      inclusive). If this is the case, the valid inclusive range should
      be specified.













































Calato, et al.         Expires February 10, 2004                [Page 7]


Internet-Draft          IPFIX Information Model              August 2003


4. Type Space

   The following subsections describe the basic types from which the
   types of all IPFIX attributes should be constructed.

   By describing attributs in terms of a well defined type space, versus
   describing these details in each element declaration, greater
   consistency of the existing information model is expected. This
   should also simplify the process of extending the information model
   over time, and maintain this consistency.

   Still any attribute is free to restrict the type assigned to it
   further than the general type description in this section does.

   Please note that a protocol implementation may use other types as
   long as each of the types defined below are supported with their
   entire range. For example, the type short can be encoded within the
   type long.

   The type names used are copied from the namespace defined by
   XML-Schema Datatypes.  There are a few types which are useful to
   distinguish in the context of IPFIX, which do not exist in the
   XML-Schema namespace.  The type extensions used by IPDR.org's NDM-U
   Specification, addresses these gaps and is called out in the list
   with the "ipdr:" namespace qualifier.

4.1 int

   The type "int" represents a integer numeric value in the range of
   -2147483648 to 2147483647. (i.e. a 32-bit integer)

4.2 unsignedInt

   The type "unsignedInt" represents an integer value in the range of 0
   to 4294967295. (i.e. a 32-bit unsigned integer)

4.3 long

   The type "long" represents an integer value in the range of
   9223372036854775807 to -9223372036854775808. (i.e. a 64-bit integer)

4.4 unsignedLong

   The type "unsignedLong" represents an integer value in the range of 0
   to 18446744073709551615. (i.e. a 64-bit unsigned integer)

4.5 float




Calato, et al.         Expires February 10, 2004                [Page 8]


Internet-Draft          IPFIX Information Model              August 2003


   The type "float" corresponds to an IEEE single-precision 32-bit
   floating point type.

4.6 double

   The double datatype corresponds to IEEE double-precision 64-bit
   floating point type

4.7 hexBinary

   The type "hexBinary" represents a finite length string of octets.
   Note the name reflects the mechanism used in XML documents to
   represent the value using ASCII characters.

4.8 string

   The type "string" represents a finite length string of valid
   characters from the Unicode character encoding set. Unicode allows
   for ASCII and many other international character sets to be used. It
   is expected that strings will be encoded in UTF-8 format, which is
   identical in encoding for USASCII characters, but also accomodates
   other Unicode multibyte characters.

4.9 boolean

   The type "boolean" represents the values for binary logic. (i.e.
   "true/false" or "1/0").

4.10 byte

   The type "byte" represents a integer numeric value in the range of
   -128 to 127. (i.e. an 8-bit integer)

4.11 unsignedByte

   The type "unsignedByte" represents a non-negative integer numeric
   value in the range of 0 to 255. (i.e. an 8-bit unsigned integer)

4.12 short

   The type "short" represents a integer numeric value in the range of
   32767 to 32768. (i.e. an 16-bit integer)

4.13 unsignedShort

   The type "unsignedShort" represents a non-negative integer numeric
   value in the range of 0 to 65535. (i.e. an 16-bit unsigned integer)




Calato, et al.         Expires February 10, 2004                [Page 9]


Internet-Draft          IPFIX Information Model              August 2003


4.14 dateTime

   The "dateTime" type represents a specific instant of time. It is
   further restricted from the basic XML dateTime type to having a
   precision of seconds and normalized to the GMT timezone. Such types
   are in common use on many Operating Systems and have the advantage
   that they can be stored in 32-bit integers.

4.15 ipdr:dateTimeMsec

   The "dateTimeMsec" type is defined in the IPDR namespace. It
   represents a specific instant of time. It is further restricted from
   the basic XML dateTime type to having a precision of milliseconds and
   normalized to the GMT timezone.

   Such types are in common use on many Operating Systems and have the
   advantage that they can be stored in 64-bit integers.

4.16 ipdr:ipV4Addr

   The "ipV4Addr" type indicates the value is an IP version 4 address.
   These addresses are typically stored as 32-bit integers on systems.

4.17 ipdr:ipV6Addr

   The "ipV6Addr" type indicates the value is an IP version 6 address.
   IPv6 addresses are octet strings of length 16.

4.18 ipdr:UUID

   The "UUID" type represents a universal unique id as defined in the
   OSF specification for Distributed Computing Environment (DCE). It's
   definition can be found in the OSF CAE Specification, Document C706,
   1997, Appendix A, located at: http://www.opengroup.org/onlinepubs/
   009629399/

   UUIDs are equivalent to Globally Unique Identifiers (GUIDs) used by
   Microsoft.

   UUIDs are 16 byte quantities which are generated in such a way that
   systems can independently generate their values, but still have a
   guarantee of global uniqueness of the generated value.

   UUID's are typically written in the form
   f81d4fae-7dec-11d0-a765-00a0c91e6bf6. Which merely shows in
   hexadecimal the 16 byte value. Separators are introduced to segment
   the hex value into groupings of 4, 2, 2, 2 and 6 bytes.




Calato, et al.         Expires February 10, 2004               [Page 10]


Internet-Draft          IPFIX Information Model              August 2003


   An open source C implementation of UUID generation is available in
   the appendix of the IETF draft, draftleach-uuids-guids-01.txt. This
   draft has expired, but an archived copy is available at: http://
   www.ipdr.org/public/draft-leach-uuids-guids-01.txt

   Note: the IETF draft was allowed to expire because the group
   considered the OSF work a referenceable standard and did not chose to
   duplicate it.

4.19 ipdr:dateTimeUsec

   The dateTimeUsec type is defined in the IPDR namespace. It represents
   a specific instant of time. It is further restricted from the basic
   XML dateTime type to having a precision of microseconds and
   normalized to the GMT timezone.




































Calato, et al.         Expires February 10, 2004               [Page 11]


Internet-Draft          IPFIX Information Model              August 2003


5. Extending the Information Model

   A key requirement for IPFIX is to allow for extending the set of
   information items which are reported for flows. This section defines
   the mechanism for extending this set.

   The IPFIX protocol carries flow records defined by a template.
   Multiple templates may be defined for a dialog between an exporter
   and a collector. A given template identifies the information items
   and their order. The means of identification of information items in
   a template is via a field ID. Field Id's are unique identifiers
   administered by IANA (ed. ? true for vendor specific fields?).

   Extension is done by defining new Information elements, including the
   set of necessary information and possibly additional optional
   information for each element. Each new information item MUST be
   assigned a unique fieldId as part of its definition. These unique
   field ids are the connection between the record structure
   communicated by the protocol using templates and a consuming
   application.































Calato, et al.         Expires February 10, 2004               [Page 12]


Internet-Draft          IPFIX Information Model              August 2003


6. Flow Attributes

6.1 sourceAddress

   Description:

   IPv4 source address taken from the packet header.

   Type:  The sourceAddress element is of type ipdr:ipV4Addr.

   Field Id:  8

6.2 sourceAddressV6

   Description:

   IPv6 source address taken from the packet header.

   Type:  The sourceAddressV6 element is of type ipdr:ipV6Addr.

   Field Id:  27

6.3 destinationAddress

   Description:

   IPv4 destination address taken from the packet header.

   Type:  The destinationAddress element is of type ipdr:ipV4Addr.

   Field Id:  12

6.4 destinationAddressV6

   Description:

   IPv6 destination address taken from the packet header.

   Type:  The destinationAddressV6 element is of type ipdr:ipV6Addr.

   Field Id:  28

6.5 protocolIdentifier

   Description:

   Protocol number identified in the IP packet.




Calato, et al.         Expires February 10, 2004               [Page 13]


Internet-Draft          IPFIX Information Model              August 2003


   In the Internet Protocol version 4 (IPv4) [RFC791] there is a field,
   called "Protocol", to identify the next level protocol.  This is an 8
   bit field.  In Internet Protocol version 6 (IPv6) [RFC1883] this
   field is called the "Next Header" field.

   These numbers are administered by IANA.

   Type:  The protocolIdentifier element is of type int.

   Reference:  Additional information on this element can be found at
   http://www.iana.org/assignments/protocol-numbers.

   Field Id:  4

6.6 sourcePort

   Description:

   This information element is used to report  UDP source port [see RFC
   768] or TCP source port [see RFC 793] as taken from the IP header.

   Type:  The sourcePort element is of type unsignedShort.

   Field Id:  7

6.7 destinationPort

   Description:

   This information element is used to report  UDP destination port [see
   RFC 768] or TCP destination port [see RFC 793] as taken from the IP
   header.

   Type:  The destinationPort element is of type unsignedShort.

   Field Id:  11

6.8 ingressPort

   Description:

   The ifIndex where the packets for the flow are being received.
   ifIndex is defined by RFC 2233.

   Type:  The ingressPort element is of type unsignedShort.

   Field Id:  10




Calato, et al.         Expires February 10, 2004               [Page 14]


Internet-Draft          IPFIX Information Model              August 2003


6.9 egressPort

   Description:

   The ifIndex where the packets for the flow are exiting. ifIndex is
   defined by RFC 2233.

   Type:  The egressPort element is of type unsignedShort.

   Field Id:  14

6.10 packetCount

   Description:

   Contains the count of packets sent and received associated with the
   identified flow.

   The packet count can be for packets received (towards source) or
   packets sent (towards destination) or both (bi-directional flow).

   The packet count can be a running counter and is the count from the
   beginning of the flow establishment.

   The packet count can be a delta counter and is the count since the
   last report for this flow.

   Type:  The packetCount element is of type int.

   Units:  The unit of measure is  packets.

   Field Id:  2

6.11 byteCount

   Description:

   Contains the count of octets sent and received associated with the
   identified flow.

   The byte count can be for bytes received (towards source) or bytes
   sent (towards destination) or both (bi-directional flow).

   The byte count can be a running counter and is the count from the
   beginning of the flow establishment.

   The byte count can be a delta counter and is the count since the last
   report for this flow.



Calato, et al.         Expires February 10, 2004               [Page 15]


Internet-Draft          IPFIX Information Model              August 2003


   Type:  The byteCount element is of type int.

   Units:  The unit of measure is  bytes.

   Field Id:  1

6.12 classOfService

   Description:

   The class of service associated with a flow.

   Class of Service Received

   Class of Service Transmitted

   1. IPv4, CoS value is defined by ToS in RFC 791 2. IPv6, CoS value is
   defined by Traffic Class in RFC 2460 3. MPLS, CoS value is defined by
   Exp in RFC 3032 4. VLAN, CoS value is defined by user_priority in
   IEEE802.1q[802.1q] and IEEE 802.1p[802.1p]

   Type:  The classOfService element is of type byte.

   Field Id:  5

6.13 flowLabel

   Description:

   The Flow Label information element contains the IPV6 Flow Label
   information as defined by RFC 2460.

   Type:  The flowLabel element is of type int.

   Field Id:  31

6.14 flowCreationTime

   Description:

   The timestamp of the first packet of the flow.  (Ed. note:  current
   NFv9 protocol uses sysuptime vs. direct time.  Not interesting from
   an info model perspective, an artifact (and an annoying one from a
   consumer perspective) of the protocol implementation details. How to
   address?)

   Type:  The flowCreationTime element is of type dateTime.




Calato, et al.         Expires February 10, 2004               [Page 16]


Internet-Draft          IPFIX Information Model              August 2003


   Field Id:  21

6.15 flowEndTime

   Description:

   The timestamp of the last packet of the flow.  (Ed. note:  current
   NFv9 protocol uses sysuptime vs. direct time.  Not interesting from
   an info model perspective, an artifact (and an annoying one from a
   consumer perspective) of the protocol implementation details. How to
   address?)

   Type:  The flowEndTime element is of type dateTime.

   Field Id:  22

6.16 sourceAS

   Description:

   The Autonomous System (AS) numbers for the source address associated
   with a flow. Autonomous System (AS) number is defined by RFC 1930 and
   RFC 1771 (BGP-4):

   Type:  The sourceAS element is of type int.

   Field Id:  16

6.17 destinationAS

   Description:

   The Autonomous System (AS) numbers for the destination address
   associated wit a flow. Autonomous System (AS) number is defined by
   RFC 1930 and RFC 1771 (BGP-4).

   Type:  The destinationAS element is of type int.

   Field Id:  17

6.18 nextHopAS

   Description:

   The Autonomous System (AS) numbers for the next hop IP. Autonomous
   System (AS) number is defined by RFC 1930 and RFC 1771 (BGP-4).

   Type:  The nextHopAS element is of type int.



Calato, et al.         Expires February 10, 2004               [Page 17]


Internet-Draft          IPFIX Information Model              August 2003


   Field Id:  -1

6.19 tcpControlBits

   Description:

   The TCP control bits seen for this flow. Note a 0 value for each bit
   only indicates that the flag was not detected (i.e. it may have
   occurred but was not detected by the reporting CCE). TCP Control Bits
   are defined by RFC 793.

   Type:  The tcpControlBits element is of type int.

   Field Id:  6

6.20 ipV4SourceExporterAddress

   Description:

   The IPV4 address of the Exporter reporting the flow. This information
   is used by applications to later correlate the ingress/egress port
   with a specific Exporter. It is also used to maintain the source
   Exporter information when there is an intermediate proxy. For
   example, given the picture below:



                  SW1 --------    P1 ------ Collector
                                  ^
                                  |
                  SW2----------   |

   Flows coming from SW1 and SW2 through proxy P1 would look to the
   Collector like the same Exporter connection. With the Source Exporter
   in the message the original Exporter  address is maintained.

   Type:  The ipV4SourceExporterAddress element is of type
   ipdr:ipV4Addr.

   Field Id:  -1

6.21 ipV6SourceExporterAddress

   Description:

   The IPv4 address of the Exporter reporting  the flow. This
   information is used by applications to later correlate the ingress/
   egress port with a specific Exporter. It is also used to maintain the



Calato, et al.         Expires February 10, 2004               [Page 18]


Internet-Draft          IPFIX Information Model              August 2003


   source Exporter information when there is an intermediate proxy. For
   example, given the picture below:



                  SW1 --------    P1 ------ Collector
                                  ^
                                  |
                  SW2----------   |

   Flows coming from SW1 and SW2 through proxy P1 would look to the
   Collector like the same Exporter connection. With the Source Exporter
   in the message the original Exporter  address is maintained.

   Type:  The ipV6SourceExporterAddress element is of type
   ipdr:ipV6Addr.

   Field Id:  -1

6.22 droppedPacketCount

   Description:

   Contains the count of packets dropped at the observation point
   associated with the identified flow.

   The dropped packet count can be a running counter and is the count
   from the beginning of the flow establishment.

   The dropped packet count can be a delta counter and is the count
   since the last report for this flow.

   Type:  The droppedPacketCount element is of type int.

   Units:  The unit of measure is  packets.

   Field Id:  -1

6.23 samplingInterval

   Description:

   When using Sampling, the rate at which packets is sampled. For
   example, a value of 100 indicates that one of every hundred packets
   is sampled.

   Type:  The samplingInterval element is of type int.




Calato, et al.         Expires February 10, 2004               [Page 19]


Internet-Draft          IPFIX Information Model              August 2003


   Field Id:  34

6.24 samplingAlgorithm

   Description:

   The type of algorithm used for sampling data. Currently, the only
   sampling algorithm defined  is: 0x02 packet-sampling

   Type:  The samplingAlgorithm element is of type int.

   Field Id:  35

6.25 flowEndState

   Description:

   The reason the flow has ended. 1. Inactivity timeout 2. End of flow
   detected (e.g. TCP FIN) 3. Forced end ???? 4. Cache full
   [enumerations in IPDR service def schemas are recommended to be of
   form string, w/ integer values (for Compact format) defined via
   annotation]

   Type:  The flowEndState element is of type int.

   Field Id:  -1

6.26 droppedByteCount

   Description:

   Contains the count of octets dropped at the observation point
   associated with the identified flow.

   The dropped byte count can be a running counter and is the count from
   the beginning of the flow establishment.

   The byte count can be a delta counter and is the count since the last
   report for this flow.

   Type:  The droppedByteCount element is of type int.

   Units:  The unit of measure is  bytes.

   Field Id:  -1






Calato, et al.         Expires February 10, 2004               [Page 20]


Internet-Draft          IPFIX Information Model              August 2003


7. The Benefits of a Formal Machine Readable Information Model

   Appendix A. expresses the IPFIX Information model as an XML-Schema.
   Using a formal and machine readable syntax for the Information model
   enables the creation of IPFIX aware tools which can automatically
   adapt to extensions to the information model, by simply reading
   updated information model specifications.

   The use of XML-Schema as the formal specification language is modeled
   after the techniques employed by the IPDR NDM-U specification.

   The wide availability of XML aware tools and libraries for client
   devices is a primary consideration for this choice.  In particular
   libraries for parsing XML documents are readily available.  Also
   mechanisms such as the Extensible Stylesheet Language (XSL) allow for
   transforming a source XML document into other documents.  This draft
   was initially authored in XML and transformed according to RFC2629.

   It should be noted that the use of XML in exporters, collectors or
   other tools is not mandatory for the deployment of IPFIX.  In
   particular exporting processes do not produce or consume XML as part
   of their operation.  It is expected that IPFIX collectors MAY take
   advantage of the machine readability of the Information Model vs.
   hardcoding their behavior or inventing proprietary means for
   accomodating extensions.


























Calato, et al.         Expires February 10, 2004               [Page 21]


Internet-Draft          IPFIX Information Model              August 2003


8. Security Considerations

   The IPFIX information model itself does not directly introduce
   security issues. Rather it defines a set of attributes which may for
   privacy or business issues be considered sensitive information.

   The underlying protocol used to exchange the information described
   here must therefor apply appropriate procedures to guarantee the
   integrity and confidentiality of the exported information.  Such
   protocols are defined in separate documents. Specifically the IPFIX
   Protocol document.








































Calato, et al.         Expires February 10, 2004               [Page 22]


Internet-Draft          IPFIX Information Model              August 2003


References

   [1]   Quittek, J., "Requirements for IP Flow Information Export",
         IETF draft work in progress, August 2003, <http://www.ietf.org/
         internet-drafts/draft-ietf-ipfix-reqs-10.txt>.

   [2]   Sadasivan, G. and N. Brownlee, "Architecture Model for IP Flow
         Information Export", IETF draft work in progress, June 2003,
         <http://www.ietf.org/internet-drafts/
         draft-ietf-ipfix-arch-01.txt>.

   [3]   Zseby, T., Penno, R., Claise, B. and N. Brownlee, "IPFIX
         Applicability", IETF draft work in progress, June 2003, <http:/
         /www.ietf.org/internet-drafts/draft-ietf-ipfix-as-00.txt>.

   [4]   Claise, B., Fullmer, M., Calato, P. and R. Penno, "IPFIX
         Protocol Specification", IETF draft work in progress, June
         2003, <http://www.ietf.org/internet-drafts/
         draft-ietf-ipfix-protocol-00.txt>.

   [5]   Claise, B., "Cisco Systems NetFlow Services Export Version 9",
         IETF draft work in progress, June 2003, <http://www.ietf.org/
         internet-drafts/draft-claise-netflow-9-02.txt>.

   [6]   World Wide Web Consortium, "Extensible Markup Language (XML)
         1.0", W3C XML, February 1998, <http://www.w3.org/TR/1998/
         REC-xml-19980210>.

   [7]   World Wide Web Consortium, "XML Schema Part 1: Structures", W3C
         XML, May 2001, <http://www.w3.org/TR/2001/
         REC-xmlschema-1-20010502/>.

   [8]   World Wide Web Consortium, "XML Schema Part 2: Datatypes", W3C
         XML, May 2001, <http://www.w3.org/TR/2001/
         REC-xmlschema-2-20010502/datatypes.html>.

   [9]   Internet Protocol Detail Record Organization, "Network Data
         Management - Usage (NDM-U) For IP-Based Services Version
         3.1.1", October 2002, <http://www.ipdr.org/documents/
         NDM-U_3.1.1.pdf>.

   [10]  Brownlee, N. and A. Blount, "Accounting Attributes and Record
         Formats", RFC 2924, Sept. 2000, <http://www.ietf.org/rfc/
         rfc2924.txt>.

   [11]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June
         1999, <http://xml.resource.org/public/rfc/html/rfc2629.html>.




Calato, et al.         Expires February 10, 2004               [Page 23]


Internet-Draft          IPFIX Information Model              August 2003


   [12]  Hollenbeck, S., Rose, M. and L. Masinter, "Guidelines for the
         Use of Extensible Markup Language (XML) within IETF Protocols",
         RFC 3470, January 2003, <http://www.ietf.org/rfc/rfc3470.txt>.

   [13]  Pras, A. and J. Schoenwaelder, "On the Difference between
         Information Models and Data Models", RFC 3444, January 2003,
         <http://www.ietf.org/rfc/rfc3444.txt>.


Authors' Addresses

   Paul Calato
   Riverstone Networks Inc
   5200 Great America Parkway
   Santa Clara, CA  95054
   US

   Phone: +1 603 557-6913
   EMail: calato@riverstonenet.com
   URI:   http://www.riverstonenet.com


   Jeff Meyer
   Hewlett-Packard
   19420 Homestead Rd.
   Cupertino, CA  95014
   US

   Phone: +1 408 447-3477
   EMail: jeff.meyer2@hp.com
   URI:   http://www.hp.com


   Juergen Quittek
   NEC Europe Ltd.
   Adenauerplatz 6
   Heidelberg  69115
   Germany

   Phone: +49 6221 90511-15
   EMail: quittek@ccrle.nec.de
   URI:   http://www.neceurope.com/









Calato, et al.         Expires February 10, 2004               [Page 24]


Internet-Draft          IPFIX Information Model              August 2003


Appendix A. IPFIX IPDR Service Definition

   This proposal does not currently address possible IANA implications
   associated with XML Namespace URIs. The use of Namespaces as an
   extension mechanism implies that an IANA registered Namespace URI
   should be available and that directory names below this base URI be
   assigned for relevant IETF specifications. The author is not aware of
   this mechanism today. Alternatively IPDR.org could fulfill this role.
   The sample uses the IPDR.org namespace.

   The normative status of this appendix versus the section "Flow
   Attributes" is a point of discussion.  The "Flow Attributes" section
   is simply machine generated from the formal XML document below.  As
   such using the formal XML document would seem preferable.  However
   historical conventions and IETF's overall level of XML adoption may
   lead to selection of the human readable text in the "Flow Attributes"
   section as being preferable as normative.



   <schema xmlns:ipdr="http://www.ipdr.org/namespaces/ipdr"
           xmlns:ipfix="http://www.iana.org/namespaces/ipfix">

   <annotation>
     <documentation>
     <t>
     This document defines a subset of the identified IPFIX data
     model as XML Schema elements and complexTypes.  This schema
     definition is compatable with the IPDR Service Definition
     format, enabling flow information to be represented as XML
     or binary documents.  And defines the format used when streaming
     flow information to a recording system.
     </t>
     </documentation>
   </annotation>


   <element name="sourceAddress" type="ipdr:ipV4Addr">
   <annotation>
     <documentation>
     <t>
      IPv4 source address taken from the packet header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>8</ipfix:fieldId>
     </appinfo>
   </annotation>



Calato, et al.         Expires February 10, 2004               [Page 25]


Internet-Draft          IPFIX Information Model              August 2003


   </element>


   <element name="sourceAddressV6" type="ipdr:ipV6Addr">
   <annotation>
     <documentation>
     <t>
      IPv6 source address taken from the packet header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>27</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>


   <element name="destinationAddress" type="ipdr:ipV4Addr">
   <annotation>
     <documentation>
     <t>
      IPv4 destination address taken from the packet header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>12</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>


   <element name="destinationAddressV6" type="ipdr:ipV6Addr">
   <annotation>
     <documentation>
     <t>
      IPv6 destination address taken from the packet header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>28</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>


   <element name="protocolIdentifier" type="int">
   <annotation>
     <documentation>



Calato, et al.         Expires February 10, 2004               [Page 26]


Internet-Draft          IPFIX Information Model              August 2003


      <t>
      Protocol number identified in the IP packet.
      </t><t>
      In the Internet Protocol version 4 (IPv4) [RFC791] there is a field,
      called "Protocol", to identify the next level protocol.  This is an 8
      bit field.  In Internet Protocol version 6 (IPv6) [RFC1883] this field
      is called the "Next Header" field.
      </t><t>
      These numbers are administered by IANA.
      </t>
     </documentation>
     <appinfo>
       <ipdr:reference>http://www.iana.org/assignments/protocol-numbers</ipdr:reference>
     </appinfo>
     <appinfo>
       <ipfix:fieldId>4</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="sourcePort" type="unsignedShort">
   <annotation>
     <documentation>
     <t>
      This information element is used to report  UDP source port [see
      RFC 768] or TCP source port [see RFC 793] as taken from the IP
      header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>7</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="destinationPort" type="unsignedShort">
   <annotation>
     <documentation>
     <t>
      This information element is used to report  UDP destination port
      [see RFC 768] or TCP destination port [see RFC 793] as taken from
      the IP header.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>11</ipfix:fieldId>
     </appinfo>
   </annotation>



Calato, et al.         Expires February 10, 2004               [Page 27]


Internet-Draft          IPFIX Information Model              August 2003


   </element>

   <element name="ingressPort" type="unsignedShort">
   <annotation>
     <documentation>
     <t>
      The ifIndex where the packets for the flow are being received.
      ifIndex is defined by RFC 2233.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>10</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="egressPort" type="unsignedShort">
   <annotation>
     <documentation>
     <t>
      The ifIndex where the packets for the flow are exiting. ifIndex is
      defined by RFC 2233.
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>14</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="packetCount" type="int">
   <annotation>
     <documentation>
     <t>
      Contains the count of packets sent and received associated with
      the identified flow.
     </t><t>
      The packet count can be for packets received (towards source) or
      packets sent (towards destination) or both (bi-directional flow).
     </t><t>
      The packet count can be a running counter and is the count from
      the beginning of the flow establishment.
     </t><t>
      The packet count can be a delta counter and is the count since the
      last report for this flow.
     </t>
     </documentation>
     <appinfo>
       <ipdr:units>packets</ipdr:units>
     </appinfo>



Calato, et al.         Expires February 10, 2004               [Page 28]


Internet-Draft          IPFIX Information Model              August 2003


     <appinfo>
       <ipfix:fieldId>2</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="byteCount" type="int">
   <annotation>
     <documentation>
      <t>
      Contains the count of octets sent and received associated with the
      identified flow.
      </t><t>
      The byte count can be for bytes received (towards source) or bytes
      sent (towards destination) or both (bi-directional flow).
      </t><t>
      The byte count can be a running counter and is the count from the
      beginning of the flow establishment.
      </t><t>
      The byte count can be a delta counter and is the count since the
      last report for this flow.
      </t>
     </documentation>
     <appinfo>
       <ipdr:units>bytes</ipdr:units>
     </appinfo>
     <appinfo>
       <ipfix:fieldId>1</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="classOfService" type="byte">
   <annotation>
     <documentation>
      <t>
      The class of service associated with a flow.
      </t><t>
      Class of Service Received
      </t><t>
      Class of Service Transmitted
      </t><t>
         1. IPv4, CoS value is defined by ToS in RFC 791
         2. IPv6, CoS value is defined by Traffic Class in RFC 2460
         3. MPLS, CoS value is defined by Exp in RFC 3032
         4. VLAN, CoS value is defined by user_priority in
            IEEE802.1q[802.1q] and IEEE 802.1p[802.1p]
      </t>
     </documentation>
     <appinfo>



Calato, et al.         Expires February 10, 2004               [Page 29]


Internet-Draft          IPFIX Information Model              August 2003


       <ipfix:fieldId>5</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="flowLabel" type="int">
   <annotation>
     <documentation>
      <t>
      The Flow Label information element contains the IPV6 Flow Label
      information as defined by RFC 2460.
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>31</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="flowCreationTime" type="dateTime">
   <annotation>
     <documentation>
     <t>
      The timestamp of the first packet of the flow.  (Ed. note:  current NFv9
      protocol uses sysuptime vs. direct time.  Not interesting from an info
      model perspective, an artifact (and an annoying one from a consumer
      perspective) of the protocol implementation details. How to address?)
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>21</ipfix:fieldId>
     </appinfo></annotation>
   </element>


   <element name="flowEndTime" type="dateTime">
   <annotation>
     <documentation>
     <t>
      The timestamp of the last packet of the flow.  (Ed. note:  current NFv9
      protocol uses sysuptime vs. direct time.  Not interesting from an info
      model perspective, an artifact (and an annoying one from a consumer
      perspective) of the protocol implementation details. How to address?)
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>22</ipfix:fieldId>
     </appinfo></annotation>
   </element>




Calato, et al.         Expires February 10, 2004               [Page 30]


Internet-Draft          IPFIX Information Model              August 2003


   <element name="sourceAS" type="int">
   <annotation>
     <documentation>
     <t>
      The Autonomous System (AS) numbers for the source address
      associated with a flow. Autonomous System (AS) number is defined
      by RFC 1930 and RFC 1771 (BGP-4):
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>16</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="destinationAS" type="int">
   <annotation>
     <documentation>
     <t>
      The Autonomous System (AS) numbers for the destination address
      associated wit a flow. Autonomous System (AS) number is defined by
      RFC 1930 and RFC 1771 (BGP-4).
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>17</ipfix:fieldId>
     </appinfo></annotation>
   </element>

   <element name="nextHopAS" type="int">
   <annotation>
     <documentation>
     <t>
      The Autonomous System (AS) numbers for the next hop IP. Autonomous
      System (AS) number is defined by RFC 1930 and RFC 1771 (BGP-4).
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="tcpControlBits" type="int">
   <annotation>
     <documentation>
     <t>
      The TCP control bits seen for this flow. Note a 0 value for each
      bit only indicates that the flag was not detected (i.e. it may



Calato, et al.         Expires February 10, 2004               [Page 31]


Internet-Draft          IPFIX Information Model              August 2003


      have occurred but was not detected by the reporting CCE). TCP
      Control Bits are defined by RFC 793.
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>6</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="ipV4SourceExporterAddress" type="ipdr:ipV4Addr">
   <annotation>
     <documentation>
     <t>
      The IPV4 address of the Exporter reporting the flow. This
      information is used by applications to later correlate the
      ingress/egress port with a specific Exporter. It is also used to
      maintain the source Exporter information when there is an
      intermediate proxy. For example, given the picture below:
     </t><t><figure><artwork xml:space="preserve">

                  SW1 --------    P1 ------ Collector
                                  ^
                                  |
                  SW2----------   |
      </artwork></figure></t><t>
      Flows coming from SW1 and SW2 through proxy P1 would look to the
      Collector like the same Exporter
      connection. With the Source Exporter in the message the original
      Exporter  address is maintained.
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="ipV6SourceExporterAddress" type="ipdr:ipV6Addr">
   <annotation>
     <documentation>
     <t>
      The IPv4 address of the Exporter reporting  the flow. This
      information is used by applications to later correlate the
      ingress/egress port with a specific Exporter. It is also used to
      maintain the source Exporter information when there is an
      intermediate proxy. For example, given the picture below:
     </t><t><figure><artwork xml:space="preserve">



Calato, et al.         Expires February 10, 2004               [Page 32]


Internet-Draft          IPFIX Information Model              August 2003


                  SW1 --------    P1 ------ Collector
                                  ^
                                  |
                  SW2----------   |
      </artwork></figure></t><t>
      Flows coming from SW1 and SW2 through proxy P1 would look to the
      Collector like the same Exporter
      connection. With the Source Exporter in the message the original
      Exporter  address is maintained.
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="droppedPacketCount" type="int">
   <annotation>
     <documentation>
     <t>
      Contains the count of packets dropped at the observation point
      associated with the identified flow.
     </t><t>
      The dropped packet count can be a running counter and is the count
      from the beginning of the flow establishment.
     </t><t>
      The dropped packet count can be a delta counter and is the count
      since the last report for this flow.
     </t>
     </documentation>
     <appinfo>
       <ipdr:units>packets</ipdr:units>
     </appinfo>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="samplingInterval" type="int">
   <annotation>
     <documentation>
     <t>
      When using Sampling, the rate at which packets is sampled. For
      example, a value of 100 indicates that one of every hundred
      packets is sampled.
      </t>



Calato, et al.         Expires February 10, 2004               [Page 33]


Internet-Draft          IPFIX Information Model              August 2003


     </documentation>
     <appinfo>
       <ipfix:fieldId>34</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="samplingAlgorithm" type="int">
   <annotation>
     <documentation>
     <t>
      The type of algorithm used for sampling data. Currently, the only
      sampling algorithm defined  is:
      0x02 packet-sampling
     </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>35</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="flowEndState" type="int">
   <annotation>
     <documentation>
     <t>
      The reason the flow has ended.
           1. Inactivity timeout
           2. End of flow detected (e.g. TCP FIN)
           3. Forced end ????
           4. Cache full

      [enumerations in IPDR service def schemas are recommended to be
       of form string, w/ integer values (for Compact format)
       defined via annotation]
      </t>
     </documentation>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   <element name="droppedByteCount" type="int">
   <annotation>
     <documentation>
      <t>
      Contains the count of octets dropped at the observation point



Calato, et al.         Expires February 10, 2004               [Page 34]


Internet-Draft          IPFIX Information Model              August 2003


      associated with the identified flow.
      </t><t>
      The dropped byte count can be a running counter and is the count
      from the beginning of the flow establishment.
      </t><t>
      The byte count can be a delta counter and is the count since the
      last report for this flow.
      </t>
     </documentation>
     <appinfo>
       <ipdr:units>bytes</ipdr:units>
     </appinfo>
     <appinfo>
       <ipfix:fieldId>-1</ipfix:fieldId>
     </appinfo>
   </annotation>
   </element>

   </schema>
































Calato, et al.         Expires February 10, 2004               [Page 35]


Internet-Draft          IPFIX Information Model              August 2003


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION



Calato, et al.         Expires February 10, 2004               [Page 36]


Internet-Draft          IPFIX Information Model              August 2003


   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.











































Calato, et al.         Expires February 10, 2004               [Page 37]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/