Internet Engineering Task Force (IETF) A. Yourtchenko Request for Comments: 7270 P. Aitken Category: Informational B. Claise ISSN: 2070-1721 Cisco Systems, Inc. June 2014 Cisco-Specific Information Elements Reused in IP Flow Information Export (IPFIX) Abstract This document describes some additional IP Flow Information Export (IPFIX) Information Elements in the range of 1-127, which is the range compatible with field types used by NetFlow version 9 in RFC 3954, as specified in the IPFIX Information Model in RFC 7012. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7270. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Yourtchenko, et al. Informational [Page 1] RFC 7270 Cisco Information Elements June 2014 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Information Elements Overview . . . . . . . . . . . . . . . . 3 4. Information Elements . . . . . . . . . . . . . . . . . . . . 4 4.1. samplingInterval . . . . . . . . . . . . . . . . . . . . 4 4.2. samplingAlgorithm . . . . . . . . . . . . . . . . . . . . 4 4.3. engineType . . . . . . . . . . . . . . . . . . . . . . . 5 4.4. engineId . . . . . . . . . . . . . . . . . . . . . . . . 5 4.5. ipv4RouterSc . . . . . . . . . . . . . . . . . . . . . . 5 4.6. samplerId . . . . . . . . . . . . . . . . . . . . . . . . 6 4.7. samplerMode . . . . . . . . . . . . . . . . . . . . . . . 6 4.8. samplerRandomInterval . . . . . . . . . . . . . . . . . . 6 4.9. classId . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.10. samplerName . . . . . . . . . . . . . . . . . . . . . . . 7 4.11. flagsAndSamplerId . . . . . . . . . . . . . . . . . . . . 7 4.12. forwardingStatus . . . . . . . . . . . . . . . . . . . . 8 4.13. srcTrafficIndex . . . . . . . . . . . . . . . . . . . . . 9 4.14. dstTrafficIndex . . . . . . . . . . . . . . . . . . . . . 10 4.15. className . . . . . . . . . . . . . . . . . . . . . . . . 10 4.16. layer2packetSectionOffset . . . . . . . . . . . . . . . . 10 4.17. layer2packetSectionSize . . . . . . . . . . . . . . . . . 10 4.18. layer2packetSectionData . . . . . . . . . . . . . . . . . 11 5. Other Information Elements . . . . . . . . . . . . . . . . . 11 5.1. Performance Metrics IEs . . . . . . . . . . . . . . . . . 11 5.2. Application Information IEs . . . . . . . . . . . . . . . 11 5.3. IEs Assigned for NetFlow v9 Compatibility . . . . . . . . 11 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . 13 Appendix A. XML Specification of IPFIX Information Elements . . 15 1. Introduction Section 4 of [RFC7012] defines the IPFIX Information Elements (IEs) in the range of 1-127 to be compatible with the NetFlow version 9 fields, as specified in "Cisco Systems NetFlow Services Export Version 9" [RFC3954]. As [RFC3954] was published in 2004, it does not contain all NetFlow version 9 field types in the range of 1-127. The question was asked whether IPFIX Devices should exclusively report the IANA IPFIX IEs [IANA-IPFIX]. In other words, when upgrading from a NetFlow Metering Process to an IPFIX Metering Process, should the IPFIX Devices stop reporting IEs specific to NetFlow version 9 that were not registered in IANA [IANA-IPFIX]? Yourtchenko, et al. Informational [Page 2] RFC 7270 Cisco Information Elements June 2014 This document is intended to fill the gap in this IE range. It describes some additional IPFIX Information Elements in the range of 1-127, which is the range compatible with field types used by NetFlow version 9 in [RFC3954], as specified in the IPFIX Information Model [RFC7012]. With this, IPFIX implementations could export all the Information Elements specified in IANA [IANA-IPFIX], regardless of the range. This document follows the rules in "Guidelines for Authors and Reviewers of IP Flow Export (IPFIX) Information Elements" [RFC7013]. This document does not extend [RFC3954]. The IPFIX Protocol [RFC7011] has its own Information Model ([RFC7012] and IANA [IANA-IPFIX]), which is extensible upon application to IANA, subject to expert review by IE-DOCTORS [RFC7013]. This document extends the IPFIX Information Model. 2. Terminology IPFIX-specific terminology used in this document is defined in Section 2 of [RFC7011]. As in [RFC7011], these IPFIX-specific terms have the first letter of a word capitalized when used in this document. 3. Information Elements Overview The following Information Elements are discussed in the sections below: +----+-----------------------+-----+---------------------------+ | ID | Name | ID | Name | +----+-----------------------+-----+---------------------------+ | 34 | samplingInterval | 84 | samplerName | | 35 | samplingAlgorithm | 87 | flagsAndSamplerId | | 38 | engineType | 89 | forwardingStatus | | 39 | engineId | 92 | srcTrafficIndex | | 43 | ipv4RouterSc | 93 | dstTrafficIndex | | 48 | samplerId | 100 | className | | 49 | samplerMode | 102 | layer2packetSectionOffset | | 50 | samplerRandomInterval | 103 | layer2packetSectionSize | | 51 | classId | 104 | layer2packetSectionData | +----+-----------------------+-----+---------------------------+ Table 1 Yourtchenko, et al. Informational [Page 3] RFC 7270 Cisco Information Elements June 2014 4. Information Elements 4.1. samplingInterval Description: Deprecated in favor of 305 samplingPacketInterval. When using sampled NetFlow, the rate at which packets are sampled -- e.g., a value of 100 indicates that one of every 100 packets is sampled. Abstract Data Type: unsigned32 ElementId: 34 Semantics: quantity Status: deprecated Units: packets 4.2. samplingAlgorithm Description: Deprecated in favor of 304 selectorAlgorithm. The type of algorithm used for sampled NetFlow: 1 - Deterministic Sampling, 2 - Random Sampling. The values are not compatible with the selectorAlgorithm IE, where "Deterministic" has been replaced by "Systematic count-based" (1) or "Systematic time-based" (2), and "Random" is (3). Conversion is required; see "Packet Sampling (PSAMP) Parameters" [IANA-PSAMP]. Abstract Data Type: unsigned8 ElementId: 35 Semantics: identifier Status: deprecated Yourtchenko, et al. Informational [Page 4] RFC 7270 Cisco Information Elements June 2014 4.3. engineType Description: Type of flow switching engine in a router/switch: RP = 0, VIP/Line card = 1, PFC/DFC = 2. Reserved for internal use on the Collector. Abstract Data Type: unsigned8 ElementId: 38 Semantics: identifier Status: deprecated 4.4. engineId Description: Versatile Interface Processor (VIP) or line card slot number of the flow switching engine in a router/switch. Reserved for internal use on the Collector. Abstract Data Type: unsigned8 ElementId: 39 Semantics: identifier Status: deprecated 4.5. ipv4RouterSc Description: This is a platform-specific field for the Catalyst 5000/Catalyst 6000 family. It is used to store the address of a router that is being shortcut when performing MultiLayer Switching. Abstract Data Type: ipv4Address ElementId: 43 Semantics: default Yourtchenko, et al. Informational [Page 5] RFC 7270 Cisco Information Elements June 2014 Status: deprecated Reference: [CCO-MLS] describes MultiLayer Switching. 4.6. samplerId Description: Deprecated in favor of 302 selectorId. The unique identifier associated with samplerName. Abstract Data Type: unsigned8 ElementId: 48 Semantics: identifier Status: deprecated 4.7. samplerMode Description: Deprecated in favor of 304 selectorAlgorithm. The values are not compatible: selectorAlgorithm=3 is random sampling. The type of algorithm used for sampling data: 1 - Deterministic, 2 - Random Sampling. Use with samplerRandomInterval. Abstract Data Type: unsigned8 ElementId: 49 Semantics: identifier Status: deprecated 4.8. samplerRandomInterval Description: Deprecated in favor of 305 samplingPacketInterval. Packet interval at which to sample -- in case of random sampling. Used in connection with the samplerMode 0x02 (random sampling) value. Abstract Data Type: unsigned32 ElementId: 50 Yourtchenko, et al. Informational [Page 6] RFC 7270 Cisco Information Elements June 2014 Semantics: quantity Status: deprecated 4.9. classId Description: Deprecated in favor of 302 selectorId. Characterizes the traffic class, i.e., QoS treatment. Abstract Data Type: unsigned8 ElementId: 51 Semantics: identifier Status: deprecated 4.10. samplerName Description: Deprecated in favor of 335 selectorName. Name of the flow sampler. Abstract Data Type: string ElementId: 84 Status: deprecated 4.11. flagsAndSamplerId Description: Flow flags and the value of the sampler ID (samplerId) combined in one bitmapped field. Reserved for internal use on the Collector. Abstract Data Type: unsigned32 ElementId: 87 Semantics: identifier Status: deprecated Yourtchenko, et al. Informational [Page 7] RFC 7270 Cisco Information Elements June 2014 4.12. forwardingStatus Description: This Information Element describes the forwarding status of the flow and any attached reasons. The reduced-size encoding rules as per [RFC7011] apply. The basic encoding is 8 bits. The future extensions could add one or three bytes. The layout of the basic encoding is as follows: MSB - 0 1 2 3 4 5 6 7 - LSB +---+---+---+---+---+---+---+---+ | Status| Reason code or flags | +---+---+---+---+---+---+---+---+ Status: 00b = Unknown 01b = Forwarded 10b = Dropped 11b = Consumed Reason Code (status = 01b, Forwarded) 01 000000b = 64 = Unknown 01 000001b = 65 = Fragmented 01 000010b = 66 = Not Fragmented Reason Code (status = 10b, Dropped) 10 000000b = 128 = Unknown 10 000001b = 129 = ACL deny 10 000010b = 130 = ACL drop 10 000011b = 131 = Unroutable 10 000100b = 132 = Adjacency 10 000101b = 133 = Fragmentation and DF set 10 000110b = 134 = Bad header checksum 10 000111b = 135 = Bad total Length 10 001000b = 136 = Bad header length 10 001001b = 137 = bad TTL 10 001010b = 138 = Policer 10 001011b = 139 = WRED 10 001100b = 140 = RPF 10 001101b = 141 = For us 10 001110b = 142 = Bad output interface 10 001111b = 143 = Hardware Yourtchenko, et al. Informational [Page 8] RFC 7270 Cisco Information Elements June 2014 Reason Code (status = 11b, Consumed) 11 000000b = 192 = Unknown 11 000001b = 193 = Punt Adjacency 11 000010b = 194 = Incomplete Adjacency 11 000011b = 195 = For us Examples: value : 0x40 = 64 binary: 01000000 decode: 01 -> Forward 000000 -> No further information value : 0x89 = 137 binary: 10001001 decode: 10 -> Drop 001001 -> Fragmentation and DF set Abstract Data Type: unsigned32 ElementId: 89 Semantics: identifier Status: current Reference: See "NetFlow Version 9 Flow-Record Format" [CCO-NF9FMT]. 4.13. srcTrafficIndex Description: BGP Policy Accounting Source Traffic Index. Abstract Data Type: unsigned32 ElementId: 92 Semantics: identifier Status: current Reference: BGP policy accounting as described in [CCO-BGPPOL]. Yourtchenko, et al. Informational [Page 9] RFC 7270 Cisco Information Elements June 2014 4.14. dstTrafficIndex Description: BGP Policy Accounting Destination Traffic Index. Abstract Data Type: unsigned32 ElementId: 93 Semantics: identifier Status: current Reference: BGP policy accounting as described in [CCO-BGPPOL]. 4.15. className Description: Deprecated in favor of 335 selectorName. Traffic Class Name, associated with the classId Information Element. Abstract Data Type: string ElementId: 100 Status: deprecated 4.16. layer2packetSectionOffset Description: Deprecated in favor of 409 sectionOffset. Layer 2 packet section offset. Potentially a generic packet section offset. Abstract Data Type: unsigned16 ElementId: 102 Semantics: quantity Status: deprecated 4.17. layer2packetSectionSize Description: Deprecated in favor of 312 dataLinkFrameSize. Layer 2 packet section size. Potentially a generic packet section size. Yourtchenko, et al. Informational [Page 10] RFC 7270 Cisco Information Elements June 2014 Abstract Data Type: unsigned16 ElementId: 103 Semantics: quantity Status: deprecated 4.18. layer2packetSectionData Description: Deprecated in favor of 315 dataLinkFrameSection. Layer 2 packet section data. Abstract Data Type: octetArray ElementId: 104 Status: deprecated 5. Other Information Elements 5.1. Performance Metrics IEs ElementId: 65 .. 69 Performance metrics will need a consolidation in the industry, based on [RFC6390]. Once this consolidation happens, via a separate document the IEs 65-69 will either be assigned in the IANA registry or their status will be deprecated. 5.2. Application Information IEs ElementId: 94 .. 96 ElementId: 101 Please refer to [RFC6759]. 5.3. IEs Assigned for NetFlow v9 Compatibility ElementId: 105..127 These element IDs are not covered by this document and are left "as is", i.e., for NetFlow v9 compatibility. Yourtchenko, et al. Informational [Page 11] RFC 7270 Cisco Information Elements June 2014 6. IANA Considerations This document specifies several new IPFIX Information Elements in IANA's "IPFIX Information Elements" registry [IANA-IPFIX] as summarized in Section 3 and detailed in Section 4 above. The following Information Elements have been assigned: o IE Number 34 for the samplingInterval IE o IE Number 35 for the samplingAlgorithm IE o IE Number 38 for the engineType IE o IE Number 39 for the engineId IE o IE Number 43 for the ipv4RouterSc IE o IE Number 48 for the samplerId IE o IE Number 49 for the samplerMode IE o IE Number 50 for the samplerRandomInterval IE o IE Number 51 for the classId IE o IE Number 84 for the samplerName IE o IE Number 87 for the flagsAndSamplerId IE o IE Number 89 for the forwardingStatus IE o IE Number 92 for the srcTrafficIndex IE o IE Number 93 for the dstTrafficIndex IE o IE Number 100 for the className IE o IE Number 102 for the layer2packetSectionOffset IE o IE Number 103 for the layer2packetSectionSize IE o IE Number 104 for the layer2packetSectionData IE Yourtchenko, et al. Informational [Page 12] RFC 7270 Cisco Information Elements June 2014 7. Security Considerations This document specifies the definitions of several Information Elements and does not alter the security considerations of the base protocol. Please refer to the security considerations sections of [RFC3954] and [RFC7012]. 8. References 8.1. Normative References [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, September 2013. 8.2. Informative References [CCO-BGPPOL] Cisco, "BGP Policy Accounting and BGP Policy Accounting Output Interface Accounting Features", December 2005, . [CCO-MLS] Cisco, "IP MultiLayer Switching Sample Configuration", November 2007, . [CCO-NF9FMT] Cisco, "NetFlow Version 9 Flow-Record Format", May 2011, . [IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", . [IANA-PSAMP] IANA, "Packet Sampling (PSAMP) Parameters", . [RFC3954] Claise, B., "Cisco Systems NetFlow Services Export Version 9", RFC 3954, October 2004. [RFC6390] Clark, A. and B. Claise, "Guidelines for Considering New Performance Metric Development", BCP 170, RFC 6390, October 2011. Yourtchenko, et al. Informational [Page 13] RFC 7270 Cisco Information Elements June 2014 [RFC6759] Claise, B., Aitken, P., and N. Ben-Dvora, "Cisco Systems Export of Application Information in IP Flow Information Export (IPFIX)", RFC 6759, November 2012. [RFC7012] Claise, B. and B. Trammell, "Information Model for IP Flow Information Export (IPFIX)", RFC 7012, September 2013. [RFC7013] Trammell, B. and B. Claise, "Guidelines for Authors and Reviewers of IP Flow Information Export (IPFIX) Information Elements", BCP 184, RFC 7013, September 2013. Yourtchenko, et al. Informational [Page 14] RFC 7270 Cisco Information Elements June 2014 Appendix A. XML Specification of IPFIX Information Elements Deprecated in favor of 305 samplingPacketInterval. When using sampled NetFlow, the rate at which packets are sampled -- e.g., a value of 100 indicates that one of every 100 packets is sampled. Deprecated in favor of 304 selectorAlgorithm. The type of algorithm used for sampled NetFlow: 1 - Deterministic Sampling, 2 - Random Sampling. The values are not compatible with the selectorAlgorithm IE, where "Deterministic" has been replaced by "Systematic count-based" (1) or "Systematic time-based" (2), and "Random" is (3). Conversion is required; see [IANA-PSAMP] PSAMP parameters. Type of flow switching engine in a router/switch: RP = 0, VIP/Line card = 1, PFC/DFC = 2. Reserved for internal use on the Collector. Yourtchenko, et al. Informational [Page 15] RFC 7270 Cisco Information Elements June 2014 Versatile Interface Processor (VIP) or line card slot number of the flow switching engine in a router/switch. Reserved for internal use on the Collector. This is a platform-specific field for the Catalyst 5000/Catalyst 6000 family. It is used to store the address of a router that is being shortcut when performing MultiLayer Switching. http://www.cisco.com/en/US/products/hw/switches/ps700/ products_configuration_example09186a00800ab513.shtml describes MultiLayer Switching. Deprecated in favor of 302 selectorId. The unique identifier associated with samplerName. Yourtchenko, et al. Informational [Page 16] RFC 7270 Cisco Information Elements June 2014 Deprecated in favor of 304 selectorAlgorithm. The values are not compatible: selectorAlgorithm=3 is random sampling. The type of algorithm used for sampled NetFlow: 1 - Deterministic Sampling, 2 - Random Sampling. Use with samplerRandomInterval. Deprecated in favor of 305 samplingPacketInterval. Packet interval at which to sample -- in case of random sampling. Used in connection with the samplerMode 0x02 (random sampling) value. Deprecated in favor of 302 selectorId. Characterizes the traffic class, i.e., QoS treatment. Deprecated in favor of 335 selectorName. Name of the flow sampler. Flow flags and the value of the sampler ID (samplerId) combined Yourtchenko, et al. Informational [Page 17] RFC 7270 Cisco Information Elements June 2014 in one bitmapped field. Reserved for internal use on the Collector. This Information Element describes the forwarding status of the flow and any attached reasons. The reduced-size encoding rules as per [RFC7011] apply. The basic encoding is 8 bits. The future extensions could add one or three bytes. The layout of the basic encoding is as follows: MSB - 0 1 2 3 4 5 6 7 - LSB +---+---+---+---+---+---+---+---+ | Status| Reason code or flags | +---+---+---+---+---+---+---+---+ Status: 00b = Unknown 01b = Forwarded 10b = Dropped 11b = Consumed Reason Code (status = 01b, Forwarded) 01 000000b = 64 = Unknown 01 000001b = 65 = Fragmented 01 000010b = 66 = Not Fragmented Reason Code (status = 10b, Dropped) 10 000000b = 128 = Unknown 10 000001b = 129 = ACL deny 10 000010b = 130 = ACL drop 10 000011b = 131 = Unroutable 10 000100b = 132 = Adjacency 10 000101b = 133 = Fragmentation and DF set 10 000110b = 134 = Bad header checksum 10 000111b = 135 = Bad total Length 10 001000b = 136 = Bad header length Yourtchenko, et al. Informational [Page 18] RFC 7270 Cisco Information Elements June 2014 10 001001b = 137 = bad TTL 10 001010b = 138 = Policer 10 001011b = 139 = WRED 10 001100b = 140 = RPF 10 001101b = 141 = For us 10 001110b = 142 = Bad output interface 10 001111b = 143 = Hardware Reason Code (status = 11b, Consumed) 11 000000b = 192 = Unknown 11 000001b = 193 = Punt Adjacency 11 000010b = 194 = Incomplete Adjacency 11 000011b = 195 = For us Examples: value : 0x40 = 64 binary: 01000000 decode: 01 -> Forward 000000 -> No further information value : 0x89 = 137 binary: 10001001 decode: 10 -> Drop 001001 -> Fragmentation and DF set See http://www.cisco.com/en/US/technologies/tk648/tk362/ technologies_white_paper09186a00800a3db9.html - NetFlow Version 9 Flow-Record Format. BGP Policy Accounting Source Traffic Index. BGP policy accounting as described in http://www.cisco.com/en/US/tech/tk365/ technologies_tech_note09186a0080094e88.shtml Yourtchenko, et al. Informational [Page 19] RFC 7270 Cisco Information Elements June 2014 BGP Policy Accounting Destination Traffic Index. BGP policy accounting as described in http://www.cisco.com/en/US/tech/tk365/ technologies_tech_note09186a0080094e88.shtml Deprecated in favor of 335 selectorName. Traffic Class Name, associated with the classId Information Element. Deprecated in favor of 409 sectionOffset. Layer 2 packet section offset. Potentially a generic packet section offset. Deprecated in favor of 312 dataLinkFrameSize. Layer 2 packet section size. Potentially a generic packet section size. Yourtchenko, et al. Informational [Page 20] RFC 7270 Cisco Information Elements June 2014 Deprecated in favor of 315 dataLinkFrameSection. Layer 2 packet section data. Authors' Addresses Andrew Yourtchenko Cisco Systems, Inc. De Kleetlaan, 7 Brussels, Diegem B-1831 Belgium Phone: +32 2 704 5494 EMail: ayourtch@cisco.com Paul Aitken Cisco Systems, Inc. 96 Commercial Quay Edinburgh EH6 6LX Scotland Phone: +44 131 561 3616 EMail: paitken@cisco.com Benoit Claise Cisco Systems, Inc. De Kleetlaan, 6a b1 Diegem B-1831 Belgium Phone: +32 2 704 5622 EMail: bclaise@cisco.com Yourtchenko, et al. Informational [Page 21]