Internet Engineering Task Force (IETF)                    B. Claise, Ed.
Request for Comments: 7012                           Cisco Systems, Inc.
Obsoletes: 5102                                         B. Trammell, Ed.
Category: Standards Track                                     ETH Zurich
ISSN: 2070-1721                                           September 2013

      Information Model for IP Flow Information Export (IPFIX)

Previous version: draft-ietf-ipfix-information-model-rfc5102bis-10.txt

Abstract

   This document defines the data types and management policy for the information model for the IP Flow Information Export (IPFIX) protocol. This information model is maintained as the IANA "IPFIX Information Elements" registry, the initial contents of which were defined by RFC 5102. This information model is used by the IPFIX protocol for encoding measured traffic information and information related to the traffic Observation Point, the traffic Metering Process, and the Exporting Process. Although this model was developed for the IPFIX protocol, it is defined in an open way that allows it to be easily used in other protocols, interfaces, and applications. This document obsoletes RFC 5102.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7012.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Changes since RFC 5102
      1.2. IPFIX Documents Overview
   2. Properties of IPFIX Protocol Information Elements
      2.1. Information Element Specification Template
      2.2. Scope of Information Elements
      2.3. Naming Conventions for Information Elements
   3. Type Space
      3.1. Abstract Data Types
         3.1.1. unsigned8
         3.1.2. unsigned16
         3.1.3. unsigned32
         3.1.4. unsigned64
         3.1.5. signed8
         3.1.6. signed16
         3.1.7. signed32
         3.1.8. signed64
         3.1.9. float32
         3.1.10. float64
         3.1.11. boolean
         3.1.12. macAddress
         3.1.13. octetArray
         3.1.14. string
         3.1.15. dateTimeSeconds
         3.1.16. dateTimeMilliseconds
         3.1.17. dateTimeMicroseconds
         3.1.18. dateTimeNanoseconds
         3.1.19. ipv4Address
         3.1.20. ipv6Address
         3.1.21. basicList
         3.1.22. subTemplateList
         3.1.23. subTemplateMultiList
      3.2. Data Type Semantics
         3.2.1. quantity
         3.2.2. totalCounter
         3.2.3. deltaCounter
         3.2.4. identifier
         3.2.5. flags
   4. Information Element Identifiers
   5. Information Elements
   6. Extending the Information Model
   7. IANA Considerations
      7.1. IPFIX Information Elements
      7.2. MPLS Label Type Identifier
      7.3. XML Namespace and Schema
      7.4. Addition, Revision, and Deprecation
   8. Security Considerations
   9. Acknowledgments
   10. References
      10.1. Normative References
      10.2. Informative References
   Contributors

1. Introduction

   The IP Flow Information Export (IPFIX) protocol serves as a means for transmitting information related to network traffic measurement. The IPFIX Protocol Specification [RFC7011] defines how Information Elements are transmitted and also specifies the encoding of a set of basic data types for these Information Elements. However, the list of Information Elements that can be transmitted by the protocol, such as Flow attributes (source IP address, number of packets, etc.) and information about the Metering Process and Exporting Process (packet Observation Point, sampling rate, Flow timeout interval, etc.), is not specified in [RFC7011].

   The IANA "IPFIX Information Elements" registry [IANA-IPFIX] is the current complete reference for IPFIX Information Elements. The initial values for this registry were provided by [RFC5102].

   This document complements the IPFIX Protocol Specification [RFC7011] by providing an overview of the IPFIX information model and specifying data types for it. IPFIX-specific terminology used in this document is defined in Section 2 of [RFC7011]. As in [RFC7011], these IPFIX-specific terms have the first letter of a word capitalized when used in this document.

   The use of the term 'information model' is not fully in line with the definition of this term in [RFC3444], as the IPFIX information model does not specify relationships between Information Elements, nor does it specify a concrete encoding of Information Elements. For an encoding suitable for use with the IPFIX protocol, see [RFC7011]. Besides the encoding used by the IPFIX protocol, other encodings of IPFIX Information Elements can be applied, for example, XML-based encodings.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

1.1. Changes since RFC 5102

   This document obsoletes the Proposed Standard revision of the IPFIX information model specification [RFC5102]. The following changes have been made to this document with respect to the previous document:

   -  At the time of this publication, technical and editorial errata reported for [RFC5102] have been reviewed and addressed as needed.

   -  All references to [RFC5101] have been updated to [RFC7011], reflecting changes to [RFC5101].

   -  Information Element definitions have been removed, as the reference for these is now [IANA-IPFIX]; a historical note on categorizations of Information Elements as defined in [RFC5102] has been retained in Section 5.

   -  The process for modifying [IANA-IPFIX] has been improved and is now described in [RFC7013]; Section 6 has been updated accordingly, and a new Section 7.3 provides IANA considerations for this process.

   -  Definitions of timestamp data types have been clarified.

   -  Appendices A and B have been removed.

1.2. IPFIX Documents Overview

   The IPFIX protocol provides network administrators with access to network flow information. The architecture for the export of measured flow information out of an IPFIX Exporting Process to a Collecting Process is defined in [RFC5470], per the requirements defined in [RFC3917]. The IPFIX Protocol Specification [RFC7011] defines how IPFIX Data Records and templates are carried via a number of transport protocols from IPFIX Exporting Processes to IPFIX Collecting Processes.

   Four IPFIX optimizations/extensions are currently specified: a bandwidth-saving method for the IPFIX protocol [RFC5473], an efficient method for exporting bidirectional flows [RFC5103], a method for the definition and export of complex data structures [RFC6313], and the specification of the Protocol on IPFIX Mediators [IPFIX-MED-PROTO] based on the IPFIX Mediation Framework [RFC6183].

   IPFIX has a formal description of IPFIX Information Elements -- their names, data types, and additional semantic information -- as specified in this document. The export of the Information Element types is specified in [RFC5610].

   [RFC6728] specifies a data model for configuring and monitoring devices that are IPFIX and Packet Sampling (PSAMP) compliant using the Network Configuration Protocol (NETCONF), while [RFC6615] specifies MIB modules for monitoring.

   In terms of development, [RFC5153] provides guidelines for the implementation and use of the IPFIX protocol, while [RFC5471] provides guidelines for testing.

   Finally, [RFC5472] describes what types of applications can use the IPFIX protocol and how they can use the information provided. It furthermore shows how the IPFIX framework relates to other architectures and frameworks.

2. Properties of IPFIX Protocol Information Elements

2.1. Information Element Specification Template

   Information in messages of the IPFIX protocol is modeled in terms of Information Elements of the IPFIX information model. The IPFIX Information Elements mentioned in Section 5 are specified in [IANA-IPFIX]. All Information Elements specified for the IPFIX protocol MUST have the following properties defined:

   name -  A unique and meaningful name for the Information Element.

   elementId -  A numeric identifier of the Information Element. If this identifier is used without an enterprise identifier (see [RFC7011] and the definition of enterpriseId listed below), then it is globally unique, and the list of allowed values is administered by IANA. It is used for compact identification of an Information Element when encoding Templates in the protocol.

   description -  The semantics of this Information Element. Describes how this Information Element is derived from the Flow or other information available to the observer. Information Elements of dataType string or octetArray that have length constraints (fixed length, minimum and/or maximum length) MUST note these constraints in their descriptions.

   dataType -  One of the types listed in Section 3.1 of this document or registered in the IANA "IPFIX Information Element Data Types" subregistry. The type space for attributes is constrained to facilitate implementation. The existing type space encompasses most primitive types used in modern programming languages, as well as some derived types (such as ipv4Address) that are common to this domain.

   status -  The status of the specification of this Information Element. Allowed values are 'current' and 'deprecated'. All newly defined Information Elements have 'current' status. The process for moving Information Elements to the 'deprecated' status is defined in Section 5.3 of [RFC7013].

   Enterprise-specific Information Elements MUST have the following property defined:

   enterpriseId -  Enterprises may wish to define Information Elements without registering them with IANA, for example, for enterprise-internal purposes. For such Information Elements, the Information Element identifier described above is not sufficient when the Information Element is used outside the enterprise. If specifications of enterprise-specific Information Elements are made public and/or if enterprise-specific identifiers are used by the IPFIX protocol outside the enterprise, then the enterprise-specific identifier MUST be made globally unique by combining it with an enterprise identifier. Valid values for the enterpriseId are defined by IANA as Structure of Management Information (SMI) network management private enterprise numbers, defined at [IANA-PEN].

   All Information Elements specified for the IPFIX protocol either in this document or by any future extension MAY have the following properties defined:

   dataTypeSemantics -  The integral types are qualified by additional semantic details. Valid values for the data type semantics are either specified in Section 3.2 of this document or will be specified in a future extension of the information model.

   units -  If the Information Element is a measure of some kind, the units identify what the measure is.

   range -  Some Information Elements may only be able to take on a restricted set of values that can be expressed as a range (e.g., 0 through 511, inclusive). If this is the case, the valid inclusive range SHOULD be specified; values for this Information Element outside the range are invalid and MUST NOT be exported.

   reference -  Identifies additional specifications that more precisely define this item or provide additional context for its use.

   The following two Information Element properties are defined to allow the management of an Information Elements registry with Information Element definitions that may be updated over time, per the process defined in Section 5.2 of [RFC7013]:

   revision -  The revision number of an Information Element, starting at 0 for Information Elements at time of definition and incremented by one for each revision.

   date -  The date of the entry of this revision of the Information Element into the registry.

   A template for specifying Information Elements is given in Section 9.1 of [RFC7013].

2.2. Scope of Information Elements

   By default, most Information Elements have a scope specified in their definitions. Within Data Records defined by Options Templates, the IPFIX protocol allows further limiting of the Information Element scope. The new scope is specified by one or more scope fields and defined as the combination of all specified scope values; see Section 3.4.2.1 on IPFIX scopes in [RFC7011].

2.3. Naming Conventions for Information Elements

   The following naming conventions were used for naming Information Elements in this document. It is recommended that extensions of the model use the same conventions.

   o  Names of Information Elements SHOULD be descriptive.

   o  Names of Information Elements MUST be unique within the "IPFIX Information Elements" registry [IANA-IPFIX]. Enterprise-specific Information Elements SHOULD be prefixed with a vendor name.

   o  Names of Information Elements MUST start with lowercase letters.

   o  Composed names MUST use capital letters for the first letter of each component (except for the first one). All other letters are lowercase, even for acronyms. Exceptions are made for acronyms containing a mixture of lowercase and capital letters, such as 'IPv4' and 'IPv6'. Examples are "sourceMacAddress" and "destinationIPv4Address".

   o  Middleboxes [RFC3234] may change Flow properties, such as the Differentiated Services Code Point (DSCP) value or the source IP address. If an IPFIX Observation Point is located in the path of a Flow before one or more middleboxes that potentially modify packets of the Flow, then it may be desirable to also report Flow properties after the modification performed by the middleboxes. An example is an Observation Point before a packet marker changing a packet's IPv4 Type of Service (TOS) field that is encoded in Information Element ipClassOfService. Then the value observed and reported by Information Element ipClassOfService is valid at the Observation Point but not after the packet passed the packet marker. For reporting the change value of the TOS field, the IPFIX information model uses Information Elements that have a name prefix "post", for example, "postIpClassOfService". Information Elements with prefix "post" report on Flow properties that are not necessarily observed at the Observation Point but that are obtained within the Flow's Observation Domain by other means considered to be sufficiently reliable, for example, by analyzing the packet marker's marking tables.

3. Type Space

   This section describes the abstract data types that can be used for the specification of IPFIX Information Elements in Section 4. Section 3.1 describes the set of abstract data types.

   Abstract data types unsigned8, unsigned16, unsigned32, unsigned64, signed8, signed16, signed32, and signed64 are integral data types. As described in Section 3.2, their data type semantics can be further specified, for example, by 'totalCounter', 'deltaCounter', 'identifier', or 'flags'.

3.1. Abstract Data Types

   This section describes the set of valid abstract data types of the IPFIX information model, independent of encoding. Note that further abstract data types may be specified by future updates to this document. Changes to the associated IPFIX "Information Element Data Types" subregistry [IANA-IPFIX] specified in [RFC5610] require a Standards Action [RFC5226].

   The current encodings of these data types for use with the IPFIX protocol are defined in [RFC7011]; encodings allowing the use of the IPFIX Information Elements [IANA-IPFIX] with other protocols may be defined in the future by referencing this document.

3.1.1. unsigned8

   The type "unsigned8" represents a non-negative integer value in the range of 0 to 255.

3.1.2. unsigned16

   The type "unsigned16" represents a non-negative integer value in the range of 0 to 65535.

3.1.3. unsigned32

   The type "unsigned32" represents a non-negative integer value in the range of 0 to 4294967295.

3.1.4. unsigned64

   The type "unsigned64" represents a non-negative integer value in the range of 0 to 18446744073709551615.

3.1.5. signed8

   The type "signed8" represents an integer value in the range of -128 to 127.

3.1.6. signed16

   The type "signed16" represents an integer value in the range of -32768 to 32767.

3.1.7. signed32

   The type "signed32" represents an integer value in the range of -2147483648 to 2147483647.

3.1.8. signed64

   The type "signed64" represents an integer value in the range of -9223372036854775808 to 9223372036854775807.

3.1.9. float32

   The type "float32" corresponds to an IEEE single-precision 32-bit floating-point type as defined in [IEEE.754.2008].

3.1.10. float64

   The type "float64" corresponds to an IEEE double-precision 64-bit floating-point type as defined in [IEEE.754.2008].

3.1.11. boolean

   The type "boolean" represents a binary value. The only allowed values are "true" and "false".

3.1.12. macAddress

   The type "macAddress" represents a MAC-48 address as defined in [IEEE.802-3.2012].

3.1.13. octetArray

   The type "octetArray" represents a finite-length string of octets.

3.1.14. string

   The type "string" represents a finite-length string of valid characters from the Unicode coded character set [ISO.10646]. Unicode incorporates ASCII [RFC20] and the characters of many other international character sets.

3.1.15. dateTimeSeconds

   The type "dateTimeSeconds" represents a time value expressed with second-level precision.

3.1.16. dateTimeMilliseconds

   The type "dateTimeMilliseconds" represents a time value expressed with millisecond-level precision.

3.1.17. dateTimeMicroseconds

   The type "dateTimeMicroseconds" represents a time value expressed with microsecond-level precision.

3.1.18. dateTimeNanoseconds

   The type "dateTimeNanoseconds" represents a time value expressed with nanosecond-level precision.

3.1.19. ipv4Address

   The type "ipv4Address" represents an IPv4 address.

3.1.20. ipv6Address

   The type "ipv6Address" represents an IPv6 address.

3.1.21. basicList

   The type "basicList" supports structured data export as described in [RFC6313]; see Section 4.5.1 of that document for encoding details.

3.1.22. subTemplateList

   The type "subTemplateList" supports structured data export as described in [RFC6313]; see Section 4.5.2 of that document for encoding details.

3.1.23. subTemplateMultiList

   The type "subTemplateMultiList" supports structured data export as described in [RFC6313]; see Section 4.5.3 of that document for encoding details.

3.2. Data Type Semantics

   This section describes the set of valid data type semantics of the IPFIX information model. A subregistry of data type semantics [IANA-IPFIX] is established in [RFC5610]; the restrictions on the use of semantics below are compatible with those specified in Section 3.10 of that document.
   These semantics apply only to numeric types, as noted in the description of each semantic below.

   Further data type semantics may be specified by future updates to this document. Changes to the associated "IPFIX Information Element Semantics" subregistry [IANA-IPFIX] require a Standards Action [RFC5226].

3.2.1. quantity

   "quantity" is a numeric (integral or floating point) value representing a measured value pertaining to the record. This is distinguished from counters that represent an ongoing measured value whose "odometer" reading is captured as part of a given record. This is the default semantic type of all numeric data types.

3.2.2. totalCounter

   "totalCounter" is an integral value reporting the value of a counter. Counters are unsigned and wrap back to zero after reaching the limit of the type. For example, an unsigned64 with counter semantics will continue to increment until reaching the value of 2**64 - 1. At this point, the next increment will wrap its value to zero and continue counting from zero. The semantics of a total counter is similar to the semantics of counters used in the Simple Network Management Protocol (SNMP), such as Counter32 as defined in [RFC2578]. The only difference between total counters and counters used in SNMP is that the total counters have an initial value of 0. A total counter counts independently of the export of its value.

3.2.3. deltaCounter

   "deltaCounter" is an integral value reporting the value of a counter. Counters are unsigned and wrap back to zero after reaching the limit of the type. For example, an unsigned64 with counter semantics will continue to increment until reaching the value of 2**64 - 1. At this point, the next increment will wrap its value to zero and continue counting from zero. The semantics of a delta counter is similar to the semantics of counters used in SNMP, such as Counter32 as defined in [RFC2578]. The only difference between delta counters and counters used in SNMP is that the delta counters have an initial value of 0. A delta counter is reset to 0 each time it is exported and/or expires without export.

3.2.4. identifier

   "identifier" is an integral value that serves as an identifier. Specifically, mathematical operations on two identifiers (aside from the equality operation) are meaningless. For example, Autonomous System ID 1 * Autonomous System ID 2 is meaningless. Identifiers MUST be one of the signed or unsigned data types.

3.2.5. flags

   "flags" is an integral value that represents a set of bit fields. Logical operations are appropriate on such values, but other mathematical operations are not. Flags MUST always be of an unsigned data type.

4. Information Element Identifiers

   All Information Elements defined in the IANA "IPFIX Information Elements" registry [IANA-IPFIX] have their identifiers assigned by IANA.

   The values of these identifiers are in the range of 1-32767. Within this range, Information Element identifier values in the sub-range of 1-127 are compatible with field types used by NetFlow version 9 [RFC3954] for historical reasons.

   In general, IANA will add newly registered Information Elements to the registry, assigning the lowest available Information Element identifier in the range of 128-32767.

   Enterprise-specific Information Element identifiers have the same range of 1-32767, but they are coupled with an additional enterprise identifier. For enterprise-specific Information Elements, Information Element identifier 0 is also reserved.

   Enterprise-specific Information Element identifiers can be chosen by an enterprise arbitrarily within the range of 1-32767. The same identifier may be assigned by other enterprises for different purposes; these Information Elements are distinct because the Information Element identifier is coupled with an enterprise identifier.

   Enterprise identifiers are to be registered as SMI network management private enterprise code numbers with IANA. The registry can be found at [IANA-PEN].

5. Information Elements

   [IANA-IPFIX] is now the normative reference for IPFIX Information Elements. When [RFC5102] was published, it defined, in its Section 5, the initial contents of that registry.

   As a historical note, Information Elements (IEs) were organized into categories in [RFC5102] according to their semantics and their applicability; these categories were not carried forward into [IANA-IPFIX] as an organizing principle. The categories (with example IEs) were:

   1.  Identifiers (e.g., ingressInterface)
   2.  Metering and Exporting Process Configuration (e.g., exporterIPv4Address)
   3.  Metering and Exporting Process Statistics (e.g., exportedOctetTotalCount)
   4.  IP Header Fields (e.g., sourceIPv4Address)
   5.  Transport Header Fields (e.g., sourceTransportPort)
   6.  Sub-IP Header Fields (e.g., sourceMacAddress)
   7.  Derived Packet Properties (e.g., bgpSourceAsNumber)
   8.  Min/Max Flow Properties (e.g., minimumIpTotalLength)
   9.  Flow Timestamps (e.g., flowStartTimeMilliseconds)
   10. Per-Flow Counters (e.g., octetDeltaCount)
   11. Miscellaneous Flow Properties (e.g., flowEndReason)
   12. Padding (paddingOctets)

   Information Elements derived from fields of packets or from Packet Treatment can typically serve as Flow Keys used for mapping packets to Flows. These Information Elements were placed in categories 4-7 in the original categorization.

   Information Elements not serving as Flow Keys may have different values for each packet in a Flow.
For Information Elements with values derived frompacketsfields of packets orpacket treatment,from Packet Treatment, and for which the value may change from packet to packet within a single Flow, the exported value of an Information Element is by default determined by the first packet observed for the corresponding Flow; the description of the Information Elementmay howevermay, however, explicitly specify different semantics. This simple rule allows the writing of all Information Elements related to header fieldsonceonce, when the first packet of the Flow is observed. For further observed packets of the same Flow, only Flow properties that depend on more than one packet need to be updated; these Information Elements were placed in categories 8-11 in the original categorization. Information Elements with a name having the "post" prefix(e.g. postIpClassOfService),(e.g., postIpClassOfService) do not necessarily report properties that were actually observed at the ObservationPoint,Point but may be retrieved by other means within the Observation Domain. These Information Elements can be used if there are middlebox functions within the Observation Domain changing Flow properties after packets passed the Observation Point; they may also be reported directly by the Observation Point if the Observation Point is situatedsuch as towhere it can observe packets on both sides of the middlebox. 6. Extending the Information Model A key requirement for IPFIX is to allow for extension of the Information Model via theIANA IPFIX"IP Flow Information Export (IPFIX) Entities" registry[IPFIX-IANA].[IANA-IPFIX]. New Information Element definitions can be added to this registry subject toanExpert Review [RFC5226], with additional process considerationsdecribedas described in[IPFIX-IE-DOCTORS];[RFC7013]; that document also provides guidelines for authors and reviewers of new Information Element definitions. For new Information Elements, the type space defined in Section 3 can be used. 
If required, new abstract data types can be added to the "IPFIX Information Element Data Types" subregistry [IANA-IPFIX] as defined in [RFC5610]. New abstract data types and semantics are subject to Standards Action [RFC5226] and MUST be defined in IETF Standards Track documents updating this document.

Enterprises may wish to define Information Elements without registering them with IANA. IPFIX explicitly supports enterprise-specific Information Elements. Enterprise-specific Information Elements are described in Sections 2.1 and 4; guidelines for using them appear in [RFC7013].

7. IANA Considerations

As this document obsoletes [RFC5102], IANA has updated the references in the "IP Flow Information Export (IPFIX) Entities" registry [IANA-IPFIX], the "IPFIX MPLS label type" subregistry of that registry, the urn:ietf:params:xml:ns:ipfix-info XML namespace, and the urn:ietf:params:xml:schema:ipfix-info XML schema to refer to this document. However, [RFC5102] still provides a historical reference for the initial entries in the "IPFIX Information Elements" registry. Therefore, IANA has kept [RFC5102] as the requestor of those Information Elements in the "IPFIX Information Elements" registry that list [RFC5102] as their requestor and added the following explanatory note to the "IPFIX Information Elements" registry: "RFC 7012 has obsoleted RFC 5102; references to RFC 5102 in this registry remain as part of the historical record".
The Information Element Specification Template (Section 2.1) requires two new columns not present in [RFC5102]. IANA has created a new Revision column in the "IPFIX Information Elements" registry and set the Revision of existing Information Elements to 0. IANA has also created a new Date column in that registry and set the Date of all existing Information Elements to the publication date of this document.

To identify Information Elements with identifiers 127 or below as NetFlow version 9 [RFC3954] compatible, IANA has set the Name of all existing Reserved Information Elements with identifier 127 or less to "Assigned for NetFlow v9 compatibility" and the Reference of those Information Elements to [RFC3954].

As IANA now has change control of the schema used for the IANA "IPFIX Information Elements" registry [IANA-IPFIX], IANA has deprecated the previous XML schema for the description of Information Elements urn:ietf:params:xml:schema:ipfix-info [IPFIX-XML-SCHEMA].

To support the process described in Section 7.4, IANA has established a mailing list for communicating with the IE-DOCTORS, named ie-doctors@ietf.org.

The remaining subsections of this section contain no actions for IANA.

7.1. IPFIX Information Elements

This document refers to Information Elements, for which the Internet Assigned Numbers Authority (IANA) has created the IPFIX "Information Elements" registry [IANA-IPFIX]. The columns of this registry must, at minimum, be able to store the information defined in the template detailed in Section 2.1; it may contain other information as necessary for the management of the registry.
The process for making additions or other changes to the "IPFIX Information Elements" registry is given in Section 7.4.

7.2. MPLS Label Type Identifier

Information Element #46, named mplsTopLabelType, carries MPLS label types. Values for 5 different types have initially been defined. For ensuring the extensibility of this information, IANA has created a new subregistry for MPLS label types and filled it with the initial list from the description Information Element #46, mplsTopLabelType.

New assignments for MPLS label types are administered by IANA through Expert Review [RFC5226], i.e., review by one of a group of experts designated by an IETF Area Director. The group of experts must double-check the label type definitions with already-defined label types for completeness, accuracy, and redundancy. The specification of new MPLS label types MUST be published using a well-established and persistent publication medium.

7.3. XML Namespace and Schema

The prior version of this document [RFC5102] specified an XML schema for IPFIX Information Element definitions [IPFIX-XML-SCHEMA] that was used in the generation of the document text itself. When the IANA "IPFIX Information Elements" registry [IANA-IPFIX] was created, change control on the registry and the schema used to validate it passed to IANA.

The use of a machine-readable syntax for the registry enables the creation of IPFIX tools that can automatically adapt to extensions to the information model. It should be noted that the use of XML in Exporters, Collectors, or other tools is not mandatory for the deployment of IPFIX. In particular, Exporting Processes do not produce or consume XML as part of their operation. IPFIX Collectors MAY take advantage of the machine-readability of the information model versus hard-coding their behavior or inventing proprietary means for accommodating extensions.
However, in order to avoid unnecessary load on the IANA infrastructure serving the registry, Collectors SHOULD NOT poll the IANA registry [IANA-IPFIX] directly at runtime.

The reference to the current schema is embedded in the registry [IANA-IPFIX]; this schema may change from time to time as necessary to support the maintenance of the registry. As such, the schema urn:ietf:params:xml:schema:ipfix-info [IPFIX-XML-SCHEMA] specified in [RFC5102] has been deprecated.

7.4. Addition, Revision, and Deprecation

New assignments for the "IPFIX Information Elements" registry are administered by IANA through Expert Review [RFC5226]. These experts are referred to as IE-DOCTORS and are appointed by the IESG. The process they follow is defined in [RFC7013].

Information Element identifiers in the range of 1-127 are compatible with field types used by NetFlow version 9 [RFC3954] for historical reasons and must not be assigned unless the Information Element is compatible with the NetFlow version 9 protocol, as determined by one of the IE-DOCTORS designated by the IESG as a NetFlow version 9 expert.

Future assignments added to the "IPFIX Information Elements" registry that require subregistries for enumerated values (e.g., Section 7.2) must have those subregistries added simultaneously with the new assignment; additions to these subregistries must be subject to Expert Review [RFC5226]. Unless specified at assignment time, the experts for the subregistry will be the same as for the "IPFIX Information Elements" registry as a whole.

When IANA receives a request to add, revise, or deprecate an Information Element in the "IPFIX Information Elements" registry, it forwards the request to the IE-DOCTORS for review.
When IANA receives an approval for a request to add an Information Element definition from the IE-DOCTORS, it adds that Information Element to the registry. The approved request may include changes made by the requestor and/or reviewers as compared to the original request.

When IANA receives an approval for a request to revise an Information Element definition from the IE-DOCTORS, it changes that Information Element's definition in the registry and updates the Revision and Date columns as appropriate. The approved request may include changes from the original request. If the original Information Element was added to the registry with IETF consensus (i.e., was defined by an RFC), the revision will require IETF consensus as well.

When IANA receives an approval for a request to deprecate an Information Element definition from the IE-DOCTORS, it changes that Information Element's definition in the registry and updates the Revision and Date columns as appropriate. The approved request may include changes from the original request. If the original Information Element was added to the registry with IETF consensus (i.e., was defined by an RFC), the deprecation will require IETF consensus as well.

8. Security Considerations

The IPFIX information model itself does not directly introduce security issues. Rather, it defines a set of attributes that may, for privacy or business issues, be considered sensitive information.

For example, exporting values of header fields may make attacks possible for the receiver of this information; this would otherwise only be possible for direct observers of the reported Flows along the data path.

The underlying protocol used to exchange the information described here must therefore apply appropriate procedures to guarantee the integrity and confidentiality of the exported information.
These protocols are defined in separate documents, specifically the IPFIX protocol document [RFC7011].

9. Acknowledgments

This document is substantially based on [RFC5102]. The editors thank the authors of that document; those authors are listed below as contributors. Special thanks go to Paul Aitken for the detailed review. Finally, the authors thank the IPFIX WG chairs: Nevil Brownlee and Juergen Quittek.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC6313] Claise, B., Dhandapani, G., Aitken, P., and S. Yates, "Export of Structured Data in IP Flow Information Export (IPFIX)", RFC 6313, July 2011.

[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, September 2013.

[RFC7013] Trammell, B. and B. Claise, "Guidelines for Authors and Reviewers of IP Flow Information Export (IPFIX) Information Elements", BCP 184, RFC 7013, September 2013.

10.2. Informative References

[IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", <http://www.iana.org/assignments/ipfix/>.

[IEEE.754.2008] Institute of Electrical and Electronics Engineers, "IEEE Standard for Floating-Point Arithmetic", IEEE Standard 754, August 2008.
[IEEE.802-3.2012] Institute of Electrical and Electronics Engineers, "IEEE Standard for Ethernet", IEEE Standard 802.3, 2012.

[IPFIX-MED-PROTO] Claise, B., Kobayashi, A., and B. Trammell, "Operation of the IP Flow Information Export (IPFIX) Protocol on IPFIX Mediators", Work in Progress, July 2013.

[IPFIX-XML-SCHEMA] IANA, "IETF XML Registry", <http://www.iana.org/assignments/xml-registry/>.

[ISO.10646] International Organization for Standardization, "Information technology - Universal Coded Character Set (UCS)", ISO/IEC 10646:2012, November 2012.

[IANA-PEN] IANA, "Private Enterprise Numbers", <http://www.iana.org/assignments/enterprise-numbers>.

[RFC20] Cerf, V., "ASCII format for Network Interchange", RFC 20, October 1969.

[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, February 2002.

[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, January 2003.

[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.

[RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export Version 9", RFC 3954, October 2004.

[RFC5101] Claise, B., Ed., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.

[RFC5103] Trammell, B.
and E. Boschi, "Bidirectional Flow Export Using IP Flow Information Export (IPFIX)", RFC 5103, January 2008.

[RFC5153] Boschi, E., Mark, L., Quittek, J., Stiemerling, M., and P. Aitken, "IP Flow Information Export (IPFIX) Implementation Guidelines", RFC 5153, April 2008.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.

[RFC5471] Schmoll, C., Aitken, P., and B. Claise, "Guidelines for IP Flow Information Export (IPFIX) Testing", RFC 5471, March 2009.

[RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP Flow Information Export (IPFIX) Applicability", RFC 5472, March 2009.

[RFC5473] Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports", RFC 5473, March 2009.

[RFC5610] Boschi, E., Trammell, B., Mark, L., and T. Zseby, "Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements", RFC 5610, July 2009.

[RFC6183] Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi, "IP Flow Information Export (IPFIX) Mediation: Framework", RFC 6183, April 2011.

[RFC6615] Dietz, T., Ed., Kobayashi, A., Claise, B., and G. Muenz, "Definitions of Managed Objects for IP Flow Information Export", RFC 6615, June 2012.

[RFC6728] Muenz, G., Claise, B., and P. Aitken, "Configuration Data Model for the IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Protocols", RFC 6728, October 2012.

Contributors

Juergen Quittek
NEC
Kurfuersten-Anlage 36
Heidelberg 69115
Germany
Phone: +49 6221 90511-15
EMail: quittek@nw.neclab.eu
URI: http://www.neclab.eu/

Stewart Bryant
Cisco Systems, Inc.
10 New Square, Bedfont Lakes
Feltham, Middlesex TW18 8HA
United Kingdom
EMail: stbryant@cisco.com

Paul Aitken
Cisco Systems, Inc.
96 Commercial Quay
Edinburgh EH6 6LX
Scotland
Phone: +44 131 561 3616
EMail: paitken@cisco.com

Jeff Meyer
PayPal
2211 N. First St.
San Jose, CA 95131-2021
US
Phone: +1 408 976-9149
EMail: jemeyer@paypal.com
URI: http://www.paypal.com

Authors' Addresses

Benoit Claise (editor)
Cisco Systems, Inc.
De Kleetlaan 6a b1
1831 Diegem
Belgium
Phone: +32 2 704 5622
EMail: bclaise@cisco.com

Brian Trammell (editor)
Swiss Federal Institute of Technology Zurich
Gloriastrasse 35
8092 Zurich
Switzerland
Phone: +41 44 632 70 13
EMail: trammell@tik.ee.ethz.ch