IPFIX Cisco Vendor Specific Information Elements
draft-yourtchenko-cisco-ies-01

Abstract

This document describes some additional Information Elements of Cisco Systems, Inc. that are not listed in RFC3954.

Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 12, 2012.

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

1. Introduction
2. Terminology
3. Information Elements
3.1. fsFlowEntryTotalCount
3.2. samplingInterval
3.3. samplingAlgorithm
3.4. engineType
3.5. engineId
3.6. ipv4RouterSc
3.7. flowSamplerId
3.8. flowSamplerMode
3.9. flowSamplerRandomInterval
3.10. classId
3.11. samplerName
3.12. flagsAndSamplerId
3.13. forwardingStatus
3.14. srcTrafficIndex
3.15. dstTrafficIndex
3.16. className
3.17. layer2packetSectionOffset
3.18. layer2packetSectionSize
3.19. layer2packetSectionData
4. Other Information Elements
4.1. Application Information IEs
5. IANA Considerations
6. Security Considerations
7. References
7.1. Normative References
7.2. Informative References
Appendix A. XML Specification of IPFIX Information Elements
Authors' Addresses

1. Introduction

The section 4 of [RFC5102] defines the IPFIX Information Elements in the range of 1-127 to be compatible with the NetFlow version 9 fields, as specified in the "Cisco Systems NetFlow Services Export Version 9" [RFC3954]. As [RFC3954] was specified in 2004, it does not contain all NetFlow version 9 specific fields in the range 1-127. The question was asked whether IPFIX Devices should exclusively report the IPFIX IANA IEs [IPFIX-IANA] ? In other words, when upgrading from a NetFlow metering process to an IPFIX Metering Process, should the IPFIX Devices stop reporting NetFlow version 9 specific IEs that were not registered in IANA [IPFIX-IANA] ?

This document is intended to fill the gap in this IE range. That way, IPFIX implementations could export all the IEs specified in IANA, regardless of the range.

2. Terminology

IPFIX-specific terminology used in this document is defined in Section 2 of [RFC5101]. As in [RFC5101], these IPFIX-specific terms have the first letter of a word capitalized when used in this document.

3. Information Elements

3.1. fsFlowEntryTotalCount

Description:: This Information Element specifies the current number of all Flow Records that form the parent population as input to the Flow Selection Process.
Abstract Data Type:: unsigned64
ElementId:: 3
Semantics:: quantity
Status:: current
Units:: flows
RFC EDITOR NOTE:: if the Flow Selection Techniques document [I-D.ietf-ipfix-flow-selection-tech] is published before this, then remove this entry. This Information Element is similar to 'fsFlowEntryTotalCount' there.

3.2. samplingInterval

Description:: When using sampled NetFlow, the rate at which packets are sampled - e.g. a value of 100 indicates that one of every 100 packets is sampled. Deprecated in favor of 305 samplingPacketInterval.
Abstract Data Type:: unsigned32
ElementId:: 34
Semantics:: quantity
Status:: deprecated
Units:: packets

3.3. samplingAlgorithm

Description:: The type of algorithm used for sampled NetFlow: 0x01 Deterministic Sampling, 0x02 Random Sampling. The values are not compatible with the selectorAlgorithm field, where "Deterministic" has been replaced by "Systematic count-based" (1) or "Systematic time-based" (2), and "Random" is (3). Conversion is required, see PSAMP parameters [PSAMP-IANA]. Deprecated in favor of 304 selectorAlgorithm.
Abstract Data Type:: unsigned8
ElementId:: 35
Semantics:: identifier
Status:: deprecated

3.4. engineType

Description:: Type of flow switching engine in a router/switch: RP = 0, VIP/Line card = 1, PFC/DFC = 2. Reserved for internal use on the collector.
Abstract Data Type:: unsigned8
ElementId:: 38
Semantics:: identifier
Status:: deprecated

3.5. engineId

Description:: VIP or line card slot number of the flow switching engine in a router/switch. Reserved for internal use on the collector.
Abstract Data Type:: unsigned8
ElementId:: 39
Semantics:: identifier
Status:: deprecated

3.6. ipv4RouterSc

Description:: This is a platform-specific field. It is used to store the address of a router that is being shortcut when performing the MultiLayer Switching.
Abstract Data Type:: ipv4Address
ElementId:: 43
Semantics:: ipv4Address
Status:: deprecated
Reference:: [CCO-MLS] describes the MultiLayer Switching.

3.7. flowSamplerId

Description:: The unique identifier associated with samplerName. Deprecated in favor of 302 selectorId.
Abstract Data Type:: unsigned8
ElementId:: 48
Semantics:: identifier
Status:: deprecated

3.8. flowSamplerMode

Description:: The type of algorithm used for sampling data: 0x01 - deterministic, 0x02 - random sampling. Use with flowSamplerRandomInterval. Deprecated in favor of 304 selectorAlgorithm. The values are not compatible: selectorAlgorithm=3 is random sampling.
Abstract Data Type:: unsigned8
ElementId:: 49
Semantics:: identifier
Status:: deprecated

3.9. flowSamplerRandomInterval

Description:: Packet interval at which to sample - in case of random sampling. Used in connection with flowSamplerMode 0x02 (random sampling) value. Deprecated in favour of 305 samplingPacketInterval.
Abstract Data Type:: unsigned32
ElementId:: 50
Semantics:: quantity
Status:: deprecated

3.10. classId

Description:: Characterizes the traffic class, i.e. QoS treatment. Deprecated in favour of 302 selectorId.
Abstract Data Type:: unsigned8
ElementId:: 51
Semantics:: identifier
Status:: deprecated

3.11. samplerName

Description:: Name of the flow sampler. Deprecated in favor of 335 selectorName.
Abstract Data Type:: string
ElementId:: 84
Status:: deprecated

3.12. flagsAndSamplerId

Description:: Flow flags and the value of the sampler ID (flowSamplerId) combined in one bitmapped field. Reserved for internal use on the collector.
Abstract Data Type:: unsigned32
ElementId:: 87
Semantics:: identifier
Status:: deprecated

3.13. forwardingStatus

   The basic encoding is 8 bits. The future extensions 
   could add one or three bytes. The layout of the basic 
   encoding is as follows:
   
      MSB -   0   1   2   3   4   5   6   7   - LSB
            +---+---+---+---+---+---+---+---+
            | Status|  Reason code or flags |
            +---+---+---+---+---+---+---+---+

   Status:
   
   00b = Unknown
   01b = Forwarded
   10b = Dropped
   11b = Consumed
   
   
   Reason Code (status = 01b, Forwarded)
   
   01 000000b = 64 = Unknown
   01 000001b = 65 = Fragmented
   01 000010b = 66 = Not Fragmented
   
   Reason Code (status = 10b, Dropped)
   
   10 000000b = 128 = Unknown
   10 000001b = 129 = ACL deny
   10 000010b = 130 = ACL drop
   10 000011b = 131 = Unroutable
   10 000100b = 132 = Adjacency
   10 000101b = 133 = Fragmentation and DF set
   10 000110b = 134 = Bad header checksum
   10 000111b = 135 = Bad total Length
   10 001000b = 136 = Bad header length
   10 001001b = 137 = bad TTL
   10 001010b = 138 = Policer
   10 001011b = 139 = WRED
   10 001100b = 140 = RPF
   10 001101b = 141 = For us
   10 001110b = 142 = Bad output interface
   10 001111b = 143 = Hardware
   
   Reason Code (status = 11b, Consumed)
   
   11 000000b = 192 = Unknown
   11 000001b = 193 = Punt Adjacency
   11 000010b = 194 = Incomplete Adjacency
   11 000011b = 195 = For us
   
   Examples:
   
     value : 0x40 = 64
     binary: 01000000
     decode: 01        -> Forward
               000000  -> No further information
   
     value : 0x89 = 137
     binary: 10001001
     decode: 10        -> Drop
               001001  -> Fragmentation and DF set

Description:: The field describes the forwarding status of the flow and any attached reasons. The Reduced Size Encoding rules as per [RFC5101] apply.
Abstract Data Type:: unsigned32
ElementId:: 89
Semantics:: identifier
Status:: current
Reference:: See NetFlow Version 9 Record Format [CCO-NF9FMT].

3.14. srcTrafficIndex

Description:: BGP Policy Accounting Source Traffic Index
Abstract Data Type:: unsigned32
ElementId:: 92
Semantics:: identifier
Status:: current
Reference:: BGP policy accounting as described in [CCO-BGPPOL]

3.15. dstTrafficIndex

Description:: BGP Policy Accounting Destination Traffic Index
Abstract Data Type:: unsigned32
ElementId:: 93
Semantics:: identifier
Status:: current
Reference:: BGP policy accounting as described in [CCO-BGPPOL]

3.16. className

Description:: Traffic Class Name, associated with the classId Information Element. Deprecated in favor of 335 selectorName.
Abstract Data Type:: string
ElementId:: 100
Status:: deprecated

3.17. layer2packetSectionOffset

Description:: Layer 2 packet section offset. Potentially a generic packet section offset.
Abstract Data Type:: unsigned16
ElementId:: 102
Semantics:: quantity
Status:: current
EDITOR'S NOTE:: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'sectionOffset' with a better description. One solution is to assign the value 102 for the 'sectionOffset' in [I-D.kashima-ipfix-data-link-layer-monitoring].

3.18. layer2packetSectionSize

Description:: Layer 2 packet section size. Potentially a generic packet section size.
Abstract Data Type:: unsigned16
ElementId:: 103
Semantics:: quantity
Status:: current
EDITOR'S NOTE:: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'sectionObservedOctets' with a better description. One solution is to assign the value 103 to 'sectionObservedOctets' in [I-D.kashima-ipfix-data-link-layer-monitoring].

3.19. layer2packetSectionData

Description:: Layer 2 packet section data.
Abstract Data Type:: octetArray
ElementId:: 104
Status:: current
EDITOR's NOTE:: [I-D.kashima-ipfix-data-link-layer-monitoring] contains a corresponding field 'dataLinkFrameSection' with a better description. One solution is to assign the value 104 to 'dataLinkFrameSection' in [I-D.kashima-ipfix-data-link-layer-monitoring].

4. Other Information Elements

4.1. Application Information IEs

ElementId: 101

ElementId: 94 .. 97

Please refer to the Export of Application Information in IPFIX [I-D.claise-export-application-info-in-ipfix]

5. IANA Considerations

This document specifies several new IPFIX Information Elements in the IPFIX Information Element registry as defined in Section 3 above. The following Information Elements must be assigned:

Information Element Number 3 for the fsFlowEntryTotalCount Information Element
Information Element Number 34 for the samplingInterval Information Element
Information Element Number 35 for the samplingAlgorithm Information Element
Information Element Number 38 for the engineType Information Element
Information Element Number 39 for the engineId Information Element
Information Element Number 43 for the ipv4RouterSc Information Element
Information Element Number 48 for the flowSamplerId Information Element
Information Element Number 49 for the flowSamplerMode Information Element
Information Element Number 50 for the flowSamplerRandomInterval Information Element
Information Element Number 51 for the classId Information Element
Information Element Number 84 for the samplerName Information Element
Information Element Number 87 for the flagsAndSamplerId Information Element
Information Element Number 89 for the forwardingStatus Information Element
Information Element Number 92 for the srcTrafficIndex Information Element
Information Element Number 93 for the dstTrafficIndex Information Element
Information Element Number 100 for the className Information Element
Information Element Number 102 for the layer2packetSectionOffset Information Element
Information Element Number 103 for the layer2packetSectionSize Information Element
Information Element Number 104 for the layer2packetSectionData Information Element

6. Security Considerations

This document specifies the definitions and does not alter the security considerations of the base protocol. Please refer to the security considerations sections of RFC 3954 [RFC3954] and RFC 5102 [RFC5102].

7. References

7.1. Normative References

[RFC5101]

Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

7.2. Informative References

[RFC3954]	Claise, B., "Cisco Systems NetFlow Services Export Version 9", RFC 3954, October 2004.
[RFC5102]	Quittek, J., Bryant, S., Claise, B., Aitken, P. and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.
[PSAMP-IANA]	IANA, "Packet Sampling (PSAMP) Parameters", .
[IPFIX-IANA]	IANA, "IP Flow Information Export (IPFIX) Entities", .
[I-D.ietf-ipfix-flow-selection-tech]	D'Antonio, S, Zseby, T, Henke, C and L Peluso, "Flow Selection Techniques", Internet-Draft draft-ietf-ipfix-flow-selection-tech-06, May 2011.
[I-D.claise-export-application-info-in-ipfix]	Claise, B, Aitken, P and N Ben-Dvora, "Export of Application Information in IPFIX", Internet-Draft draft-claise-export-application-info-in-ipfix-01, March 2011.
[I-D.kashima-ipfix-data-link-layer-monitoring]	Kashima, S, Nakata, K and A Kobayashi, "Information Elements for Data Link Layer Traffic Measurement", Internet-Draft draft-kashima-ipfix-data-link-layer-monitoring-05, March 2011.
[CCO-NF9FMT]	Cisco, "NetFlow version 9 Flow-Record format", .
[CCO-BGPPOL]	Cisco, "BGP Policy Accounting and BGP Policy Accounting Output Interface Accounting Features", .
[CCO-MLS]	Cisco, "IP MultiLayer Switching Sample Configuration", .

Appendix A. XML Specification of IPFIX Information Elements

<?xml version="1.0" encoding="UTF-8"?>

<fieldDefinitions xmlns="urn:ietf:params:xml:ns:ipfix-info"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:ietf:params:xml:ns:ipfix-info
                ipfix-info.xsd">

  <field name="fsFlowEntryTotalCount" dataType="unsigned64"
             group=""
             dataTypeSemantics="quantity"
             elementId="3" applicability="flow" status="current">
    <description>
        <paragraph>
        This Information Element specifies the current number of all 
        Flow Records that form the parent population as input to the 
        Flow Selection Process.
        </paragraph>
    </description>
  </field>
  <field name="samplingInterval" dataType="unsigned32"
             group=""
             dataTypeSemantics="quantity"
             elementId="34" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        When using sampled NetFlow, the rate at which packets are 
        sampled - e.g. a value of 100 indicates that one of every 100 
        packets is sampled. Deprecated in favor of 305 
        samplingPacketInterval. 
        </paragraph>
    </description>
  </field>
  <field name="samplingAlgorithm" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="35" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        The type of algorithm used for sampled NetFlow: 0x01 
        Deterministic Sampling, 0x02 Random Sampling. The values are not 
        compatible with the selectorAlgorithm field, where 
        "Deterministic" has been replaced by "Systematic count-based" 
        (1) or "Systematic time-based" (2), and "Random" is (3). 
        Conversion is required, see PSAMP parameters. Deprecated in 
        favor of 304 selectorAlgorithm.
        </paragraph>
    </description>
  </field>
  <field name="engineType" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="38" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        Type of flow switching engine in a router/switch: RP = 0, 
        VIP/Line card = 1, PFC/DFC = 2. Reserved for internal use on the 
        collector.
        </paragraph>
    </description>
  </field>
  <field name="engineId" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="39" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        VIP or line card slot number of the flow switching engine in a 
        router/switch. Reserved for internal use on the collector.
        </paragraph>
    </description>
  </field>
  <field name="ipv4RouterSc" dataType="ipv4Address"
             group=""
             dataTypeSemantics="ipv4Address"
             elementId="43" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        This is a platform-specific field. It is used to store the 
        address of a router that is being shortcut when performing the 
        MultiLayer Switching. 
        </paragraph>
    </description>
  </field>
  <field name="flowSamplerId" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="48" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        The unique identifier associated with samplerName. Deprecated in 
        favor of 302 selectorId.
        </paragraph>
    </description>
  </field>
  <field name="flowSamplerMode" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="49" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        The type of algorithm used for sampling data: 0x01 - 
        deterministic, 0x02 - random sampling. Use with 
        flowSamplerRandomInterval. Deprecated in favor of 304 
        selectorAlgorithm. The values are not compatible: 
        selectorAlgorithm=3 is random sampling.
        </paragraph>
    </description>
  </field>
  <field name="flowSamplerRandomInterval" dataType="unsigned32"
             group=""
             dataTypeSemantics="quantity"
             elementId="50" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        Packet interval at which to sample - in case of random sampling. 
        Used in connection with flowSamplerMode 0x02 (random sampling) 
        value. Deprecated in favour of 305 samplingPacketInterval. 
        </paragraph>
    </description>
  </field>
  <field name="classId" dataType="unsigned8"
             group=""
             dataTypeSemantics="identifier"
             elementId="51" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        Characterizes the traffic class, i.e. QoS treatment. Deprecated 
        in favour of 302 selectorId.
        </paragraph>
    </description>
  </field>
  <field name="samplerName" dataType="string"
             group=""
             dataTypeSemantics=""
             elementId="84" applicability="flow" status="deprecated">
    <description>
        <paragraph>
         Name of the flow sampler. Deprecated in favor of 335 
        selectorName.
        </paragraph>
    </description>
  </field>
  <field name="flagsAndSamplerId" dataType="unsigned32"
             group=""
             dataTypeSemantics="identifier"
             elementId="87" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        Flow flags and the value of the sampler ID (flowSamplerId) 
        combined in one bitmapped field. Reserved for internal use on 
        the collector.
        </paragraph>
    </description>
  </field>
  <field name="forwardingStatus" dataType="unsigned32"
             group=""
             dataTypeSemantics="identifier"
             elementId="89" applicability="flow" status="current">
    <description>
        <paragraph>
        The field describes the forwarding status of the flow and any 
        attached reasons. The Reduced Size Encoding rules as per  apply.
        </paragraph>
        <artwork>
           The basic encoding is 8 bits. The future extensions 
           could add one or three bytes. The layout of the basic 
           encoding is as follows:
           
              MSB -   0   1   2   3   4   5   6   7   - LSB
                    +---+---+---+---+---+---+---+---+
                    | Status|  Reason code or flags |
                    +---+---+---+---+---+---+---+---+
           Status:
           
           00b = Unknown
           01b = Forwarded
           10b = Dropped
           11b = Consumed
           
           
           Reason Code (status = 01b, Forwarded)
           
           01 000000b = 64 = Unknown
           01 000001b = 65 = Fragmented
           01 000010b = 66 = Not Fragmented
           
           Reason Code (status = 10b, Dropped)
           
           10 000000b = 128 = Unknown
           10 000001b = 129 = ACL deny
           10 000010b = 130 = ACL drop
           10 000011b = 131 = Unroutable
           10 000100b = 132 = Adjacency
           10 000101b = 133 = Fragmentation and DF set
           10 000110b = 134 = Bad header checksum
           10 000111b = 135 = Bad total Length
           10 001000b = 136 = Bad header length
           10 001001b = 137 = bad TTL
           10 001010b = 138 = Policer
           10 001011b = 139 = WRED
           10 001100b = 140 = RPF
           10 001101b = 141 = For us
           10 001110b = 142 = Bad output interface
           10 001111b = 143 = Hardware
           
           Reason Code (status = 11b, Consumed)
           
           11 000000b = 192 = Unknown
           11 000001b = 193 = Punt Adjacency
           11 000010b = 194 = Incomplete Adjacency
           11 000011b = 195 = For us
           
           Examples:
           
             value : 0x40 = 64
             binary: 01000000
             decode: 01        -> Forward
                       000000  -> No further information
           
             value : 0x89 = 137
             binary: 10001001
             decode: 10        -> Drop
                       001001  -> Fragmentation and DF set
        </artwork>
    </description>
  </field>
  <field name="srcTrafficIndex" dataType="unsigned32"
             group=""
             dataTypeSemantics="identifier"
             elementId="92" applicability="flow" status="current">
    <description>
        <paragraph>
        BGP Policy Accounting Source Traffic Index
        </paragraph>
    </description>
  </field>
  <field name="dstTrafficIndex" dataType="unsigned32"
             group=""
             dataTypeSemantics="identifier"
             elementId="93" applicability="flow" status="current">
    <description>
        <paragraph>
        BGP Policy Accounting Destination Traffic Index
        </paragraph>
    </description>
  </field>
  <field name="className" dataType="string"
             group=""
             dataTypeSemantics=""
             elementId="100" applicability="flow" status="deprecated">
    <description>
        <paragraph>
        Traffic Class Name, associated with the classId Information 
        Element. Deprecated in favor of 335 selectorName.
        </paragraph>
    </description>
  </field>
  <field name="layer2packetSectionOffset" dataType="unsigned16"
             group=""
             dataTypeSemantics="quantity"
             elementId="102" applicability="flow" status="current">
    <description>
        <paragraph>
        Layer 2 packet section offset. Potentially a generic packet 
        section offset.
        </paragraph>
    </description>
  </field>
  <field name="layer2packetSectionSize" dataType="unsigned16"
             group=""
             dataTypeSemantics="quantity"
             elementId="103" applicability="flow" status="current">
    <description>
        <paragraph>
        Layer 2 packet section size. Potentially a generic packet 
        section size.
        </paragraph>
    </description>
  </field>
  <field name="layer2packetSectionData" dataType="octetArray"
             group=""
             dataTypeSemantics=""
             elementId="104" applicability="flow" status="current">
    <description>
        <paragraph>
        Layer 2 packet section data.
        </paragraph>
    </description>
  </field>
</fieldDefinitions>

Authors' Addresses

Andrew Yourtchenko Cisco Systems, Inc. De Kleetlaan, 7 Brussels, Diegem B-1831 Belgium Phone: +32 2 704 5494 EMail: ayourtch@cisco.com

Paul Aitken Cisco Systems, Inc. 96 Commercial Quay Edinburgh, EH6 6LX Scotland Phone: +44 131 561 3616 EMail: paitken@cisco.com

Benoit Claise Cisco Systems, Inc. De Kleetlaan, 6a b1 Diegem B-1831 Belgium Phone: +32 2 704 5622 EMail: bclaise@cisco.com