summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3954.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3954.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3954.txt')
-rw-r--r--doc/rfc/rfc3954.txt1851
1 files changed, 1851 insertions, 0 deletions
diff --git a/doc/rfc/rfc3954.txt b/doc/rfc/rfc3954.txt
new file mode 100644
index 0000000..53dccd3
--- /dev/null
+++ b/doc/rfc/rfc3954.txt
@@ -0,0 +1,1851 @@
+
+
+
+
+
+
+Network Working Group B. Claise, Ed.
+Request for Comments: 3954 Cisco Systems
+Category: Informational October 2004
+
+
+ Cisco Systems NetFlow Services Export Version 9
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+IESG Note
+
+ This RFC documents the NetFlow services export protocol Version 9 as
+ it was when submitted to the IETF as a basis for further work in the
+ IPFIX WG.
+
+ This RFC itself is not a candidate for any level of Internet
+ Standard. The IETF disclaims any knowledge of the fitness of this
+ RFC for any purpose, and in particular notes that it has not had
+ complete IETF review for such things as security, congestion control,
+ or inappropriate interaction with deployed protocols. The RFC Editor
+ has chosen to publish this document at its discretion.
+
+Abstract
+
+ This document specifies the data export format for version 9 of Cisco
+ Systems' NetFlow services, for use by implementations on the network
+ elements and/or matching collector programs. The version 9 export
+ format uses templates to provide access to observations of IP packet
+ flows in a flexible and extensible manner. A template defines a
+ collection of fields, with corresponding descriptions of structure
+ and semantics.
+
+Table of Contents
+
+ 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1. Terminology Summary Table . . . . . . . . . . . . . . . 6
+ 3. NetFlow High-Level Picture on the Exporter. . . . . . . . . . 6
+ 3.1. The NetFlow Process on the Exporter . . . . . . . . . . 6
+ 3.2. Flow Expiration . . . . . . . . . . . . . . . . . . . . 7
+
+
+
+Claise Informational [Page 1]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ 3.3. Transport Protocol. . . . . . . . . . . . . . . . . . . 7
+ 4. Packet Layout . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 5. Export Packet Format. . . . . . . . . . . . . . . . . . . . . 9
+ 5.1. Header Format . . . . . . . . . . . . . . . . . . . . . 9
+ 5.2. Template FlowSet Format . . . . . . . . . . . . . . . . 11
+ 5.3. Data FlowSet Format . . . . . . . . . . . . . . . . . . 13
+ 6. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 6.1. Options Template FlowSet Format . . . . . . . . . . . . 14
+ 6.2. Options Data Record Format. . . . . . . . . . . . . . . 16
+ 7. Template Management . . . . . . . . . . . . . . . . . . . . . 17
+ 8. Field Type Definitions. . . . . . . . . . . . . . . . . . . . 18
+ 9. The Collector Side. . . . . . . . . . . . . . . . . . . . . . 25
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26
+ 10.1. Disclosure of Flow Information Data . . . . . . . . . . 26
+ 10.2. Forgery of Flow Records or Template Records . . . . . . 26
+ 10.3. Attacks on the NetFlow Collector. . . . . . . . . . . . 27
+ 11. Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 11.1. Packet Header Example . . . . . . . . . . . . . . . . . 28
+ 11.2. Template FlowSet Example. . . . . . . . . . . . . . . . 28
+ 11.3. Data FlowSet Example. . . . . . . . . . . . . . . . . . 29
+ 11.4. Options Template FlowSet Example. . . . . . . . . . . . 30
+ 11.5. Data FlowSet with Options Data Records Example. . . . . 30
+ 12. References. . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 12.1. Normative References. . . . . . . . . . . . . . . . . . 31
+ 12.2. Informative References. . . . . . . . . . . . . . . . . 31
+ 13. Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
+ 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
+ 15. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 32
+ 16. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 33
+
+1. Introduction
+
+ Cisco Systems' NetFlow services provide network administrators with
+ access to IP flow information from their data networks. Network
+ elements (routers and switches) gather flow data and export it to
+ collectors. The collected data provides fine-grained metering for
+ highly flexible and detailed resource usage accounting.
+
+ A flow is defined as a unidirectional sequence of packets with some
+ common properties that pass through a network device. These
+ collected flows are exported to an external device, the NetFlow
+ collector. Network flows are highly granular; for example, flow
+ records include details such as IP addresses, packet and byte counts,
+ timestamps, Type of Service (ToS), application ports, input and
+ output interfaces, etc.
+
+ Exported NetFlow data is used for a variety of purposes, including
+ enterprise accounting and departmental chargebacks, ISP billing, data
+
+
+
+Claise Informational [Page 2]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ warehousing, network monitoring, capacity planning, application
+ monitoring and profiling, user monitoring and profiling, security
+ analysis, and data mining for marketing purposes.
+
+ This document specifies NetFlow version 9. It describes the
+ implementation specifications both from network element and NetFlow
+ collector points of view. These specifications should help the
+ deployment of NetFlow version 9 across different platforms and
+ different vendors by limiting the interoperability risks. The
+ NetFlow export format version 9 uses templates to provide access to
+ observations of IP packet flows in a flexible and extensible manner.
+
+ A template defines a collection of fields, with corresponding
+ descriptions of structure and semantics.
+
+ The template-based approach provides the following advantages:
+
+ - New fields can be added to NetFlow flow records without
+ changing the structure of the export record format. With
+ previous NetFlow versions, adding a new field in the flow
+ record implied a new version of the export protocol format and
+ a new version of the NetFlow collector that supported the
+ parsing of the new export protocol format.
+
+ - Templates that are sent to the NetFlow collector contain the
+ structural information about the exported flow record fields;
+ therefore, if the NetFlow collector does not understand the
+ semantics of new fields, it can still interpret the flow
+ record.
+
+ - Because the template mechanism is flexible, it allows the
+ export of only the required fields from the flows to the
+ NetFlow collector. This helps to reduce the exported flow data
+ volume and provides possible memory savings for the exporter
+ and NetFlow collector. Sending only the required information
+ can also reduce network load.
+
+ The IETF IPFIX Working Group (IP Flow Information eXport) is
+ developing a new protocol, based on the version 9 of Cisco Systems'
+ NetFlow services. Some enhancements in different domains (congestion
+ aware transport protocol, built-in security, etc... ) have been
+ incorporated in this new IPFIX protocol. Refer to the IPFIX Working
+ Group documents for more details.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+
+
+
+Claise Informational [Page 3]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+2. Terminology
+
+ Various terms used in this document are described in this section.
+ Note that the terminology summary table in Section 2.1 gives a quick
+ overview of the relationships between some of the different terms
+ defined.
+
+ Observation Point
+ An Observation Point is a location in the network where IP packets
+ can be observed; for example, one or a set of interfaces on a network
+ device like a router. Every Observation Point is associated with an
+ Observation Domain.
+
+ Observation Domain
+ The set of Observation Points that is the largest aggregatable set of
+ flow information at the network device with NetFlow services enabled
+ is termed an Observation Domain. For example, a router line card
+ composed of several interfaces with each interface being an
+ Observation Point.
+
+ IP Flow or Flow
+ An IP Flow, also called a Flow, is defined as a set of IP packets
+ passing an Observation Point in the network during a certain time
+ interval. All packets that belong to a particular Flow have a set of
+ common properties derived from the data contained in the packet and
+ from the packet treatment at the Observation Point.
+
+ Flow Record
+ A Flow Record provides information about an IP Flow observed at an
+ Observation Point. In this document, the Flow Data Records are also
+ referred to as NetFlow services data and NetFlow data.
+
+ Exporter
+ A device (for example, a router) with the NetFlow services enabled,
+ the Exporter monitors packets entering an Observation Point and
+ creates Flows from these packets. The information from these Flows
+ is exported in the form of Flow Records to the NetFlow Collector.
+
+ NetFlow Collector
+ The NetFlow Collector receives Flow Records from one or more
+ Exporters. It processes the received Export Packet(s); that is, it
+ parses and stores the Flow Record information. Flow Records can be
+ optionally aggregated before being stored on the hard disk. The
+ NetFlow Collector is also referred to as the Collector in this
+ document.
+
+
+
+
+
+
+Claise Informational [Page 4]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Export Packet
+ An Export Packet is a packet originating at the Exporter that carries
+ the Flow Records of this Exporter and whose destination is the
+ NetFlow Collector.
+
+ Packet Header
+ The Packet Header is the first part of an Export Packet. The Packet
+ Header provides basic information about the packet such as the
+ NetFlow version, number of records contained within the packet, and
+ sequence numbering.
+
+ Template Record
+ A Template Record defines the structure and interpretation of fields
+ in a Flow Data Record.
+
+ Flow Data Record
+ A Flow Data Record is a data record that contains values of the Flow
+ parameters corresponding to a Template Record.
+
+ Options Template Record
+ An Options Template Record defines the structure and interpretation
+ of fields in an Options Data Record, including defining the scope
+ within which the Options Data Record is relevant.
+
+ Options Data Record
+ The data record that contains values and scope information of the
+ Flow measurement parameters, corresponding to an Options Template
+ Record.
+
+ FlowSet
+ FlowSet is a generic term for a collection of Flow Records that have
+ a similar structure. In an Export Packet, one or more FlowSets
+ follow the Packet Header. There are three different types of
+ FlowSets: Template FlowSet, Options Template FlowSet, and Data
+ FlowSet.
+
+ Template FlowSet
+ A Template FlowSet is one or more Template Records that have been
+ grouped together in an Export Packet.
+
+ Options Template FlowSet
+ An Options Template FlowSet is one or more Options Template Records
+ that have been grouped together in an Export Packet.
+
+
+
+
+
+
+
+
+Claise Informational [Page 5]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Data FlowSet
+ A Data FlowSet is one or more records, of the same type, that are
+ grouped together in an Export Packet. Each record is either a Flow
+ Data Record or an Options Data Record previously defined by a
+ Template Record or an Options Template Record.
+
+2.1. Terminology Summary Table
+
+ +------------------+---------------------------------------------+
+ | | Contents |
+ | +--------------------+------------------------+
+ | FlowSet | Template Record | Data Record |
+ +------------------+--------------------+------------------------+
+ | | | Flow Data Record(s) |
+ | Data FlowSet | / | or |
+ | | | Options Data Record(s) |
+ +------------------+--------------------+------------------------+
+ | Template FlowSet | Template Record(s) | / |
+ +------------------+--------------------+------------------------+
+ | Options Template | Options Template | / |
+ | FlowSet | Record(s) | |
+ +------------------+--------------------+------------------------+
+
+ A Data FlowSet is composed of an Options Data Record(s) or Flow Data
+ Record(s). No Template Record is included. A Template Record defines
+ the Flow Data Record, and an Options Template Record defines the
+ Options Data Record.
+
+ A Template FlowSet is composed of Template Record(s). No Flow or
+ Options Data Record is included.
+
+ An Options Template FlowSet is composed of Options Template
+ Record(s). No Flow or Options Data Record is included.
+
+3. NetFlow High-Level Picture on the Exporter
+
+3.1. The NetFlow Process on the Exporter
+
+ The NetFlow process on the Exporter is responsible for the creation
+ of Flows from the observed IP packets. The details of this process
+ are beyond the scope of this document.
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 6]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+3.2. Flow Expiration
+
+ A Flow is considered to be inactive if no packets belonging to the
+ Flow have been observed at the Observation Point for a given timeout.
+ If any packet is seen within the timeout, the flow is considered an
+ active flow. A Flow can be exported under the following conditions:
+
+ 1. If the Exporter can detect the end of a Flow. For example, if
+ the FIN or RST bit is detected in a TCP [RFC793] connection,
+ the Flow Record is exported.
+
+ 2. If the Flow has been inactive for a certain period of time.
+ This inactivity timeout SHOULD be configurable at the Exporter,
+ with a minimum value of 0 for an immediate expiration.
+
+ 3. For long-lasting Flows, the Exporter SHOULD export the Flow
+ Records on a regular basis. This timeout SHOULD be
+ configurable at the Exporter.
+
+ 4. If the Exporter experiences internal constraints, a Flow MAY be
+ forced to expire prematurely; for example, counters wrapping or
+ low memory.
+
+3.3. Transport Protocol
+
+ To achieve efficiency in terms of processing at the Exporter while
+ handling high volumes of Export Packets, the NetFlow Export Packets
+ are encapsulated into UDP [RFC768] datagrams for export to the
+ NetFlow Collector. However, NetFlow version 9 has been designed to
+ be transport protocol independent. Hence, it can also operate over
+ congestion-aware protocols such as SCTP [RFC2960].
+
+ Note that the Exporter can export to multiple Collectors, using
+ independent transport protocols.
+
+ UDP [RFC768] is a non congestion-aware protocol, so when deploying
+ NetFlow version 9 in a congestion-sensitive environment, make the
+ connection between Exporter and NetFlow Collector through a dedicated
+ link. This ensures that any burstiness in the NetFlow traffic
+ affects only this dedicated link. When the NetFlow Collector can not
+ be placed within a one-hop distance from the Exporter or when the
+ export path from the Exporter to the NetFlow Collector can not be
+ exclusively used for the NetFlow Export Packets, the export path
+ should be designed so that it can always sustain the maximum
+ burstiness of NetFlow traffic from the Exporter. Note that the
+ congestion can occur on the Exporter in case the export path speed is
+ too low.
+
+
+
+
+Claise Informational [Page 7]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+4. Packet Layout
+
+ An Export Packet consists of a Packet Header followed by one or more
+ FlowSets. The FlowSets can be any of the possible three types:
+ Template, Data, or Options Template.
+
+ +--------+-------------------------------------------+
+ | | +----------+ +---------+ +----------+ |
+ | Packet | | Template | | Data | | Options | |
+ | Header | | FlowSet | | FlowSet | | Template | ... |
+ | | | | | | | FlowSet | |
+ | | +----------+ +---------+ +----------+ |
+ +--------+-------------------------------------------+
+ Export Packet
+
+ A FlowSet ID is used to distinguish the different types of FlowSets.
+ FlowSet IDs lower than 256 are reserved for special FlowSets, such as
+ the Template FlowSet (ID 0) and the Options Template FlowSet (ID 1).
+ The Data FlowSets have a FlowSet ID greater than 255.
+
+ The format of the Template, Data, and Options Template FlowSets will
+ be discussed later in this document. The Exporter MUST code all
+ binary integers of the Packet Header and the different FlowSets in
+ network byte order (also known as the big-endian byte ordering).
+
+ Following are some examples of export packets:
+
+ 1. An Export Packet consisting of interleaved Template, Data, and
+ Options Template FlowSets. Example: a newly created Template is
+ exported as soon as possible. So if there is already an Export
+ Packet with a Data FlowSet that is being prepared for export, the
+ Template and Option FlowSets are also interleaved with this
+ information, subject to availability of space.
+
+ Export Packet:
+ +--------+--------------------------------------------------------+
+ | | +----------+ +---------+ +-----------+ +---------+ |
+ | Packet | | Template | | Data | | Options | | Data | |
+ | Header | | FlowSet | | FlowSet | ... | Template | | FlowSet | |
+ | | | | | | | FlowSet | | | |
+ | | +----------+ +---------+ +-----------+ +---------+ |
+ +--------+--------------------------------------------------------+
+
+ 2. An Export Packet consisting entirely of Data FlowSets. Example:
+ after the appropriate Template Records have been defined and
+ transmitted to the NetFlow Collector device, the majority of
+ Export Packets consists solely of Data FlowSets.
+
+
+
+
+Claise Informational [Page 8]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Export Packet:
+ +--------+----------------------------------------------+
+ | | +---------+ +---------+ +---------+ |
+ | Packet | | Data | ... | Data | ... | Data | |
+ | Header | | FlowSet | ... | FlowSet | ... | FlowSet | |
+ | | +---------+ +---------+ +---------+ |
+ +--------+----------------------------------------------+
+
+ 3. An Export Packet consisting entirely of Template and Options
+ Template FlowSets. Example: the Exporter MAY transmit a packet
+ containing Template and Options Template FlowSets periodically to
+ help ensure that the NetFlow Collector has the correct Template
+ Records and Options Template Records when the corresponding Flow
+ Data records are received.
+
+ Export Packet:
+ +--------+-------------------------------------------------+
+ | | +----------+ +----------+ +----------+ |
+ | Packet | | Template | | Template | | Options | |
+ | Header | | FlowSet | ... | FlowSet | ... | Template | |
+ | | | | | | | FlowSet | |
+ | | +----------+ +----------+ +----------+ |
+ +--------+-------------------------------------------------+
+
+5. Export Packet Format
+
+5.1. Header Format
+
+ The Packet Header format is specified as:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Version Number | Count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | sysUpTime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | UNIX Secs |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Source ID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+Claise Informational [Page 9]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Packet Header Field Descriptions
+
+ Version
+ Version of Flow Record format exported in this packet. The
+ value of this field is 9 for the current version.
+
+ Count
+ The total number of records in the Export Packet, which is the
+ sum of Options FlowSet records, Template FlowSet records, and
+ Data FlowSet records.
+
+ sysUpTime
+ Time in milliseconds since this device was first booted.
+
+ UNIX Secs
+ Time in seconds since 0000 UTC 1970, at which the Export Packet
+ leaves the Exporter.
+
+ Sequence Number
+ Incremental sequence counter of all Export Packets sent from
+ the current Observation Domain by the Exporter. This value
+ MUST be cumulative, and SHOULD be used by the Collector to
+ identify whether any Export Packets have been missed.
+
+ Source ID
+ A 32-bit value that identifies the Exporter Observation Domain.
+ NetFlow Collectors SHOULD use the combination of the source IP
+ address and the Source ID field to separate different export
+ streams originating from the same Exporter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 10]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+5.2. Template FlowSet Format
+
+ One of the essential elements in the NetFlow format is the Template
+ FlowSet. Templates greatly enhance the flexibility of the Flow
+ Record format because they allow the NetFlow Collector to process
+ Flow Records without necessarily knowing the interpretation of all
+ the data in the Flow Record. The format of the Template FlowSet is
+ as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 0 | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID 256 | Field Count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type 1 | Field Length 1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type 2 | Field Length 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type N | Field Length N |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID 257 | Field Count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type 1 | Field Length 1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type 2 | Field Length 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Type M | Field Length M |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID K | Field Count |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Template FlowSet Field Descriptions
+
+ FlowSet ID
+ FlowSet ID value of 0 is reserved for the Template FlowSet.
+
+
+
+
+
+
+Claise Informational [Page 11]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Length
+ Total length of this FlowSet. Because an individual Template
+ FlowSet MAY contain multiple Template Records, the Length value
+ MUST be used to determine the position of the next FlowSet
+ record, which could be any type of FlowSet. Length is the sum
+ of the lengths of the FlowSet ID, the Length itself, and all
+ Template Records within this FlowSet.
+
+ Template ID
+ Each of the newly generated Template Records is given a unique
+ Template ID. This uniqueness is local to the Observation
+ Domain that generated the Template ID. Template IDs 0-255 are
+ reserved for Template FlowSets, Options FlowSets, and other
+ reserved FlowSets yet to be created. Template IDs of Data
+ FlowSets are numbered from 256 to 65535.
+
+ Field Count
+ Number of fields in this Template Record. Because a Template
+ FlowSet usually contains multiple Template Records, this field
+ allows the Collector to determine the end of the current
+ Template Record and the start of the next.
+
+ Field Type
+ A numeric value that represents the type of the field. Refer
+ to the "Field Type Definitions" section.
+
+ Field Length
+ The length of the corresponding Field Type, in bytes. Refer to
+ the "Field Type Definitions" section.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 12]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+5.3. Data FlowSet Format
+
+ The format of the Data FlowSet is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = Template ID | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 1 - Field Value 1 | Record 1 - Field Value 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 1 - Field Value 3 | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 2 - Field Value 1 | Record 2 - Field Value 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 2 - Field Value 3 | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 3 - Field Value 1 | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Data FlowSet Field Descriptions
+
+ FlowSet ID = Template ID
+ Each Data FlowSet is associated with a FlowSet ID. The FlowSet
+ ID maps to a (previously generated) Template ID. The Collector
+ MUST use the FlowSet ID to find the corresponding Template
+ Record and decode the Flow Records from the FlowSet.
+
+ Length
+ The length of this FlowSet. Length is the sum of the lengths
+ of the FlowSet ID, Length itself, all Flow Records within this
+ FlowSet, and the padding bytes, if any.
+
+ Record N - Field Value M
+ The remainder of the Data FlowSet is a collection of Flow Data
+ Record(s), each containing a set of field values. The Type and
+ Length of the fields have been previously defined in the
+ Template Record referenced by the FlowSet ID or Template ID.
+
+ Padding
+ The Exporter SHOULD insert some padding bytes so that the
+ subsequent FlowSet starts at a 4-byte aligned boundary. It is
+ important to note that the Length field includes the padding
+ bytes. Padding SHOULD be using zeros.
+
+
+
+
+
+Claise Informational [Page 13]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Interpretation of the Data FlowSet format can be done only if the
+ Template FlowSet corresponding to the Template ID is available at the
+ Collector.
+
+6. Options
+
+6.1. Options Template FlowSet Format
+
+ The Options Template Record (and its corresponding Options Data
+ Record) is used to supply information about the NetFlow process
+ configuration or NetFlow process specific data, rather than supplying
+ information about IP Flows.
+
+ For example, the Options Template FlowSet can report the sample rate
+ of a specific interface, if sampling is supported, along with the
+ sampling method used.
+
+ The format of the Options Template FlowSet follows.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 1 | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID | Option Scope Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Length | Scope 1 Field Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Field Length | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope N Field Length | Option 1 Field Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option 1 Field Length | ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option M Field Length | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Options Template FlowSet Field Definitions
+
+ FlowSet ID = 1
+ A FlowSet ID value of 1 is reserved for the Options Template.
+
+ Length
+ Total length of this FlowSet. Each Options Template FlowSet
+ MAY contain multiple Options Template Records. Thus, the
+ Length value MUST be used to determine the position of the next
+ FlowSet record, which could be either a Template FlowSet or
+ Data FlowSet.
+
+
+
+Claise Informational [Page 14]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Length is the sum of the lengths of the FlowSet ID, the Length
+ itself, and all Options Template Records within this FlowSet
+ Template ID.
+
+ Template ID
+ Template ID of this Options Template. This value is greater
+ than 255.
+
+ Option Scope Length
+ The length in bytes of any Scope field definition contained in
+ the Options Template Record (The use of "Scope" is described
+ below).
+
+ Option Length
+ The length (in bytes) of any options field definitions
+ contained in this Options Template Record.
+
+ Scope 1 Field Type
+ The relevant portion of the Exporter/NetFlow process to which
+ the Options Template Record refers.
+ Currently defined values are:
+ 1 System
+ 2 Interface
+ 3 Line Card
+ 4 Cache
+ 5 Template
+ For example, the NetFlow process can be implemented on a per-
+ interface basis, so if the Options Template Record were
+ reporting on how the NetFlow process is configured, the Scope
+ for the report would be 2 (interface). The associated
+ interface ID would then be carried in the associated Options
+ Data FlowSet. The Scope can be limited further by listing
+ multiple scopes that all must match at the same time. Note
+ that the Scope fields always precede the Option fields.
+
+ Scope 1 Field Length
+ The length (in bytes) of the Scope field, as it would appear in
+ an Options Data Record.
+
+ Option 1 Field Type
+ A numeric value that represents the type of field that would
+ appear in the Options Template Record. Refer to the Field Type
+ Definitions section.
+
+ Option 1 Field Length
+ The length (in bytes) of the Option field.
+
+
+
+
+
+Claise Informational [Page 15]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Padding
+ The Exporter SHOULD insert some padding bytes so that the
+ subsequent FlowSet starts at a 4-byte aligned boundary. It is
+ important to note that the Length field includes the padding
+ bytes. Padding SHOULD be using zeros.
+
+6.2. Options Data Record Format
+
+ The Options Data Records are sent in Data FlowSets, on a regular
+ basis, but not with every Flow Data Record. How frequently these
+ Options Data Records are exported is configurable. See the
+ "Templates Management" section for more details.
+
+ The format of the Data FlowSet containing Options Data Records
+ follows.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = Template ID | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 1 - Scope 1 Value |Record 1 - Option Field 1 Value|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |Record 1 - Option Field 2 Value| ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 2 - Scope 1 Value |Record 2 - Option Field 1 Value|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |Record 2 - Option Field 2 Value| ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Record 3 - Scope 1 Value |Record 3 - Option Field 1 Value|
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |Record 3 - Option Field 2 Value| ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | ... | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Options Data Records of the Data FlowSet Field Descriptions
+
+ FlowSet ID = Template ID
+ A FlowSet ID precedes each group of Options Data Records within
+ a Data FlowSet. The FlowSet ID maps to a previously generated
+ Template ID corresponding to this Options Template Record. The
+ Collector MUST use the FlowSet ID to map the appropriate type
+ and length to any field values that follow.
+
+
+
+
+
+
+
+Claise Informational [Page 16]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Length
+ The length of this FlowSet. Length is the sum of the lengths of
+ the FlowSet ID, Length itself, all the Options Data Records
+ within this FlowSet, and the padding bytes, if any.
+
+ Record N - Option Field M Value
+ The remainder of the Data FlowSet is a collection of Flow
+ Records, each containing a set of scope and field values. The
+ type and length of the fields were previously defined in the
+ Options Template Record referenced by the FlowSet ID or
+ Template ID.
+
+ Padding
+ The Exporter SHOULD insert some padding bytes so that the
+ subsequent FlowSet starts at a 4-byte aligned boundary. It is
+ important to note that the Length field includes the padding
+ bytes. Padding SHOULD be using zeros.
+
+ The Data FlowSet format can be interpreted only if the Options
+ Template FlowSet corresponding to the Template ID is available at the
+ Collector.
+
+7. Template Management
+
+ Flow Data records that correspond to a Template Record MAY appear in
+ the same and/or subsequent Export Packets. The Template Record is
+ not necessarily carried in every Export Packet. As such, the NetFlow
+ Collector MUST store the Template Record to interpret the
+ corresponding Flow Data Records that are received in subsequent data
+ packets.
+
+ A NetFlow Collector that receives Export Packets from several
+ Observation Domains from the same Exporter MUST be aware that the
+ uniqueness of the Template ID is not guaranteed across Observation
+ Domains.
+
+ The Template IDs must remain constant for the life of the NetFlow
+ process on the Exporter. If the Exporter or the NetFlow process
+ restarts for any reason, all information about Templates will be lost
+ and new Template IDs will be created. Template IDs are thus not
+ guaranteed to be consistent across an Exporter or NetFlow process
+ restart.
+
+ A newly created Template record is assigned an unused Template ID
+ from the Exporter. If the template configuration is changed, the
+ current Template ID is abandoned and SHOULD NOT be reused until the
+
+
+
+
+
+Claise Informational [Page 17]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ NetFlow process or Exporter restarts. If a Collector should receive
+ a new definition for an already existing Template ID, it MUST discard
+ the previous template definition and use the new one.
+
+ If a configured Template Record on the Exporter is deleted, and re-
+ configured with exactly the same parameters, the same Template ID
+ COULD be reused.
+
+ The Exporter sends the Template FlowSet and Options Template FlowSet
+ under the following conditions:
+
+ 1. After a NetFlow process restarts, the Exporter MUST NOT send any
+ Data FlowSet without sending the corresponding Template FlowSet
+ and the required Options Template FlowSet in a previous packet or
+ including it in the same Export Packet. It MAY transmit the
+ Template FlowSet and Options Template FlowSet, without any Data
+ FlowSets, in advance to help ensure that the Collector will have
+ the correct Template Record before receiving the first Flow or
+ Options Data Record.
+
+ 2. In the event of configuration changes, the Exporter SHOULD send
+ the new template definitions at an accelerated rate. In such a
+ case, it MAY transmit the changed Template Record(s) and Options
+ Template Record(s), without any data, in advance to help ensure
+ that the Collector will have the correct template information
+ before receiving the first data.
+
+ 3. On a regular basis, the Exporter MUST send all the Template
+ Records and Options Template Records to refresh the Collector.
+ Template IDs have a limited lifetime at the Collector and MUST be
+ periodically refreshed. Two approaches are taken to make sure
+ that Templates get refreshed at the Collector:
+ * Every N number of Export Packets.
+ * On a time basis, so every N number of minutes.
+ Both options MUST be configurable by the user on the Exporter.
+ When one of these expiry conditions is met, the Exporter MUST send
+ the Template FlowSet and Options Template.
+
+ 4. In the event of a clock configuration change on the Exporter, the
+ Exporter SHOULD send the template definitions at an accelerated
+ rate.
+
+8. Field Type Definitions
+
+ The following table describes all the field type definitions that an
+ Exporter MAY support. The fields are a selection of Packet Header
+ fields, lookup results (for example, the autonomous system numbers or
+ the subnet masks), and properties of the packet such as length.
+
+
+
+Claise Informational [Page 18]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Field Type Value Length Description
+ (bytes)
+
+ Incoming counter with
+ length N x 8 bits for the
+ IN_BYTES 1 N number of bytes associated
+ with an IP Flow. By default
+ N is 4
+
+ Incoming counter with
+ length N x 8 bits for the
+ IN_PKTS 2 N number of packets
+ associated with an IP Flow.
+ By default N is 4
+
+ FLOWS 3 N Number of Flows
+ that were aggregated;
+ by default N is 4
+
+ PROTOCOL 4 1 IP protocol byte
+
+ Type of service byte
+ TOS 5 1 setting when entering
+ the incoming interface
+
+ TCP flags; cumulative of
+ TCP_FLAGS 6 1 all the TCP flags seen in
+ this Flow
+
+ TCP/UDP source port number
+ L4_SRC_PORT 7 2 (for example, FTP, Telnet,
+ or equivalent)
+
+ IPV4_SRC_ADDR 8 4 IPv4 source address
+
+ The number of contiguous
+ bits in the source subnet
+ SRC_MASK 9 1 mask (i.e., the mask in
+ slash notation)
+
+ Input interface index.
+ INPUT_SNMP 10 N By default N is 2, but
+ higher values can be used
+
+ TCP/UDP destination port
+ L4_DST_PORT 11 2 number (for example, FTP,
+ Telnet, or equivalent)
+
+
+
+
+Claise Informational [Page 19]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ IPV4_DST_ADDR 12 4 IPv4 destination address
+
+ The number of contiguous
+ bits in the destination
+ DST_MASK 13 1 subnet mask (i.e., the mask
+ in slash notation)
+
+ Output interface index.
+
+ OUTPUT_SNMP 14 N By default N is 2, but
+ higher values can be used
+
+ IPV4_NEXT_HOP 15 4 IPv4 address of the next-
+ hop router
+
+ Source BGP autonomous
+ SRC_AS 16 N system number where N could
+ be 2 or 4. By default N is
+ 2
+
+ Destination BGP autonomous
+ DST_AS 17 N system number where N could
+ be 2 or 4. By default N is
+ 2
+
+ BGP_IPV4_NEXT_HOP 18 4 Next-hop router's IP
+ address in the BGP domain
+
+ IP multicast outgoing
+ packet counter with length
+ MUL_DST_PKTS 19 N N x 8 bits for packets
+ associated with the IP
+ Flow. By default N is 4
+
+ IP multicast outgoing
+ Octet (byte) counter with
+ length N x 8 bits for the
+ MUL_DST_BYTES 20 N number of bytes associated
+ with the IP Flow. By
+ default N is 4
+
+ sysUptime in msec at which
+ LAST_SWITCHED 21 4 the last packet of this
+ Flow was switched
+
+ sysUptime in msec at which
+ FIRST_SWITCHED 22 4 the first packet of this
+ Flow was switched
+
+
+
+Claise Informational [Page 20]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Outgoing counter with
+ length N x 8 bits for the
+ OUT_BYTES 23 N number of bytes associated
+ with an IP Flow. By
+ default N is 4
+
+ Outgoing counter with
+ length N x 8 bits for the
+ OUT_PKTS 24 N number of packets
+ associated with an IP Flow.
+ By default N is 4
+
+ IPV6_SRC_ADDR 27 16 IPv6 source address
+
+ IPV6_DST_ADDR 28 16 IPv6 destination address
+
+ IPV6_SRC_MASK 29 1 Length of the IPv6 source
+ mask in contiguous bits
+
+ Length of the IPv6
+ IPV6_DST_MASK 30 1 destination mask in
+ contiguous bits
+
+ IPV6_FLOW_LABEL 31 3 IPv6 flow label as per
+ RFC 2460 definition
+
+ Internet Control Message
+ ICMP_TYPE 32 2 Protocol (ICMP) packet
+ type; reported as
+ ICMP Type * 256 + ICMP code
+
+ MUL_IGMP_TYPE 33 1 Internet Group Management
+ Protocol (IGMP) packet type
+
+ When using sampled NetFlow,
+ the rate at which packets
+ SAMPLING_INTERVAL 34 4 are sampled; for example, a
+ value of 100 indicates that
+ one of every hundred
+ packets is sampled
+
+ For sampled NetFlow
+ platform-wide:
+ SAMPLING_ALGORITHM 35 1 0x01 deterministic sampling
+ 0x02 random sampling
+ Use in connection with
+ SAMPLING_INTERVAL
+
+
+
+
+Claise Informational [Page 21]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Timeout value (in seconds)
+
+ FLOW_ACTIVE_TIMEOUT 36 2 for active flow entries
+ in the NetFlow cache
+
+ Timeout value (in seconds)
+ FLOW_INACTIVE_TIMEOUT 37 2 for inactive Flow entries
+ in the NetFlow cache
+
+ Type of Flow switching
+ ENGINE_TYPE 38 1 engine (route processor,
+ linecard, etc...)
+
+ ENGINE_ID 39 1 ID number of the Flow
+ switching engine
+
+ Counter with length
+ N x 8 bits for the number
+ TOTAL_BYTES_EXP 40 N of bytes exported by the
+ Observation Domain. By
+ default N is 4
+
+ Counter with length
+ N x 8 bits for the number
+ TOTAL_PKTS_EXP 41 N of packets exported by the
+ Observation Domain. By
+ default N is 4
+
+ Counter with length
+ N x 8 bits for the number
+ TOTAL_FLOWS_EXP 42 N of Flows exported by the
+ Observation Domain. By
+ default N is 4
+
+ MPLS_TOP_LABEL_TYPE 46 1 MPLS Top Label Type:
+ 0x00 UNKNOWN
+ 0x01 TE-MIDPT
+ 0x02 ATOM
+ 0x03 VPN
+ 0x04 BGP
+ 0x05 LDP
+
+ Forwarding Equivalent Class
+ MPLS_TOP_LABEL_IP_ADDR 47 4 corresponding to the MPLS
+ Top Label
+
+ FLOW_SAMPLER_ID 48 1 Identifier shown
+ in "show flow-sampler"
+
+
+
+Claise Informational [Page 22]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ The type of algorithm used
+ for sampling data:
+ FLOW_SAMPLER_MODE 49 1 0x02 random sampling
+ Use in connection with
+ FLOW_SAMPLER_MODE
+ Packet interval at which to
+ FLOW_SAMPLER_RANDOM_INTERVAL 50 4 sample. Use in connection
+ with FLOW_SAMPLER_MODE
+
+ Type of Service byte
+ DST_TOS 55 1 setting when exiting
+ outgoing interface
+
+ SRC_MAC 56 6 Source MAC Address
+
+ DST_MAC 57 6 Destination MAC Address
+
+ Virtual LAN identifier
+
+ SRC_VLAN 58 2 associated with ingress
+ interface
+
+ Virtual LAN identifier
+ DST_VLAN 59 2 associated with egress
+ interface
+
+ Internet Protocol Version
+ Set to 4 for IPv4, set to 6
+ IP_PROTOCOL_VERSION 60 1 for IPv6. If not present in
+ the template, then version
+ 4 is assumed
+
+ Flow direction:
+ DIRECTION 61 1 0 - ingress flow
+ 1 - egress flow
+
+ IPV6_NEXT_HOP 62 16 IPv6 address of the
+ next-hop router
+
+ BGP_IPV6_NEXT_HOP 63 16 Next-hop router in the BGP
+ domain
+
+ Bit-encoded field
+ IPV6_OPTION_HEADERS 64 4 identifying IPv6 option
+ headers found in the flow
+
+ MPLS_LABEL_1 70 3 MPLS label at position 1 in
+ the stack
+
+
+
+Claise Informational [Page 23]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ MPLS_LABEL_2 71 3 MPLS label at position 2 in
+ the stack
+
+ MPLS_LABEL_3 72 3 MPLS label at position 3 in
+ the stack
+
+ MPLS_LABEL_4 73 3 MPLS label at position 4 in
+ the stack
+
+ MPLS_LABEL_5 74 3 MPLS label at position 5 in
+ the stack
+
+ MPLS_LABEL_6 75 3 MPLS label at position 6 in
+ the stack
+
+ MPLS_LABEL_7 76 3 MPLS label at position 7 in
+ the stack
+
+ MPLS_LABEL_8 77 3 MPLS label at position 8 in
+ the stack
+
+ MPLS_LABEL_9 78 3 MPLS label at position 9 in
+ the stack
+
+ MPLS_LABEL_10 79 3 MPLS label at position 10
+ in the stack
+
+ The value field is a numeric identifier for the field type. The
+ following value fields are reserved for proprietary field types: 25,
+ 26, 43 to 45, 51 to 54, and 65 to 69.
+
+ When extensibility is required, the new field types will be added to
+ the list. The new field types have to be updated on the Exporter and
+ Collector but the NetFlow export format would remain unchanged.
+ Refer to the latest documentation at http://www.cisco.com for the
+ newly updated list.
+
+ In some cases the size of a field type is fixed by definition, for
+ example PROTOCOL, or IPV4_SRC_ADDR. However in other cases they are
+ defined as a variant type. This improves the memory efficiency in
+ the collector and reduces the network bandwidth requirement between
+ the Exporter and the Collector. As an example, in the case IN_BYTES,
+ on an access router it might be sufficient to use a 32 bit counter (N
+ = 4), whilst on a core router a 64 bit counter (N = 8) would be
+ required.
+
+ All counters and counter-like objects are unsigned integers of size N
+ * 8 bits.
+
+
+
+Claise Informational [Page 24]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+9. The Collector Side
+
+ The Collector receives Template Records from the Exporter, normally
+ before receiving Flow Data Records (or Options Data Records). The
+ Flow Data Records (or Options Data Records) can then be decoded and
+ stored locally on the devices. If the Template Records have not been
+ received at the time Flow Data Records (or Options Data Records) are
+ received, the Collector SHOULD store the Flow Data Records (or
+ Options Data Records) and decode them after the Template Records are
+ received. A Collector device MUST NOT assume that the Data FlowSet
+ and the associated Template FlowSet (or Options Template FlowSet) are
+ exported in the same Export Packet.
+
+ The Collector MUST NOT assume that one and only one Template FlowSet
+ is present in an Export Packet.
+
+ The life of a template at the Collector is limited to a fixed refresh
+ timeout. Templates not refreshed from the Exporter within the
+ timeout are expired at the Collector. The Collector MUST NOT attempt
+ to decode the Flow or Options Data Records with an expired Template.
+ At any given time the Collector SHOULD maintain the following for all
+ the current Template Records and Options Template Records: Exporter,
+ Observation Domain, Template ID, Template Definition, Last Received.
+
+ Note that the Observation Domain is identified by the Source ID field
+ from the Export Packet.
+
+ In the event of a clock configuration change on the Exporter, the
+ Collector SHOULD discard all Template Records and Options Template
+ Records associated with that Exporter, in order for Collector to
+ learn the new set of fields: Exporter, Observation Domain, Template
+ ID, Template Definition, Last Received.
+
+ Template IDs are unique per Exporter and per Observation Domain.
+
+ If the Collector receives a new Template Record (for example, in the
+ case of an Exporter restart) it MUST immediately override the
+ existing Template Record.
+
+ Finally, note that the Collector MUST accept padding in the Data
+ FlowSet and Options Template FlowSet, which means for the Flow Data
+ Records, the Options Data Records and the Template Records. Refer to
+ the terminology summary table in Section 2.1.
+
+
+
+
+
+
+
+
+Claise Informational [Page 25]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+10. Security Considerations
+
+ The NetFlow version 9 protocol was designed with the expectation that
+ the Exporter and Collector would remain within a single private
+ network. However the NetFlow version 9 protocol might be used to
+ transport Flow Records over the public Internet which exposes the
+ Flow Records to a number of security risks. For example an attacker
+ might capture, modify or insert Export Packets. There is therefore a
+ risk that IP Flow information might be captured or forged, or that
+ attacks might be directed at the NetFlow Collector.
+
+ The designers of NetFlow Version 9 did not impose any
+ confidentiality, integrity or authentication requirements on the
+ protocol because this reduced the efficiency of the implementation
+ and it was believed at the time that the majority of deployments
+ would confine the Flow Records to private networks, with the
+ Collector(s) and Exporter(s) in close proximity.
+
+ The IPFIX protocol (IP Flow Information eXport), which has chosen the
+ NetFlow version 9 protocol as the base protocol, addresses the
+ security considerations discussed in this section. See the security
+ section of IPFIX requirement draft [RFC3917] for more information.
+
+10.1. Disclosure of Flow Information Data
+
+ Because the NetFlow Version 9 Export Packets are not encrypted, the
+ observation of Flow Records can give an attacker information about
+ the active flows in the network, communication endpoints and traffic
+ patterns. This information can be used both to spy on user behavior
+ and to plan and conceal future attacks.
+
+ The information that an attacker could derive from the interception
+ of Flow Records depends on the Flow definition. For example, a Flow
+ Record containing the source and destination IP addresses might
+ reveal privacy sensitive information regarding the end user's
+ activities, whilst a Flow Record only containing the source and
+ destination IP network would be less revealing.
+
+10.2. Forgery of Flow Records or Template Records
+
+ If Flow Records are used in accounting and/or security applications,
+ there may be a strong incentive to forge exported Flow Records (for
+ example to defraud the service provider, or to prevent the detection
+ of an attack). This can be done either by altering the Flow Records
+ on the path between the Observer and the Collector, or by injecting
+ forged Flow Records that pretend to be originated by the Exporter.
+
+
+
+
+
+Claise Informational [Page 26]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ An attacker could forge Templates and/or Options Templates and
+ thereby try to confuse the NetFlow Collector, rendering it unable to
+ decode the Export Packets.
+
+10.3. Attacks on the NetFlow Collector
+
+ Denial of service attacks on the NetFlow Collector can consume so
+ many resources from the machine that, the Collector is unable to
+ capture or decode some NetFlow Export Packets. Such hazards are not
+ explicitly addressed by the NetFlow Version 9 protocol, although the
+ normal methods used to protect a server from a DoS attack will
+ mitigate the problem.
+
+11. Examples
+
+ Let us consider the example of an Export Packet composed of a
+ Template FlowSet, a Data FlowSet (which contains three Flow Data
+ Records), an Options Template FlowSet, and a Data FlowSet (which
+ contains two Options Data Records).
+
+ Export Packet:
+
+ +--------+---------------------------------------------. . .
+ | | +--------------+ +-----------------------+
+ | Packet | | Template | | Data |
+ | Header | | FlowSet | | FlowSet | . . .
+ | | | (1 Template) | | (3 Flow Data Records) |
+ | | +--------------+ +-----------------------+
+ +--------+---------------------------------------------. . .
+
+ . . .+-------------------------------------------------+
+ +------------------+ +--------------------------+ |
+ | Options | | Data | |
+ . . .| Template FlowSet | | FlowSet | |
+ | (1 Template) | | (2 Options Data Records) | |
+ +------------------+ +--------------------------+ |
+ . . .--------------------------------------------------+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 27]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+11.1. Packet Header Example
+
+ The Packet Header is composed of:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Version = 9 | Count = 7 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | sysUpTime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | UNIX Secs |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Source ID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+11.2. Template FlowSet Example
+
+ We want to report the following Field Types:
+ - The source IP address (IPv4), so the length is 4
+ - The destination IP address (IPv4), so the length is 4
+ - The next-hop IP address (IPv4), so the length is 4
+ - The number of bytes of the Flow
+ - The number of packets of the Flow
+
+ Therefore, the Template FlowSet is composed of the following:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 0 | Length = 28 bytes |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID 256 | Field Count = 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IP_SRC_ADDR = 8 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IP_DST_ADDR = 12 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IP_NEXT_HOP = 15 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IN_PKTS = 2 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | IN_BYTES = 1 | Field Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+Claise Informational [Page 28]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+11.3. Data FlowSet Example
+
+ In this example, we report the following three Flow Records:
+
+ Src IP addr. | Dst IP addr. | Next Hop addr. | Packet | Bytes
+ | | | Number | Number
+ ---------------------------------------------------------------
+ 198.168.1.12 | 10.5.12.254 | 192.168.1.1 | 5009 | 5344385
+ 192.168.1.27 | 10.5.12.23 | 192.168.1.1 | 748 | 388934
+ 192.168.1.56 | 10.5.12.65 | 192.168.1.1 | 5 | 6534
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 256 | Length = 64 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 198.168.1.12 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10.5.12.254 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.168.1.1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5009 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5344385 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.168.1.27 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10.5.12.23 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.168.1.1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 748 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 388934 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.168.1.56 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10.5.12.65 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 192.168.1.1 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 6534 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+Claise Informational [Page 29]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ Note that padding was not necessary in this example.
+
+11.4. Options Template FlowSet Example
+
+ Per line card (the Exporter is composed of two line cards), we want
+ to report the following Field Types:
+ - Total number of Export Packets
+ - Total number of exported Flows
+
+ The format of the Options Template FlowSet is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 1 | Length = 24 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Template ID 257 | Option Scope Length = 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Length = 8 | Scope 1 Field Type = 3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Scope 1 Field Length = 2 | TOTAL_EXP_PKTS_SENT = 41 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 2 | TOTAL_FLOWS_EXP = 42 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Field Length = 2 | Padding |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+11.5. Data FlowSet with Options Data Records Example
+
+ In this example, we report the following two records:
+
+ Line Card ID | Export Packet| Export Flow
+ ------------------------------------------
+ Line Card 1 | 345 | 10201
+ Line Card 2 | 690 | 20402
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 30]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | FlowSet ID = 257 | Length = 16 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 | 345 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 10201 | 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 690 | 20402 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+12. References
+
+12.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+12.2. Informative References
+
+ [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
+ August 1980.
+
+ [RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
+ 793, September 1981.
+
+ [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
+ Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M.,
+ Zhang, L., and V. Paxson, "Stream Control Transmission
+ Protocol", RFC 2960, October 2000.
+
+ [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
+ "Requirements for IP Flow Information Export (IPFIX)",
+ RFC 3917, October 2004.
+
+13. Authors
+
+ This document was jointly written by Vamsidhar Valluri, Martin
+ Djernaes, Ganesh Sadasivan, and Benoit Claise.
+
+14. Acknowledgments
+
+ I would like to thank Pritam Shah, Paul Kohler, Dmitri Bouianovski,
+ and Stewart Bryant for their valuable technical feedback.
+
+
+
+
+
+
+Claise Informational [Page 31]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+15. Authors' Addresses
+
+ Benoit Claise (Editor)
+ Cisco Systems
+ De Kleetlaan 6a b1
+ 1831 Diegem
+ Belgium
+
+ Phone: +32 2 704 5622
+ EMail: bclaise@cisco.com
+
+
+ Ganesh Sadasivan
+ Cisco Systems, Inc.
+ 3750 Cisco Way
+ San Jose, CA 95134
+ USA
+
+ Phone: +1 408 527-0251
+ EMail: gsadasiv@cisco.com
+
+
+ Vamsi Valluri
+ Cisco Systems, Inc.
+ 510 McCarthy Blvd.
+ San Jose, CA 95035
+ USA
+
+ Phone: +1 408 525-1835
+ EMail: vvalluri@cisco.com
+
+
+ Martin Djernaes
+ Cisco Systems, Inc.
+ 510 McCarthy Blvd.
+ San Jose, CA 95035
+ USA
+
+ Phone: +1 408 853-1676
+ EMail: djernaes@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+Claise Informational [Page 32]
+
+RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and at www.rfc-editor.org, and except as set
+ forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the ISOC's procedures with respect to rights in ISOC Documents can
+ be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Claise Informational [Page 33]
+