From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3954.txt | 1851 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1851 insertions(+) create mode 100644 doc/rfc/rfc3954.txt (limited to 'doc/rfc/rfc3954.txt') diff --git a/doc/rfc/rfc3954.txt b/doc/rfc/rfc3954.txt new file mode 100644 index 0000000..53dccd3 --- /dev/null +++ b/doc/rfc/rfc3954.txt @@ -0,0 +1,1851 @@ + + + + + + +Network Working Group B. Claise, Ed. +Request for Comments: 3954 Cisco Systems +Category: Informational October 2004 + + + Cisco Systems NetFlow Services Export Version 9 + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2004). + +IESG Note + + This RFC documents the NetFlow services export protocol Version 9 as + it was when submitted to the IETF as a basis for further work in the + IPFIX WG. + + This RFC itself is not a candidate for any level of Internet + Standard. The IETF disclaims any knowledge of the fitness of this + RFC for any purpose, and in particular notes that it has not had + complete IETF review for such things as security, congestion control, + or inappropriate interaction with deployed protocols. The RFC Editor + has chosen to publish this document at its discretion. + +Abstract + + This document specifies the data export format for version 9 of Cisco + Systems' NetFlow services, for use by implementations on the network + elements and/or matching collector programs. The version 9 export + format uses templates to provide access to observations of IP packet + flows in a flexible and extensible manner. A template defines a + collection of fields, with corresponding descriptions of structure + and semantics. + +Table of Contents + + 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2.1. Terminology Summary Table . . . . . . . . . . . . . . . 6 + 3. NetFlow High-Level Picture on the Exporter. . . . . . . . . . 6 + 3.1. The NetFlow Process on the Exporter . . . . . . . . . . 6 + 3.2. Flow Expiration . . . . . . . . . . . . . . . . . . . . 7 + + + +Claise Informational [Page 1] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + 3.3. Transport Protocol. . . . . . . . . . . . . . . . . . . 7 + 4. Packet Layout . . . . . . . . . . . . . . . . . . . . . . . . 8 + 5. Export Packet Format. . . . . . . . . . . . . . . . . . . . . 9 + 5.1. Header Format . . . . . . . . . . . . . . . . . . . . . 9 + 5.2. Template FlowSet Format . . . . . . . . . . . . . . . . 11 + 5.3. Data FlowSet Format . . . . . . . . . . . . . . . . . . 13 + 6. Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 6.1. Options Template FlowSet Format . . . . . . . . . . . . 14 + 6.2. Options Data Record Format. . . . . . . . . . . . . . . 16 + 7. Template Management . . . . . . . . . . . . . . . . . . . . . 17 + 8. Field Type Definitions. . . . . . . . . . . . . . . . . . . . 18 + 9. The Collector Side. . . . . . . . . . . . . . . . . . . . . . 25 + 10. Security Considerations . . . . . . . . . . . . . . . . . . . 26 + 10.1. Disclosure of Flow Information Data . . . . . . . . . . 26 + 10.2. Forgery of Flow Records or Template Records . . . . . . 26 + 10.3. Attacks on the NetFlow Collector. . . . . . . . . . . . 27 + 11. Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 11.1. Packet Header Example . . . . . . . . . . . . . . . . . 28 + 11.2. Template FlowSet Example. . . . . . . . . . . . . . . . 28 + 11.3. Data FlowSet Example. . . . . . . . . . . . . . . . . . 29 + 11.4. Options Template FlowSet Example. . . . . . . . . . . . 30 + 11.5. Data FlowSet with Options Data Records Example. . . . . 30 + 12. References. . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 12.1. Normative References. . . . . . . . . . . . . . . . . . 31 + 12.2. Informative References. . . . . . . . . . . . . . . . . 31 + 13. Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31 + 15. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 32 + 16. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 33 + +1. Introduction + + Cisco Systems' NetFlow services provide network administrators with + access to IP flow information from their data networks. Network + elements (routers and switches) gather flow data and export it to + collectors. The collected data provides fine-grained metering for + highly flexible and detailed resource usage accounting. + + A flow is defined as a unidirectional sequence of packets with some + common properties that pass through a network device. These + collected flows are exported to an external device, the NetFlow + collector. Network flows are highly granular; for example, flow + records include details such as IP addresses, packet and byte counts, + timestamps, Type of Service (ToS), application ports, input and + output interfaces, etc. + + Exported NetFlow data is used for a variety of purposes, including + enterprise accounting and departmental chargebacks, ISP billing, data + + + +Claise Informational [Page 2] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + warehousing, network monitoring, capacity planning, application + monitoring and profiling, user monitoring and profiling, security + analysis, and data mining for marketing purposes. + + This document specifies NetFlow version 9. It describes the + implementation specifications both from network element and NetFlow + collector points of view. These specifications should help the + deployment of NetFlow version 9 across different platforms and + different vendors by limiting the interoperability risks. The + NetFlow export format version 9 uses templates to provide access to + observations of IP packet flows in a flexible and extensible manner. + + A template defines a collection of fields, with corresponding + descriptions of structure and semantics. + + The template-based approach provides the following advantages: + + - New fields can be added to NetFlow flow records without + changing the structure of the export record format. With + previous NetFlow versions, adding a new field in the flow + record implied a new version of the export protocol format and + a new version of the NetFlow collector that supported the + parsing of the new export protocol format. + + - Templates that are sent to the NetFlow collector contain the + structural information about the exported flow record fields; + therefore, if the NetFlow collector does not understand the + semantics of new fields, it can still interpret the flow + record. + + - Because the template mechanism is flexible, it allows the + export of only the required fields from the flows to the + NetFlow collector. This helps to reduce the exported flow data + volume and provides possible memory savings for the exporter + and NetFlow collector. Sending only the required information + can also reduce network load. + + The IETF IPFIX Working Group (IP Flow Information eXport) is + developing a new protocol, based on the version 9 of Cisco Systems' + NetFlow services. Some enhancements in different domains (congestion + aware transport protocol, built-in security, etc... ) have been + incorporated in this new IPFIX protocol. Refer to the IPFIX Working + Group documents for more details. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14, RFC 2119 + [RFC2119]. + + + +Claise Informational [Page 3] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +2. Terminology + + Various terms used in this document are described in this section. + Note that the terminology summary table in Section 2.1 gives a quick + overview of the relationships between some of the different terms + defined. + + Observation Point + An Observation Point is a location in the network where IP packets + can be observed; for example, one or a set of interfaces on a network + device like a router. Every Observation Point is associated with an + Observation Domain. + + Observation Domain + The set of Observation Points that is the largest aggregatable set of + flow information at the network device with NetFlow services enabled + is termed an Observation Domain. For example, a router line card + composed of several interfaces with each interface being an + Observation Point. + + IP Flow or Flow + An IP Flow, also called a Flow, is defined as a set of IP packets + passing an Observation Point in the network during a certain time + interval. All packets that belong to a particular Flow have a set of + common properties derived from the data contained in the packet and + from the packet treatment at the Observation Point. + + Flow Record + A Flow Record provides information about an IP Flow observed at an + Observation Point. In this document, the Flow Data Records are also + referred to as NetFlow services data and NetFlow data. + + Exporter + A device (for example, a router) with the NetFlow services enabled, + the Exporter monitors packets entering an Observation Point and + creates Flows from these packets. The information from these Flows + is exported in the form of Flow Records to the NetFlow Collector. + + NetFlow Collector + The NetFlow Collector receives Flow Records from one or more + Exporters. It processes the received Export Packet(s); that is, it + parses and stores the Flow Record information. Flow Records can be + optionally aggregated before being stored on the hard disk. The + NetFlow Collector is also referred to as the Collector in this + document. + + + + + + +Claise Informational [Page 4] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Export Packet + An Export Packet is a packet originating at the Exporter that carries + the Flow Records of this Exporter and whose destination is the + NetFlow Collector. + + Packet Header + The Packet Header is the first part of an Export Packet. The Packet + Header provides basic information about the packet such as the + NetFlow version, number of records contained within the packet, and + sequence numbering. + + Template Record + A Template Record defines the structure and interpretation of fields + in a Flow Data Record. + + Flow Data Record + A Flow Data Record is a data record that contains values of the Flow + parameters corresponding to a Template Record. + + Options Template Record + An Options Template Record defines the structure and interpretation + of fields in an Options Data Record, including defining the scope + within which the Options Data Record is relevant. + + Options Data Record + The data record that contains values and scope information of the + Flow measurement parameters, corresponding to an Options Template + Record. + + FlowSet + FlowSet is a generic term for a collection of Flow Records that have + a similar structure. In an Export Packet, one or more FlowSets + follow the Packet Header. There are three different types of + FlowSets: Template FlowSet, Options Template FlowSet, and Data + FlowSet. + + Template FlowSet + A Template FlowSet is one or more Template Records that have been + grouped together in an Export Packet. + + Options Template FlowSet + An Options Template FlowSet is one or more Options Template Records + that have been grouped together in an Export Packet. + + + + + + + + +Claise Informational [Page 5] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Data FlowSet + A Data FlowSet is one or more records, of the same type, that are + grouped together in an Export Packet. Each record is either a Flow + Data Record or an Options Data Record previously defined by a + Template Record or an Options Template Record. + +2.1. Terminology Summary Table + + +------------------+---------------------------------------------+ + | | Contents | + | +--------------------+------------------------+ + | FlowSet | Template Record | Data Record | + +------------------+--------------------+------------------------+ + | | | Flow Data Record(s) | + | Data FlowSet | / | or | + | | | Options Data Record(s) | + +------------------+--------------------+------------------------+ + | Template FlowSet | Template Record(s) | / | + +------------------+--------------------+------------------------+ + | Options Template | Options Template | / | + | FlowSet | Record(s) | | + +------------------+--------------------+------------------------+ + + A Data FlowSet is composed of an Options Data Record(s) or Flow Data + Record(s). No Template Record is included. A Template Record defines + the Flow Data Record, and an Options Template Record defines the + Options Data Record. + + A Template FlowSet is composed of Template Record(s). No Flow or + Options Data Record is included. + + An Options Template FlowSet is composed of Options Template + Record(s). No Flow or Options Data Record is included. + +3. NetFlow High-Level Picture on the Exporter + +3.1. The NetFlow Process on the Exporter + + The NetFlow process on the Exporter is responsible for the creation + of Flows from the observed IP packets. The details of this process + are beyond the scope of this document. + + + + + + + + + + +Claise Informational [Page 6] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +3.2. Flow Expiration + + A Flow is considered to be inactive if no packets belonging to the + Flow have been observed at the Observation Point for a given timeout. + If any packet is seen within the timeout, the flow is considered an + active flow. A Flow can be exported under the following conditions: + + 1. If the Exporter can detect the end of a Flow. For example, if + the FIN or RST bit is detected in a TCP [RFC793] connection, + the Flow Record is exported. + + 2. If the Flow has been inactive for a certain period of time. + This inactivity timeout SHOULD be configurable at the Exporter, + with a minimum value of 0 for an immediate expiration. + + 3. For long-lasting Flows, the Exporter SHOULD export the Flow + Records on a regular basis. This timeout SHOULD be + configurable at the Exporter. + + 4. If the Exporter experiences internal constraints, a Flow MAY be + forced to expire prematurely; for example, counters wrapping or + low memory. + +3.3. Transport Protocol + + To achieve efficiency in terms of processing at the Exporter while + handling high volumes of Export Packets, the NetFlow Export Packets + are encapsulated into UDP [RFC768] datagrams for export to the + NetFlow Collector. However, NetFlow version 9 has been designed to + be transport protocol independent. Hence, it can also operate over + congestion-aware protocols such as SCTP [RFC2960]. + + Note that the Exporter can export to multiple Collectors, using + independent transport protocols. + + UDP [RFC768] is a non congestion-aware protocol, so when deploying + NetFlow version 9 in a congestion-sensitive environment, make the + connection between Exporter and NetFlow Collector through a dedicated + link. This ensures that any burstiness in the NetFlow traffic + affects only this dedicated link. When the NetFlow Collector can not + be placed within a one-hop distance from the Exporter or when the + export path from the Exporter to the NetFlow Collector can not be + exclusively used for the NetFlow Export Packets, the export path + should be designed so that it can always sustain the maximum + burstiness of NetFlow traffic from the Exporter. Note that the + congestion can occur on the Exporter in case the export path speed is + too low. + + + + +Claise Informational [Page 7] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +4. Packet Layout + + An Export Packet consists of a Packet Header followed by one or more + FlowSets. The FlowSets can be any of the possible three types: + Template, Data, or Options Template. + + +--------+-------------------------------------------+ + | | +----------+ +---------+ +----------+ | + | Packet | | Template | | Data | | Options | | + | Header | | FlowSet | | FlowSet | | Template | ... | + | | | | | | | FlowSet | | + | | +----------+ +---------+ +----------+ | + +--------+-------------------------------------------+ + Export Packet + + A FlowSet ID is used to distinguish the different types of FlowSets. + FlowSet IDs lower than 256 are reserved for special FlowSets, such as + the Template FlowSet (ID 0) and the Options Template FlowSet (ID 1). + The Data FlowSets have a FlowSet ID greater than 255. + + The format of the Template, Data, and Options Template FlowSets will + be discussed later in this document. The Exporter MUST code all + binary integers of the Packet Header and the different FlowSets in + network byte order (also known as the big-endian byte ordering). + + Following are some examples of export packets: + + 1. An Export Packet consisting of interleaved Template, Data, and + Options Template FlowSets. Example: a newly created Template is + exported as soon as possible. So if there is already an Export + Packet with a Data FlowSet that is being prepared for export, the + Template and Option FlowSets are also interleaved with this + information, subject to availability of space. + + Export Packet: + +--------+--------------------------------------------------------+ + | | +----------+ +---------+ +-----------+ +---------+ | + | Packet | | Template | | Data | | Options | | Data | | + | Header | | FlowSet | | FlowSet | ... | Template | | FlowSet | | + | | | | | | | FlowSet | | | | + | | +----------+ +---------+ +-----------+ +---------+ | + +--------+--------------------------------------------------------+ + + 2. An Export Packet consisting entirely of Data FlowSets. Example: + after the appropriate Template Records have been defined and + transmitted to the NetFlow Collector device, the majority of + Export Packets consists solely of Data FlowSets. + + + + +Claise Informational [Page 8] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Export Packet: + +--------+----------------------------------------------+ + | | +---------+ +---------+ +---------+ | + | Packet | | Data | ... | Data | ... | Data | | + | Header | | FlowSet | ... | FlowSet | ... | FlowSet | | + | | +---------+ +---------+ +---------+ | + +--------+----------------------------------------------+ + + 3. An Export Packet consisting entirely of Template and Options + Template FlowSets. Example: the Exporter MAY transmit a packet + containing Template and Options Template FlowSets periodically to + help ensure that the NetFlow Collector has the correct Template + Records and Options Template Records when the corresponding Flow + Data records are received. + + Export Packet: + +--------+-------------------------------------------------+ + | | +----------+ +----------+ +----------+ | + | Packet | | Template | | Template | | Options | | + | Header | | FlowSet | ... | FlowSet | ... | Template | | + | | | | | | | FlowSet | | + | | +----------+ +----------+ +----------+ | + +--------+-------------------------------------------------+ + +5. Export Packet Format + +5.1. Header Format + + The Packet Header format is specified as: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Version Number | Count | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | sysUpTime | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | UNIX Secs | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Source ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + + + +Claise Informational [Page 9] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Packet Header Field Descriptions + + Version + Version of Flow Record format exported in this packet. The + value of this field is 9 for the current version. + + Count + The total number of records in the Export Packet, which is the + sum of Options FlowSet records, Template FlowSet records, and + Data FlowSet records. + + sysUpTime + Time in milliseconds since this device was first booted. + + UNIX Secs + Time in seconds since 0000 UTC 1970, at which the Export Packet + leaves the Exporter. + + Sequence Number + Incremental sequence counter of all Export Packets sent from + the current Observation Domain by the Exporter. This value + MUST be cumulative, and SHOULD be used by the Collector to + identify whether any Export Packets have been missed. + + Source ID + A 32-bit value that identifies the Exporter Observation Domain. + NetFlow Collectors SHOULD use the combination of the source IP + address and the Source ID field to separate different export + streams originating from the same Exporter. + + + + + + + + + + + + + + + + + + + + + + +Claise Informational [Page 10] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +5.2. Template FlowSet Format + + One of the essential elements in the NetFlow format is the Template + FlowSet. Templates greatly enhance the flexibility of the Flow + Record format because they allow the NetFlow Collector to process + Flow Records without necessarily knowing the interpretation of all + the data in the Flow Record. The format of the Template FlowSet is + as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 0 | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID 256 | Field Count | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type 1 | Field Length 1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type 2 | Field Length 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type N | Field Length N | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID 257 | Field Count | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type 1 | Field Length 1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type 2 | Field Length 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Type M | Field Length M | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID K | Field Count | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Template FlowSet Field Descriptions + + FlowSet ID + FlowSet ID value of 0 is reserved for the Template FlowSet. + + + + + + +Claise Informational [Page 11] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Length + Total length of this FlowSet. Because an individual Template + FlowSet MAY contain multiple Template Records, the Length value + MUST be used to determine the position of the next FlowSet + record, which could be any type of FlowSet. Length is the sum + of the lengths of the FlowSet ID, the Length itself, and all + Template Records within this FlowSet. + + Template ID + Each of the newly generated Template Records is given a unique + Template ID. This uniqueness is local to the Observation + Domain that generated the Template ID. Template IDs 0-255 are + reserved for Template FlowSets, Options FlowSets, and other + reserved FlowSets yet to be created. Template IDs of Data + FlowSets are numbered from 256 to 65535. + + Field Count + Number of fields in this Template Record. Because a Template + FlowSet usually contains multiple Template Records, this field + allows the Collector to determine the end of the current + Template Record and the start of the next. + + Field Type + A numeric value that represents the type of the field. Refer + to the "Field Type Definitions" section. + + Field Length + The length of the corresponding Field Type, in bytes. Refer to + the "Field Type Definitions" section. + + + + + + + + + + + + + + + + + + + + + + +Claise Informational [Page 12] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +5.3. Data FlowSet Format + + The format of the Data FlowSet is as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = Template ID | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 1 - Field Value 1 | Record 1 - Field Value 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 1 - Field Value 3 | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 2 - Field Value 1 | Record 2 - Field Value 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 2 - Field Value 3 | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 3 - Field Value 1 | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Data FlowSet Field Descriptions + + FlowSet ID = Template ID + Each Data FlowSet is associated with a FlowSet ID. The FlowSet + ID maps to a (previously generated) Template ID. The Collector + MUST use the FlowSet ID to find the corresponding Template + Record and decode the Flow Records from the FlowSet. + + Length + The length of this FlowSet. Length is the sum of the lengths + of the FlowSet ID, Length itself, all Flow Records within this + FlowSet, and the padding bytes, if any. + + Record N - Field Value M + The remainder of the Data FlowSet is a collection of Flow Data + Record(s), each containing a set of field values. The Type and + Length of the fields have been previously defined in the + Template Record referenced by the FlowSet ID or Template ID. + + Padding + The Exporter SHOULD insert some padding bytes so that the + subsequent FlowSet starts at a 4-byte aligned boundary. It is + important to note that the Length field includes the padding + bytes. Padding SHOULD be using zeros. + + + + + +Claise Informational [Page 13] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Interpretation of the Data FlowSet format can be done only if the + Template FlowSet corresponding to the Template ID is available at the + Collector. + +6. Options + +6.1. Options Template FlowSet Format + + The Options Template Record (and its corresponding Options Data + Record) is used to supply information about the NetFlow process + configuration or NetFlow process specific data, rather than supplying + information about IP Flows. + + For example, the Options Template FlowSet can report the sample rate + of a specific interface, if sampling is supported, along with the + sampling method used. + + The format of the Options Template FlowSet follows. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 1 | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID | Option Scope Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Option Length | Scope 1 Field Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Scope 1 Field Length | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Scope N Field Length | Option 1 Field Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Option 1 Field Length | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Option M Field Length | Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Options Template FlowSet Field Definitions + + FlowSet ID = 1 + A FlowSet ID value of 1 is reserved for the Options Template. + + Length + Total length of this FlowSet. Each Options Template FlowSet + MAY contain multiple Options Template Records. Thus, the + Length value MUST be used to determine the position of the next + FlowSet record, which could be either a Template FlowSet or + Data FlowSet. + + + +Claise Informational [Page 14] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Length is the sum of the lengths of the FlowSet ID, the Length + itself, and all Options Template Records within this FlowSet + Template ID. + + Template ID + Template ID of this Options Template. This value is greater + than 255. + + Option Scope Length + The length in bytes of any Scope field definition contained in + the Options Template Record (The use of "Scope" is described + below). + + Option Length + The length (in bytes) of any options field definitions + contained in this Options Template Record. + + Scope 1 Field Type + The relevant portion of the Exporter/NetFlow process to which + the Options Template Record refers. + Currently defined values are: + 1 System + 2 Interface + 3 Line Card + 4 Cache + 5 Template + For example, the NetFlow process can be implemented on a per- + interface basis, so if the Options Template Record were + reporting on how the NetFlow process is configured, the Scope + for the report would be 2 (interface). The associated + interface ID would then be carried in the associated Options + Data FlowSet. The Scope can be limited further by listing + multiple scopes that all must match at the same time. Note + that the Scope fields always precede the Option fields. + + Scope 1 Field Length + The length (in bytes) of the Scope field, as it would appear in + an Options Data Record. + + Option 1 Field Type + A numeric value that represents the type of field that would + appear in the Options Template Record. Refer to the Field Type + Definitions section. + + Option 1 Field Length + The length (in bytes) of the Option field. + + + + + +Claise Informational [Page 15] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Padding + The Exporter SHOULD insert some padding bytes so that the + subsequent FlowSet starts at a 4-byte aligned boundary. It is + important to note that the Length field includes the padding + bytes. Padding SHOULD be using zeros. + +6.2. Options Data Record Format + + The Options Data Records are sent in Data FlowSets, on a regular + basis, but not with every Flow Data Record. How frequently these + Options Data Records are exported is configurable. See the + "Templates Management" section for more details. + + The format of the Data FlowSet containing Options Data Records + follows. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = Template ID | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 1 - Scope 1 Value |Record 1 - Option Field 1 Value| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Record 1 - Option Field 2 Value| ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 2 - Scope 1 Value |Record 2 - Option Field 1 Value| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Record 2 - Option Field 2 Value| ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Record 3 - Scope 1 Value |Record 3 - Option Field 1 Value| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |Record 3 - Option Field 2 Value| ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... | Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Options Data Records of the Data FlowSet Field Descriptions + + FlowSet ID = Template ID + A FlowSet ID precedes each group of Options Data Records within + a Data FlowSet. The FlowSet ID maps to a previously generated + Template ID corresponding to this Options Template Record. The + Collector MUST use the FlowSet ID to map the appropriate type + and length to any field values that follow. + + + + + + + +Claise Informational [Page 16] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Length + The length of this FlowSet. Length is the sum of the lengths of + the FlowSet ID, Length itself, all the Options Data Records + within this FlowSet, and the padding bytes, if any. + + Record N - Option Field M Value + The remainder of the Data FlowSet is a collection of Flow + Records, each containing a set of scope and field values. The + type and length of the fields were previously defined in the + Options Template Record referenced by the FlowSet ID or + Template ID. + + Padding + The Exporter SHOULD insert some padding bytes so that the + subsequent FlowSet starts at a 4-byte aligned boundary. It is + important to note that the Length field includes the padding + bytes. Padding SHOULD be using zeros. + + The Data FlowSet format can be interpreted only if the Options + Template FlowSet corresponding to the Template ID is available at the + Collector. + +7. Template Management + + Flow Data records that correspond to a Template Record MAY appear in + the same and/or subsequent Export Packets. The Template Record is + not necessarily carried in every Export Packet. As such, the NetFlow + Collector MUST store the Template Record to interpret the + corresponding Flow Data Records that are received in subsequent data + packets. + + A NetFlow Collector that receives Export Packets from several + Observation Domains from the same Exporter MUST be aware that the + uniqueness of the Template ID is not guaranteed across Observation + Domains. + + The Template IDs must remain constant for the life of the NetFlow + process on the Exporter. If the Exporter or the NetFlow process + restarts for any reason, all information about Templates will be lost + and new Template IDs will be created. Template IDs are thus not + guaranteed to be consistent across an Exporter or NetFlow process + restart. + + A newly created Template record is assigned an unused Template ID + from the Exporter. If the template configuration is changed, the + current Template ID is abandoned and SHOULD NOT be reused until the + + + + + +Claise Informational [Page 17] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + NetFlow process or Exporter restarts. If a Collector should receive + a new definition for an already existing Template ID, it MUST discard + the previous template definition and use the new one. + + If a configured Template Record on the Exporter is deleted, and re- + configured with exactly the same parameters, the same Template ID + COULD be reused. + + The Exporter sends the Template FlowSet and Options Template FlowSet + under the following conditions: + + 1. After a NetFlow process restarts, the Exporter MUST NOT send any + Data FlowSet without sending the corresponding Template FlowSet + and the required Options Template FlowSet in a previous packet or + including it in the same Export Packet. It MAY transmit the + Template FlowSet and Options Template FlowSet, without any Data + FlowSets, in advance to help ensure that the Collector will have + the correct Template Record before receiving the first Flow or + Options Data Record. + + 2. In the event of configuration changes, the Exporter SHOULD send + the new template definitions at an accelerated rate. In such a + case, it MAY transmit the changed Template Record(s) and Options + Template Record(s), without any data, in advance to help ensure + that the Collector will have the correct template information + before receiving the first data. + + 3. On a regular basis, the Exporter MUST send all the Template + Records and Options Template Records to refresh the Collector. + Template IDs have a limited lifetime at the Collector and MUST be + periodically refreshed. Two approaches are taken to make sure + that Templates get refreshed at the Collector: + * Every N number of Export Packets. + * On a time basis, so every N number of minutes. + Both options MUST be configurable by the user on the Exporter. + When one of these expiry conditions is met, the Exporter MUST send + the Template FlowSet and Options Template. + + 4. In the event of a clock configuration change on the Exporter, the + Exporter SHOULD send the template definitions at an accelerated + rate. + +8. Field Type Definitions + + The following table describes all the field type definitions that an + Exporter MAY support. The fields are a selection of Packet Header + fields, lookup results (for example, the autonomous system numbers or + the subnet masks), and properties of the packet such as length. + + + +Claise Informational [Page 18] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Field Type Value Length Description + (bytes) + + Incoming counter with + length N x 8 bits for the + IN_BYTES 1 N number of bytes associated + with an IP Flow. By default + N is 4 + + Incoming counter with + length N x 8 bits for the + IN_PKTS 2 N number of packets + associated with an IP Flow. + By default N is 4 + + FLOWS 3 N Number of Flows + that were aggregated; + by default N is 4 + + PROTOCOL 4 1 IP protocol byte + + Type of service byte + TOS 5 1 setting when entering + the incoming interface + + TCP flags; cumulative of + TCP_FLAGS 6 1 all the TCP flags seen in + this Flow + + TCP/UDP source port number + L4_SRC_PORT 7 2 (for example, FTP, Telnet, + or equivalent) + + IPV4_SRC_ADDR 8 4 IPv4 source address + + The number of contiguous + bits in the source subnet + SRC_MASK 9 1 mask (i.e., the mask in + slash notation) + + Input interface index. + INPUT_SNMP 10 N By default N is 2, but + higher values can be used + + TCP/UDP destination port + L4_DST_PORT 11 2 number (for example, FTP, + Telnet, or equivalent) + + + + +Claise Informational [Page 19] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + IPV4_DST_ADDR 12 4 IPv4 destination address + + The number of contiguous + bits in the destination + DST_MASK 13 1 subnet mask (i.e., the mask + in slash notation) + + Output interface index. + + OUTPUT_SNMP 14 N By default N is 2, but + higher values can be used + + IPV4_NEXT_HOP 15 4 IPv4 address of the next- + hop router + + Source BGP autonomous + SRC_AS 16 N system number where N could + be 2 or 4. By default N is + 2 + + Destination BGP autonomous + DST_AS 17 N system number where N could + be 2 or 4. By default N is + 2 + + BGP_IPV4_NEXT_HOP 18 4 Next-hop router's IP + address in the BGP domain + + IP multicast outgoing + packet counter with length + MUL_DST_PKTS 19 N N x 8 bits for packets + associated with the IP + Flow. By default N is 4 + + IP multicast outgoing + Octet (byte) counter with + length N x 8 bits for the + MUL_DST_BYTES 20 N number of bytes associated + with the IP Flow. By + default N is 4 + + sysUptime in msec at which + LAST_SWITCHED 21 4 the last packet of this + Flow was switched + + sysUptime in msec at which + FIRST_SWITCHED 22 4 the first packet of this + Flow was switched + + + +Claise Informational [Page 20] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Outgoing counter with + length N x 8 bits for the + OUT_BYTES 23 N number of bytes associated + with an IP Flow. By + default N is 4 + + Outgoing counter with + length N x 8 bits for the + OUT_PKTS 24 N number of packets + associated with an IP Flow. + By default N is 4 + + IPV6_SRC_ADDR 27 16 IPv6 source address + + IPV6_DST_ADDR 28 16 IPv6 destination address + + IPV6_SRC_MASK 29 1 Length of the IPv6 source + mask in contiguous bits + + Length of the IPv6 + IPV6_DST_MASK 30 1 destination mask in + contiguous bits + + IPV6_FLOW_LABEL 31 3 IPv6 flow label as per + RFC 2460 definition + + Internet Control Message + ICMP_TYPE 32 2 Protocol (ICMP) packet + type; reported as + ICMP Type * 256 + ICMP code + + MUL_IGMP_TYPE 33 1 Internet Group Management + Protocol (IGMP) packet type + + When using sampled NetFlow, + the rate at which packets + SAMPLING_INTERVAL 34 4 are sampled; for example, a + value of 100 indicates that + one of every hundred + packets is sampled + + For sampled NetFlow + platform-wide: + SAMPLING_ALGORITHM 35 1 0x01 deterministic sampling + 0x02 random sampling + Use in connection with + SAMPLING_INTERVAL + + + + +Claise Informational [Page 21] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Timeout value (in seconds) + + FLOW_ACTIVE_TIMEOUT 36 2 for active flow entries + in the NetFlow cache + + Timeout value (in seconds) + FLOW_INACTIVE_TIMEOUT 37 2 for inactive Flow entries + in the NetFlow cache + + Type of Flow switching + ENGINE_TYPE 38 1 engine (route processor, + linecard, etc...) + + ENGINE_ID 39 1 ID number of the Flow + switching engine + + Counter with length + N x 8 bits for the number + TOTAL_BYTES_EXP 40 N of bytes exported by the + Observation Domain. By + default N is 4 + + Counter with length + N x 8 bits for the number + TOTAL_PKTS_EXP 41 N of packets exported by the + Observation Domain. By + default N is 4 + + Counter with length + N x 8 bits for the number + TOTAL_FLOWS_EXP 42 N of Flows exported by the + Observation Domain. By + default N is 4 + + MPLS_TOP_LABEL_TYPE 46 1 MPLS Top Label Type: + 0x00 UNKNOWN + 0x01 TE-MIDPT + 0x02 ATOM + 0x03 VPN + 0x04 BGP + 0x05 LDP + + Forwarding Equivalent Class + MPLS_TOP_LABEL_IP_ADDR 47 4 corresponding to the MPLS + Top Label + + FLOW_SAMPLER_ID 48 1 Identifier shown + in "show flow-sampler" + + + +Claise Informational [Page 22] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + The type of algorithm used + for sampling data: + FLOW_SAMPLER_MODE 49 1 0x02 random sampling + Use in connection with + FLOW_SAMPLER_MODE + Packet interval at which to + FLOW_SAMPLER_RANDOM_INTERVAL 50 4 sample. Use in connection + with FLOW_SAMPLER_MODE + + Type of Service byte + DST_TOS 55 1 setting when exiting + outgoing interface + + SRC_MAC 56 6 Source MAC Address + + DST_MAC 57 6 Destination MAC Address + + Virtual LAN identifier + + SRC_VLAN 58 2 associated with ingress + interface + + Virtual LAN identifier + DST_VLAN 59 2 associated with egress + interface + + Internet Protocol Version + Set to 4 for IPv4, set to 6 + IP_PROTOCOL_VERSION 60 1 for IPv6. If not present in + the template, then version + 4 is assumed + + Flow direction: + DIRECTION 61 1 0 - ingress flow + 1 - egress flow + + IPV6_NEXT_HOP 62 16 IPv6 address of the + next-hop router + + BGP_IPV6_NEXT_HOP 63 16 Next-hop router in the BGP + domain + + Bit-encoded field + IPV6_OPTION_HEADERS 64 4 identifying IPv6 option + headers found in the flow + + MPLS_LABEL_1 70 3 MPLS label at position 1 in + the stack + + + +Claise Informational [Page 23] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + MPLS_LABEL_2 71 3 MPLS label at position 2 in + the stack + + MPLS_LABEL_3 72 3 MPLS label at position 3 in + the stack + + MPLS_LABEL_4 73 3 MPLS label at position 4 in + the stack + + MPLS_LABEL_5 74 3 MPLS label at position 5 in + the stack + + MPLS_LABEL_6 75 3 MPLS label at position 6 in + the stack + + MPLS_LABEL_7 76 3 MPLS label at position 7 in + the stack + + MPLS_LABEL_8 77 3 MPLS label at position 8 in + the stack + + MPLS_LABEL_9 78 3 MPLS label at position 9 in + the stack + + MPLS_LABEL_10 79 3 MPLS label at position 10 + in the stack + + The value field is a numeric identifier for the field type. The + following value fields are reserved for proprietary field types: 25, + 26, 43 to 45, 51 to 54, and 65 to 69. + + When extensibility is required, the new field types will be added to + the list. The new field types have to be updated on the Exporter and + Collector but the NetFlow export format would remain unchanged. + Refer to the latest documentation at http://www.cisco.com for the + newly updated list. + + In some cases the size of a field type is fixed by definition, for + example PROTOCOL, or IPV4_SRC_ADDR. However in other cases they are + defined as a variant type. This improves the memory efficiency in + the collector and reduces the network bandwidth requirement between + the Exporter and the Collector. As an example, in the case IN_BYTES, + on an access router it might be sufficient to use a 32 bit counter (N + = 4), whilst on a core router a 64 bit counter (N = 8) would be + required. + + All counters and counter-like objects are unsigned integers of size N + * 8 bits. + + + +Claise Informational [Page 24] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +9. The Collector Side + + The Collector receives Template Records from the Exporter, normally + before receiving Flow Data Records (or Options Data Records). The + Flow Data Records (or Options Data Records) can then be decoded and + stored locally on the devices. If the Template Records have not been + received at the time Flow Data Records (or Options Data Records) are + received, the Collector SHOULD store the Flow Data Records (or + Options Data Records) and decode them after the Template Records are + received. A Collector device MUST NOT assume that the Data FlowSet + and the associated Template FlowSet (or Options Template FlowSet) are + exported in the same Export Packet. + + The Collector MUST NOT assume that one and only one Template FlowSet + is present in an Export Packet. + + The life of a template at the Collector is limited to a fixed refresh + timeout. Templates not refreshed from the Exporter within the + timeout are expired at the Collector. The Collector MUST NOT attempt + to decode the Flow or Options Data Records with an expired Template. + At any given time the Collector SHOULD maintain the following for all + the current Template Records and Options Template Records: Exporter, + Observation Domain, Template ID, Template Definition, Last Received. + + Note that the Observation Domain is identified by the Source ID field + from the Export Packet. + + In the event of a clock configuration change on the Exporter, the + Collector SHOULD discard all Template Records and Options Template + Records associated with that Exporter, in order for Collector to + learn the new set of fields: Exporter, Observation Domain, Template + ID, Template Definition, Last Received. + + Template IDs are unique per Exporter and per Observation Domain. + + If the Collector receives a new Template Record (for example, in the + case of an Exporter restart) it MUST immediately override the + existing Template Record. + + Finally, note that the Collector MUST accept padding in the Data + FlowSet and Options Template FlowSet, which means for the Flow Data + Records, the Options Data Records and the Template Records. Refer to + the terminology summary table in Section 2.1. + + + + + + + + +Claise Informational [Page 25] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +10. Security Considerations + + The NetFlow version 9 protocol was designed with the expectation that + the Exporter and Collector would remain within a single private + network. However the NetFlow version 9 protocol might be used to + transport Flow Records over the public Internet which exposes the + Flow Records to a number of security risks. For example an attacker + might capture, modify or insert Export Packets. There is therefore a + risk that IP Flow information might be captured or forged, or that + attacks might be directed at the NetFlow Collector. + + The designers of NetFlow Version 9 did not impose any + confidentiality, integrity or authentication requirements on the + protocol because this reduced the efficiency of the implementation + and it was believed at the time that the majority of deployments + would confine the Flow Records to private networks, with the + Collector(s) and Exporter(s) in close proximity. + + The IPFIX protocol (IP Flow Information eXport), which has chosen the + NetFlow version 9 protocol as the base protocol, addresses the + security considerations discussed in this section. See the security + section of IPFIX requirement draft [RFC3917] for more information. + +10.1. Disclosure of Flow Information Data + + Because the NetFlow Version 9 Export Packets are not encrypted, the + observation of Flow Records can give an attacker information about + the active flows in the network, communication endpoints and traffic + patterns. This information can be used both to spy on user behavior + and to plan and conceal future attacks. + + The information that an attacker could derive from the interception + of Flow Records depends on the Flow definition. For example, a Flow + Record containing the source and destination IP addresses might + reveal privacy sensitive information regarding the end user's + activities, whilst a Flow Record only containing the source and + destination IP network would be less revealing. + +10.2. Forgery of Flow Records or Template Records + + If Flow Records are used in accounting and/or security applications, + there may be a strong incentive to forge exported Flow Records (for + example to defraud the service provider, or to prevent the detection + of an attack). This can be done either by altering the Flow Records + on the path between the Observer and the Collector, or by injecting + forged Flow Records that pretend to be originated by the Exporter. + + + + + +Claise Informational [Page 26] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + An attacker could forge Templates and/or Options Templates and + thereby try to confuse the NetFlow Collector, rendering it unable to + decode the Export Packets. + +10.3. Attacks on the NetFlow Collector + + Denial of service attacks on the NetFlow Collector can consume so + many resources from the machine that, the Collector is unable to + capture or decode some NetFlow Export Packets. Such hazards are not + explicitly addressed by the NetFlow Version 9 protocol, although the + normal methods used to protect a server from a DoS attack will + mitigate the problem. + +11. Examples + + Let us consider the example of an Export Packet composed of a + Template FlowSet, a Data FlowSet (which contains three Flow Data + Records), an Options Template FlowSet, and a Data FlowSet (which + contains two Options Data Records). + + Export Packet: + + +--------+---------------------------------------------. . . + | | +--------------+ +-----------------------+ + | Packet | | Template | | Data | + | Header | | FlowSet | | FlowSet | . . . + | | | (1 Template) | | (3 Flow Data Records) | + | | +--------------+ +-----------------------+ + +--------+---------------------------------------------. . . + + . . .+-------------------------------------------------+ + +------------------+ +--------------------------+ | + | Options | | Data | | + . . .| Template FlowSet | | FlowSet | | + | (1 Template) | | (2 Options Data Records) | | + +------------------+ +--------------------------+ | + . . .--------------------------------------------------+ + + + + + + + + + + + + + + +Claise Informational [Page 27] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +11.1. Packet Header Example + + The Packet Header is composed of: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Version = 9 | Count = 7 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | sysUpTime | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | UNIX Secs | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Source ID | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +11.2. Template FlowSet Example + + We want to report the following Field Types: + - The source IP address (IPv4), so the length is 4 + - The destination IP address (IPv4), so the length is 4 + - The next-hop IP address (IPv4), so the length is 4 + - The number of bytes of the Flow + - The number of packets of the Flow + + Therefore, the Template FlowSet is composed of the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 0 | Length = 28 bytes | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID 256 | Field Count = 5 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | IP_SRC_ADDR = 8 | Field Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | IP_DST_ADDR = 12 | Field Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | IP_NEXT_HOP = 15 | Field Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | IN_PKTS = 2 | Field Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | IN_BYTES = 1 | Field Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + +Claise Informational [Page 28] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +11.3. Data FlowSet Example + + In this example, we report the following three Flow Records: + + Src IP addr. | Dst IP addr. | Next Hop addr. | Packet | Bytes + | | | Number | Number + --------------------------------------------------------------- + 198.168.1.12 | 10.5.12.254 | 192.168.1.1 | 5009 | 5344385 + 192.168.1.27 | 10.5.12.23 | 192.168.1.1 | 748 | 388934 + 192.168.1.56 | 10.5.12.65 | 192.168.1.1 | 5 | 6534 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 256 | Length = 64 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 198.168.1.12 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 10.5.12.254 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 192.168.1.1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 5009 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 5344385 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 192.168.1.27 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 10.5.12.23 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 192.168.1.1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 748 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 388934 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 192.168.1.56 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 10.5.12.65 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 192.168.1.1 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 5 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 6534 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + +Claise Informational [Page 29] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + Note that padding was not necessary in this example. + +11.4. Options Template FlowSet Example + + Per line card (the Exporter is composed of two line cards), we want + to report the following Field Types: + - Total number of Export Packets + - Total number of exported Flows + + The format of the Options Template FlowSet is as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 1 | Length = 24 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Template ID 257 | Option Scope Length = 4 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Option Length = 8 | Scope 1 Field Type = 3 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Scope 1 Field Length = 2 | TOTAL_EXP_PKTS_SENT = 41 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Length = 2 | TOTAL_FLOWS_EXP = 42 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Field Length = 2 | Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +11.5. Data FlowSet with Options Data Records Example + + In this example, we report the following two records: + + Line Card ID | Export Packet| Export Flow + ------------------------------------------ + Line Card 1 | 345 | 10201 + Line Card 2 | 690 | 20402 + + + + + + + + + + + + + + + + +Claise Informational [Page 30] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | FlowSet ID = 257 | Length = 16 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 1 | 345 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 10201 | 2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 690 | 20402 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +12. References + +12.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + +12.2. Informative References + + [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, + August 1980. + + [RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC + 793, September 1981. + + [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., + Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., + Zhang, L., and V. Paxson, "Stream Control Transmission + Protocol", RFC 2960, October 2000. + + [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, + "Requirements for IP Flow Information Export (IPFIX)", + RFC 3917, October 2004. + +13. Authors + + This document was jointly written by Vamsidhar Valluri, Martin + Djernaes, Ganesh Sadasivan, and Benoit Claise. + +14. Acknowledgments + + I would like to thank Pritam Shah, Paul Kohler, Dmitri Bouianovski, + and Stewart Bryant for their valuable technical feedback. + + + + + + +Claise Informational [Page 31] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +15. Authors' Addresses + + Benoit Claise (Editor) + Cisco Systems + De Kleetlaan 6a b1 + 1831 Diegem + Belgium + + Phone: +32 2 704 5622 + EMail: bclaise@cisco.com + + + Ganesh Sadasivan + Cisco Systems, Inc. + 3750 Cisco Way + San Jose, CA 95134 + USA + + Phone: +1 408 527-0251 + EMail: gsadasiv@cisco.com + + + Vamsi Valluri + Cisco Systems, Inc. + 510 McCarthy Blvd. + San Jose, CA 95035 + USA + + Phone: +1 408 525-1835 + EMail: vvalluri@cisco.com + + + Martin Djernaes + Cisco Systems, Inc. + 510 McCarthy Blvd. + San Jose, CA 95035 + USA + + Phone: +1 408 853-1676 + EMail: djernaes@cisco.com + + + + + + + + + + + +Claise Informational [Page 32] + +RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and at www.rfc-editor.org, and except as set + forth therein, the authors retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the ISOC's procedures with respect to rights in ISOC Documents can + be found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Claise Informational [Page 33] + -- cgit v1.2.3