1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
|
Network Working Group J. Quittek
Request for Comments: 3917 NEC Europe Ltd.
Category: Informational T. Zseby
Fraunhofer FOKUS
B. Claise
Cisco Systems
S. Zander
Swinburne University
October 2004
Requirements for IP Flow Information Export (IPFIX)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
This memo defines requirements for the export of measured IP flow
information out of routers, traffic measurement probes, and
middleboxes.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. IP Traffic Flow. . . . . . . . . . . . . . . . . . . . 3
2.2. Observation Point. . . . . . . . . . . . . . . . . . . 4
2.3. Metering Process . . . . . . . . . . . . . . . . . . . 4
2.4. Flow Record. . . . . . . . . . . . . . . . . . . . . . 5
2.5. Exporting Process. . . . . . . . . . . . . . . . . . . 5
2.6. Collecting Process . . . . . . . . . . . . . . . . . . 5
3. Applications Requiring IP Flow Information Export . . . . . . 6
3.1. Usage-based Accounting . . . . . . . . . . . . . . . . 6
3.2. Traffic Profiling. . . . . . . . . . . . . . . . . . . 7
3.3. Traffic Engineering. . . . . . . . . . . . . . . . . . 7
3.4. Attack/Intrusion Detection . . . . . . . . . . . . . . 7
3.5. QoS Monitoring . . . . . . . . . . . . . . . . . . . . 8
4. Distinguishing Flows. . . . . . . . . . . . . . . . . . . . . 8
4.1. Encryption . . . . . . . . . . . . . . . . . . . . . . 9
4.2. Interfaces . . . . . . . . . . . . . . . . . . . . . . 9
Quittek, et al. Informational [Page 1]
^L
RFC 3917 IPFIX Requirements October 2004
4.3. IP Header Fields . . . . . . . . . . . . . . . . . . . 9
4.4. Transport Header Fields. . . . . . . . . . . . . . . . 10
4.5. MPLS Label . . . . . . . . . . . . . . . . . . . . . . 10
4.6. DiffServ Code Point. . . . . . . . . . . . . . . . . . 10
5. Metering Process. . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Reliability. . . . . . . . . . . . . . . . . . . . . . 10
5.2. Sampling . . . . . . . . . . . . . . . . . . . . . . . 11
5.3. Overload Behavior. . . . . . . . . . . . . . . . . . . 11
5.4. Timestamps . . . . . . . . . . . . . . . . . . . . . . 12
5.5. Time Synchronization . . . . . . . . . . . . . . . . . 12
5.6. Flow Expiration. . . . . . . . . . . . . . . . . . . . 13
5.7. Multicast Flows. . . . . . . . . . . . . . . . . . . . 13
5.8. Packet Fragmentation . . . . . . . . . . . . . . . . . 13
5.9. Ignore Port Copy . . . . . . . . . . . . . . . . . . . 13
6. Data Export . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.1. Information Model. . . . . . . . . . . . . . . . . . . 14
6.2. Data Model . . . . . . . . . . . . . . . . . . . . . . 16
6.3. Data Transfer. . . . . . . . . . . . . . . . . . . . . 16
6.3.1. Congestion Awareness. . . . . . . . . . . . . . 16
6.3.2. Reliability . . . . . . . . . . . . . . . . . . 17
6.3.3. Security. . . . . . . . . . . . . . . . . . . . 18
6.4. Push and Pull Mode Reporting . . . . . . . . . . . . . 18
6.5. Regular Reporting Interval . . . . . . . . . . . . . . 18
6.6. Notification on Specific Events. . . . . . . . . . . . 18
6.7. Anonymization. . . . . . . . . . . . . . . . . . . . . 18
7. Configuration . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1. Configuration of the Metering Process. . . . . . . . . 19
7.2. Configuration of the Exporting Process . . . . . . . . 19
8. General Requirements. . . . . . . . . . . . . . . . . . . . . 20
8.1. Openness . . . . . . . . . . . . . . . . . . . . . . . 20
8.2. Scalability. . . . . . . . . . . . . . . . . . . . . . 20
8.3. Several Collecting Processes . . . . . . . . . . . . . 20
9. Special Device Considerations . . . . . . . . . . . . . . . . 20
10. Security Considerations . . . . . . . . . . . . . . . . . . . 23
10.1. Disclosure of Flow Information Data. . . . . . . . . . 23
10.2. Forgery of Flow Records. . . . . . . . . . . . . . . . 24
10.3. Denial of Service (DoS) Attacks. . . . . . . . . . . . 24
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
12. Appendix: Derivation of Requirements from Applications. . . . 26
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 31
13.1. Normative References . . . . . . . . . . . . . . . . . 31
13.2. Informative References . . . . . . . . . . . . . . . . 31
14. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 32
15. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 33
Quittek, et al. Informational [Page 2]
^L
RFC 3917 IPFIX Requirements October 2004
1. Introduction
There are several applications that require flow-based IP traffic
measurements. Such measurements could be performed by a router while
forwarding the traffic, by a middlebox [RFC3234], or by a traffic
measurement probe attached to a line or a monitored port. This memo
defines requirements for exporting traffic flow information out of
these boxes for further processing by applications located on other
devices. They serve as input to the standardization of the IPFIX
protocol specifications.
In section 3, a selection of such applications is presented. The
following sections list requirements derived from these applications.
In its early discussions the IPFIX Working Group chose to evaluate
existing flow export protocols at the same time it was developing
this 'requirements' document.
Flow export, however, is not performed by a protocol acting alone, it
also requires a system of co-operating processes. In producing IPFIX
requirements, therefore, the Working Group decided to specify what
was required by these various processes - the metering process, the
exporting process, etc. In these specifications we use lower-case
for the words must, may, and should, to indicate that IPFIX
implementors have some freedom as to how to meet the requirements.
The Working Group's goal is to produce standards-track RFCs
describing the IPFIX information model and export protocol RFCs. As
well as meeting the requirements set out in this document, the
information model and protocol documents will provide a full
specification of the IPFIX system, and will use uppercase keywords as
in [RFC 2119].
2. Terminology
The following terminology is used in this document:
2.1. IP Traffic Flow
There are several definitions of the term 'flow' being used by the
Internet community. Within this document we use the following one:
A flow is defined as a set of IP packets passing an observation point
in the network during a certain time interval. All packets belonging
to a particular flow have a set of common properties. Each property
is defined as the result of applying a function to the values of:
Quittek, et al. Informational [Page 3]
^L
RFC 3917 IPFIX Requirements October 2004
1. one or more packet header field (e.g., destination IP address),
transport header field (e.g., destination port number), or
application header field (e.g., RTP header fields [RFC3550])
2. one or more characteristics of the packet itself (e.g., number
of MPLS labels, etc.)
3. one or more of fields derived from packet treatment (e.g., next
hop IP address, the output interface, etc.)
A packet is defined to belong to a flow if it completely satisfies
all the defined properties of the flow.
This definition covers the range from a flow containing all packets
observed at a network interface to a flow consisting of just a single
packet between two applications with a specific sequence number.
Please note that the flow definition does not necessarily match a
general application-level end-to-end stream. However, an application
may derive properties of application-level streams by processing
measured flow data. Also, please note that although packet
properties may depend on application headers, there is no requirement
defined in this document related to application headers.
2.2. Observation Point
The observation point is a location in the network where IP packets
can be observed. Examples are a line to which a probe is attached, a
shared medium such as an Ethernet-based LAN, a single port of a
router, or a set of interfaces (physical or logical) of a router.
Note that one observation point may be a superset of several other
observation points. For example one observation point can be an
entire line card. This would be the superset of the individual
observation points at the line card's interfaces.
2.3. Metering Process
The metering process generates flow records. Input to the process
are packet headers observed at an observation point and packet
treatment at the observation point, for example the selected output
interface. The metering process consists of a set of functions that
includes packet header capturing, timestamping, sampling,
classifying, and maintaining flow records.
The maintenance of flow records may include creating new records,
updating existing ones, computing flow statistics, deriving further
flow properties, detecting flow expiration, passing flow records to
the exporting process, and deleting flow records.
Quittek, et al. Informational [Page 4]
^L
RFC 3917 IPFIX Requirements October 2004
The sampling function and the classifying function may be applied
more than once with different parameters. Figure 1 shows the
sequence in which the functions are applied. Sampling is not
illustrated in the figure; it may be applied before any other
function.
packet header capturing
|
timestamping
|
v
+----->+
| |
| classifying
| |
+------+
|
maintaining flow records
|
v
Figure 1: Functions of the metering process
2.4. Flow Record
A flow record contains information about a specific flow that was
metered at an observation point. A flow record contains measured
properties of the flow (e.g., the total number of bytes of all
packets of the flow) and usually characteristic properties of the
flow (e.g., source IP address).
2.5. Exporting Process
The exporting process sends flow records to one or more collecting
processes. The flow records are generated by one or more metering
processes.
2.6. Collecting Process
The collecting process receives flow records from one or more
exporting processes. The collecting process might store received
flow records or further process them, but these actions are out of
the scope of this document.
Quittek, et al. Informational [Page 5]
^L
RFC 3917 IPFIX Requirements October 2004
3. Applications Requiring IP Flow Information Export
This section describes a selection of applications requiring IP flow
information export. Because requirements for flow export listed in
further sections below are derived from these applications, their
selection is crucial. The goal of this requirements document is not
to cover all possible applications with all their flow export
requirements, but to cover applications which are considered to be of
significant importance in today's and/or future IP networks, and for
which requirements can be met with reasonable technical effort.
The list of applications should lead to a better understanding of the
requirements which is particularly important when designing or
implementing traffic flow metering functions. A detailed overview of
which requirement was derived from which application(s) is given in
the appendix.
Please note that the described applications can have a large number
of differing implementations. Requirement details or requirement
significance (required (must), recommended (should), optional (may))
could differ for specific implementations and/or for specific
application scenarios. Therefore we derive the requirements from the
general functionality of the selected applications. Some particular
cases will even mandate more stringent requirements than the ones
defined in this document. For example, usage-based accounting is
certainly the application that will probably mandate the highest
degree of reliability amongst the applications discussed below. The
reliability requirements defined in sections 5.1 and 6.3.2. are not
sufficient to guarantee the level of reliability that is needed for
many usage-based accounting systems. Particular reliability
requirements for accounting systems are discussed in [RFC2975].
3.1. Usage-based Accounting
Several new business models for selling IP services and IP-based
services are currently under investigation. Beyond flat rate
services which do not need accounting, accounting can be based on
time or volume. Accounting data can serve as input for billing
systems. Accounting can be performed per user or per user group, it
can be performed just for basic IP service or individually per high-
level service and/or per content type delivered. For advanced/future
services, accounting may also be performed per class of service, per
application, per time of day, per (label switched) path used, etc.
Quittek, et al. Informational [Page 6]
^L
RFC 3917 IPFIX Requirements October 2004
3.2. Traffic Profiling
Traffic profiling is the process of characterizing IP flows by using
a model that represents key parameters of the flows such as flow
duration, volume, time, and burstiness. It is a prerequisite for
network planning, network dimensioning, trend analysis, business
model development, and other activities. It depends heavily on the
particular traffic profiling objective(s), which statistics, and
which accuracy are required from the measurements. Typical
information needed for traffic profiling is the distribution of used
services and protocols in the network, the amount of packets of a
specific type (e.g., percentage of IPv6 packets) and specific flow
profiles.
Since objectives for traffic profiling can vary, this application
requires a high flexibility of the measurement infrastructure,
especially regarding the options for measurement configuration and
packet classification.
3.3. Traffic Engineering
Traffic Engineering (TE) comprises methods for measurement,
modelling, characterization and control of a network. The goal of TE
is the optimization of network resource utilization and traffic
performance [RFC2702]. Since control and administrative reaction to
measurement results requires access to the involved network nodes, TE
mechanisms and the required measurement function usually are
performed within one administrative domain. Typical parameters
required for TE are link utilization, load between specific network
nodes, number, size and entry/exit points of the active flows and
routing information.
3.4. Attack/Intrusion Detection
Capturing flow information plays an important role for network
security, both for detection of security violation, and for
subsequent defense. In case of a Denial of Service (DOS) attack,
flow monitoring can allow detection of unusual situations or
suspicious flows. In a second step, flow analysis can be performed
in order to gather information about the attacking flows, and for
deriving a defense strategy.
Intrusion detection is a potentially more demanding application which
would not only look at specific characteristics of flows, but may
also use a stateful packet flow analysis for detecting specific,
suspicious activities, or unusually frequent activities. Such
activities may be characterized by specific communication patterns,
detectable by characteristic sequences of certain packet types.
Quittek, et al. Informational [Page 7]
^L
RFC 3917 IPFIX Requirements October 2004
3.5. QoS Monitoring
QoS monitoring is the passive measurement of quality parameters for
IP flows. In contrast to active measurements, passive measurements
utilize the existing traffic in the network for QoS analysis. Since
no test traffic is sent, passive measurements can only be applied in
situations where the traffic of interest is already present in the
network. One example application is the validation of QoS parameters
negotiated in a service level specification. Note that
passive/active measurement is also referred to as non-
intrusive/intrusive measurement or as measurement of
observed/synthetic traffic.
Passive measurements cannot provide the kind of controllable
experiments that can be achieved with active measurements. On the
other hand passive measurements do not suffer from undesired side
effects caused by sending test traffic (e.g., additional load,
potential differences in treatment of test traffic and real customer
traffic).
QoS monitoring often requires the correlation of data from multiple
observation points (e.g., for measuring one-way metrics). This
requires proper clock synchronization of the involved metering
processes. For some measurements, flow records and/or notifications
on specific events at the different observation points must be
correlated, for example the arrival of a certain packet. For this,
the provisioning of post-processing functions (e.g., the generation
of packet IDs) at the metering processes would be useful. Since QoS
monitoring can lead to a huge amount of measurement result data, it
would highly benefit from mechanisms to reduce the measurement data,
like aggregation of results and sampling.
Please note that not all requirements for QoS monitoring are covered
by the IPFIX requirements specified in the following sections. The
IPFIX requirements are targeted at per flow information including
summaries of per-packet properties for packets within a flow, but not
per-packet information itself. For example jitter measurement
requires timestamping each packet and reporting of all timestamps of
a flow, but the IPFIX requirements only cover timestamps of first and
last packet of a flow.
4. Distinguishing Flows
Packets are mapped to flows by evaluating their properties. Packets
with common properties are considered to belong to the same flow. A
packet showing at least one difference in the set of properties is
considered to belong to a different flow.
Quittek, et al. Informational [Page 8]
^L
RFC 3917 IPFIX Requirements October 2004
The following subsections list a set of properties which a metering
process must, should, or may be able to evaluate for mapping packets
to flows. Please note that requiring the ability to evaluate a
certain property does not imply that this property must be evaluated
for each packet. In other words, meeting the IPFIX requirements
means that the metering process in general must be able, via its
configuration, to somehow support to distinguish flows via all the
must fields, even if in certain circumstances/for certain
applications, only a subset of the must fields is needed and
effectively used to distinguish flows.
Which combination of properties is used for distinguishing flows and
how these properties are evaluated depends on the configuration of
the metering process. The configured choice of evaluated properties
strongly depends on the environment and purpose of the measurement
and on the information required by the collecting process. But in
any case, a collecting process must be able to clearly identify, for
each received flow record, which set of properties was used for
distinguishing this flow from other ones.
For specific deployments, only a subset of the required properties
listed below can be used to distinguish flows. For example, in order
to aggregate the flow records and reduce the number of flow records
exported. On the other hand, some other deployments will require
distinguishing flows by some extra parameters, such as the TTL field
of the IP header or the BGP Autonomous System number [RFC1771] of the
IP destination address.
4.1. Encryption
If encryption is used, the metering process might not be able to
access all header fields. A metering process must meet the
requirements stated in this section 4 only for packets that have the
relevant header fields not encrypted.
4.2. Interfaces
The metering process must be able to separate flows by the incoming
interface or by the outgoing interface or by both of them.
4.3. IP Header Fields
The metering process must be able to separate flows by the following
fields of the IP header:
1. source IP address
2. destination IP address
Quittek, et al. Informational [Page 9]
^L
RFC 3917 IPFIX Requirements October 2004
3. protocol type (TCP, UDP, ICMP, ...)
For source address and destination address, separating by full match
must be supported as well as separation by prefix match.
The metering process should be able to separate flows by the IP
version number if the observation point is located at a device that
is supporting more than one IP version.
4.4. Transport Header Fields
The metering process must be able to separate flows by the port
numbers of the transport header in case of TCP or UDP being used as
transport protocol. The metering process should be able to separate
flows by the port numbers of the transport header in case of SCTP
[RFC2960].
For separation, both, source and destination port number must be
supported for distinguishing flows, individually as well as in
combination.
4.5. MPLS Label
If the observation point is located at a device supporting
Multiprotocol Label Switching (MPLS, see [RFC3031]) then the metering
process must be able to separate flows by the MPLS label.
4.6. DiffServ Code Point
If the observation point is located at a device supporting
Differentiated Services (DiffServ) then the metering process must be
able to separate flows by the DiffServ Code Point (DSCP, see
[RFC2474]).
5. Metering Process
The following are requirements for the metering process. All
measurements must be conducted from the point of view of the
observation point.
5.1. Reliability
The metering process must either be reliable or the absence of
reliability must be known and indicated. The metering process is
reliable if each packet passing the observation point is metered
according to the configuration of the metering process. If, e.g.,
Quittek, et al. Informational [Page 10]
^L
RFC 3917 IPFIX Requirements October 2004
due to some overload, not all passing packets can be included into
the metering process, then the metering process must be able to
detect this failure and to report it.
5.2. Sampling
Sampling describes the systematic or random selection of a subset of
elements (the sample) out of a set of elements (the parent
population). Usually the purpose of applying sampling techniques is
to estimate a parameter of the parent population by using only the
elements of the subset. Sampling techniques can be applied for
instance to select a subset of packets out of all packets of a flow
or to select a subset of flows out of all flows on a link. Sampling
methods differ in their sampling strategy (e.g., systematic or
random) and in the event that triggers the selection of an element.
The selection of one packet can for instance be triggered by its
arrival time (time-based sampling), by its position in the flow
(count-based sampling) or by the packet content (content-based
sampling).
The metering process may support packet sampling. If sampling is
supported, the sampling configuration must be well defined. The
sampling configuration includes the sampling method and all its
parameters.
If the sampling configuration is changed during operation, the new
sampling configuration with its parameters must be indicated to all
collecting processes receiving the affected flow records. Changing
the sampling configuration includes: adding a sampling function to
the metering process, removing a sampling function from the metering
process, change sampling method, and change sampling parameter(s).
In case of any change in the sampling configuration, all flow records
metered by the previous sampling configuration must be terminated and
exported according to the export configuration. The metering process
must not merge the flow records generated with the new sampling
configuration with the flow records generated with the previous
sampling configuration.
5.3. Overload Behavior
In case of an overload, for example lack of memory or processing
power, the metering process may change its behavior in order to cope
with the lack of resources. Possible reactions include:
Quittek, et al. Informational [Page 11]
^L
RFC 3917 IPFIX Requirements October 2004
- Reduce the number of flows to be metered. This can be
achieved by more coarse-grained flow measurement or by a
restriction of the flow records to a subset of the set of
original ones.
- Start sampling packets before they are processed by the
metering process or - if sampling is already performed -
reduce the sampling frequency.
- Stop metering.
- Reducing the resource usage of competing processes on the
same device. Example: reducing the packet forwarding
throughput
Overload behavior is not restricted to the four options listed above.
But in case the overload behavior induces a change of the metering
process behavior, the overload behavior must be clearly defined.
For some flows, the change of behavior might have an impact on the
data that would be stored in the associated flow records after the
change, for example if the packet classification is changed or the
sampling frequency. These flows must be considered as terminated and
the associated flow records must be exported separately from new ones
generated after the behavior change. The terminated flow records and
new ones generated after the behavior change must not be merged by
the metering process. The collecting process must be able to
distinguish the affected flow records generated before and after the
change of behavior. This requirement does not apply to flows and
associated flow records not affected by the change of metering
process behavior.
5.4. Timestamps
The metering process must be able to generate timestamps for the
first and the last observation of a packet of a flow at the
observation point. The timestamp resolution must be at least the one
of the sysUpTime [RFC3418], which is one centisecond.
5.5. Time Synchronization
It must be possible to synchronize timestamps generated by a metering
process with Coordinated Universal Time (UTC).
Note that the possibility of synchronizing timestamps of each single
metering process with UTC implies the possibility of synchronizing
timestamps generated by different metering processes.
Quittek, et al. Informational [Page 12]
^L
RFC 3917 IPFIX Requirements October 2004
Note that this does not necessarily imply that timestamps generated
by the metering process are UTC timestamps. For example, this
requirement can be met by using local system clock values as
timestamps and adding an additional timestamp when exporting a report
to a collecting process. Then the collecting process can synchronize
the timestamps by calculating the offset between UTC and the system
clock of the metering process.
5.6. Flow Expiration
The metering process must be able to detect flow expirations. A flow
is considered to be expired if no packet of this flow has been
observed for a given timeout interval. The metering process may
support means for detecting the expiration of a flow before a timeout
occurs, for example by detecting the FIN or RST bits in a TCP
connection. The procedure for detecting a flow expiration must be
clearly defined.
5.7. Multicast Flows
For multicast flows containing packets replicated to multiple output
interfaces, the metering process should be able to maintain discrete
flow records per different output interface. For example, the
metering process should be able to report an incoming multicast
packet that is replicated to four output interfaces in four different
flow records that differ by the output interface.
5.8. Packet Fragmentation
In case of IP packet fragmentation and depending on the
classification scheme, only the zero-offset fragment of a single
initial packet might contain sufficient information to classify the
packet. Note that this fragment should be the first one generated by
the router imposing the fragmentation [RFC791], but might not be the
first one observed by the IPFIX device, due to reordering reasons.
The metering process may keep state of IP packet fragmentation in
order to map fragments that do not contain sufficient header
information correctly to flows.
5.9. Ignore Port Copy
The metering process may be able to ignore packets which are
generated by a port copy function acting at the device where the
observation point of a flow is located.
Quittek, et al. Informational [Page 13]
^L
RFC 3917 IPFIX Requirements October 2004
6. Data Export
The following are requirements for exporting flow records out of the
exporting process. Beside requirements on the data transfer, we
separate requirements concerning the information model from
requirements concerning the data model. Furthermore, we list
requirements on reporting times and notification on specific events,
and on anonymization of flow records.
6.1. Information Model
The information model for the flow information export is the list of
attributes of a flow to be contained in the report (including the
semantics of the attributes).
This section lists attributes an exporting process must, should or
may be able to report. This does not imply that each exported flow
record must contain all required attributes. But it implies that it
must be possible to configure the exporting process in a way that the
information of all required attributes can be transmitted from the
exporting process to the receiving collecting process(es) for each
exported flow.
In other words, meeting the IPFIX requirements means that the
exporting process in general must be able, via its configuration, to
somehow support to report all the must fields, even if in certain
circumstances or for certain applications, only a subset of the set
of all must fields is needed and effectively reported.
Beyond that, the exporting process might offer to report further
attributes not mentioned here. A particular flow record may contain
some of the "required" attributes as well as some additional ones,
for example covering future technologies.
This document does not impose that the following attributes are
reported for every single flow record, especially for repetitive
attributes. For example, if the observation point is the incoming
packet stream at the IP interface with the ifIndex value 3, then this
observation point does not have to be exported as part of every
single flow record. Exporting it just once might give sufficient
information to the collecting process.
The exporting process must be able to report the following attributes
for each metered flow:
1. IP version number
This requirement only applies if the observation point is
located at a device supporting more than one version of IP.
Quittek, et al. Informational [Page 14]
^L
RFC 3917 IPFIX Requirements October 2004
2. source IP address
3. destination IP address
4. IP protocol type (TCP,UDP,ICMP,...)
5. if protocol type is TCP or UDP: source TCP/UDP port number
6. if protocol type is TCP or UDP: destination TCP/UDP port
number
7. packet counter
If a packet is fragmented, each fragment is counted as an
individual packet.
8. byte counter
The sum of the total length in bytes of all IP packets
belonging to the flow. The total length of a packet covers IP
header and IP payload.
9. type of service octet (in case of IPv4), traffic class octet
(in case of IPv6). According to [RFC2474], these octets
include the DiffServ Code Point that has a length of 6 bits.
10. in case of IPv6: Flow Label
11. if MPLS is supported at the observation point: the top MPLS
label or the corresponding forwarding equivalence class (FEC,
[RFC3031]) bound to that label. The FEC is typically defined
by an IP prefix.
12. timestamp of the first packet of the flow
13. timestamp of the last packet of the flow
14. if sampling is used: sampling configuration
15. unique identifier of the observation point
16. unique identifier of the exporting process
The exporting process should be able to report the following
attributes for each metered flow:
17. if protocol type is ICMP: ICMP type and code
18. input interface (ifIndex)
This requirement does not apply if the observation point is
located at a probe device.
19. output interface (ifIndex)
This requirement does not apply if the observation point is
located at a probe device.
20. multicast replication factor
the number of outgoing packets originating from a single
incoming multicast packet. This is a dynamic property of
multicast flows, that may change over time. For unicast flows
it has the constant value 1. The reported value must be the
value of the factor at the time the flow record is exported.
The exporting process may be able to report the following attributes
for each metered flow:
21. Time To Live (in case of IPv4) or Hop Limit (in case of IPv6)
Quittek, et al. Informational [Page 15]
^L
RFC 3917 IPFIX Requirements October 2004
22. IP header flags
23. TCP header flags
24. dropped packet counter at the observation point
If a packet is fragmented, each fragment must be counted as an
individual packet.
25. fragmented packet counter
counter of all packets for which the fragmented bit is set in
the IP header
26. next hop IP address
27. source BGP Autonomous System number (see [RFC1771])
28. destination BGP Autonomous System number
29. next hop BGP Autonomous System number
6.2. Data Model
The data model describes how information is represented in flow
records.
The data model must be extensible for future attributes to be added.
Even if a set of attributes is fixed in the flow record, the data
model must provide a way of extending the record by configuration or
for certain implementations.
The data model used for exporting flow information must be flexible
concerning the flow attributes contained in flow records. A flexible
record format would offer the possibility of defining records in a
flexible (customizable) way regarding the number and type of
contained attributes.
The data model should be independent of the underlying transport
protocol, i.e., the data transfer.
6.3. Data Transfer
Requirements for the data transfer include reliability, congestion
awareness, and security requirements. For meeting these requirements
the exporting process can utilize existing security features provided
by the device hosting the process and/or provided by the transport
network. For example it can use existing security technologies for
authentication and encryption or it can rely on physical protection
of a separated network for transferring flow information.
6.3.1. Congestion Awareness
For the data transfer, a congestion aware protocol must be supported.
Quittek, et al. Informational [Page 16]
^L
RFC 3917 IPFIX Requirements October 2004
6.3.2. Reliability
Loss of flow records during the data transfer from the exporting
process to the collecting process must be indicated at the collecting
process. This indication must allow the collecting process to gauge
the number of flow records lost. Possible reasons for flow records
loss include but are not limited to:
1. Metering process limitations: lack of memory, processing power,
etc. These limitations are already covered in section 5.1.
2. Exporting process limitations: lack of memory, processing
power, etc.
3. Data transfer problems: packets that carry flow records sent
from the exporting process to the collecting process, are
dropped by the network. Examples are connection failures and
losses by a transport protocol that specifically offers
congestion avoidance without persistent transport-level
reliability.
4. Collecting process limitations: it may be experiencing
congestion and not able to buffer new flows records.
5. Operation and Maintenance: the collecting process is taken down
for maintenance or other administrative purposes.
Please note that if an unreliable transport protocol is used,
reliability can be provided by higher layers. If reliability is
provided by higher layers, only lack of overall reliability must be
indicated. For example reordering could be dealt with by adding a
sequence number to each packet.
The data transfer between exporting process and collecting process
must be open to reliability extensions including at least
- retransmission of lost flow records,
- detection of disconnection and fail-over, and
- acknowledgement of flow records by the collecting process.
This extensibility may be used to provide additional reliability.
The extended protocol must still meet the requirements described in
this section, particularly, it must still be congestion aware.
Therefore, extensions using retransmissions must use exponential
backoff.
Quittek, et al. Informational [Page 17]
^L
RFC 3917 IPFIX Requirements October 2004
6.3.3. Security
Confidentiality of IPFIX data transferred from an exporting process
to a collecting process must be ensured.
Integrity of IPFIX data transferred from an exporting process to a
collecting process must be ensured.
Authenticity of IPFIX data transferred from an exporting process to a
collecting process must be ensured.
The security requirements have been derived from an analysis of
potential security threads. The analysis is summarized in Section
10.
6.4. Push and Pull Mode Reporting
In general, there are two ways of deciding on reporting times: push
mode and pull mode. In push mode, the exporting process decides
without an external trigger when to send flow records. In pull mode,
sending flow records is triggered by an explicit request from a
collecting process. The exporting process must support push mode
reporting, it may support pull mode reporting.
6.5. Regular Reporting Interval
The exporting process should be capable of reporting measured traffic
data regularly according to a given interval length.
6.6. Notification on Specific Events
The exporting process may be capable of sending notifications to a
collecting process, if a specific event occurs. Such an event can
be, for instance, the arrival of the first packet of a new flow, or
the termination of a flow after flow timeout.
6.7. Anonymization
The exporting process may be capable of anonymizing source and
destination IP addresses in flow data before exporting them. It may
support anonymization of port numbers and other fields. Please note
that anonymization is not originally an application requirement, but
derived from general requirements for treatment of measured traffic
data within a network.
For several applications anonymization cannot be applied, for example
for accounting and traffic engineering. However, for protecting the
network user's privacy, anonymization should be applied whenever
Quittek, et al. Informational [Page 18]
^L
RFC 3917 IPFIX Requirements October 2004
possible. In many cases it is sufficient if anonymization is
performed at the collecting process after flow information has been
exported. This provides a reasonable protection of privacy as long
as confidentiality of the export is provided.
It would be desirable to request that all IPFIX exporters provide
anonymization of flow records, but algorithms for anonymization are
still a research issue. Several are known but the security they
provide and their other properties are not yet studied sufficiently.
Also, there is no standardized method for anonymization. Therefore,
the requirement for the exporting process supporting anonymization is
qualified with 'may' and not with 'must'.
If anonymized flow data is exported, this must be clearly indicated
to all receiving collecting processes, such that they can distinguish
anonymized data from non-anonymized data.
7. Configuration
If configuration is done remotely, security should be provided for
the configuration process covering confidentiality, integrity, and
authenticity. The means used for remote configuration are out of the
scope of this document.
7.1. Configuration of the Metering Process
The metering process must provide a way of configuring traffic
measurement. The following parameters of the metering process should
be configurable:
1. specification of the observation point
e.g., an interface or a list of interfaces to be monitored.
2. specifications of flows to be metered
3. flow timeouts
The following parameters may be configurable:
4. sampling method and parameters, if feature is supported
5. overload behavior, if feature is supported
7.2. Configuration of the Exporting Process
The exporting process must provide a way of configuring the data
export. The following parameters of the exporting process should be
configurable:
1. reporting data format
Specifying the reporting data format must include a
Quittek, et al. Informational [Page 19]
^L
RFC 3917 IPFIX Requirements October 2004
selection of attributes to be reported for each flow.
2. the collecting process(es) to which flows are reported
3. the reporting interval
This requirement only applies if the exporting process
supports reporting in regular intervals.
4. notifications to be sent to the collecting process(es)
This requirement only applies if the exporting process
supports notifications.
5. flow anonymization
This requirement only applies if the exporting process
supports flow anonymization.
8. General Requirements
8.1. Openness
IPFIX specifications should be open to future technologies. This
includes extensibility of configuration of the metering process and
the exporting process.
Openness is also required concerning the extensibility of the data
model, as stated in section 6.2.
8.2. Scalability
Data collection from hundreds of different exporting processes must
be supported. The collecting process must be able to distinguish
several hundred exporting processes by their identifiers.
8.3. Several Collecting Processes
The exporting process may be able to export flow information to more
than one collecting process. If an exporting process is able to
export flow records to multiple collecting processes then it must be
able to ensure that the flow records can be identified so that
duplicates can be detected between different collecting processes and
double counting problems can be avoided.
9. Special Device Considerations
This document intends to avoid constraining the architecture of
probes, routers, and other devices hosting observation points,
metering processes, exporting processes, and/or collecting processes.
It can be expected that typically observation point, metering
process, and exporting process are co-located at a single device.
However, the requirements defined in this document do not exclude
devices that derive from this configuration. Figure 2 shows some
examples.
Quittek, et al. Informational [Page 20]
^L
RFC 3917 IPFIX Requirements October 2004
All examples are composed of one or more of the following elements:
observation point (O), metering process (M), exporting process (E),
and collecting process (C). The observation points shown in the
figure are always the most fine-granular ones supported by the
respective device.
+---+ +-----+ +---------+ +---------+
| E-+-> | E--+-> | E----+-> <-+--E E--+->
| | | | | | | / \ | | | | |
| M | | M | | M M | | M M |
| | | | /|\ | | /|\ /|\ | | /|\ /|\ |
| O | | OOO | | OOO OOO | | OOO OOO |
+---+ +-----+ +---------+ +---------+
Probe Basic Complex Multiple
Router Router Exporting
Processes
+---+ +---+ +---+
| E-+-> | E-+-> | E-+------------->---+
| | | | | | | | | +---+ +-+-----+
+-+-+ | M | | M | | E-+------->-+-C-M-E-+->
| | | | | | | | | | +---+ +-+-----+
+-+-+ +-+-+ | O | | M | | E-+->---+
| | | | +---+ | | | | | |
| M | +-+-+ | O | | M |
| | | | | | +---+ | | | +-----+
| O | | O | | O | ->-+-C-E-+->
+---+ +---+ +---+ +-----+
Protocol Remote Concentrator Proxy
Converter Observation
Figure 2: IPFIX-related Devices
A very simple device is a probe. A typical probe contains a single
observation point, a single metering process, and a single exporting
process.
A basic router extends this structure by multiple observation points.
Here, the observation point of a particular flow may be one of the
displayed most fine-granular observation points, but also it may be a
set of them.
A more complex router may host more than one metering process, for
example one per line card. Please note that here, the observation
point of a single flow cannot exceed the set of most fine-granular
observation points linked to a single metering process, because only
the metering process can merge packets observed at different fine-
Quittek, et al. Informational [Page 21]
^L
RFC 3917 IPFIX Requirements October 2004
granular observation points to a joint flow. An observation point
containing all most fine-granular observation points of this router
is not possible with this structure. Alternatively, a complex router
may host different exporting processes for flow records generated by
different metering processes.
A protocol converter makes use of a metering process that can be
accessed only by protocol(s) other than the one defined for IPFIX,
for example, the SNMP and the Meter MIB module [RFC2720]. Then the
exporting process receives flow records from a remote metering
process and exports these records using the IPFIX protocol. Please
note that this document does not make any particular assumption on
how metering processes and export processes exchange information, as
long as all individual requirements for these processes are met.
Also the locations of metering processes are not of any relevance for
this document (in contrast to the locations of observation points and
the exporting processes).
In the example of remote packet observation in Figure 2 the metering
process and the observation point are not co-located. Packet headers
captured at an observation point may be exported as raw data to a
device hosting metering process and exporting process. Again, this
document does not make any particular assumption on how packet
headers are transferred from observation points to metering
processes, as long as all requirements for the metering processes are
met.
An intermediate structure between protocol converter and remote
observation (not shown in the Figure) would be a split metering
process, for example performing timestamping and sampling at the
device hosting the observation point and performing packet
classification at another device hosting the exporting process.
A concentrator receives flow records via the IPFIX protocol, merges
them into more aggregated flow records, and exports them again using
the IPFIX protocol. Please note that for the final flow records the
resulting observation point may be a superset of the more fine-
granular observation points at the first level devices. The metering
process of the final flow records is composed by the (partial)
metering processes at the first level devices and the partial
metering process at the concentrator.
Finally, a very simple IPFIX-related device is a proxy. It just
receives flow records using the IPFIX protocol and sends them further
using the same protocol. A proxy might be useful for traversing
firewalls or other gateways.
Quittek, et al. Informational [Page 22]
^L
RFC 3917 IPFIX Requirements October 2004
10. Security Considerations
An IPFIX protocol must be capable of transporting data over the
public Internet. Therefore it cannot be excluded that an attacker
captures or modifies packets or inserts additional packets.
This section describes security requirements for IPFIX. Like other
requirements, the security requirements differ among the considered
applications. The incentive to modify collected data for accounting
or intrusion detection for instance is usually higher than the
incentive to change data collected for traffic profiling. A detailed
list of the required security features per application can be found
in the appendix.
The suggestion of concrete solutions for achieving the required
security properties should be part of an IPFIX architecture and
protocol. It is out of scope of this document. Also methods for
remote configuration of the metering processes and exporting
processes are out of scope. Therefore, threats that are caused by
data exchange for remote configuration are not considered here.
The following potential security hazards for an IPFIX protocol have
been identified: disclosure of IP flow information, forgery of flow
records, and Denial of Service (DoS) attacks.
10.1. Disclosure of Flow Information Data
The content of data exchanged by an IPFIX protocol (for example IPFIX
flow records) should be kept confidential between the involved
parties (exporting process and collecting process). Observation of
IPFIX flow records gives an attacker information about the active
flows in the network, communication endpoints and traffic patterns.
This information cannot only be used to spy on user behavior but also
to plan and conceal future attacks. Therefore, the requirements
specified in section 6.3.3. include confidentiality of the
transferred data. This can be achieved for instance by encryption.
Also the privacy of users acting as sender or receiver of the
measured traffic needs to be protected when they use the Internet.
In many countries the right to store user-specific data (including
the user's traffic profiles) is restricted by law or by regulations.
In addition to encryption, this kind of privacy can also be protected
by anonymizing flow records. For many traffic flow measurements,
anonymized data is as useful as precise data. Therefore, it is
desirable to support anonymization in IPFIX implementations. It is
beyond the scope of the IPFIX Working Group to develop and
Quittek, et al. Informational [Page 23]
^L
RFC 3917 IPFIX Requirements October 2004
standardize anonymization methods. However, the requirements for
extensibility of the IPFIX protocol are sufficient to support
anonymized flow records when appropriate methods are standardized.
10.2. Forgery of Flow Records
If flow records are used in accounting and/or security applications,
there are potentially strong incentives to forge exported IPFIX flow
records (for example, to save money or prevent the detection of an
attack). This can be done either by altering flow records on the
path or by injecting forged flow records that pretend to be
originated by the original exporting process.
Special caution is required if security applications rely on flow
measurements. With forged flow records it is possible to trick
security applications. For example, an application may be lead to
falsely conclude that a DoS attack is in progress. If such an
injection of IPFIX traffic flow records fools the security
application, causing it to erroneously conclude that a DoS attack is
underway, then the countermeasures employed by the security
application may actually deny useful non-malicious services.
In order to make an IPFIX protocol resistant against such attacks,
authentication and integrity must be provided, as specified in
section 6.3.3.
10.3. Denial of Service (DoS) Attacks
DoS attacks on routers or other middleboxes that have the IPFIX
protocol implemented would also affect the IPFIX protocol and impair
the sending of IPFIX records. Nevertheless, since such hazards are
not induced specifically by the IPFIX protocol the prevention of such
attacks is out of scope of this document.
However, IPFIX itself also causes potential hazards for DoS attacks.
All processes that expect the reception of traffic can be target of a
DoS attack. With the exporting process this is only the case if it
supports the pull mode (which can be an optional feature of the IPFIX
protocol according to this document). The collecting process always
expects data and therefore can be flooded by flow records.
Quittek, et al. Informational [Page 24]
^L
RFC 3917 IPFIX Requirements October 2004
11. Acknowledgments
Many thanks to Georg Carle for contributing to the application
analysis, to K.C. Norseth for several fine-tunings, to Sandra
Tartarelli for checking the appendix, and to a lot of people on the
mailing list for providing valuable comments and suggestions
including Nevil Brownlee, Carter Bullard, Paul Calato, Ram Gopal, Tal
Givoly, Jeff Meyer, Reinaldo Penno, Sonia Panchen, Simon Leinen,
David Plonka, Ganesh Sadasivan, Kevin Zhang, and many more.
Quittek, et al. Informational [Page 25]
^L
RFC 3917 IPFIX Requirements October 2004
12. Appendix: Derivation of Requirements from Applications
The following table documents, how the requirements stated in
sections 3-7 are derived from requirements of the applications listed
in section 2.
Used abbreviations:
M = must
S = should
O = may (optional)
- = DONT CARE
-----------------------------------------------------------------------.
IPFIX |
----------------------------------------------------------------. |
E: QoS Monitoring | |
----------------------------------------------------------. | |
D: Attack/Intrusion Detection | | |
----------------------------------------------------. | | |
C: Traffic Engineering | | | |
----------------------------------------------. | | | |
B: Traffic Profiling | | | | |
----------------------------------------. | | | | |
A: Usage-based Accounting | | | | | |
----------------------------------. | | | | | |
| | | | | | |
| Sect. | Requirement | A | B | C | D | E | IPFIX|
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4. | DISTINGUISHING FLOWS |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4. | Combination of | M | M | M | M | M | M |
| | required attributes | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.1. | in/out IF | S | M | M | S | S | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.2. | src/dst address | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.2. | Masking of IP addresses | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.2. | transport protocol | M | M | - | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.2. | version field | - | S | S | O | O | S |
| | | | | (b) | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
Quittek, et al. Informational [Page 26]
^L
RFC 3917 IPFIX Requirements October 2004
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| Sect. | Requirement | A | B | C | D | E | IPFIX|
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.3. | src/dst port | M | M | - | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.4. | MPLS label (a) | S | S | M | O | S | M |
| | | | | (c) | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 4.5. | DSCP (a) | M | S | M | O | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5. | METERING PROCESS |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.1. | Reliability | M | S | S | S | S | |
|-------+-------------------------+-----+-----+-----+-----+-----+ M |
| 5.1. | Indication of | - | M | M | M | M | |
| | missing reliability | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.2. | Sampling (d,e) | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.3. | Overload Behavior (f) | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.4. | Timestamps | M | O | O | S | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.5. | Time synchronization | M | S | S | S | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.6. | Flow timeout | M | S | - | O | O | M |
| | | (g) | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.7. | Multicast flows | S | O | O | O | S | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.8. | Packet fragmentation | O | O | - | - | - | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 5.9. | Ignore port copy | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6. | DATA EXPORT |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | INFORMATION MODEL |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | IP Version | - | M | M | O | O | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | src/dst address | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | transport protocol | M | M | - | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | src/dst port | M | M | - | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Packet counter (h) | S | M | M | S | S | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
Quittek, et al. Informational [Page 27]
^L
RFC 3917 IPFIX Requirements October 2004
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| Sect. | Requirement | A | B | C | D | E | IPFIX|
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Byte counter | M | M | M | S | S | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | ToS (IPv4) or traffic | M | S | M | O | M | M |
| | class octet (IPv6) | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Flow Label (IPv6) | M | S | M | O | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | MPLS label (a) | S | S | M | O | S | M |
| | | | | (c) | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Timestamps for | M | O | O | S | S | M |
| | first/last packet | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Sampling configuration | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | observation point | M | M | M | M | M | M |
| | identifier | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | export process | M | M | M | M | M | M |
| | identifier | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | ICMP type and code (i) | S | S | - | S | S | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | input/output interface | S | S | S | S | S | S |
| | (j) | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Multicast | O | S | S | - | S | S |
| | replication factor | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | TTL | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | IP header flags | - | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | TCP header flags | - | O | O | O | - | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Dropped Packet | O | O | O | O | O | O |
| | Counter (h,k) | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | Fragment counter | - | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | next hop IP address | O | O | O | O | - | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.1. | src / dst / next hop | - | O | O | - | - | O |
| | BGP AS # | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
Quittek, et al. Informational [Page 28]
^L
RFC 3917 IPFIX Requirements October 2004
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| Sect. | Requirement | A | B | C | D | E | IPFIX|
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.2. | DATA MODEL |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.2. | Flexibility | M | S | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.2. | Extensibility | M | S | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3. | DATA TRANSFER |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3.1.| Congestion aware | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3.2.| Reliability | M | S | S | S | S | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3.3.| Confidentiality | M | S | S | M | S | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3.4.| Integrity | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.3.5.| Authenticity | M | M | M | M | M | M |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.4. | REPORTING TIMES |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.4. | Push mode | M | O | O | M | S | M |
| | | | (l) | (l) | |(l,m)| |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.4. | Pull mode | O | O | O | O | O | O |
| | | | (l) | (l) | | (l) | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.4.1.| Regular interval | S | S | S | S | S | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.6. | Notifications | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 6.7. | Anonymization (n) | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7. | CONFIGURATION |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7. | Secure remote | S | S | S | S | S | S |
| | configuration (a) | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.1. | Config observation point| S | S | S | S | S | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.1. | Config flow | S | S | S | S | S | S |
| | specifications | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.1. | Config flow timeouts | S | S | S | S | O | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
Quittek, et al. Informational [Page 29]
^L
RFC 3917 IPFIX Requirements October 2004
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| Sect. | Requirement | A | B | C | D | E | IPFIX|
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.1. | Config sampling | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.1. | Config overload | O | O | O | O | O | O |
| | behavior (a) | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.2. | Config report | S | S | S | S | S | S |
| | data format | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 7.2. | Config | S | S | S | S | S | S |
| | notifications | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 8. | GENERAL REQUIREMENTS |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 8.1. | Openness | S | S | S | S | S | S |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 8.2. | Scalability: | | | | | | |
| | data collection | M | S | M | O | S | M |
| | from hundreds of | | | | | | |
| | measurement devices | | | | | | |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
| 8.3. | Several collectors | O | O | O | O | O | O |
|-------+-------------------------+-----+-----+-----+-----+-----+------|
Remarks:
(a) If feature is supported.
(b) The differentiation of IPv4 and IPv6 is for TE of importance.
So we tended to make this a must. Nevertheless, a should
seems to be sufficient to perform most TE tasks and allows us
to have a should for IPFIX instead of a must.
(c) For TE in an MPLS network the label is essential. Therefore a
must is given here leading to a must in IPFIX.
(d) If sampling is supported, the methods and parameters must be
well defined.
(e) If sampling is supported, sampling configuration changes must
be indicated to all collecting processes.
(f) If overload behavior is supported and it induces changes in
the metering process behavior, the overload behavior must be
clearly defined.
(g) Precise time-based accounting requires reaction to a flow
timeout.
(h) If a packet is fragmented, each fragment is counted as an
individual packet.
(i) If protocol type is ICMP.
Quittek, et al. Informational [Page 30]
^L
RFC 3917 IPFIX Requirements October 2004
(j) This requirement does not apply if the observation point is
located at a probe device.
(k) Only if measurement is done on data path i.e., has access to
forwarding decision.
(l) Either push or pull has to be supported.
(m) Required, in order to immediately report drop indications for
SLA validation.
(n) Anonymization must be clearly indicated to all receiving
collecting processes.
13. References
13.1. Normative References
[RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M.,
Zhang, L., and V. Paxson, "Stream Control Transmission
Protocol", RFC 2960, October 2000.
[RFC3031] Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol
Label Switching Architecture", RFC 3031, January 2001.
[RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC 2474, December
1998.
[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981.
13.2. Informative References
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, February 2002.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003.
[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to
Accounting Management", RFC 2975, October 2000.
[RFC2702] Awduche, D., Malcolm, J., Agogbua, J., O'Dell, M., and J.
McManus, "Requirements for Traffic Engineering Over
MPLS", RFC 2702, September 1999.
Quittek, et al. Informational [Page 31]
^L
RFC 3917 IPFIX Requirements October 2004
[RFC1771] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4
(BGP-4)", RFC 1771, March 1995.
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62, RFC
3418, December 2002.
[RFC2720] Brownlee, N., "Traffic Flow Measurement: Meter MIB", RFC
2720, October 1999.
14. Authors' Addresses
Juergen Quittek
NEC Europe Ltd., Network Laboratories
Kurfuersten-Anlage 36
69115 Heidelberg
Germany
Phone: +49 6221 90511 15
EMail: quittek@netlab.nec.de
Tanja Zseby
Fraunhofer Institute for Open Communication Systems (FOKUS)
Kaiserin-Augusta-Allee 31
10589 Berlin
Germany
Phone: +49 30 3463 7153
EMail: zseby@fokus.fhg.de
Benoit Claise
Cisco Systems
De Kleetlaan 6a b1
1831 Diegem
Belgium
Phone: +32 2 704 5622
EMail: bclaise@cisco.com
Sebastian Zander
Centre for Advanced Internet Architectures, Mail H31
Swinburne University of Technology
PO Box 218
John Street, Hawthorn
Victoria 3122, Australia
Phone: +61 3 9214 8089
EMail: szander@swin.edu.au
Quittek, et al. Informational [Page 32]
^L
RFC 3917 IPFIX Requirements October 2004
15. Full Copyright Statement
Copyright (C) The Internet Society (2004).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the IETF's procedures with respect to rights in IETF Documents can
be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Quittek, et al. Informational [Page 33]
^L
|
