[ipfix-data] Data Doc
calato@riverstonenet.com Tue, 12 February 2002 18:50 UTC
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA21827 for <ipfix-archive@lists.ietf.org>; Tue, 12 Feb 2002 13:50:52 -0500 (EST)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 16ahaG-0006n5-00 for ipfix-list@mil.doit.wisc.edu; Tue, 12 Feb 2002 12:23:16 -0600
Received: from host3.riverstonenet.com ([63.113.148.3] helo=exc-sc1.yagosys.com) by mil.doit.wisc.edu with esmtp (Exim 3.13 #1) id 16ahaE-0006lp-00 for ipfix-data@net.doit.wisc.edu; Tue, 12 Feb 2002 12:23:14 -0600
Received: from riverstonenet.com (134.141.180.88 [134.141.180.88]) by exc-sc1.yagosys.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 1PZYYVJX; Tue, 12 Feb 2002 10:21:57 -0800
Message-ID: <3C695D44.40D5A338@riverstonenet.com>
Date: Tue, 12 Feb 2002 13:21:56 -0500
From: calato@riverstonenet.com
X-Mailer: Mozilla 4.75C-CCK-MCD NSCPCD475 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: "Norseth, KC" <knorseth@enterasys.com>, data <ipfix-data@net.doit.wisc.edu>
Subject: [ipfix-data] Data Doc
References: <3C695880.69C2A4FB@riverstonenet.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
Content-Transfer-Encoding: 7bit
KC, here are a bunch of edits. If you want, send me the source and I'll take editor responsibilties for it. Paul calato@riverstonenet.com wrote: > > IPFIX working group > Internet Draft > draft-ietf-ipfix-data-00.txt > Expires: August 2002 > > Benoit Claise > Cisco Systems > P. Calato > Riverstone Networks Inc > Ram Gopal > Man Li > Nokia > K.C. Norseth > Enterasys Networks > Reinaldo Penno > NortelNetworks > J. Quittek > NEC Europe Ltd. > Ganesh Sadasivan > Cisco Systems, Inc.Kevin Zhang > XACCT Technologies > Tanja Zseby > FhI FOKUS > > February 2002 > > IPFIX Architecture > Architecture Model for IP Flow Information Export > draft-ietf-ipfix-data-00.txt > > Status of this Memo > > This document is an Internet-Draft and is in full conformance with all > provisions of Section 10 of RFC2026 [1]. > > Internet-Drafts are working documents of the Internet Engineering Task > Force (IETF), its areas, and its working groups. Note that other groups > may also distribute working documents as Internet-Drafts. > Internet-Drafts are draft documents valid for a maximum of six months > and may be updated, replaced, or obsoleted by other documents at any > time. It is inappropriate to use Internet- Drafts as reference material > or to cite them other than as "work in progress." > > The list of current Internet-Drafts can be accessed at > http://www.ietf.org/ietf/1id-abstracts.txt > The list of Internet-Draft Shadow Directories can be accessed at > http://www.ietf.org/shadow.html. > > Abstract > > This document defines architecture for scalable monitoring, measuring > and exporting IP flow information to collectors. > > Conventions used in this document > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > document are to be interpreted as described in RFC-2119 [1]. > > 1. Introduction 5 > 2. Scope 5 > 3. Terminology 5 > 4. Information Model 5 > 4.1. Attributes related to IP Packet Header 6 > 4.2. Attributes Related to Measurement 6 > 4.3. Attributes Related to Flow Definition 6 > 4.4. Attributes related to Upper Layers 6 > 4.5. IPFIX Template 7 > 4.5.1. Template Negotiation 7 > 5. Information Elements 7 > 5.1. Packet Management 7 > 5.1.1. Version Number 7 > 5.1.2. FLOWS 7 > 5.1.3. FLOW_LABEL 7 > 5.2. IP Address 7 > 5.2.1. Source Address IE 7 > 5.2.2. Destination Address IE 8 > 5.2.3. NEXT_HOP_IP IE 8 > 5.3. Time Stamps 8 > 5.3.1. Time IE 8 > 5.3.2. UTC Time IE 8 > 5.3.3. Delta Time IE 8 > 5.4. Service Types 8 > 5.4.1. Class of Service IE 8 > 5.4.2. TCP Control Bits IE 9 > 5.4.3. Protocol Identifier IE 9 > 5.4.4. Source Exporter [ is that the right term?? PAC] Address IE > 9 > 5.5. Flow State IE 9 > 5.6. Statistical Elements 9 > 5.6.1. Byte Count IE 10 > 5.6.2. Packet Count IE 10 > 5.6.3. Dropped Byte Count IE 10 > 5.6.4. Dropped Packet Count IE 10 > 5.7. Port Information 11 > 5.7.1. Source Port IE 11 > 5.7.2. Destination Port IE 11 > 5.8. Autonomous System (AS) 11 > 5.8.1. Source AS IE 11 > 5.8.2. Destination AS IE 11 > 5.8.3. Next Hop AS IE 11 > 5.9. IfIndexes and Interfaces 11 > 5.9.1. Ingress Port IE 11 > 5.9.2. Egress Port IE 11 > 5.9.3. Egress ATM Subinterface 12 > 5.9.4. EGRESS_FRAME_RELAY_SUBINTERFACE IE 12 > 5.10. NetMasks 12 > 5.10.1. Source Address Netmask IE 12 > 5.10.2. Destination Address Netmask IE 12 > 5.11. BGP & Vlan IE's 12 > 5.11.1. Destination BGP Community IE 12 > 5.11.2. Source BGP Community IE 12 > 5.11.3. BGP_NEXT_HOP 12 > 5.11.4. Source VLAN ID IE 12 > 5.11.5. Destination VLAN ID IE 13 > 5.11.6. Source Virtual Address IE 13 > 5.11.7. Source Virtual Port IE 13 > 5.11.8. Destination Virtual Address IE 14 > 5.11.9. Destination Virtual Port IE 14 > 5.12. NAT 14 > 5.12.1. INSIDE_L4_SRC 14 > 5.12.2. INSIDE_IPV4_SRC_ADDR 14 > 5.12.3. INSIDE_L4_DST_PORT 14 > 5.12.4. INSIDE_IPV4_DST_ADDR 14 > 5.12.5. INSIDE_IPV6_SRC_ADDR 14 > 5.12.6. INSIDE_IPV6_DST_ADDR 14 > 5.12.7. OUTSIDE_L4_SRC_PORT 14 > 5.12.8. OUTSIDE_IPV4_SRC_ADDR 15 > 5.12.9. OUTSIDE_L4_DST_PORT 15 > 5.12.10. OUTSIDE_IPV4_DST_ADDR 15 > 5.12.11. OUTSIDE_IPV6_SRC_ADDR 15 > 5.12.12. OUTSIDE_IPV6_DST_ADDR 15 > 5.13. Vendor Specific IE 15 > 5.14. Misc. Information Elements 15 > 5.14.1. Flow Label IE 15 > 5.14.2. Flow Direction 15 > 5.14.3. Fragment ID IE 16 > 5.14.4. Internal queue priority 16 > 5.14.5. Global VPN Identifier IE 16 > 5.14.6. IPM_DPKTS 16 > 5.14.7. IPM_DOCTETS 16 > 5.14.8. LAST_SWITCHED 16 > 5.14.9. FIRST_SWITCHED 16 > 5.14.10. MAC_ADDR 16 > 5.14.11. VLAN_ID 16 > 5.14.12. ICMP_TYPE 16 > 5.14.13. IGMP_TYPE 16 > 5.15. Sampling 17 > 5.15.1. SAMPLING_INTERVAL 17 > 5.15.2. SAMPLING_ALGO 17 > 5.15.3. FLOW_ACTIVE_TIMEOUT 17 > 5.15.4. FLOW_INACTIVE_TIMEOUT 17 > 6. References 17 > 7. Acknowledgements 19 > 8. Author's Addresses 20 > 9. Full Copyright Statement 21 > 10. Stuff to Add 21 > 11. End of stuff to add 21 > > 1. Introduction > > Many applications e.g., Intrusion detection, traffic engineering, > require the monitoring, measuring of IP traffic flows. It is hence > important to have a standard way of exporting information related to IP > flows. This document defines architecture for IP traffic flow > monitoring, measuring and exporting. It provides a high-level > description of the key components and their functions. > > 2. Scope > > This document defines information data model for IPFIX[3]. Specifically, > this document > > 3. Terminology > MOVED to the Requirements draft > > 4. Information Model > Delete Start ============ > I think we need to begin with a couple of guidlines (which > we should augment as we go). They are just guidelines. > > 1. Data element values should be defined in terms of other > specifications. Since we are only reporting things in other protocols, > there should be little reason for us to define anything from scatch. > > 2. Each element should be able to be interpreted on it own. In other > words, don't make me look though the rest of the message to figure out > what this value means. The drawback is this can lead to data element > explosion. We'll have to balance the tradeoffs. > > 3. Others? Delete End =========== Those were just my comments. I don't think they belong in the document. > > The IPFIX information model is listed in the IPFIX requirement > document. The information model consists of the minimum set of > attributes that an IPFIX exporting device should be able to export. In > conjunction with IP flow definitions, they provide locally accurate > information about a flow. I do not think it is the minimum set. It is the full set to this point in time. We need to define the full set in order to get interoperabiltity. Vendors defining their own fields should be the exception rather than the rule. > > To meet application's requirement may require the collection device to > obtain additional information about the flow, e.g. address translation, > user identification, etc. Additional flow information may also be > required; in this case, equipment vendors may define extensions to the > IPFIX information model. Any extension to the IPFIX information model > should be conveyed between end points. > > This section presents a rigorous definition and sufficient statistics > for these attributes. > > 4.1. Attributes related to IP Packet Header > > The following attributes are obtained directly from IP packet header > belonging to a flow: > o IP Version Number > o Source Address > o Destination Address > o Protocol Type > o TOS (for version 4) > o Flow Label (for version 6) > o DSCP (if DiffServ is supported) > > 4.2. Attributes Related to Measurement > > The following attributes relates to measurements and measuring > methodology: > o Packet Counter > o Dropped Packet Counter > o Payload Byte Counter What is this?? > o Timestamp of the First Packet Observed > o Timestamp of the Last Packet Observed > o Timeout Indication > o Sampling Method > o Sampling Parameters > > 4.3. Attributes Related to Flow Definition > > The following attributes relates to IP flow definitions. > > o Incoming Interface > o Outgoing Interface > o Packet Treatment > o Unique ID of the Observation Point > o Unique ID of the Measuring Device > > 4.4. Attributes related to Upper Layers > > The following attributes provides information of upper layer protocols. > o Source Port Address > o MPLS Label (if MPLS is supported) Just a nit but MPLS is actaually a lower layer. Where are derived things like AS number? > > 4.5. IPFIX Template > > The IPFIX system MUST support efficient exporting of IP flow > information. This can be achieved by negotiating a set of IPFIX > Templates for an IPFIX session before actual IP flow information is > exported. A template defines the structure of an IPFIX user message > payload by describing the data type, meaning, and location of the fields > in the payload. By agreeing on IPFIX templates, IPFIX end-points > understand how to process IPFIX user messages. As a result, an exporting > device only needs to export actual flow information without attaching > any descriptors of the attributes; this reduces the amount of bytes sent > over communication links. > > A template is an ordered list of keys. A key specifies an attribute that > a meter entity MAY export. The specification MUST consist of the > description and the data type of the attribute. (e.g. 'Number of Sent > Bytes' can be a key that is an 32 bit unsigned integer) An exporting > device typically defines keys. Based on the IPFIX information model, a > set of IPFIX standard keys can be defined. > > 4.5.1. Template Negotiation > > During the initial setup of an IPFIX session, template negotiation > procedures should be carried out. It would allow all the IPFIX > end-points to synchronize on a set of templates that will be used during > IP flow information export. I assume a lot more discussion needs to happen here. > > 5. Information Elements > 5.1. Packet Management > > This information contains the fields needed to manage the data packets > transmitted > > 5.1.1. Version Number > > [Need to expand more] If this is IPFIX protocol version, it does not belong here. > > 5.1.2. FLOWS > V#3 S#4 > Number of main cache flows What is this??? > > 5.1.3. FLOW_LABEL > V#31 S#2 > IPV6 Flow Label > [Need to expand more] > Delete, already covered below in more detail. > 5.2. IP Address > > 5.2.1. Source Address IE > > Source address associated with a flow. Addresses can be of any type as > described in RFC 1700 [note - we need a new reference here, 1700 has > been obsoleted] > > 5.2.2. Destination Address IE > > Destination address associated with a flow. same as above. > > 5.2.3. NEXT_HOP_IP IE > > Address of the next hop. address is defined the same as for Source > Address IE. > > 5.3. Time Stamps > > 5.3.1. Time IE > > The time (as a SNMPv2 TimeStamp [1443]) associated with the > status/statistics observed or other events. > > 5.3.2. UTC Time IE > > The time in seconds since 00:00:00 UTC, January 1, 1970 associated with > the status/statistics observed or other events. If both Time and > UTC_TIME are present, UTC Time takes precedence. > > 5.3.3. Delta Time IE > > The number in 100ths of seconds over which the statistics were observed. > TYPE is 71 and format is: > > 5.4. Service Types > > 5.4.1. Class of Service IE > > The class of service associated with a flow. > > Class of Service Received > Class of Service Transmitted > > 1. IPv4, CoS value is defined by ToS in RFC 791 > 2. IPv6, CoS value is defined by Traffic Class in RFC 2460 > 3. MPLS, CoS value is defined by Exp in RFC 3032 > 4. VLAN, CoS value is defined by user_priority in IEEE802.1q[802.1q] and > IEEE 802.1p[802.1p] > > [Can more than one Class of Service can be present??? PAC] > > > 5.4.2. TCP Control Bits IE > > The TCP control bits seen for this flow. Note a 0 value for each bit > only indicates that the flag was not detected (i.e. it may have occurred > but was not detected by the reporting CCE). TCP Control Bits are defined > by RFC 793. > > 5.4.3. Protocol Identifier IE > > e.g. TCP/UDP [ need an RFC reference here. PAC] > > 5.4.4. Source Exporter [ is that the right term?? PAC] Address IE > > Source Exporter address is the address of the Exporter reporting the > flow, Address is same as is as shown for Source Address. This > information is used by applications to later correlate the > ingress/egress port with a specific Exporter. It is also used to > maintain the source Exporter information when there is an intermediate > proxy. For example, given the picture below: > > SW1 -------- P1 ------ FAS1 > ^ > | > SW2---------- | > > Flows coming from SW1 and SW2 through proxy P1 would look to the > Collector [ is this the rigth term??? PAC] like the same Exporter > connection. With the Source Exporter in the message the original > Exporter address is maintained. > > 5.5. Flow State IE > > Flow State is the intended End State for the Flow. > > Flow state has one of the following meanings: > > Flow is inactive > Flow is active > > 5.6. Statistical Elements > > To be added > > 5.6.1. Byte Count IE > > Contains the count of octets sent and received associated with the > identified flow. > > The byte count can be for bytes received (towards source) or bytes sent > (towards destination) or both (bi-directional flow). > > The byte count can be a running counter and is the count from the > beginning of the flow establishment. > > The byte count can be a delta counter and is the count since the last > report for this flow. > > 5.6.2. Packet Count IE > > Contains the count of packets sent and received associated with the > identified flow. > > The packet count can be for packets received (towards source) or packets > sent (towards destination) or both (bi-directional flow). > > The packet count can be a running counter and is the count from the > beginning of the flow establishment. > > The packet count can be a delta counter and is the count since the last > report for this flow. > > 5.6.3. Dropped Byte Count IE > > Contains the count of octets dropped at the observation point associated > with the identified flow. > > The dropped byte count can be a running counter and is the count from > the beginning of the flow establishment. > > The byte count can be a delta counter and is the count since the last > report for this flow. > > 5.6.4. Dropped Packet Count IE > > Contains the count of packets dropped at the observation point > associated with the identified flow. > > The dropped packet count can be a running counter and is the count from > the beginning of the flow establishment. > > The dropped packet count can be a delta counter and is the count since > the last report for this flow. > > 5.7. Port Information > > To be added > > 5.7.1. Source Port IE > > This IE is used to report UDP source port [see RFC 768] or TCP source > port [see RFC 793]. > > 5.7.2. Destination Port IE > > This IE is used to report UDP destination port [see RFC 768] or TCP > destination port [see RFC 793]. > > 5.8. Autonomous System (AS) > > To be added > > 5.8.1. Source AS IE > > The Autonomous System (AS) numbers for the source address associated > with a flow. Autonomous System (AS) number is defined by RFC 1930 and > RFC 1771 (BGP-4): > > 5.8.2. Destination AS IE > > The Autonomous System (AS) numbers for the destination address > associated wit a flow. Autonomous System (AS) number is defined by RFC > 1930 and RFC 1771 (BGP-4). > > 5.8.3. Next Hop AS IE > > The Autonomous System (AS) numbers for the next hop IP. Autonomous > System (AS) number is defined by RFC 1930 and RFC 1771 (BGP-4). > > 5.9. IfIndexes and Interfaces > > To be added > > 5.9.1. Ingress Port IE > > The ingress ifIndex for the flow is provided in this IE. ifIndex is > defined by RFC 2233. > > 5.9.2. Egress Port IE > > The egress ifIndex for the flow is provided in this IE. ifIndex is > defined by RFC 2233. > > 5.9.3. Egress ATM Subinterface > > The egress vpi/vci for the flow is provided in this IE. vpi/vci id > defined by the ATM Forum UNI 3.1 specification: > > 5.9.4. EGRESS_FRAME_RELAY_SUBINTERFACE IE > > The egress DLCI for the flow is provided in this IE. ITU Q.922 defines > the DLCI range. The frDlcmiState is defined in RFC 2115 and defines the > specific values of the DLCI. > > 5.10. NetMasks > 5.10.1. Source Address Netmask IE > > The number of bits in the CIDR netmask, as defined in RFC 1519, for the > source address. > > 5.10.2. Destination Address Netmask IE > > The CIDR netmask, as defined in RFC 1519, for the destination address. > > 5.11. BGP & Vlan IE's > > 5.11.1. Destination BGP Community IE > > The BGP community number for the destination address. BGP community > number is defined by RFC 1997: > > 5.11.2. Source BGP Community IE > > The BGP community number for the source address. > > 5.11.3. BGP_NEXT_HOP > V#18 S#4 > Next-hop router in the BGP > domain > > 5.11.4. Source VLAN ID IE > > The Source VLAN ID associated with the flow. VLAN ID is defined by IEEE > standard 802.1q - 1998[802.1q]. > > [ Is this ultimate source VLAN or the source vlan of the port where the > packet came in? Or do we need a way to represent both? PAC] > > 5.11.5. Destination VLAN ID IE > > The destination VLAN ID associated with the flow. VLAN ID is defined by > IEEE standard 802.1q - 1998[802.1q]. > > [ Is this ultimate destination VLAN or the destination vlan of the port > where the packet went out? Or do we need a way to represent both? PAC] > > 1.1. Virtual Information > > 5.11.6. Source Virtual Address IE > > An Exporter may be involved in redirecting flows. This IE captures > information needed for proper accounting of redirected flows. The Source > Virtual IE contains the source address of the flow as transmitted by the > Exporter. It is generally different than the source address IE, which > contains the address of the actual source of the message. > > A type field would contain the type of translation performed on the > source address. The following types are currently available: > 1. - NAT > 2. - LSNAT > 3. - Web Cache > > The address is defined the same as for Source Address. > > 5.11.7. Source Virtual Port IE > > A CCE may be involved in redirecting flows. This IE captures information > needed for proper accounting of redirected flows. The Source Virtual > port IE contains the source port of the flow as transmitted by the CCE. > It may be different than the source port IE, which contains the port of > the actual source of the flow. An IP Protocol field is present and is > defined by the IP protocol spec [RFC 791] (e.g. TCP/UDP). The fields > indicates how to interpret the port value field. > > A type field contains the type of translation performed on the source > port. The following types are currently available: > > 1. - NAT > 2. - LSNAT > 3. - Web Cache > > 5.11.8. Destination Virtual Address IE > > The Destination Virtual IE contains the destination address of the flow > as received by the Exporter. It is generally different than the > destination port number, which contains the actual destination address > of the flow. > > 5.11.9. Destination Virtual Port IE > > The Destination Virtual port IE contains the destination port of the > flow as received by the Exporter. It may be different than the > destination port recorded in the destination port, which contains the > actual destination port of the flow. > Start delete ============ > 5.12. NAT > 5.12.1. INSIDE_L4_SRC > V#42 S#2 > > NAT port number (.e.g, FTP, Telnet, etc...) only applicable with NAT > > 5.12.2. INSIDE_IPV4_SRC_ADDR > V#43 S#4 > Source IPv4 Address only applicable with NAT TCP/UDP destination port > > 5.12.3. INSIDE_L4_DST_PORT > V#44 S#2 > The number (.e.g, FTP, telnet etc...) only applicable with NAT > > 5.12.4. INSIDE_IPV4_DST_ADDR > V#45 S#4 > Destination IPv4 Address only applicable with NAT > > 5.12.5. INSIDE_IPV6_SRC_ADDR > V#46 S#16 > IPv6 Source Address only applicable with NAT > > 5.12.6. INSIDE_IPV6_DST_ADDR > V#47 #16 > IPv6 Destination Address only applicable with NAT > > 5.12.7. OUTSIDE_L4_SRC_PORT > V#48 S#2 > TCP/UDP destination port number (.e.g, FTP, Telnet, etc...) only > applicable with NAT > > 5.12.8. OUTSIDE_IPV4_SRC_ADDR > V#49 S#4 > Source IPv4 Address only applicable with NAT TCP/UDP destination port > > 5.12.9. OUTSIDE_L4_DST_PORT > V#50 S#2 > number (.e.g, FTP, Telnet, etc...) only applicable with NAT > > 5.12.10. OUTSIDE_IPV4_DST_ADDR > V#51 S#4 > Destination IPv4 Address only applicable with NAT > > 5.12.11. OUTSIDE_IPV6_SRC_ADDR > V#52 S#16 > IPv6 Source Address only applicable with NAT > > 5.12.12. OUTSIDE_IPV6_DST_ADDR > V#53 S#16 > IPv6 Destination Address only applicable with NAT > Delete ENd ========== Already covered above in more detail above. Even if we disagree on the exact text, this stuyff is duplicate. > 5.13. Vendor Specific IE > > Vendors may add their own information to the protocol. Information > contained in this IE is vendor specific. OID and OID Value is defined by > ITU X.680.X683 (1997) and is encoded as defined by ITU X.690.691(1997). > This IE MUST not contain any information which cannot be safely ignored > by the Exporter or Collector. If multiple Vendor Specific IE's with the > same OID occur, then the vendor defines semantics of ordering. > > 5.14. Misc. Information Elements > > To be added > > 5.14.1. Flow Label IE > > The Flow Label IE contains the IPV6 Flow Label information as defined by > RFC 2460. > 5.14.2. Flow Direction > V#54 S#1 > The direction of the flow observed at the observation point. If the > observation point is a set of interface(s) the direction is w.r.t the > wire. > > 5.14.3. Fragment ID IE > > The fragment ID associated with the flow. RFC 791 and RFC 2460 define > fragment ID. > > 5.14.4. Internal queue priority > > A switch may map several of its internal priority queues into a Premium, > High, Medium or Low category. > > [ this sections needs more work] > > 5.14.5. Global VPN Identifier IE > > The VPN identifier associated with the flow as defined in RFC 2685. > > 5.14.6. IPM_DPKTS > V#19 S#4 > Packet count for IP Multicast > > 5.14.7. IPM_DOCTETS > V#20 S#4 > Octet (byte) count for IP Multicast IPM_DPKTS and IPM_DOCTETS should be moved to where the other counts are. > > 5.14.8. LAST_SWITCHED > V#21 S#4 > SysUptime at which the last packet of this flow was switched > > 5.14.9. FIRST_SWITCHED > V#22 S#4 > SysUptime at which the first packet of this flow was switched > [Need to expand more] > Move these with the other timestamp info, I'll work on combining. > 5.14.10. MAC_ADDR > V#25 S#6 > Layer 2 Media Access Control address associated with a flow > Delete. Already covered under the address stuff. > 5.14.11. VLAN_ID > V#26 S#2 > Virtual LAN identifier associated with a flow Delete. already covered in more detail. > > 5.14.12. ICMP_TYPE > V#32 S#1 > ICMP Packet Type. This is reported as (ICMP Type * 256) + ICMP code We need a spec reference. > > 5.14.13. IGMP_TYPE > V#33 S#1 > IGMP Packet Type we need a spec reference. > > 5.15. Sampling > > 5.15.1. SAMPLING_INTERVAL > V#34 S#1 > When using Sampling, the rate at which packets are sampled. For > example, a value of 100 indicates that one of every hundred packets is > sampled. > > 5.15.2. SAMPLING_ALGO > V#35 S#1 > The type of algorithm used for sampling > data. Currently, the only > sampling algorithm defined is: > 0x02 packet-sampling > > 5.15.3. FLOW_ACTIVE_TIMEOUT > V#36 S#2 > Timeout value for active flow entries in the cache. > > 5.15.4. FLOW_INACTIVE_TIMEOUT > V#37 S#2 > Timeout value for inactive flow entries in the cache. > > 6. References > > 3. J. Quittek ,et al.," Requirements for IP Flow Information Export ", > (work in progress) ,Internet Draft, Internet Engineering Task Force, > <draft-ietf-ipfix-reqs-00.txt>, November 2001 > > 4. M. Wood ,et al.," Intrusion Detection Message Exchange > Requirements",(work in progress), Internet Draft, Internet Engineering > Task Force, draft-ietf-idwg-requirements-06,February 2002. > > 5. Daniel O. Awduche, et. al.," Overview and Principles of Internet > Traffic Engineering", (work in progress), Internet Draft, Internet > Engineering Task Force, draft-ietf-tewg-principles-02.txt, May 2002 > > [Brow00] Nevil Brownlee: Packet Matching for NeTraMet Distributions, > http://www2.auckland.ac.nz/net//Internet/rtfm/meetings/47-adelaide/pp-dist/ > > [DeCi01] C. Demichelis, P. Cimento: IP Packet Delay Variation Metric for > IPPM, > <draft-ietf-ippm-ipdv-08.txt>, November 2001 > > [RFC2680] G. Almes, S. Kalidindi, M. Zekauskas: A One-way Packet Loss > Metric for > IPPM, September 1999 > > [ClPB93] K.C. Claffy, George C Polyzos, Hans-Werner Braun: Application > of Sampling > Methodologies to Network Traffic Characterization, Proceedings of ACM > SIGCOMM'93, > San Francisco, CA, USA, September 13 - 17, 1993 > > [GrDM98] Ian D. GRAHAM, Stephen F. DONNELLY, Stele MARTIN, Jed MARTENS, > John G. CLEARY: > Nonintrusive and Accurate Measurement of Unidirectional Delay and Delay > Variation on > the Internet, INET'98, Geneva, Switzerland, 21-24 July, 1998 > > [DuGr00] Nick Duffield, Matthias Grossglauser: "Trajectory Sampling for > Direct Traffic > Observation", Proceedings of ACM SIGCOMM 2000, Stockholm, Sweden, August > 28 - > September 1, 2000. > > [RFC2679] G. Almes, S. Kalidindi, M. Zekauskas: A One-way Delay Metric > for IPPM, > Request for Comments: 2679, September 1999 > > [ZsZC01] Tanja Zseby, Sebastian Zander, Georg Carle: Evaluation > of Building Blocks > for Passive One-way-delay Measurements, Proceedings of Passive and > Active Measurement > Workshop (PAM 2001), Amsterdam, The Netherlands, April 23-24, 2001 (PAM > 2001) > > [MCFW] Srisuresh, S. et al. "Middlebox Communication Architecture and > framework," work in progress. October 2001. > > [NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address Translator > (NAT) Terminology and Considerations", RFC 2663, August 1999. > > [NAT-TRAD] Srisuresh, P. and K. Egevang, "Traditional IP Network > Address Translator (Traditional NAT)", RFC 3022, January 2001. > > [PPVPN-FR] Callon, R., Suzuki, M., et al. "A Framework for Provider > Provisioned Virtual Private Networks ", work in progress, > <draft-ietf-ppvpn-framework-03.txt>, January 2002. > > [VPN-L2] Rosen, E., "An Architecture for L2VPNs," Internet-draft > <draft-ietf-ppvpn-l2vpn-00.txt>, July 2001. > > [RFC2475] Black, D., Blake, S., Carlson, M., Davies, E., Wang, Z. and W. > Weiss, "An Architecture for Differentiated Services", RFC 2475, December > 1998. > > [1] Requirements for IP Flow Export, <draft-ietf-ipfx-req-00.txt> > <http://www.ietf.org/html.charters/ipfix-charter.html> > > [2] K.Zhang, et al., "Common Reliable Accounting for Network Element > (CRANE)", <draft-kzhang-crane-protocol-02.txt>, February 2002 > > [3] G. Sadasivan, et al., "Flow Export Architecture", > <draft-cisco-ipfix-arch-00.txt>, January 2002 > > [4] Carlson, James, "PPP Design, Implementation and Debugging", Second > Edition . > > 7. Acknowledgements > We like to thank all the people contributing to the requirements > discussion on the mailing list, and the design teams for a lot of > valuable comments. > > George Carle > Tanja Zseby > Paul Calato > Dave Plonka > Kevin Zhang > KC Norseth > Phill Richards > Will Eatherton > Benoit Claise > Ganesh Sadasivan > Vamsi Valluri > Ram Gopal > Jc Martin > Carter Bullard > Juergen Quittek > Reinaldo Penno > Nevil Brownlee > Simon Leinen > > 8. Author's Addresses > > Benoit Claise > Cisco Systems > De Kleetlaan 6a b1 > 1831 Diegem > Belgium > Phone: +32 2 704 5622 > Email: bclaise@cisco.com > > Paul Calato > Riverstone Networks, Inc. > 5200 Great America Parkway > Santa Clara, CA 95054 USA > Phone: +1 (603) 557-6913 > Email: calato@riverstonenet.com > > Ganesh Sadasivan > Cisco Systems, Inc. > 170 W. Tasman Dr. > San Jose, CA 95134 > USA > Phone: +1 (408) 527-0251 > Email: gsadasiv@cisco.com > > Ram Gopal > Nokia > 5 Wayside Road, > Burlington, MA 01803 > Phone:+1 781 993 3685 > Email: ram.gopal@nokia.com > > Man Li > Nokia > 5 Wayside Road, > Burlington, MA 01803 > Phone: +1 781 993 3923 > Email: man.m.li@nokia.com > > K.C. Norseth > Enterasys Networks > 2691 S. Decker Lake Lane > Salt Lake City, Utah 84119 > Phone: +1 801 887 9823 > Email: knorseth@enterasys.com > > Reinaldo Penno > Nortel Networks, Inc. > 2305 Mission College Boulevard > Building SC9-B1240 > Santa Clara, CA 95134 > Email: rpenno@nortelnetworks.com > > Juergen Quittek > NEC Europe Ltd. > Adenauerplatz 6 > 69115 Heidelberg > Germany > Phone: +49 6221 90511-15 > EMail: quittek@ccrle.nec.de > > Kevin Zhang > XACCT Technologies, Inc. > 2900 Lakeside Drive > Santa Clara, CA 95054 > Phone +1 301 992 4697 > Email: kevin.zhang@xacct.com > > Tanja Zseby > GMD FOKUS > Kaiserin-Augusta-Allee 31 > 10589 Berlin, Germany > Phone: +49 30 3463 7153 > Email: zseby@fokus.gmd.de > > 9. Full Copyright Statement > > "Copyright (C) The Internet Society (date). All Rights Reserved. This > document and translations of it may be copied and furnished to others, > and derivative works that comment on or otherwise explain it or assist > in its implementation may be prepared, copied, published and > distributed, in whole or in part, without restriction of any kind, > provided that the above copyright notice and this paragraph are included > on all such copies and derivative works. However, this document itself > may not be modified in any way, such as by removing the copyright notice > or references to the Internet Society or other Internet organizations, > except as needed for the purpose of developing Internet standards in > which case the procedures for copyrights defined in the Internet > Standards process must be followed, or as required to translate it into. > > 10. Stuff to Add > 11. End of stuff to add > > > IPFIX Information Data Model February, 2002 > > > IPFIX WG Expires August, 2002 [Page 4] > > Gopal, Li,Zhang,Tanja Expires July 2002 [Page 1] -- Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/
- [ipfix-data] Data Doc calato
- [ipfix] Re: [ipfix-data] Data Doc K.C. Norseth
- [ipfix] Re: [ipfix-data] Data Doc calato