Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements
RFC 5610

| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (July 2009); Errata |
| Authors | Lutz Mark, Elisa Boschi, Tanja Zseby, Brian Trammell |
| Last updated | 2020-01-21 |
| RFC stream | Internet Engineering Task Force (IETF) |
| Additional resources | Mailing list discussion |
| IESG Responsible AD | Dan Romascanu |
| Send notices to | (None) |
Network Working Group                                          E. Boschi
Request for Comments: 5610                                   B. Trammell
Category: Standards Track                                 Hitachi Europe
                                                                 L. Mark
                                                         Fraunhofer IFAM
                                                                T. Zseby
                                                        Fraunhofer FOKUS
                                                               July 2009

Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements

Abstract

This document describes an extension to the IP Flow Information Export (IPFIX) protocol, which is used to represent and transmit data from IP flow measurement devices for collection, storage, and analysis, to allow the encoding of IPFIX Information Model properties within an IPFIX Message stream. This enables the export of extended type information for enterprise-specific Information Elements and the storage of such information within IPFIX Files, facilitating interoperability and reusability among a wide variety of applications and tools.

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Boschi, et al. Standards Track [Page 1]

Table of Contents

   1. Introduction ................................................ 3
      1.1. IPFIX Documents Overview ............................... 4
   2. Terminology ................................................. 4
   3. Type Information Export ..................................... 5
      3.1. informationElementDataType ............................. 5
      3.2. informationElementDescription .......................... 6
      3.3. informationElementName ................................. 7
      3.4. informationElementRangeBegin ........................... 7
      3.5. informationElementRangeEnd ............................. 7
      3.6. informationElementSemantics ............................ 8
      3.7. informationElementUnits ................................ 9
      3.8. privateEnterpriseNumber ................................ 9
      3.9. Information Element Type Options Template ............. 10
      3.10. Data Type and Semantics Restrictions ................. 12
   4. Security Considerations .................................... 13
   5. IANA Considerations ........................................ 14
   6. Acknowledgements ........................................... 15
   7. References ................................................. 15
      7.1. Normative References .................................. 15
      7.2. Informative References ................................ 16
   Appendix A. Examples .......................................... 17

1. Introduction

IP Flow Information Export (IPFIX) provides a template mechanism for the flexible description of Data Records, by defining a record as a collection of Information Elements defined in an IANA registry. However, these Templates provide limited information about the type of the described data; indeed, they encode only the size of the fields defined by these Information Elements. There presently exists no mechanism to provide full type information for these Information Elements, as is defined for the Information Elements in the IPFIX Information Model [RFC5102]. This especially limits the interoperability of enterprise-specific Information Elements.
Analysis tools that have not been developed with a priori knowledge of the types of these partially defined Information Elements cannot decode IPFIX records containing them; such tools can only treat and store them as opaque octet arrays. However, if richer information is available, additional operations such as efficient storage, display, and limited analysis of records containing enterprise-specific Information Elements become possible, even for Collecting Processes that have not been specifically developed to understand them.

This document defines a general mechanism to encode the full set of properties available for the definition of Information Elements within the IPFIX Information Model inline within an IPFIX Message stream using IPFIX Options. This mechanism may be used to fully define type information for Information Elements used within a message stream, without resorting to an external reference or reliance on out-of-band configuration, thereby improving the interoperability of enterprise-specific Information Elements.

Note that the solution described in this document is not intended as a replacement for registration with IANA of generally useful Information Elements. It introduces overhead and does not lead to real interoperability as provided by standardization. Therefore, we highly recommend standardizing all new generally useful Information Elements by registering them with IANA. Standardization is straightforward, and the type information that needs to be specified in order to support the proposed solution provides a perfect basis for the description required for standardizing the Information Element.

It might happen that an Information Element previously described by the mechanism in this document later becomes an IANA-registered, standard Information Element. In such environments, old and new versions of the Information Element can coexist. A translation between Information Elements expressed by the described solution and standardized Information Elements is therefore not necessary and is out of scope for this document.

1.1. IPFIX Documents Overview

"Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information" [RFC5101] (informally, the IPFIX Protocol document) and its associated documents define the IPFIX Protocol, which provides network engineers and administrators with access to IP traffic flow information.

"Architecture for IP Flow Information Export" [RFC5470] (the IPFIX Architecture document) defines the architecture for the export of measured IP flow information out of an IPFIX Exporting Process to an IPFIX Collecting Process, and the basic terminology used to describe the elements of this architecture, per the requirements defined in "Requirements for IP Flow Information Export" [RFC3917]. The IPFIX Protocol document [RFC5101] then covers the details of the method for transporting IPFIX Data Records and Templates via a congestion-aware transport protocol from an IPFIX Exporting Process to an IPFIX Collecting Process. "Information Model for IP Flow Information Export" [RFC5102] (informally, the IPFIX Information Model document) describes the Information Elements used by IPFIX, including details on Information Element naming, numbering, and data type encoding.

This document references the Protocol and Architecture documents for terminology and extends the IPFIX Information Model to provide new Information Elements for the representation of Information Element properties. It draws data type definitions and data type semantics definitions from the Information Model; the encodings of these data types are defined in [RFC5101].

2. Terminology

Terms used in this document that are defined in the Terminology section of the IPFIX Protocol [RFC5101] document are to be interpreted as defined there.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Type Information Export

This section describes the mechanism used to encode Information Element type information within an IPFIX Message stream. This mechanism consists of an Options Template Record used to define Information Element type records, and a set of Information Elements required by these type records.
We first specify the necessary Information Elements, followed by the structure of the Options Template describing the type records.

Note that Information Element type records require one Information Element, informationElementId, that is defined in the Packet Sampling (PSAMP) Information Model [RFC5477]. This Information Element supports references only to IANA-defined Information Elements; the privateEnterpriseNumber Information Element is required alongside informationElementId to describe enterprise-specific Information Elements.

3.1. informationElementDataType

Description: A description of the abstract data type of an IPFIX information element. These are taken from the abstract data types defined in Section 3.1 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described below. This field may take the values defined in Table 1 below.

   +-------+----------------------+
   | Value | Description          |
   +-------+----------------------+
   | 0     | octetArray           |
   | 1     | unsigned8            |
   | 2     | unsigned16           |
   | 3     | unsigned32           |
   | 4     | unsigned64           |
   | 5     | signed8              |
   | 6     | signed16             |
   | 7     | signed32             |
   | 8     | signed64             |
   | 9     | float32              |
   | 10    | float64              |
   | 11    | boolean              |
   | 12    | macAddress           |
   | 13    | string               |
   | 14    | dateTimeSeconds      |
   | 15    | dateTimeMilliseconds |
   | 16    | dateTimeMicroseconds |
   | 17    | dateTimeNanoseconds  |
   | 18    | ipv4Address          |
   | 19    | ipv6Address          |
   +-------+----------------------+

              Table 1: IE Data Type Values

These types are registered in the IANA IPFIX Information Element Data Type subregistry. This subregistry is intended to assign numbers for type names, not to provide a mechanism for adding data types to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify.

Abstract Data Type: unsigned8
ElementId: 339
Status: current
Reference: Section 3.1 of the IPFIX Information Model [RFC5102]

3.2. informationElementDescription

Description: A UTF-8 [RFC3629] encoded Unicode string containing a human-readable description of an Information Element. The content of the informationElementDescription MAY be annotated with one or more language tags [RFC4646], encoded in-line [RFC2482] within the UTF-8 string, in order to specify the language in which the description is written. Description text in multiple languages MAY tag each section with its own language tag; in this case, the description information in each language SHOULD have equivalent meaning. In the absence of any language tag, the "i-default" [RFC2277] language SHOULD be assumed. See the Security Considerations (Section 4) for notes on string handling for Information Element type records.

Abstract Data Type: string
ElementId: 340
Status: current

3.3. informationElementName

Description: A UTF-8 [RFC3629] encoded Unicode string containing the name of an Information Element, intended as a simple identifier. See the Security Considerations (Section 4) for notes on string handling for Information Element type records.

Abstract Data Type: string
ElementId: 341
Status: current

3.4. informationElementRangeBegin

Description: Contains the inclusive low end of the range of acceptable values for an Information Element.

Abstract Data Type: unsigned64
Data Type Semantics: quantity
ElementId: 342
Status: current

3.5. informationElementRangeEnd

Description: Contains the inclusive high end of the range of acceptable values for an Information Element.

Abstract Data Type: unsigned64
Data Type Semantics: quantity
ElementId: 343
Status: current

3.6. informationElementSemantics

Description: A description of the semantics of an IPFIX Information Element. These are taken from the data type semantics defined in Section 3.2 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described below. This field may take the values in Table 2 below. The special value 0x00 (default) is used to note that no semantics apply to the field; it cannot be manipulated by a Collecting Process or File Reader that does not understand it a priori.

   +-------+--------------+
   | Value | Description  |
   +-------+--------------+
   | 0     | default      |
   | 1     | quantity     |
   | 2     | totalCounter |
   | 3     | deltaCounter |
   | 4     | identifier   |
   | 5     | flags        |
   +-------+--------------+

       Table 2: IE Semantics Values

These semantics are registered in the IANA IPFIX Information Element Semantics subregistry. This subregistry is intended to assign numbers for semantics names, not to provide a mechanism for adding semantics to the IPFIX Protocol, and as such requires a Standards Action [RFC5226] to modify.

Abstract Data Type: unsigned8
ElementId: 344
Status: current
Reference: Section 3.2 of the IPFIX Information Model [RFC5102]

3.7. informationElementUnits

Description: A description of the units of an IPFIX Information Element. These correspond to the units implicitly defined in the Information Element definitions in Section 5 of the IPFIX Information Model [RFC5102]; see that section for more information on the types described below. This field may take the values in Table 3 below; the special value 0x00 (none) is used to note that the field is unitless.

   +-------+---------------+---------------------------+
   | Value | Name          | Notes                     |
   +-------+---------------+---------------------------+
   | 0     | none          |                           |
   | 1     | bits          |                           |
   | 2     | octets        |                           |
   | 3     | packets       |                           |
   | 4     | flows         |                           |
   | 5     | seconds       |                           |
   | 6     | milliseconds  |                           |
   | 7     | microseconds  |                           |
   | 8     | nanoseconds   |                           |
   | 9     | 4-octet words | for IPv4 header length    |
   | 10    | messages      | for reliability reporting |
   | 11    | hops          | for TTL                   |
   | 12    | entries       | for MPLS label stack      |
   +-------+---------------+---------------------------+

                   Table 3: IE Units Values

These types are registered in the IANA IPFIX Information Element Units subregistry; new types may be added on a First Come First Served [RFC5226] basis.

Abstract Data Type: unsigned16
ElementId: 345
Status: current
Reference: Section 5 of the IPFIX Information Model [RFC5102]

3.8. privateEnterpriseNumber

Description: A private enterprise number, as assigned by IANA. Within the context of an Information Element Type record, this element can be used along with the informationElementId element to scope properties to a specific Information Element. To export type information about an IANA-assigned Information Element, set the privateEnterpriseNumber to 0, or do not export the privateEnterpriseNumber in the type record. To export type information about an enterprise-specific Information Element, export the enterprise number in privateEnterpriseNumber, and export the Information Element number with the Enterprise bit cleared in informationElementId. The Enterprise bit in the associated informationElementId Information Element MUST be ignored by the Collecting Process.

Abstract Data Type: unsigned32
Data Type Semantics: identifier
ElementId: 346
Status: current
Reference: Sections 3.2 and 3.4.1 of the IPFIX Protocol [RFC5101]; Section 8.2.3 of the PSAMP Information Model [RFC5477].

3.9. Information Element Type Options Template

The Information Element Type Options Template attaches type information to Information Elements used within Template Records, as scoped to an Observation Domain within a Transport Session. This provides a mechanism for representing an IPFIX Information Model inline within an IPFIX Message stream. Data Records described by this template are referred to as Information Element type records.

In deployments in which interoperability across vendor implementations of IPFIX is important, an Exporting Process exporting data using Templates containing enterprise-specific Information Elements SHOULD export an Information Element type record for each enterprise-specific Information Element it exports. Collecting Processes MAY use these type records to improve handling of unknown enterprise-specific Information Elements. Exporting Processes using enterprise-specific Information Elements to implement proprietary features MAY omit type records for those Information Elements.

Information Element type records MUST be handled by Collecting Processes as scoped to the Transport Session in which they are sent; this facility is not intended to provide a method for the permanent definition of Information Elements. Similarly, for security reasons, type information for a given Information Element MUST NOT be redefined by Information Element type records, and a Collecting Process MUST NOT allow an Information Element type record to replace its own internal definition of an Information Element.

Information Element type records SHOULD NOT be duplicated in a given Observation Domain within a Transport Session. Once an Information Element type record has been exported for a given Information Element within a given Transport Session, all subsequent type records for that Information Element MUST be identical. Information Elements for which a Collecting Process receives conflicting semantic or type information MUST be ignored.

Note that while this template MAY be used to export information about any Information Element, including those registered with IANA, Exporting Processes SHOULD NOT export any type records that could be reasonably assumed to duplicate type information available at the Collecting Process. This mechanism is not intended as a replacement for Exporting and Collecting Processes keeping up to date with changes to the IANA registry; such an update mechanism is out of scope for this document.

The template SHOULD contain the Information Elements in Table 4, below, as defined in the PSAMP Information Model [RFC5477] and in this document, above.

   +-------------------------------+-----------------------------------+
   | IE                            | Description                       |
   +-------------------------------+-----------------------------------+
   | informationElementId [scope]  | The Information Element           |
   |                               | identifier of the Information     |
   |                               | Element described by this type    |
   |                               | record. This Information Element  |
   |                               | MUST be defined as a Scope Field. |
   |                               | See the PSAMP Information Model   |
   |                               | [RFC5477] for a definition of     |
   |                               | this field.                       |
   | privateEnterpriseNumber       | The Private Enterprise number of  |
   | [scope]                       | the Information Element described |
   |                               | by this type record. This         |
   |                               | Information Element MUST be       |
   |                               | defined as a Scope Field.         |
   | informationElementDataType    | The storage type of the specified |
   |                               | Information Element.              |
   | informationElementSemantics   | The semantic type of the          |
   |                               | specified Information Element.    |
   | informationElementUnits       | The units of the specified        |
   |                               | Information Element. This         |
   |                               | element SHOULD be omitted if the  |
   |                               | Information Element is a unitless |
   |                               | quantity, or not a quantity or    |
   |                               | counter.                          |
   | informationElementRangeBegin  | The low end of the range of       |
   |                               | acceptable values for the         |
   |                               | specified Information Element.    |
   |                               | This element SHOULD be omitted if |
   |                               | the beginning of the Information  |
   |                               | Element's acceptable range is     |
   |                               | defined by its data type.         |
   | informationElementRangeEnd    | The high end of the range of      |
   |                               | acceptable values for the         |
   |                               | specified Information Element.    |
   |                               | This element SHOULD be omitted if |
   |                               | the end of the Information        |
   |                               | Element's acceptable range is     |
   |                               | defined by its data type.         |
   | informationElementName        | The name of the specified         |
   |                               | Information Element.              |
   | informationElementDescription | A human-readable description of   |
   |                               | the specified Information         |
   |                               | Element. This element MAY be      |
   |                               | omitted in the interest of export |
   |                               | efficiency.                       |
   +-------------------------------+-----------------------------------+

                        Table 4: IE Type Options

3.10. Data Type and Semantics Restrictions

Note that the informationElementSemantics values defined in Section 3.2 of [RFC5102] are primarily intended to differentiate semantic interpretation of numeric values, and that not all combinations of the informationElementDataType and informationElementSemantics Information Elements are valid; e.g., a counter cannot be encoded as an IPv4 address. The following are acceptable values of informationElementSemantics:

   o  Any value is valid for unsigned informationElementDataType values ("unsigned8", "unsigned16", "unsigned32", or "unsigned64").

   o  Any value except "flags" is valid for signed informationElementDataType values ("signed8", "signed16", "signed32", or "signed64").

   o  Any value except "identifier" or "flags" is valid for floating-point informationElementDataType values ("float32" or "float64").

   o  Only "default" is valid for all other informationElementDataType values ("octetArray", "boolean", "macAddress", "string", "dateTimeSeconds", "dateTimeMilliseconds", "dateTimeMicroseconds", "dateTimeNanoseconds", "ipv4Address", or "ipv6Address").

Information Element type records containing invalid combinations of informationElementSemantics and informationElementDataType MUST NOT be sent by Exporting Processes, and MUST be ignored by Collecting Processes.

Future Standards Actions that modify the Information Element Data Type subregistry or the Information Element Semantics subregistry should contain a Data Type and Semantics Restrictions section such as this one to define allowable combinations of type and semantics information.

4. Security Considerations

The same security considerations as for the IPFIX Protocol [RFC5101] apply. In addition, attention must be paid to the handling of Information Element type records at the Collecting Process. Type information precedence rules defined above (a Collecting Process' current knowledge overrides type records; types are not redefinable during a session) are designed to minimize the opportunity for an attacker to maliciously redefine the data model.

Note that Information Element type records may contain two strings describing Information Elements: informationElementName and informationElementDescription. IPFIX strings on the wire are length-prefixed and UTF-8 [RFC3629] encoded, most often within an IPFIX variable-length Information Element, which mitigates the risk of unterminated-string attacks against IPFIX Collecting Processes. However, care should still be taken when handling strings within the type system of the Collecting Process.
First, Collecting Processes should pay particular attention to buffer sizes when converting between length-prefixed and null-terminated strings. Exporting Processes MUST NOT export, and Collecting Processes MUST ignore, any informationElementName or informationElementDescription content that contains null characters (U+0000) in order to ensure buffer and string lengths are consistent.

Also, note that there is no limit to IPFIX string length beyond that inherent in the protocol. The maximum IPFIX string length is 65512 octets (maximum message length (65535), minus message header (16), minus set header (4), minus long variable length field (3)). Specifically, although the informationElementName of all IANA Information Elements at the time of this writing is less than about 40 octets, and the informationElementDescription is less than 4096 octets, either of these Information Elements may contain strings up to 65512 octets long.

5. IANA Considerations

This document specifies several new IPFIX Information Elements in the IPFIX Information Element registry as defined in Section 3 above.
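The following is an added example of how a Collecting Process can apply the rules of Sections 3.9, 3.10 and 4 above when it receives an Information Element type record: the data type / semantics restrictions of Table 1 and Table 2, the string rules (UTF-8, no U+0000, at most 65512 octets), the Enterprise-bit handling of Section 3.8, and the precedence rules (the collector's own definition wins; a redefinition within a session causes the Information Element to be ignored). It is not code from RFC 5610 or from any IPFIX implementation; the TypeRecord layout, the result strings and the enterprise number 32473 (the number IANA reserves for documentation) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Table 1 (informationElementDataType) and Table 2 (informationElementSemantics).
DATA_TYPES = {
    0: "octetArray", 1: "unsigned8", 2: "unsigned16", 3: "unsigned32",
    4: "unsigned64", 5: "signed8", 6: "signed16", 7: "signed32",
    8: "signed64", 9: "float32", 10: "float64", 11: "boolean",
    12: "macAddress", 13: "string", 14: "dateTimeSeconds",
    15: "dateTimeMilliseconds", 16: "dateTimeMicroseconds",
    17: "dateTimeNanoseconds", 18: "ipv4Address", 19: "ipv6Address",
}
SEMANTICS = {0: "default", 1: "quantity", 2: "totalCounter",
             3: "deltaCounter", 4: "identifier", 5: "flags"}

# Section 4: 65535 (message) - 16 (message header) - 4 (set header) - 3 (varlen prefix)
MAX_STRING_OCTETS = 65512


def semantics_allowed(data_type: int, semantics: int) -> bool:
    """Section 3.10: which informationElementSemantics values fit a data type."""
    if data_type not in DATA_TYPES or semantics not in SEMANTICS:
        return False
    dt, sem = DATA_TYPES[data_type], SEMANTICS[semantics]
    if dt.startswith("unsigned"):
        return True
    if dt.startswith("signed"):
        return sem != "flags"
    if dt.startswith("float"):
        return sem not in ("identifier", "flags")
    return sem == "default"


def string_ok(value: Optional[bytes]) -> bool:
    """Section 4: valid UTF-8, no U+0000, and within the protocol's length bound."""
    if value is None:
        return True
    if b"\x00" in value or len(value) > MAX_STRING_OCTETS:
        return False
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


@dataclass(frozen=True)
class TypeRecord:
    pen: int                          # privateEnterpriseNumber; 0 for IANA IEs
    ie_id: int                        # informationElementId as received
    data_type: int
    semantics: int
    name: Optional[bytes] = None
    description: Optional[bytes] = None

    def key(self):
        # Section 3.8: the Enterprise bit of informationElementId is ignored.
        return (self.pen, self.ie_id & 0x7FFF)

    def definition(self):
        return (self.key(), self.data_type, self.semantics, self.name, self.description)


class TypeRecordStore:
    """Type records accepted for one Observation Domain within one Transport Session."""

    def __init__(self, known_ies):
        self.known = known_ies     # the Collecting Process's own IE definitions
        self.session = {}          # key -> TypeRecord accepted in this session
        self.conflicted = set()    # keys whose records disagreed; the IE is ignored

    def accept(self, rec: TypeRecord) -> str:
        key = rec.key()
        if key in self.known:
            return "ignored: internal definition takes precedence"
        if not semantics_allowed(rec.data_type, rec.semantics):
            return "ignored: invalid data type / semantics combination"
        if not (string_ok(rec.name) and string_ok(rec.description)):
            return "ignored: invalid string content"
        if key in self.conflicted:
            return "ignored: IE has conflicting type information"
        prev = self.session.get(key)
        if prev is None:
            self.session[key] = rec
            return "accepted"
        if prev.definition() == rec.definition():
            return "duplicate: identical to earlier record"
        # Redefinition attempt: the IE MUST be ignored for the rest of the session.
        del self.session[key]
        self.conflicted.add(key)
        return "ignored: conflicting redefinition, IE dropped for session"
```

The store keeps records per session only, matching the requirement that type records never become permanent definitions; a new Transport Session starts with an empty store, while the collector's own registry knowledge (passed in as known_ies) is never touched by anything received on the wire.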
IANA has assigned the following Information Element numbers for their respective Information Elements as specified below:

   o  Information Element Number 339 for the informationElementDataType Information Element

   o  Information Element Number 340 for the informationElementDescription Information Element

   o  Information Element Number 341 for the informationElementName Information Element

   o  Information Element Number 342 for the informationElementRangeBegin Information Element

   o  Information Element Number 343 for the informationElementRangeEnd Information Element

   o  Information Element Number 344 for the informationElementSemantics Information Element

   o  Information Element Number 345 for the informationElementUnits Information Element

   o  Information Element Number 346 for the privateEnterpriseNumber Information Element

IANA has created an Information Element Data Type subregistry for the values defined for the informationElementDataType Information Element. Entries may be added to this subregistry subject to a Standards Action [RFC5226].

IANA has created an Information Element Semantics subregistry for the values defined for the informationElementSemantics Information Element. Entries may be added to this subregistry subject to a Standards Action [RFC5226].

IANA has created an Information Element Units subregistry for the values defined for the informationElementUnits Information Element. Entries may be added to this subregistry on an Expert Review [RFC5226] basis.

6. Acknowledgements

Thanks to Paul Aitken and Gerhard Muenz for the detailed reviews, and to David Moore for first raising this issue to the IPFIX mailing list. Thanks to the PRISM project for its support of this work.

7. References

7.1. Normative References

   [RFC5101]  Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.

   [RFC5477]  Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", RFC 5477, March 2009.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

   [RFC2277]  Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998.

   [RFC2482]  Whistler, K. and G. Adams, "Language Tagging in Unicode Plain Text", RFC 2482, January 1999.

   [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 4646, September 2006.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

7.2. Informative References

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.

   [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.

Appendix A. Examples

The following example illustrates how the type information extension mechanism defined in this document may be used to describe the semantics of enterprise-specific Information Elements. The Information Elements used in this example are as follows:

   o  initialTCPFlags, an example private IE 14, 1 octet, the TCP flags on the first TCP packet in the flow.

   o  unionTCPFlags, an example private IE 15, 1 octet, the union of the TCP flags on all packets after the first TCP packet in the flow.
An Exporting Process exporting flows containing these Information Elements might use a Template like the following:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 2           |          Length = 52          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Template ID = 256       |        Field Count = 9        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|    flowStartSeconds 150     |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|     sourceIPv4Address 8     |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|  destinationIPv4Address 12  |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|    sourceTransportPort 7    |       Field Length = 2        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0| destinationTransportPort 11 |       Field Length = 2        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|     octetTotalCount 85      |       Field Length = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1|    (initialTCPFlags) 14     |       Field Length = 1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private Enterprise Number                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |1|     (unionTCPFlags) 15      |       Field Length = 1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private Enterprise Number                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |0|    protocolIdentifier 4     |       Field Length = 1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 1: Template with Enterprise-Specific IEs

However, a Collecting Process receiving Data Sets described by this Template can only treat the enterprise-specific Information Elements as opaque octets; specifically, there is no hint to the collector that they contain flag information. To use the type information extension mechanism to address this problem, the Exporting Process would first export the Information Element Type Options Template described in Section 3.9 above:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 3           |          Length = 26          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Template ID = 257       |        Field Count = 4        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Scope Field Count = 2     |0|  priv.EnterpriseNumber 346  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 4        |0|  informationElementId 303   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 2        |0|     inf.El.DataType 339     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 1        |0|    inf.El.Semantics 344     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Field Length = 1        |0|       inf.El.Name 341       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Field Length = 65536      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

       Figure 2: Example Information Element Type Options Template

Then, the Exporting Process would export two records described by the Example Information Element Type Options Template to describe the enterprise-specific Information Elements:

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Set ID = 257          |          Length = 50          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private Enterprise Number                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |X|            IE 14            |0x01 unsigned8 |  0x05 flags   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   15 length   |                                               |
   +-+-+-+-+-+-+-+-+                                               |
   |                       "initialTCPFlags"                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Private Enterprise Number                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |X|            IE 15            |0x01 unsigned8 |  0x05 flags   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   13 length   |                                               |
   +-+-+-+-+-+-+-+-+                "unionTCPFlags"                |
   |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                      Figure 3: Type Record Example

Authors' Addresses

   Elisa Boschi
   Hitachi Europe
   c/o ETH Zurich
   Gloriastrasse 35
   8092 Zurich
   Switzerland

   Phone: +41 44 632 70 57
   EMail: elisa.boschi@hitachi-eu.com

   Brian Trammell
   Hitachi Europe
   c/o ETH Zurich
   Gloriastrasse 35
   8092 Zurich
   Switzerland

   Phone: +41 44 632 70 13
   EMail: brian.trammell@hitachi-eu.com

   Lutz Mark
   Fraunhofer Institute for Manufacturing Technology and Applied Materials Research
   Wiener Str. 12
   28359 Bremen
   Germany

   Phone: +49 421 2246206
   EMail: lutz.mark@ifam.fraunhofer.de

   Tanja Zseby
   Fraunhofer Institute for Open Communication Systems
   Kaiserin-Augusta-Allee 31
   10589 Berlin
   Germany

   Phone: +49 30 3463 7153
   EMail: tanja.zseby@fokus.fraunhofer.de
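As an added example of the wire encoding behind Section 3.9 and Appendix A, the Python below builds the Information Element Type Options Template of Figure 2 and the two type records of Figure 3, then parses them back the way a Collecting Process would. It is not code from RFC 5610 or from any IPFIX implementation. Assumptions: the Private Enterprise Number left blank in the figures is 32473 (the number IANA reserves for documentation); the variable-length informationElementName field is announced with a Field Length of 65535 (0xFFFF), which is the value RFC 5101 uses for variable-length fields, and carried with the one-octet length prefix; and the Data Set carries no padding. Set Length and Field Count are computed from the field list, so for the five field specifiers Figure 2 lists they come to 30 and 5 (the figure shows 26 and 4, the values for a four-field template), while the Data Set length of 50 matches Figure 3 exactly.

```python
import struct

EXAMPLE_PEN = 32473   # IANA's documentation-example enterprise number (assumed here)
VARLEN = 0xFFFF       # Field Length value RFC 5101 uses for variable-length fields

TYPE_TEMPLATE_ID = 257
SCOPE_FIELD_COUNT = 2
# (informationElementId, Field Length) in Figure 2 order; the first two are scope fields.
TYPE_TEMPLATE_FIELDS = [(346, 4), (303, 2), (339, 1), (344, 1), (341, VARLEN)]


def encode_options_template_set() -> bytes:
    """Options Template Set (Set ID 3) carrying the type-record template."""
    body = struct.pack("!HHH", TYPE_TEMPLATE_ID, len(TYPE_TEMPLATE_FIELDS),
                       SCOPE_FIELD_COUNT)
    for ie_id, length in TYPE_TEMPLATE_FIELDS:
        # All five IEs are IANA-assigned, so the Enterprise bit stays clear.
        body += struct.pack("!HH", ie_id, length)
    return struct.pack("!HH", 3, 4 + len(body)) + body


def encode_type_record(pen, ie_id, data_type, semantics, name: bytes) -> bytes:
    """One Data Record in the template-257 layout; Section 3.8: Enterprise bit cleared."""
    if len(name) > 254:
        raise ValueError("only the one-octet variable-length prefix is handled here")
    return (struct.pack("!IHBB", pen, ie_id & 0x7FFF, data_type, semantics)
            + bytes([len(name)]) + name)


def encode_type_data_set(records) -> bytes:
    """Data Set whose Set ID is the Template ID (257), as in Figure 3; no padding."""
    body = b"".join(encode_type_record(*r) for r in records)
    return struct.pack("!HH", TYPE_TEMPLATE_ID, 4 + len(body)) + body


def decode_options_template_set(data: bytes):
    """Return (template_id, scope_field_count, [(ie_id, length), ...])."""
    set_id, set_len = struct.unpack_from("!HH", data, 0)
    if set_id != 3 or set_len != len(data):
        raise ValueError("not a well-formed Options Template Set")
    tid, count, scope = struct.unpack_from("!HHH", data, 4)
    if 10 + 4 * count != set_len:
        raise ValueError("Field Count and Set Length disagree")
    fields = [struct.unpack_from("!HH", data, 10 + 4 * i) for i in range(count)]
    return tid, scope, fields


def decode_type_data_set(data: bytes, fields):
    """Decode the records of a Data Set using the template's field list."""
    set_id, set_len = struct.unpack_from("!HH", data, 0)
    if set_id < 256 or set_len != len(data):
        raise ValueError("not a well-formed Data Set")
    records, off = [], 4
    while off < set_len:
        rec = {}
        for ie_id, length in fields:
            if length == VARLEN:
                n = data[off]
                off += 1
                if n == 255:
                    raise ValueError("three-octet variable-length prefix not handled here")
                rec[ie_id] = data[off:off + n]
                off += n
            else:
                value = int.from_bytes(data[off:off + length], "big")
                if ie_id == 303:          # Section 3.8: ignore the Enterprise bit
                    value &= 0x7FFF
                rec[ie_id] = value
                off += length
        records.append(rec)
    return records


def appendix_a_records():
    """The two type records of Figure 3 (data type 1 = unsigned8, semantics 5 = flags)."""
    return [(EXAMPLE_PEN, 14, 1, 5, b"initialTCPFlags"),
            (EXAMPLE_PEN, 15, 1, 5, b"unionTCPFlags")]
```

Decoding keys each record by informationElementId number (346, 303, 339, 344, 341), so a collector can look up the data type and semantics of private IE 14 and IE 15 under the enterprise number it received, which is exactly the hint Figure 1 alone does not give it.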