7. Examples
This section shows example configurations conforming to the YANG module specified in Section 6.

7.1. PSAMP Device
This configuration example configures two Observation Points capturing ingress traffic at eth0 and all traffic at eth1. Both Observed Packet Streams enter two different Selection Processes. The first Selection Process implements a Composite Selector of a filter for UDP packets and a random sampler. The second Selection Process implements a Primitive Selector of an ICMP filter. The Selected Packet Streams of both Selection Processes enter the same Cache. The Cache generates a PSAMP Packet Report for every selected packet. The associated Exporting Process exports to a Collector using PR-SCTP and DTLS. The TLS/DTLS parameters specify that the Collector must supply a certificate for the FQDN coll-1.example.net. Valid certificates from any certification authority will be accepted; this is adequate for an example, but a production configuration should also restrict the certification authority it trusts for the Collector. As the destination transport port is omitted, the standard IPFIX-over-DTLS port 4740 is used.

The parameters of the Selection Processes are reported as Selection Sequence Report Interpretations and Selector Report Interpretations [RFC5476]. There will be two Selection Sequence Report Interpretations per Selection Process, one for each Observation Point. Selection Sequence Statistics Report Interpretations are exported every 30 seconds (30000 milliseconds).

<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
  <observationPoint>
    <name>OP at eth0 (ingress)</name>
    <observationDomainId>123</observationDomainId>
    <ifName>eth0</ifName>
    <direction>ingress</direction>
    <selectionProcess>Sampled UDP packets</selectionProcess>
    <selectionProcess>ICMP packets</selectionProcess>
  </observationPoint>
  <observationPoint>
    <name>OP at eth1</name>
    <observationDomainId>123</observationDomainId>
    <ifName>eth1</ifName>
    <selectionProcess>Sampled UDP packets</selectionProcess>
    <selectionProcess>ICMP packets</selectionProcess>
  </observationPoint>
  <selectionProcess>
    <name>Sampled UDP packets</name>
    <selector>
      <name>UDP filter</name>
      <filterMatch>
        <ieId>4</ieId>
        <value>17</value>
      </filterMatch>
    </selector>
    <selector>
      <name>10-out-of-100 sampler</name>
      <sampRandOutOfN>
        <size>10</size>
        <population>100</population>
      </sampRandOutOfN>
    </selector>
    <cache>PSAMP cache</cache>
  </selectionProcess>
  <selectionProcess>
    <name>ICMP packets</name>
    <selector>
      <name>ICMP filter</name>
      <filterMatch>
        <ieId>4</ieId>
        <value>1</value>
      </filterMatch>
    </selector>
    <cache>PSAMP cache</cache>
  </selectionProcess>
  <cache>
    <name>PSAMP cache</name>
    <immediateCache>
      <cacheLayout>
        <cacheField>
          <name>Field 1: ipHeaderPacketSection</name>
          <ieId>313</ieId>
          <ieLength>64</ieLength>
        </cacheField>
        <cacheField>
          <name>Field 2: observationTimeMilliseconds</name>
          <ieId>322</ieId>
        </cacheField>
      </cacheLayout>
    </immediateCache>
    <exportingProcess>The only exporter</exportingProcess>
  </cache>
  <exportingProcess>
    <name>The only exporter</name>
    <destination>
      <name>PR-SCTP collector</name>
      <sctpExporter>
        <destinationIPAddress>192.0.2.1</destinationIPAddress>
        <rateLimit>1000000</rateLimit>
        <timedReliability>500</timedReliability>
        <transportLayerSecurity>
          <remoteSubjectFQDN>coll-1.example.net</remoteSubjectFQDN>
        </transportLayerSecurity>
      </sctpExporter>
    </destination>
    <options>
      <name>Options 1</name>
      <optionsType>selectionSequence</optionsType>
      <optionsTimeout>0</optionsTimeout>
    </options>
    <options>
      <name>Options 2</name>
      <optionsType>selectionStatistics</optionsType>
      <optionsTimeout>30000</optionsTimeout>
    </options>
  </exportingProcess>
</ipfix>

The above configuration results in one Template and six Options Templates. For the remainder of the example, we assume Template ID 256 for the Template and Template IDs 257 to 262 for the Options Templates. The Template is used to export the Packet Reports and has the following fields:

Template ID: 256
  ipHeaderPacketSection (elementId = 313, length = 64)
  observationTimeMilliseconds (elementId = 322, length = 8)
Two Options Templates are used for the Selection Sequence Report Interpretations. The first one has one selectorId field and is used for the Selection Process "ICMP packets". The second one has two selectorId fields to describe the two selectors of the Selection Process "Sampled UDP packets".

Template ID: 257
  Scope: selectionSequenceId (elementId = 301, length = 8)
  observationPointId (elementId = 138, length = 4)
  selectorId (elementId = 302, length = 4)

Template ID: 258
  Scope: selectionSequenceId (elementId = 301, length = 8)
  observationPointId (elementId = 138, length = 4)
  selectorId (elementId = 302, length = 4)
  selectorId (elementId = 302, length = 4)

Another Options Template is used to carry the Property Match Filtering Selector Report Interpretation for the Selectors "UDP filter" and "ICMP filter":

Template ID: 259
  Scope: selectorId (elementId = 302, length = 4)
  selectorAlgorithm (elementId = 304, length = 2)
  protocolIdentifier (elementId = 4, length = 1)

Yet another Options Template is used to carry the Random n-out-of-N Sampling Selector Report Interpretation for the Selector "10-out-of-100 sampler":

Template ID: 260
  Scope: selectorId (elementId = 302, length = 4)
  selectorAlgorithm (elementId = 304, length = 2)
  samplingSize (elementId = 309, length = 4)
  samplingPopulation (elementId = 310, length = 4)

The last two Options Templates are used to carry the Selection Sequence Statistics Report Interpretation for the Selection Processes, containing the statistics for one and two Selectors, respectively:

Template ID: 261
  Scope: selectionSequenceId (elementId = 301, length = 8)
  selectorIdTotalPktsObserved (elementId = 318, length = 8)
  selectorIdTotalPktsSelected (elementId = 319, length = 8)

Template ID: 262
  Scope: selectionSequenceId (elementId = 301, length = 8)
  selectorIdTotalPktsObserved (elementId = 318, length = 8)
  selectorIdTotalPktsSelected (elementId = 319, length = 8)
  selectorIdTotalPktsObserved (elementId = 318, length = 8)
  selectorIdTotalPktsSelected (elementId = 319, length = 8)

After a short runtime, 100 packets have been observed at the two Observation Points, including 20 UDP and 5 ICMP packets. Three of the UDP packets are selected by the random sampler, which results in a total of 8 Packet Reports generated by the Cache. Under these circumstances, the complete configuration and state data of the PSAMP Device may look as follows:

<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
  <observationPoint>
    <name>OP at eth0 (ingress)</name>
    <observationPointId>1</observationPointId>
    <observationDomainId>123</observationDomainId>
    <ifName>eth0</ifName>
    <direction>ingress</direction>
    <selectionProcess>Sampled UDP packets</selectionProcess>
    <selectionProcess>ICMP packets</selectionProcess>
  </observationPoint>
  <observationPoint>
    <name>OP at eth1</name>
    <observationPointId>2</observationPointId>
    <observationDomainId>123</observationDomainId>
    <ifName>eth1</ifName>
    <direction>both</direction>
    <selectionProcess>Sampled UDP packets</selectionProcess>
    <selectionProcess>ICMP packets</selectionProcess>
  </observationPoint>
  <selectionProcess>
    <name>Sampled UDP packets</name>
    <selector>
      <name>UDP filter</name>
      <filterMatch>
        <ieId>4</ieId>
        <value>17</value>
      </filterMatch>
      <packetsObserved>100</packetsObserved>
      <packetsDropped>80</packetsDropped>
      <selectorDiscontinuityTime>2010-03-15T00:00:00.00Z</selectorDiscontinuityTime>
    </selector>
    <selector>
      <name>10-out-of-100 sampler</name>
      <sampRandOutOfN>
        <size>10</size>
        <population>100</population>
      </sampRandOutOfN>
      <packetsObserved>20</packetsObserved>
      <packetsDropped>17</packetsDropped>
      <selectorDiscontinuityTime>2010-03-15T00:00:00.00Z</selectorDiscontinuityTime>
    </selector>
    <selectionSequence>
      <observationDomainId>123</observationDomainId>
      <selectionSequenceId>1</selectionSequenceId>
    </selectionSequence>
    <selectionSequence>
      <observationDomainId>123</observationDomainId>
      <selectionSequenceId>2</selectionSequenceId>
    </selectionSequence>
    <cache>PSAMP cache</cache>
  </selectionProcess>
  <selectionProcess>
    <name>ICMP packets</name>
    <selector>
      <name>ICMP filter</name>
      <filterMatch>
        <ieId>4</ieId>
        <value>1</value>
      </filterMatch>
      <packetsObserved>100</packetsObserved>
      <packetsDropped>95</packetsDropped>
      <selectorDiscontinuityTime>2010-03-15T00:00:00.00Z</selectorDiscontinuityTime>
    </selector>
    <selectionSequence>
      <observationDomainId>123</observationDomainId>
      <selectionSequenceId>3</selectionSequenceId>
    </selectionSequence>
    <selectionSequence>
      <observationDomainId>123</observationDomainId>
      <selectionSequenceId>4</selectionSequenceId>
    </selectionSequence>
    <cache>PSAMP cache</cache>
  </selectionProcess>
  <cache>
    <name>PSAMP cache</name>
    <meteringProcessId>1</meteringProcessId>
    <immediateCache>
      <cacheLayout>
        <cacheField>
          <name>Field 1: ipHeaderPacketSection</name>
          <ieId>313</ieId>
          <ieLength>64</ieLength>
        </cacheField>
        <cacheField>
          <name>Field 2: observationTimeMilliseconds</name>
          <ieId>322</ieId>
        </cacheField>
      </cacheLayout>
    </immediateCache>
    <dataRecords>8</dataRecords>
    <cacheDiscontinuityTime>2010-03-15T00:00:00.00Z</cacheDiscontinuityTime>
    <exportingProcess>The only exporter</exportingProcess>
  </cache>
  <exportingProcess>
    <name>The only exporter</name>
    <exportingProcessId>1</exportingProcessId>
    <exportMode>parallel</exportMode>
    <destination>
      <name>PR-SCTP collector</name>
      <sctpExporter>
        <ipfixVersion>10</ipfixVersion>
        <destinationIPAddress>192.0.2.1</destinationIPAddress>
        <destinationPort>4740</destinationPort>
        <sendBufferSize>32768</sendBufferSize>
        <rateLimit>1000000</rateLimit>
        <timedReliability>500</timedReliability>
        <transportLayerSecurity>
          <remoteSubjectFQDN>coll-1.example.net</remoteSubjectFQDN>
        </transportLayerSecurity>
        <transportSession>
          <ipfixVersion>10</ipfixVersion>
          <sourceAddress>192.0.2.100</sourceAddress>
          <destinationAddress>192.0.2.1</destinationAddress>
          <sourcePort>45687</sourcePort>
          <destinationPort>4740</destinationPort>
          <sctpAssocId>1</sctpAssocId>
          <status>active</status>
          <rate>230</rate>
          <bytes>978</bytes>
          <messages>3</messages>
          <records>19</records>
          <templates>1</templates>
          <optionsTemplates>6</optionsTemplates>
          <transportSessionStartTime>2010-03-15T00:00:00.50Z</transportSessionStartTime>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>256</templateId>
            <setId>2</setId>
            <accessTime>2010-03-15T00:00:02.15Z</accessTime>
            <templateDataRecords>8</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>313</ieId>
              <ieLength>64</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>322</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>257</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:02.15Z</accessTime>
            <templateDataRecords>2</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>301</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>138</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>302</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>258</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:02.15Z</accessTime>
            <templateDataRecords>2</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>301</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>138</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>302</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>302</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>259</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:02.15Z</accessTime>
            <templateDataRecords>2</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>302</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>304</ieId>
              <ieLength>2</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>4</ieId>
              <ieLength>1</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>260</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:02.15Z</accessTime>
            <templateDataRecords>1</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>302</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>304</ieId>
              <ieLength>2</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>309</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>310</ieId>
              <ieLength>4</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>261</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:03.10Z</accessTime>
            <templateDataRecords>2</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>301</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>318</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>319</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
          <template>
            <observationDomainId>123</observationDomainId>
            <templateId>262</templateId>
            <setId>3</setId>
            <accessTime>2010-03-15T00:00:03.10Z</accessTime>
            <templateDataRecords>2</templateDataRecords>
            <templateDiscontinuityTime>2010-03-15T00:00:01.10Z</templateDiscontinuityTime>
            <field>
              <ieId>301</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
              <isScope/>
            </field>
            <field>
              <ieId>318</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>319</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>318</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
            <field>
              <ieId>319</ieId>
              <ieLength>8</ieLength>
              <ieEnterpriseNumber>0</ieEnterpriseNumber>
            </field>
          </template>
        </transportSession>
      </sctpExporter>
    </destination>
    <options>
      <name>Options 1</name>
      <optionsType>selectionSequence</optionsType>
      <optionsTimeout>0</optionsTimeout>
    </options>
    <options>
      <name>Options 2</name>
      <optionsType>selectionStatistics</optionsType>
      <optionsTimeout>30000</optionsTimeout>
    </options>
  </exportingProcess>
</ipfix>

7.2. IPFIX Device
This configuration example demonstrates the shared usage of a Cache for maintaining Flow Records from two Observation Points belonging to different Observation Domains. Packets are selected using different Sampling techniques: count-based Sampling for the first Observation Point (eth0) and selection of all packets for the second Observation Point (eth1). The Exporting Process sends the Flow Records to a primary destination using SCTP. A UDP Collector is specified as secondary destination. Neither destination configures transportLayerSecurity, so the exported Flow Records are neither authenticated nor encrypted in transit (see Section 8). Exporting Process reliability statistics [RFC5101] are exported periodically every minute (60000 milliseconds). Selection Sequence Report Interpretations and Selector Report Interpretations [RFC5476] are exported once after configuring the Selection Processes. In total, two Selection Sequence Report Interpretations will be exported, one for each Selection Process.

<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
  <observationPoint>
    <name>OP at eth0 (ingress)</name>
    <observationDomainId>123</observationDomainId>
    <ifName>eth0</ifName>
    <direction>ingress</direction>
    <selectionProcess>Count-based packet selection</selectionProcess>
  </observationPoint>
  <observationPoint>
    <name>OP at eth1</name>
    <observationDomainId>456</observationDomainId>
    <ifName>eth1</ifName>
    <selectionProcess>All packet selection</selectionProcess>
  </observationPoint>
  <selectionProcess>
    <name>Count-based packet selection</name>
    <selector>
      <name>Count-based sampler</name>
      <sampCountBased>
        <packetInterval>1</packetInterval>
        <packetSpace>99</packetSpace>
      </sampCountBased>
    </selector>
    <cache>Flow cache</cache>
  </selectionProcess>
  <selectionProcess>
    <name>All packet selection</name>
    <selector>
      <name>Select all</name>
      <selectAll/>
    </selector>
    <cache>Flow cache</cache>
  </selectionProcess>
  <cache>
    <name>Flow cache</name>
    <timeoutCache>
      <maxFlows>4096</maxFlows>
      <activeTimeout>5000</activeTimeout>
      <idleTimeout>10000</idleTimeout>
      <cacheLayout>
        <cacheField>
          <name>Field 1</name>
          <ieName>sourceIPv4Address</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 2</name>
          <ieName>destinationIPv4Address</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 3</name>
          <ieName>protocolIdentifier</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 4</name>
          <ieName>sourceTransportPort</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 5</name>
          <ieName>destinationTransportPort</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 6</name>
          <ieName>flowStartMilliseconds</ieName>
        </cacheField>
        <cacheField>
          <name>Field 7</name>
          <ieName>flowEndSeconds</ieName>
        </cacheField>
        <cacheField>
          <name>Field 8</name>
          <ieName>octetDeltaCount</ieName>
        </cacheField>
        <cacheField>
          <name>Field 9</name>
          <ieName>packetDeltaCount</ieName>
        </cacheField>
      </cacheLayout>
    </timeoutCache>
    <exportingProcess>SCTP export with UDP backup</exportingProcess>
  </cache>
  <exportingProcess>
    <name>SCTP export with UDP backup</name>
    <exportMode>fallback</exportMode>
    <destination>
      <name>SCTP destination (primary)</name>
      <sctpExporter>
        <destinationPort>4739</destinationPort>
        <destinationIPAddress>192.0.2.1</destinationIPAddress>
      </sctpExporter>
    </destination>
    <destination>
      <name>UDP destination (secondary)</name>
      <udpExporter>
        <destinationPort>4739</destinationPort>
        <destinationIPAddress>192.0.2.2</destinationIPAddress>
        <templateRefreshTimeout>300</templateRefreshTimeout>
        <optionsTemplateRefreshTimeout>300</optionsTemplateRefreshTimeout>
      </udpExporter>
    </destination>
    <options>
      <name>Options 1</name>
      <optionsType>selectionSequence</optionsType>
      <optionsTimeout>0</optionsTimeout>
    </options>
    <options>
      <name>Options 2</name>
      <optionsType>exportingReliability</optionsType>
      <optionsTimeout>60000</optionsTimeout>
    </options>
  </exportingProcess>
</ipfix>

7.3. Export of Flow Records and Packet Reports
This configuration example demonstrates the combined export of Flow Records and Packet Reports for a single Observation Point. One Selection Process applies random Sampling to the Observed Packet Stream. Its output is passed to a Cache generating Flow Records. In parallel, the Observed Packet Stream enters a second Selection Process that discards all non-ICMP packets and passes the selected packets to a second Cache for generating Packet Reports. The output of both Caches is exported to a single Collector using SCTP.

<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
  <observationPoint>
    <name>OP at linecard 3</name>
    <observationDomainId>9876</observationDomainId>
    <ifIndex>4</ifIndex>
    <direction>ingress</direction>
    <selectionProcess>Sampling</selectionProcess>
    <selectionProcess>ICMP</selectionProcess>
  </observationPoint>
  <selectionProcess>
    <name>Sampling</name>
    <selector>
      <name>Random sampler</name>
      <sampUniProb>
        <probability>0.01</probability>
      </sampUniProb>
    </selector>
    <cache>Flow cache</cache>
  </selectionProcess>
  <selectionProcess>
    <name>ICMP</name>
    <selector>
      <name>ICMP filter</name>
      <filterMatch>
        <ieId>4</ieId>
        <value>1</value>
      </filterMatch>
    </selector>
    <cache>Packet reporting</cache>
  </selectionProcess>
  <cache>
    <name>Flow cache</name>
    <timeoutCache>
      <maxFlows>4096</maxFlows>
      <activeTimeout>5</activeTimeout>
      <idleTimeout>10</idleTimeout>
      <cacheLayout>
        <cacheField>
          <name>Field 1</name>
          <ieName>sourceIPv4Address</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 2</name>
          <ieName>destinationIPv4Address</ieName>
          <isFlowKey/>
        </cacheField>
        <cacheField>
          <name>Field 6</name>
          <ieName>flowStartMilliseconds</ieName>
        </cacheField>
        <cacheField>
          <name>Field 7</name>
          <ieName>flowEndSeconds</ieName>
        </cacheField>
        <cacheField>
          <name>Field 8</name>
          <ieName>octetDeltaCount</ieName>
        </cacheField>
        <cacheField>
          <name>Field 9</name>
          <ieName>packetDeltaCount</ieName>
        </cacheField>
      </cacheLayout>
    </timeoutCache>
    <exportingProcess>Export</exportingProcess>
  </cache>
  <cache>
    <name>Packet reporting</name>
    <immediateCache>
      <cacheLayout>
        <cacheField>
          <name>Field 1</name>
          <ieId>313</ieId>
          <ieLength>64</ieLength>
        </cacheField>
        <cacheField>
          <name>Field 2</name>
          <ieId>154</ieId>
        </cacheField>
      </cacheLayout>
    </immediateCache>
    <exportingProcess>Export</exportingProcess>
  </cache>
  <exportingProcess>
    <name>Export</name>
    <destination>
      <name>SCTP collector</name>
      <sctpExporter>
        <destinationIPAddress>192.0.2.1</destinationIPAddress>
        <timedReliability>0</timedReliability>
      </sctpExporter>
    </destination>
    <options>
      <name>Options 1</name>
      <optionsType>selectionSequence</optionsType>
      <optionsTimeout>0</optionsTimeout>
    </options>
  </exportingProcess>
</ipfix>
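The three configurations above are easy to get subtly wrong by hand: a Selection Process can name a Cache that does not exist, a destination can silently export without TLS/DTLS (as the UDP backup in Section 7.2 and the SCTP destination in Section 7.3 do), and the state counters of Section 7.1 only make sense if each selector of a Composite Selector observed exactly what the previous one let through. The following Python script is an added example, not code from RFC 6728 or from any IPFIX implementation. It relies only on the module namespace and node names used in Sections 7.1 to 7.3; its sample document is constructed for the example (a trimmed copy of the Section 7.1 state data plus an added UDP destination without transportLayerSecurity).

```python
"""Checks for an ietf-ipfix-psamp <ipfix> document (added example; not code
from RFC 6728 or any IPFIX implementation): dangling name references,
network destinations without transportLayerSecurity, and selector counters
that must chain through a Composite Selector and add up to the dataRecords
of an immediateCache.  SAMPLE is constructed: a trimmed Section 7.1 state
document plus a UDP destination without TLS/DTLS."""
import xml.etree.ElementTree as ET

NS = {"ipfix": "urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp"}
# Exporter containers of the module that send IPFIX Messages over the network.
NETWORK_EXPORTERS = ("sctpExporter", "udpExporter", "tcpExporter")
# (container, leafref child): each child value must name a top-level node.
LEAFREFS = (("observationPoint", "selectionProcess"), ("selectionProcess", "cache"),
            ("cache", "exportingProcess"), ("collectingProcess", "exportingProcess"))


def _name(node):
    return node.findtext("ipfix:name", namespaces=NS)


def dangling_references(root):
    """Return 'container name -> kind target' for every unresolved reference."""
    known = {kind: {_name(n) for n in root.findall(f"ipfix:{kind}", NS)}
             for _, kind in LEAFREFS}
    problems = []
    for container, kind in LEAFREFS:
        for node in root.findall(f"ipfix:{container}", NS):
            for ref in node.findall(f"ipfix:{kind}", NS):
                if ref.text not in known[kind]:
                    problems.append(f"{container} {_name(node)!r} -> {kind} {ref.text!r}")
    return problems


def unprotected_destinations(root):
    """(destination name, exporter kind) for network exports lacking TLS/DTLS."""
    found = []
    for ep in root.findall("ipfix:exportingProcess", NS):
        for dst in ep.findall("ipfix:destination", NS):
            for kind in NETWORK_EXPORTERS:
                exporter = dst.find(f"ipfix:{kind}", NS)
                if exporter is not None and exporter.find("ipfix:transportLayerSecurity", NS) is None:
                    found.append((_name(dst), kind))
    return found


def selected_packets(selection_process):
    """Packets leaving a Selection Process, or None if counters are absent or
    inconsistent: selector i+1 must have observed what selector i did not drop."""
    expected = None
    for sel in selection_process.findall("ipfix:selector", NS):
        observed = sel.findtext("ipfix:packetsObserved", namespaces=NS)
        dropped = sel.findtext("ipfix:packetsDropped", namespaces=NS)
        if observed is None or dropped is None:
            return None
        if expected is not None and int(observed) != expected:
            return None
        expected = int(observed) - int(dropped)
    return expected


def immediate_cache_records(root):
    """cache name -> (packets selected into it, reported dataRecords).
    Only an immediateCache emits one Packet Report per selected packet; a
    timeoutCache aggregates packets into Flows and is therefore skipped."""
    fed = {}
    for sp in root.findall("ipfix:selectionProcess", NS):
        count = selected_packets(sp)
        if count is not None:
            for ref in sp.findall("ipfix:cache", NS):
                fed[ref.text] = fed.get(ref.text, 0) + count
    result = {}
    for cache in root.findall("ipfix:cache", NS):
        records = cache.findtext("ipfix:dataRecords", namespaces=NS)
        if cache.find("ipfix:immediateCache", NS) is not None and records is not None:
            result[_name(cache)] = (fed.get(_name(cache), 0), int(records))
    return result


def run_checks(xml_text):
    root = ET.fromstring(xml_text)
    return {"dangling": dangling_references(root),
            "unprotected": unprotected_destinations(root),
            "caches": immediate_cache_records(root)}


SAMPLE = """<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
<observationPoint><name>OP at eth0</name><observationDomainId>123</observationDomainId><ifName>eth0</ifName>
<selectionProcess>Sampled UDP packets</selectionProcess><selectionProcess>ICMP packets</selectionProcess></observationPoint>
<selectionProcess><name>Sampled UDP packets</name>
<selector><name>UDP filter</name><filterMatch><ieId>4</ieId><value>17</value></filterMatch>
<packetsObserved>100</packetsObserved><packetsDropped>80</packetsDropped></selector>
<selector><name>10-out-of-100 sampler</name><sampRandOutOfN><size>10</size><population>100</population></sampRandOutOfN>
<packetsObserved>20</packetsObserved><packetsDropped>17</packetsDropped></selector>
<cache>PSAMP cache</cache></selectionProcess>
<selectionProcess><name>ICMP packets</name><selector><name>ICMP filter</name>
<filterMatch><ieId>4</ieId><value>1</value></filterMatch>
<packetsObserved>100</packetsObserved><packetsDropped>95</packetsDropped></selector>
<cache>PSAMP cache</cache></selectionProcess>
<cache><name>PSAMP cache</name><immediateCache><cacheLayout><cacheField><name>Field 1</name>
<ieId>313</ieId><ieLength>64</ieLength></cacheField></cacheLayout></immediateCache>
<dataRecords>8</dataRecords><exportingProcess>The only exporter</exportingProcess></cache>
<exportingProcess><name>The only exporter</name>
<destination><name>PR-SCTP collector</name><sctpExporter><destinationIPAddress>192.0.2.1</destinationIPAddress>
<transportLayerSecurity><remoteSubjectFQDN>coll-1.example.net</remoteSubjectFQDN></transportLayerSecurity>
</sctpExporter></destination><destination><name>UDP backup</name><udpExporter>
<destinationIPAddress>192.0.2.2</destinationIPAddress></udpExporter></destination></exportingProcess></ipfix>"""
```

`run_checks(SAMPLE)` reports no dangling references, the UDP backup as the one unprotected destination, and (8, 8) for the PSAMP cache: 100 - 80 = 20 packets pass the UDP filter, the sampler keeps 20 - 17 = 3, the ICMP filter keeps 100 - 95 = 5, and 3 + 5 matches the 8 dataRecords. Pointing the first `<cache>` reference at a non-existent name produces a dangling reference and a cache fed by only the 5 ICMP packets; changing the sampler's packetsObserved to anything but 20 breaks the chain and that Selection Process is excluded from the sum.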
7.4. Collector and File Writer
This configuration example configures a Collector that writes the received data to a file. Note that the file URI needs three slashes for an absolute path: "file:///tmp/..." denotes the local directory /tmp, whereas "file://tmp/..." would name a host called "tmp".

<ipfix xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp">
  <collectingProcess>
    <name>SCTP collector</name>
    <sctpCollector>
      <name>Listening port 4739</name>
      <localPort>4739</localPort>
      <localIPAddress>192.0.2.1</localIPAddress>
    </sctpCollector>
    <exportingProcess>File writer</exportingProcess>
  </collectingProcess>
  <exportingProcess>
    <name>File writer</name>
    <destination>
      <name>Write to /tmp folder</name>
      <fileWriter>
        <file>file:///tmp/collected-records.ipfix</file>
      </fileWriter>
    </destination>
  </exportingProcess>
</ipfix>
7.5. Deviations
Assume that a Monitoring Device has only two interfaces, ifIndex=1 and ifIndex=2, which can be configured as Observation Points. The Observation Point ID is always identical to the ifIndex. The following YANG module specifies these deviations.

module my-ipfix-psamp-deviation {
  namespace "urn:my-company:xml:ns:ietf-ipfix-psamp";
  prefix my;

  import ietf-ipfix-psamp {
    prefix ipfix;
  }

  deviation /ipfix:ipfix/ipfix:observationPoint/ipfix:entPhysicalIndex {
    deviate not-supported;
  }

  deviation /ipfix:ipfix/ipfix:observationPoint/ipfix:entPhysicalName {
    deviate not-supported;
  }

  deviation /ipfix:ipfix/ipfix:observationPoint/ipfix:ifName {
    deviate not-supported;
  }

  deviation /ipfix:ipfix/ipfix:observationPoint {
    deviate add {
      must "ipfix:ifIndex=1 or ipfix:ifIndex=2";
    }
  }

  deviation /ipfix:ipfix/ipfix:observationPoint/ipfix:observationPointId {
    deviate add {
      must "current()=../ipfix:ifIndex";
    }
  }
}

8. Security Considerations
The YANG module defined in this memo is designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is SSH [RFC6242].

There are a number of data nodes defined in this YANG module which are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:

/ipfix/observationPoint
   The configuration parameters in this subtree specify where packets are observed and by which Selection Processes they will be processed. Write access to this subtree allows observing packets at arbitrary interfaces or linecards of the Monitoring Device and may thus lead to the export of sensitive traffic information.

/ipfix/selectionProcess
   The configuration parameters in this subtree specify for which packets information will be reported in Packet Reports or Flow Records. Write access to this subtree allows changing the subset of packets for which information will be reported and may thus lead to the export of sensitive traffic information.

/ipfix/cache
   The configuration parameters in this subtree specify the fields included in Packet Reports or Flow Records. Write access to this subtree allows adding fields which may contain sensitive traffic information, such as IP addresses or parts of the packet payload.

/ipfix/exportingProcess
   The configuration parameters in this subtree specify to which Collectors Packet Reports or Flow Records are exported. Write access to this subtree allows exporting potentially sensitive traffic information to illegitimate Collectors. Furthermore, TLS/DTLS parameters can be changed, which may affect the mutual authentication between Exporters and Collectors as well as the encrypted transport of the data.

/ipfix/collectingProcess
   The configuration parameters in this subtree may specify that collected Packet Reports and Flow Records are reexported to another Collector or written to a file. Write access to this subtree potentially allows reexporting or storing the sensitive traffic information.

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:

/ipfix/observationPoint
   Parameters in this subtree may be sensitive because they reveal information about the Monitoring Device itself and the network infrastructure.

/ipfix/selectionProcess
   Parameters in this subtree may be sensitive because they reveal information about the Monitoring Device itself and the observed traffic. For example, the counters packetsObserved and packetsDropped allow inferring the number of observed packets.

/ipfix/cache
   Parameters in this subtree may be sensitive because they reveal information about the Monitoring Device itself and the observed traffic. For example, the counters activeFlows and dataRecords allow inferring the number of measured Flows or packets.

/ipfix/exportingProcess
   Parameters in this subtree may be sensitive because they reveal information about the network infrastructure and the outgoing IPFIX Transport Sessions. For example, it discloses the IP addresses of Collectors as well as the deployed TLS/DTLS configuration, which may facilitate the interception of outgoing IPFIX Messages.

/ipfix/collectingProcess
   Parameters in this subtree may be sensitive because they reveal information about the network infrastructure and the incoming IPFIX Transport Sessions. For example, it discloses the IP addresses of Exporters as well as the deployed TLS/DTLS configuration, which may facilitate the interception of incoming IPFIX Messages.

9. IANA Considerations
This document registers a URI in the IETF XML registry [RFC3688]. Following the format in RFC 3688, the following registration is requested.

   URI: urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp
   Registrant Contact: The IPFIX WG of the IETF.
   XML: N/A, the requested URI is an XML namespace.

This document registers a YANG module in the YANG Module Names registry [RFC6020].

   name:      ietf-ipfix-psamp
   namespace: urn:ietf:params:xml:ns:yang:ietf-ipfix-psamp
   prefix:    ipfix
   reference: RFC 6728
10. Acknowledgements
The authors thank Martin Bjorklund, Andy Bierman, and Ladislav Lhotka for helping specify the configuration data model in YANG, as well as Atsushi Kobayashi, Andrew Johnson, Lothar Braun, and Brian Trammell for their valuable reviews of this document.

11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC5101] Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.

[RFC5103] Trammell, B. and E. Boschi, "Bidirectional Flow Export Using IP Flow Information Export (IPFIX)", RFC 5103, January 2008.

[RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", RFC 5475, March 2009.

[RFC5476] Claise, B., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, March 2009.

[RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", RFC 5477, March 2009.

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

[RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, October 2010.

[UML] Object Management Group, "OMG Unified Modeling Language (OMG UML), Superstructure, V2.2", OMG formal/2009-02-02, February 2009.

[IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", <http://www.iana.org/assignments/ipfix>.

11.2. Informative References
[RFC1141] Mallory, T. and A. Kullberg, "Incremental updating of the Internet checksum", RFC 1141, January 1990.

[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000.

[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.

[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.

[RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. Conrad, "Stream Control Transmission Protocol (SCTP) Partial Reliability Extension", RFC 3758, May 2004.

[RFC3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004.

[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.

[RFC4133] Bierman, A. and K. McCloghrie, "Entity MIB (Version 3)", RFC 4133, August 2005.

[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012.

[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman, "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011.

[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, June 2011.

[RFC4960] Stewart, R., "Stream Control Transmission Protocol", RFC 4960, September 2007.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.

[RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP Flow Information Export (IPFIX) Applicability", RFC 5472, March 2009.

[RFC5473] Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports", RFC 5473, March 2009.

[RFC5474] Duffield, N., Chiou, D., Claise, B., Greenberg, A., Grossglauser, M., and J. Rexford, "A Framework for Packet Selection and Reporting", RFC 5474, March 2009.

[RFC5610] Boschi, E., Trammell, B., Mark, L., and T. Zseby, "Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements", RFC 5610, July 2009.

[RFC5655] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. Wagner, "Specification of the IP Flow Information Export (IPFIX) File Format", RFC 5655, October 2009.

[RFC6110] Lhotka, L., "Mapping YANG to Document Schema Definition Languages and Validating NETCONF Content", RFC 6110, February 2011.

[RFC6526] Claise, B., Aitken, P., Johnson, A., and G. Muenz, "IP Flow Information Export (IPFIX) Per Stream Control Transmission Protocol (SCTP) Stream", RFC 6526, March 2012.

[RFC6615] Dietz, T., Kobayashi, A., Claise, B., and G. Muenz, "Definitions of Managed Objects for IP Flow Information Export", RFC 6615, June 2012.

[W3C.REC-xml-20081126] Sperberg-McQueen, C., Yergeau, F., Bray, T., Paoli, J., and E. Maler, "Extensible Markup Language (XML) 1.0 (Fifth Edition)", World Wide Web Consortium Recommendation REC-xml-20081126, November 2008, <http://www.w3.org/TR/2008/REC-xml-20081126>.

[W3C.REC-xmlschema-0-20041028] Walmsley, P. and D. Fallside, "XML Schema Part 0: Primer Second Edition", World Wide Web Consortium Recommendation REC-xmlschema-0-20041028, October 2004, <http://www.w3.org/TR/2004/REC-xmlschema-0-20041028>.

[RFC6727] Dietz, T., Claise, B., and J. Quittek, "Definitions of Managed Objects for Packet Sampling", RFC 6727, October 2012.

[YANG-WEB] Bjoerklund, M., "YANG WebHome", March 2011, <http://www.yang-central.org/>.

[IANA-ENTERPRISE-NUMBERS] IANA, "Private Enterprise Numbers", <http://www.iana.org/assignments/enterprise-numbers>.
Authors' Addresses
Gerhard Muenz
Technische Universitaet Muenchen
Department of Informatics
Chair for Network Architectures and Services (I8)
Boltzmannstr. 3
85748 Garching
Germany

EMail: muenz@net.in.tum.de
URI:   http://www.net.in.tum.de/~muenz


Benoit Claise
Cisco Systems, Inc.
De Kleetlaan 6a b1
1831 Diegem
Belgium

Phone: +32 2 704 5622
EMail: bclaise@cisco.com


Paul Aitken
Cisco Systems, Inc.
96 Commercial Quay
Commercial Street
Edinburgh EH6 6LX
United Kingdom

Phone: +44 131 561 3616
EMail: paitken@cisco.com