3.15. Expectation Class
The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting.

   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM action             |<>--{0..*}--[ Description ]
   | STRING ext-action       |<>--{0..*}--[ DefinedCOA  ]
   | ENUM severity           |<>--{0..1}--[ StartTime   ]
   | ENUM restriction        |<>--{0..1}--[ EndTime     ]
   | STRING ext-restriction  |<>--{0..1}--[ Contact     ]
   | ID observable-id        |
   +-------------------------+

                  Figure 31: The Expectation Class

The aggregate classes of the Expectation class are:

Description
   Zero or more. ML_STRING. A free-form text description of the desired action(s).

DefinedCOA
   Zero or more. STRING. A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to "defined-coa".

StartTime
   Zero or one. DATETIME. The time at which the sender would like the action performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the sender would like the action performed as soon as possible. The absence of this element indicates that the sender has no expectation of when the action is performed.

EndTime
   Zero or one. DATETIME. The time by which the sender expects the recipient to complete the action. If the recipient cannot complete the action before EndTime, the recipient MUST NOT carry out the action. Because of transit delays and clock drift, the sender MUST be prepared for the recipient to have carried out the action even if it completes past EndTime.

Contact
   Zero or one. The entity expected to perform the action. See Section 3.9.

The attributes of the Expectation class are:

action
   Optional. ENUM. Classifies the type of action requested. The default value is "other". These values are maintained in the "Expectation-action" IANA registry per Section 10.2.

   1.  nothing. No action is requested. Do nothing with the information.
   2.  contact-source-site. Contact the site(s) identified as the source of the activity.
   3.  contact-target-site. Contact the site(s) identified as the target of the activity.
   4.  contact-sender. Contact the originator of the document.
   5.  investigate. Investigate the system(s) listed in the event.
   6.  block-host. Block traffic from the machine(s) listed as sources in the event.
   7.  block-network. Block traffic from the network(s) listed as sources in the event.
   8.  block-port. Block the port(s) listed as sources in the event.
   9.  rate-limit-host. Rate-limit the traffic from the machine(s) listed as sources in the event.
   10. rate-limit-network. Rate-limit the traffic from the network(s) listed as sources in the event.
   11. rate-limit-port. Rate-limit the port(s) listed as sources in the event.
   12. redirect-traffic. Redirect traffic from the intended recipient for further analysis.
   13. honeypot. Redirect traffic from systems listed in the event to a honeypot for further analysis.
   14. upgrade-software. Upgrade or patch the software or firmware on an asset listed in the event.
   15. rebuild-asset. Reinstall the operating system or applications on an asset listed in the event.
   16. harden-asset. Change the configuration of an asset listed in the event to reduce the attack surface.
   17. remediate-other. Remediate the activity in a way other than by rate-limiting or blocking.
   18. status-triage. Confirm receipt and begin triaging the incident.
   19. status-new-info. Notify the sender when new information is received for this incident.
   20. watch-and-report. Watch for the described activity or indicators, and notify the sender when seen.
   21. training. Train users to identify or mitigate the described threat.
   22. defined-coa. Perform a predefined course of action (COA). The COA is named in the DefinedCOA class.
   23. other. Perform a custom action described in the Description class.
   24. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
ext-action
   Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.

severity
   Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.

   1. low. Low priority.
   2. medium. Medium priority.
   3. high. High priority.

restriction
   Optional. ENUM. See Section 3.3.1. The default value is "default".

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.16. Flow Class

The Flow class describes the systems and networks involved in the incident and the relationships between them.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                  Figure 32: The Flow Class

The aggregate class of the Flow class is:

System
   One or more. A host or network involved in an event. See Section 3.17.

The Flow class has no attributes.
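The StartTime, EndTime and DefinedCOA rules of the Expectation class (Section 3.15) are the ones a receiving CSIRT tool has to enforce before it acts on a document. The following Python is an added example, not part of the IODEF specification text: it walks a constructed IODEF 2.0 fragment (the incident identifier, COA name and timestamps are made up) and, for each Expectation, applies the action-value check, the defined-coa/DefinedCOA requirement, the "StartTime earlier than ReportTime means as soon as possible" rule and the "MUST NOT carry out past EndTime" rule.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}  # IODEF v2 namespace

# Registered Expectation-action values from Section 3.15.
ACTIONS = {
    "nothing", "contact-source-site", "contact-target-site", "contact-sender",
    "investigate", "block-host", "block-network", "block-port",
    "rate-limit-host", "rate-limit-network", "rate-limit-port",
    "redirect-traffic", "honeypot", "upgrade-software", "rebuild-asset",
    "harden-asset", "remediate-other", "status-triage", "status-new-info",
    "watch-and-report", "training", "defined-coa", "other", "ext-value",
}

# Constructed sample: one Incident carrying three Expectations that exercise
# the StartTime/EndTime and defined-coa rules. All identifiers are made up.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.com">2024-0001</IncidentID>
    <ReportTime>2024-03-01T12:00:00Z</ReportTime>
    <EventData>
      <Expectation action="block-host" severity="high">
        <StartTime>2024-03-01T11:00:00Z</StartTime>
        <EndTime>2024-03-01T18:00:00Z</EndTime>
      </Expectation>
      <Expectation action="defined-coa">
        <DefinedCOA>COA-ISOLATE-HOST</DefinedCOA>
      </Expectation>
      <Expectation action="defined-coa"/>
    </EventData>
  </Incident>
</IODEF-Document>"""


def parse_dt(text):
    """Parse an IODEF DATETIME (ISO 8601); a trailing 'Z' is normalized for older Pythons."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def evaluate_expectation(exp, report_time, now):
    """Apply the Section 3.15 rules to one Expectation element.

    Returns (status, detail) with status 'invalid', 'expired' or 'act'.
    """
    action = exp.get("action", "other")  # attribute default per Section 3.15
    if action not in ACTIONS:
        return "invalid", f"unregistered action {action!r}"
    if action == "ext-value" and not exp.get("ext-action"):
        return "invalid", "ext-value without ext-action"
    coa = exp.find("iodef:DefinedCOA", NS)
    if action == "defined-coa" and coa is None:
        return "invalid", "defined-coa without DefinedCOA"

    end = exp.find("iodef:EndTime", NS)
    if end is not None and now > parse_dt(end.text):
        # The recipient MUST NOT carry out an action whose EndTime has passed.
        return "expired", f"EndTime {end.text} already passed"

    start = exp.find("iodef:StartTime", NS)
    if start is None:
        when = "no timing expectation"
    elif parse_dt(start.text) < report_time:
        when = "as soon as possible"  # StartTime earlier than ReportTime
    else:
        when = f"not before {start.text}"
    target = coa.text if coa is not None else action
    severity = exp.get("severity", "unspecified")  # severity has no default value
    return "act", f"{target} ({severity} priority), {when}"


def triage(doc_xml, now_iso):
    """Return [(status, detail)] for every Expectation in the document."""
    root = ET.fromstring(doc_xml)
    incident = root.find("iodef:Incident", NS)
    report_time = parse_dt(incident.find("iodef:ReportTime", NS).text)
    now = parse_dt(now_iso)
    return [evaluate_expectation(e, report_time, now)
            for e in incident.iter(f"{{{NS['iodef']}}}Expectation")]


if __name__ == "__main__":
    for status, detail in triage(SAMPLE, "2024-03-01T13:00:00Z"):
        print(f"{status:8} {detail}")
```

Run at 13:00Z the first Expectation is actionable "as soon as possible" (its StartTime predates the ReportTime), the second resolves to the named COA, and the third is rejected because "defined-coa" without a DefinedCOA violates the MUST. Re-run a day later and the first one is reported as expired rather than executed; a receiver that still acts on it because its own clock is slow is exactly the case the sender is told to be prepared for.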
3.17. System Class
The System class describes a system or network involved in an event.

   +------------------------+
   | System                 |
   +------------------------+
   | ENUM category          |<>----------[ Node            ]
   | STRING ext-category    |<>--{0..*}--[ NodeRole        ]
   | STRING interface       |<>--{0..*}--[ Service         ]
   | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
   | ENUM virtual           |<>--{0..*}--[ Counter         ]
   | ENUM ownership         |<>--{0..*}--[ AssetID         ]
   | STRING ext-ownership   |<>--{0..*}--[ Description     ]
   | ENUM restriction       |<>--{0..*}--[ AdditionalData  ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                  Figure 33: The System Class

The aggregate classes of the System class are:

Node
   One. A host or network involved in the incident. See Section 3.18.

NodeRole
   Zero or more. The intended purpose of the system. See Section 3.18.2.

Service
   Zero or more. A network service running on the system. See Section 3.20.

OperatingSystem
   Zero or more. SOFTWARE. The operating system running on the system.

Counter
   Zero or more. A counter with which to summarize properties of this host or network. See Section 3.18.3.

AssetID
   Zero or more. STRING. An asset identifier for the System.

Description
   Zero or more. ML_STRING. A free-form text description of the System.

AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data model.

The attributes of the System class are:

category
   Optional. ENUM. Classifies the role the host or network played in the incident. These values are maintained in the "System-category" IANA registry per Section 10.2.

   1. source. The System was the source of the event.
   2. target. The System was the target of the event.
   3. intermediate. The System was an intermediary in the event.
   4. sensor. The System was a sensor monitoring the event.
   5. infrastructure. The System was an infrastructure node of the IODEF document exchange.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.

interface
   Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.

spoofed
   Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".

   1. unknown. The accuracy of the category attribute value is unknown.
   2. yes. The category attribute value is likely incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
   3. no. The category attribute value is believed to be correct.

virtual
   Optional. ENUM. Indicates whether this System is a virtual or physical device. The default value is "unknown".

   1. yes. The System is a virtual device.
   2. no. The System is a physical device.
   3. unknown. It is not known if the System is virtual.

ownership
   Optional. ENUM. Describes the ownership of this System relative to the victim in the incident. These values are maintained in the "System-ownership" IANA registry per Section 10.2.

   1. organization. Corporate or enterprise owned.
   2. personal. Personally owned by an employee or affiliate of the corporation or enterprise.
   3. partner. Owned by a partner of the corporation or enterprise.
   4. customer. Owned by a customer of the corporation or enterprise.
   5. no-relationship. Owned by an entity that has no known relationship with the victim organization.
   6. unknown. Ownership is unknown.
   7. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-ownership
   Optional. STRING. A means by which to extend the ownership attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.18. Node Class
The Node class identifies a system, asset, or network and its location.

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData    ]
   |               |<>--{0..*}--[ Address       ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location      ]
   |               |<>--{0..*}--[ Counter       ]
   +---------------+

                  Figure 34: The Node Class

The aggregate classes of the Node class are:

DomainData
   Zero or more. The domain (DNS) information associated with this node. If an Address is not provided, at least one DomainData MUST be specified. See Section 3.19.

Address
   Zero or more. The hardware, network, or application address of the node. If a DomainData is not provided, at least one Address MUST be specified. See Section 3.18.1.

PostalAddress
   Zero or one. POSTAL. The postal address of the node.

Location
   Zero or more. ML_STRING. A free-form text description of the physical location of the node. This description may provide a more detailed description of where at the address specified by the PostalAddress class this node is found (e.g., room number, rack number, or slot number in a chassis).

Counter
   Zero or more. A counter with which to summarize properties of this host or network. See Section 3.18.3.

The Node class has no attributes.

3.18.1. Address Class
The Address class represents a hardware (Layer 2), network (Layer 3), or application (Layer 7) address.

   +-------------------------+
   | Address                 |
   +-------------------------+
   | STRING                  |
   |                         |
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                  Figure 35: The Address Class

The content of the class is an address of type STRING whose semantics are determined by the category attribute.

The attributes of the Address class are:

category
   Required. ENUM. The type of address represented. The default value is "ipv6-addr". These values are maintained in the "Address-category" IANA registry per Section 10.2.

   1.  asn. Autonomous System Number.
   2.  atm. Asynchronous Transfer Mode (ATM) address.
   3.  e-mail. Email address, per the EMAIL data type.
   4.  ipv4-addr. IPv4 host address in dotted-decimal notation (i.e., a.b.c.d).
   5.  ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn).
   6.  ipv4-net-masked. A sanitized IPv4 address with significant bits per "ipv4-net" but with the character 'x' replacing any digit(s) in the address or prefix.
   7.  ipv4-net-mask. IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (i.e., a.b.c.d/w.x.y.z).
   8.  ipv6-addr. IPv6 host address per Section 4 of [RFC5952].
   9.  ipv6-net. IPv6 network address, slash, prefix per Section 2.3 of [RFC4291].
   10. ipv6-net-masked. A sanitized IPv6 address and prefix per "ipv6-net" but with the character 'x' replacing any hexadecimal digit(s) in the address or digit(s) in the prefix.
   11. mac. Media Access Control (MAC) address (i.e., aa:bb:cc:dd:ee:ff).
   12. site-uri. A URL or URI for a resource, per the URL data type.
   13. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.

vlan-name
   Optional. STRING. The name of the Virtual LAN to which the address belongs.

vlan-num
   Optional. INTEGER. The number of the Virtual LAN to which the address belongs.

observable-id
   Optional. ID. See Section 3.3.2.

3.18.2. NodeRole Class
The NodeRole class describes the function performed by or role of a particular system, asset, or network.
   +-----------------------+
   | NodeRole              |
   +-----------------------+
   | ENUM category         |<>--{0..*}--[ Description ]
   | STRING ext-category   |
   +-----------------------+

                  Figure 36: The NodeRole Class

The aggregate class of the NodeRole class is:

Description
   Zero or more. ML_STRING. A free-form text description of the role of the system.

The attributes of the NodeRole class are:

category
   Required. ENUM. Function or role of a node. These values are maintained in the "NodeRole-category" IANA registry per Section 10.2.

   1.  client. Client computer.
   2.  client-enterprise. Client computer on the enterprise network.
   3.  client-partner. Client computer on the network of a partner.
   4.  client-remote. Client computer remotely connected to the enterprise network.
   5.  client-kiosk. Client computer serving as a kiosk.
   6.  client-mobile. Mobile device.
   7.  server-internal. Server with internal services.
   8.  server-public. Server with public services.
   9.  www. WWW server.
   10. mail. Mail server.
   11. webmail. Web mail server.
   12. messaging. Messaging server (e.g., NNTP, IRC, IM).
   13. streaming. Streaming-media server.
   14. voice. Voice server (e.g., SIP, H.323).
   15. file. File server.
   16. ftp. FTP server.
   17. p2p. Peer-to-peer node.
   18. name. Name server (e.g., DNS, WINS).
   19. directory. Directory server (e.g., LDAP, finger, whois).
   20. credential. Credential server (e.g., domain controller, Kerberos).
   21. print. Print server.
   22. application. Application server.
   23. database. Database server.
   24. backup. Backup server.
   25. dhcp. DHCP server.
   26. assessment. Assessment server (e.g., vulnerability scanner, endpoint assessment).
   27. source-control. Source code control server.
   28. config-management. Configuration management server.
   29. monitoring. Security monitoring server (e.g., IDS).
   30. infra. Infrastructure server (e.g., router, firewall, DHCP).
   31. infra-firewall. Firewall.
   32. infra-router. Router.
   33. infra-switch. Switch.
   34. camera. Camera and video system.
   35. proxy. Proxy server.
   36. remote-access. Remote access server.
   37. log. Log server (e.g., syslog).
   38. virtualization. Server running virtual machines.
   39. pos. Point-of-sale device.
   40. scada. Supervisory control and data acquisition (SCADA) system.
   41. scada-supervisory. Supervisory system for a SCADA.
   42. sinkhole. Traffic sinkhole destination.
   43. honeypot. Honeypot server.
   44. anonymization. Anonymization server (e.g., Tor node).
   45. c2-server. Malicious command and control server.
   46. malware-distribution. Server that distributes malware.
   47. drop-server. Server to which exfiltrated content is uploaded.
   48. hop-point. Intermediary server used to get to a victim.
   49. reflector. A system used in a reflector attack.
   50. phishing-site. Site hosting phishing content.
   51. spear-phishing-site. Site hosting spear-phishing content.
   52. recruiting-site. Site used to recruit.
   53. fraudulent-site. Fraudulent site.
   54. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.
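The Address class of Section 3.18.1 makes the meaning of the element content depend entirely on the category attribute, so a consumer has to check that the content actually has the syntax the category promises (an "ipv4-addr" that holds an IPv6 literal is a common producer bug, and an unchecked sanitized "x" form will break any tool that feeds the value into a block list). The Python below is an added example, not part of the IODEF specification text. It validates each registered category of Section 3.18.1 and also applies the Section 3.19.1 rule that an Address under Nameservers MUST be "ipv4-addr" or "ipv6-addr". The ASN, e-mail and site-uri syntaxes and the ATM acceptance are assumptions (the data types they reference are not reproduced on this page), and the sample Node fragment is constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}  # IODEF v2 namespace
NAMESERVER_CATEGORIES = {"ipv4-addr", "ipv6-addr"}  # Section 3.19.1 rule

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Assumed syntaxes for categories whose exact form this page does not spell out.
ASN_RE = re.compile(r"^(AS)?\d{1,10}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:\S+$")


def _is(cls, text):
    """True when cls(text) parses (ipaddress raises ValueError otherwise)."""
    try:
        cls(text)
        return True
    except ValueError:
        return False


def _net(cls, text):
    try:
        cls(text, strict=False)  # host bits set inside the prefix are tolerated
        return True
    except ValueError:
        return False


def _ipv4_net(text, dotted_mask):
    """'a.b.c.d/nn' (dotted_mask=False) or 'a.b.c.d/w.x.y.z' (dotted_mask=True)."""
    addr, sep, mask = text.partition("/")
    if not sep or bool(re.fullmatch(r"\d{1,2}", mask)) == dotted_mask:
        return False  # prefix written in the form of the other category
    return _net(ipaddress.IPv4Network, text)


def _ipv6_net(text):
    """'addr/prefix' with a numeric prefix length."""
    addr, sep, prefix = text.partition("/")
    return bool(sep) and prefix.isdigit() and _net(ipaddress.IPv6Network, text)


def check_address(category, content, ext_category=None):
    """Return None when content is well-formed for category, else a reason string."""
    c = content.strip()
    checks = {
        "asn": lambda: bool(ASN_RE.match(c)),
        "atm": lambda: bool(c),  # ATM syntax not given here; any non-empty value accepted
        "e-mail": lambda: bool(EMAIL_RE.match(c)),
        "ipv4-addr": lambda: _is(ipaddress.IPv4Address, c),
        "ipv4-net": lambda: _ipv4_net(c, dotted_mask=False),
        # sanitized forms: 'x' stands for a digit, so substitute and re-check
        "ipv4-net-masked": lambda: "x" in c and _ipv4_net(c.replace("x", "0"), dotted_mask=False),
        "ipv4-net-mask": lambda: _ipv4_net(c, dotted_mask=True),
        "ipv6-addr": lambda: _is(ipaddress.IPv6Address, c),
        "ipv6-net": lambda: _ipv6_net(c),
        "ipv6-net-masked": lambda: "x" in c and _ipv6_net(c.replace("x", "0")),
        "mac": lambda: bool(MAC_RE.match(c)),
        "site-uri": lambda: bool(URI_RE.match(c)),
        "ext-value": lambda: bool(ext_category),  # needs the ext-category attribute
    }
    if category not in checks:
        return f"unregistered category {category!r}"
    return None if checks[category]() else f"{c!r} is not a valid {category}"


# Constructed sample Node: two deliberately broken Address elements.
SAMPLE = """<Node xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <DomainData system-status="innocent-hacked" domain-status="assignedAndActive">
    <Name>www.example.com</Name>
    <Nameservers>
      <Server>ns1.example.net</Server>
      <Address category="ipv4-addr">192.0.2.53</Address>
      <Address category="mac">00:11:22:33:44:55</Address>
    </Nameservers>
  </DomainData>
  <Address category="ipv4-net-masked">192.0.2.x/24</Address>
  <Address category="ipv6-net">2001:db8::/32</Address>
  <Address category="ipv4-addr">2001:db8::1</Address>
  <Address category="ext-value" ext-category="sip-uri">sip:alice@example.com</Address>
</Node>"""


def validate_addresses(xml_text):
    """Return [(parent class, problem)] for every malformed Address in the fragment."""
    problems = []
    for parent in ET.fromstring(xml_text).iter():
        for addr in parent.findall("iodef:Address", NS):
            cat = addr.get("category", "ipv6-addr")  # attribute default per Section 3.18.1
            reason = check_address(cat, addr.text or "", addr.get("ext-category"))
            tag = parent.tag.split("}")[-1]
            if reason is None and tag == "Nameservers" and cat not in NAMESERVER_CATEGORIES:
                reason = f"category {cat!r} not allowed under Nameservers"
            if reason:
                problems.append((tag, reason))
    return problems


if __name__ == "__main__":
    for where, why in validate_addresses(SAMPLE):
        print(f"{where}: {why}")
```

The two findings on the sample are the IPv6 literal labelled "ipv4-addr" under Node and the MAC address under Nameservers, which is syntactically fine but not a permitted category there. Note that "ipv4-net" and "ipv4-net-mask" are distinguished by the form of the prefix, not by the address, so the checker rejects "10.0.0.0/255.0.0.0" as an "ipv4-net" even though the same string is a valid "ipv4-net-mask".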
3.18.3. Counter Class
The Counter class summarizes multiple occurrences of an event or conveys counts or rates of various features. The complete semantics of this class are context dependent based on the class in which it is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | ENUM unit           |
   | STRING ext-unit     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                  Figure 37: The Counter Class

The content of the class is a value of type REAL. Its meaning is determined by the type attribute and its units by the unit attribute, together with the duration attribute when one is present. If the duration attribute is present, the element content is a rate. Otherwise, it is a simple counter.

The attributes of the Counter class are:

type
   Required. ENUM. Specifies the type of counter specified in the element content. These values are maintained in the "Counter-type" IANA registry per Section 10.2.

   1. count. The Counter class value is a counter.
   2. peak. The Counter class value is a peak value.
   3. average. The Counter class value is an average.
   4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.

unit
   Required. ENUM. Specifies the units of the element content. These values are maintained in the "Counter-unit" IANA registry per Section 10.2.

   1.  byte. Bytes transferred.
   2.  mbit. Megabits (Mbits) transferred.
   3.  packet. Packets.
   4.  flow. Network flow records.
   5.  session. Sessions.
   6.  alert. Notifications generated by another system (e.g., IDS or SIEM system).
   7.  message. Messages (e.g., mail messages).
   8.  event. Events.
   9.  host. Hosts.
   10. site. Sites.
   11. organization. Organizations.
   12. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-unit
   Optional. STRING. A means by which to extend the unit attribute. See Section 5.1.1.

meaning
   Optional. STRING. A free-form text description of the metric represented by the Counter.

duration
   Optional. ENUM. If present, the Counter class represents a rate. This attribute specifies the unit of time over which the quantity whose units are given by the unit attribute is being conveyed; that is, duration is the denominator of the rate and unit is the numerator. The possible values of this attribute are defined in the duration attribute of Section 3.12.3.

ext-duration
   Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.1.

3.19. DomainData Class
The DomainData class describes a domain name and metadata associated with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name                 ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate     ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate       ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS           ]
   |                          |<>--{0..*}--[ Nameservers          ]
   |                          |<>--{0..1}--[ DomainContacts       ]
   +--------------------------+

                  Figure 38: The DomainData Class

The aggregate classes of the DomainData class are:

Name
   One. STRING. The domain name of a system.

DateDomainWasChecked
   Zero or one. DATETIME. A timestamp of when the domain listed in the Name class was resolved.

RegistrationDate
   Zero or one. DATETIME. A timestamp of when the domain listed in the Name class was registered.

ExpirationDate
   Zero or one. DATETIME. A timestamp of when the domain listed in the Name class is set to expire.

RelatedDNS
   Zero or more. EXTENSION. Additional DNS records associated with this domain.

Nameservers
   Zero or more. The nameservers identified for the domain listed in the Name class. See Section 3.19.1.

DomainContacts
   Zero or one. Contact information for the domain listed in the Name class supplied by the registrar or through a whois query. See Section 3.19.2.

The attributes of the DomainData class are:

system-status
   Required. ENUM. Assesses the domain's involvement in the event. These values are maintained in the "DomainData-system-status" IANA registry per Section 10.2.

   1. spoofed. This domain was spoofed.
   2. fraudulent. This domain was operated with fraudulent intentions.
   3. innocent-hacked. This domain was compromised by a third party.
   4. innocent-hijacked. This domain was deliberately hijacked.
   5. unknown. No categorization for this domain is known.
   6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-system-status
   Optional. STRING. A means by which to extend the system-status attribute. See Section 5.1.1.

domain-status
   Required. ENUM. Categorizes the registry status of the domain at the time the document was generated. These values and their associated descriptions are derived from Section 3.2.2 of [RFC3982]. These values are maintained in the "DomainData-domain-status" IANA registry per Section 10.2.

   1.  reservedDelegation. The domain is permanently inactive.
   2.  assignedAndActive. The domain is in a normal state.
   3.  assignedAndInactive. The domain has an assigned registration, but the delegation is inactive.
   4.  assignedAndOnHold. The domain is in dispute.
   5.  revoked. The domain is in the process of being purged from the database.
   6.  transferPending. The domain is pending a change in authority.
   7.  registryLock. The domain is on hold by the registry.
   8.  registrarLock. Same as "registryLock".
   9.  other. The domain has a known status, but it is not one of the predefined enumerated values.
   10. unknown. The domain has an unknown status.
   11. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.

ext-domain-status
   Optional. STRING. A means by which to extend the domain-status attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.19.1. Nameservers Class
The Nameservers class describes the nameservers associated with a given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server  ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                  Figure 39: The Nameservers Class

The aggregate classes of the Nameservers class are:

Server
   One. STRING. The domain name of the nameserver.

Address
   One or more. The address of the nameserver. The value of the category attribute MUST be either "ipv4-addr" or "ipv6-addr". See Section 3.18.1.

The Nameservers class has no attributes.

3.19.2. DomainContacts Class
The DomainContacts class describes the contact information for a given domain provided either by the registrar or through a whois query. This contact information can be explicitly described through a Contact class, or a reference can be provided to a domain with identical contact information. Either a single SameDomainContact or one or more Contact classes MUST be present.

   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact           ]
   +--------------------+

                  Figure 40: The DomainContacts Class

The aggregate classes of the DomainContacts class are:

SameDomainContact
   Zero or one. STRING. A domain name already cited in this document or through a previous exchange that contains the identical contact information as the domain name in question. The domain contact information associated with this domain should be used instead of an explicit definition with the Contact class.

Contact
   One or more. Contact information for the domain. See Section 3.9.

The DomainContacts class has no attributes.
3.20. Service Class
The Service class describes a network service. The service is described by a protocol, port, protocol header field, and application providing or using the service.

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName       ]
   | ID observable-id        |<>--{0..1}--[ Port              ]
   |                         |<>--{0..1}--[ Portlist          ]
   |                         |<>--{0..1}--[ ProtoCode         ]
   |                         |<>--{0..1}--[ ProtoType         ]
   |                         |<>--{0..1}--[ ProtoField        ]
   |                         |<>--{0..1}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData         ]
   |                         |<>--{0..1}--[ Application       ]
   +-------------------------+

                  Figure 41: The Service Class

The aggregate classes of the Service class are:

ServiceName
   Zero or one. A protocol name. See Section 3.20.1.

Port
   Zero or one. INTEGER. A port number.

Portlist
   Zero or one. PORTLIST. A list of port numbers.

ProtoCode
   Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific code field (e.g., ICMP code field).

ProtoType
   Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific type field (e.g., ICMP type field).

ProtoField
   Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific flag field (e.g., TCP flag field).

ApplicationHeader
   Zero or one. A protocol header. See Section 3.20.2.

EmailData
   Zero or one. Headers associated with an email message. See Section 3.21.

Application
   Zero or one. SOFTWARE. The application acting as either the client or the server for the service.

At least one of these classes MUST be present.

When a given System class with category="source" and another with category="target" are aggregated into a single Flow class, and each of these System classes has a Service and Portlist class, an implicit relationship between these Portlists exists. If N ports are listed for a System@category="source", and M ports are listed for System@category="target", the number of ports in N must be equal to M. Likewise, the ports MUST be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. If N is greater than 1, a given instance of a Flow class MUST only have a single instance of a System@category="source" and System@category="target".

The attributes of the Service class are:

ip-protocol
   Optional. INTEGER. The IANA-assigned IP protocol number per [IANA.Protocols]. The attribute MUST be set if a Port, Portlist, ProtoCode, ProtoType, or ProtoField class is present.

observable-id
   Optional. ID. See Section 3.3.2.

3.20.1. ServiceName Class
The ServiceName class identifies an application protocol. It can be described by referencing an IANA-registered protocol, by referencing a URL, or with free-form text.

   +--------------------+
   | ServiceName        |
   +--------------------+
   |                    |<>--{0..1}--[ IANAService ]
   |                    |<>--{0..*}--[ URL         ]
   |                    |<>--{0..*}--[ Description ]
   +--------------------+

                  Figure 42: The ServiceName Class

The aggregate classes of the ServiceName class are:

IANAService
   Zero or one. STRING. The name of the service per the "Service Name" field of the registry [IANA.Ports].

URL
   Zero or more. URL. A URL to a resource describing the service.

Description
   Zero or more. ML_STRING. A free-form text description of the service.

At least one of these classes MUST be present.

The ServiceName class has no attributes.

3.20.2. ApplicationHeader Class
The ApplicationHeader class describes arbitrary fields from a protocol header and their corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   |                          |<>--{1..*}--[ ApplicationHeaderField ]
   +--------------------------+

                  Figure 43: The ApplicationHeader Class

The aggregate class of the ApplicationHeader class is:

ApplicationHeaderField
   One or more. EXTENSION. A field name and value in a protocol header. The name attribute MUST be set to the field name. The field value MUST be set in the element content.

The ApplicationHeader class has no attributes.
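The Service rules of Section 3.20 (at least one child class, ip-protocol mandatory whenever Port, Portlist, ProtoCode, ProtoType or ProtoField appears) and the cross-System Portlist pairing rule for a Flow are the constraints a consumer must check before it can turn a Flow into firewall or NetFlow queries, because the pairing is positional and silently wrong if the lists differ in length. The Python below is an added example, not part of the IODEF specification text; it applies those rules to a constructed EventData fragment with one well-formed Flow and one that breaks both rules. The PORTLIST syntax used by the expander (comma-separated port numbers and dash-separated ranges) is an assumption, since the data-type section is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}  # IODEF v2 namespace
# Child classes that make the ip-protocol attribute mandatory (Section 3.20).
NEEDS_PROTOCOL = {"Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField"}


def expand_portlist(text):
    """Expand a PORTLIST such as '80,443,8000-8002' into [80, 443, 8000, 8001, 8002].

    Comma-separated numbers and dash ranges are the assumed PORTLIST syntax.
    """
    ports = []
    for item in text.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def _local(elem):
    return elem.tag.split("}")[-1]  # strip the namespace from the tag


def check_service(svc):
    """Per-Service rules of Section 3.20; returns a list of problem strings."""
    problems = []
    children = {_local(c) for c in svc}
    if not children:
        problems.append("Service has no child class")
    if children & NEEDS_PROTOCOL and svc.get("ip-protocol") is None:
        problems.append("ip-protocol missing although Port/Portlist/Proto* present")
    return problems


def check_flow(flow):
    """Cross-System Portlist rules of Section 3.20 for one Flow.

    Returns (problems, pairs); pairs are the implied (source port, target port)
    correspondences, empty when the Flow is not well-formed.
    """
    problems = []
    lists = {"source": [], "target": []}   # expanded Portlists per category
    count = {"source": 0, "target": 0}     # number of System elements per category
    for system in flow.findall("iodef:System", NS):
        cat = system.get("category")
        if cat in count:
            count[cat] += 1
        for svc in system.findall("iodef:Service", NS):
            problems += [f"{cat}: {p}" for p in check_service(svc)]
            pl = svc.find("iodef:Portlist", NS)
            if cat in lists and pl is not None:
                lists[cat].append(expand_portlist(pl.text))
    src, tgt = lists["source"], lists["target"]
    if not (src and tgt):
        return problems, []  # no implicit relationship without both Portlists
    if any(len(p) > 1 for p in src + tgt) and (count["source"] > 1 or count["target"] > 1):
        problems.append("multi-port Portlist requires exactly one source and one target System")
        return problems, []
    if any(len(s) != len(t) for s in src for t in tgt):
        problems.append("source and target Portlists differ in length")
        return problems, []
    # The n-th source port corresponds to the n-th target port.
    return problems, [(a, b) for s in src for t in tgt for a, b in zip(s, t)]


# Constructed sample: Flow 1 is well-formed; Flow 2 has a Service with a Port
# but no ip-protocol and two source Systems alongside a multi-port Portlist.
SAMPLE = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Flow>
    <System category="source">
      <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
      <Service ip-protocol="6"><Portlist>51000-51002</Portlist></Service>
    </System>
    <System category="target">
      <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
      <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
    </System>
  </Flow>
  <Flow>
    <System category="source">
      <Node><Address category="ipv4-addr">203.0.113.7</Address></Node>
      <Service><Port>4444</Port></Service>
    </System>
    <System category="source">
      <Node><Address category="ipv4-addr">203.0.113.8</Address></Node>
      <Service ip-protocol="6"><Portlist>40000,40001</Portlist></Service>
    </System>
    <System category="target">
      <Node><Address category="ipv4-addr">198.51.100.9</Address></Node>
      <Service ip-protocol="6"><Portlist>25,587</Portlist></Service>
    </System>
  </Flow>
</EventData>"""


def check_event_data(xml_text):
    """Return [(problems, pairs)] for each Flow in document order."""
    root = ET.fromstring(xml_text)
    return [check_flow(f) for f in root.findall("iodef:Flow", NS)]


if __name__ == "__main__":
    for i, (problems, pairs) in enumerate(check_event_data(SAMPLE), 1):
        print(f"Flow {i}: pairs={pairs} problems={problems}")
```

For the first Flow the checker yields the three (source, target) port pairs the positional rule implies; for the second it reports both violations and refuses to derive pairs, which is the safe outcome, since guessing a pairing from a malformed Flow would block or query the wrong ports.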