Rich Template Set Extension to the IPFIX Protocol

IPFIX supports the concept of a Mediator, a device that receives, transforms, and exports data streams using IPFIX. A major requirement of flow mediation is the reduction of the volume of IPFIX traffic by discarding and aggregating received information. describes how pattern matching is used for flow aggregation. The draft also outlines how to select flows and subsequently communicate the selection criteria to an IPFIX Collector, using Common Properties of the resulting Compound Flows to describe these attributes. In order to avoid the overhead of the repeated transmissions of all Common Properties (or their identifiers) in all Flow Records, a new Template Set, the Rich Template Set, is introduced. This Template Set allows an Exporting Process to simultaneously declare and transmit Common Properties to a receiver. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

The basic format of a Rich Template Set is shown in . It is the same as that of a Template Set defined in , except for a different Set ID. The format of individual Rich Template Records, however, differs from that of Template Records and is shown in .

255) | Field Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Count | Common Properties ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Field 1 Specifier | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ... | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Field N Specifier | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Data 1 Specifier | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ... | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Data M Specifier | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Data 1 Value | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | ... | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Data M Value | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]> The Rich Template Set field definitions are as follows: Type of this Template Set. A Set ID value of 4 is proposed for the Rich Template Set. Total length of this set in bytes, as defined in . OPTIONAL padding, as defined in . The Rich Template Record field definitions are as follows: Template ID of this Rich Template Record. As defined in , this value MUST be greater than 255. Number of regular fields that will be sent in subsequent Data Records using this Template, as defined in . Number of fixed-value fields that will be sent in this Template. Contains an identifier that can be referred to by commonPropertiesId Information Elements, as introduced in . Information Element identifier, Field length and an Enterprise Number (if applicable) of field N. Refer to for more information on Field Specifiers. Same as "Field N Specifier", but used for Common Properties of all Data Records of this Template. Together with Data M Value, a similar encoding like TLV (type-length-value) is achieved. Bit representation of a Common Property as would be transmitted in a Data Record.

The Rich Template is well-suited for use in flow aggregation, as introduced in . illustrates the relationship between a flow aggregator's field modifiers and patterns on the one hand, and the resulting regular and fixed-value fields in the Rich Template on the other hand. It can be seen that the analyzer is able to deduce all instructions of the Aggregation Rule considering the structure of the Rich Template, except the combination "discard without pattern" that does not result in any field. field modifierpatternfield in Flow Recordfixed-value field in Rich Template discardnoN/AN/A discardyesN/Ayes, contains pattern keepnoyesN/A keepyesyes, if pattern specifies a range of valuesyes, contains pattern masknoyes, IP network addressN/A maskyesyes, IP network addressyes, contains pattern Assume, for example, the concentrator was given the Aggregation Rule shown in . IPFIX FieldFilteringAggregation sourceIPv4Address192.0.2.0/28discard destinatonTransportPortkeep packetDeltaCountaggregate Based on the Aggregation Rule, the concentrator would now first send a corresponding Rich Template Record as shown in . FieldValue Template ID10001 Field Count2 Data Count2 Common Properties ID0 Field 1 TypeDestination Port Field 2 TypePackets Data 1 TypeSource IP Prefix Data 2 TypeSource IP Mask Data 1 Value192.0.2.0 Data 2 Value28 Assume further that the concentrator receives the Flow Records shown in . Source IPSource PortDestination IPDestination PortPackets 192.0.2.164235192.0.2.1018010 192.0.2.264236192.0.2.10211010 192.0.2.364237192.0.2.1038010 192.0.2.10164238192.0.2.18010 192.0.2.10264239192.0.2.28010 The concentrator would then export Data Records of this type, which contain the Compound Flows resulting from aggregation. Note that the Flows' Common Property, having a source IP address in 192.0.2.0/28, was already transmitted in the Rich Template Record and is thus not included in Data Records. The exported Data Records, shown in , only contain the aggregated packet counts and the destination port, the latter being the only discriminating Flow Key property. Destination PortPackets 8020 11010

This document introduces a new IPFIX Template Set, a variation on the Template Set and data types introduced in and . No additional security considerations apply.

Use of the Rich Template Set requires one new IPFIX Set ID to be assigned.