This is a purely informative rendering of an RFC that includes verified errata. This rendering may not be used as a reference.
The following 'Verified' errata have been incorporated in this document:
EID 3909, EID 3910, EID 3911
Internet Engineering Task Force (IETF) B. Claise
Request for Comments: 6759 P. Aitken
Category: Informational N. Ben-Dvora
ISSN: 2070-1721 Cisco Systems, Inc.
November 2012
Cisco Systems Export of Application Information in
IP Flow Information Export (IPFIX)
Abstract
This document specifies a Cisco Systems extension to the IPFIX
information model specified in RFC 5102 to export application
information.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6759.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Application Information Use Cases ..........................5
1.2. Conventions Used in This Document ..........................5
2. IPFIX Documents Overview ........................................5
3. Terminology .....................................................6
3.1. New Terminology ............................................6
4. applicationId Information Element Specification .................6
4.1. Existing Classification Engine IDs .........................7
4.2. Selector ID Length per Classification ID ..................11
4.3. Application Name Options Template Record ..................12
4.4. Resolving IANA L4 Port Discrepancies ......................13
5. Grouping Applications with Attributes ..........................13
5.1. Options Template Record for Attribute Values ..............15
6. Application ID Examples ........................................15
6.1. Example 1: Layer 2 Protocol ...............................15
6.2. Example 2: Standardized IANA Layer 3 Protocol .............16
6.3. Example 3: Proprietary Layer 3 Protocol ...................17
6.4. Example 4: Standardized IANA Layer 4 Port .................18
6.5. Example 5: Layer 7 Application ............................19
6.6. Example 6: Layer 7 Application with Private
Enterprise Number (PEN) ...................................21
6.7. Example: Port Obfuscation .................................22
6.8. Example: Application Name Mapping Options Template ........23
6.9. Example: Attributes Values Options Template Record ........24
7. IANA Considerations ............................................25
7.1. New Information Elements ..................................25
7.1.1. applicationDescription .............................25
7.1.2. applicationId ......................................26
7.1.3. applicationName ....................................26
7.1.4. classificationEngineId .............................26
7.1.5. applicationCategoryName ............................29
7.1.6. applicationSubCategoryName .........................29
7.1.7. applicationGroupName ...............................29
7.1.8. p2pTechnology ......................................29
7.1.9. tunnelTechnology ...................................30
7.1.10. encryptedTechnology ...............................30
7.2. Classification Engine ID Registry .........................30
8. Security Considerations ........................................30
9. References .....................................................31
9.1. Normative References ......................................31
9.2. Informative References ....................................32
10. Acknowledgements ..............................................33
Appendix A. Additions to XML Specification of IPFIX Information
(Non-normative) .......................................34
Appendix B. Port Collisions Tables (Non-normative) ................39
Appendix C. Application Registry Example (Non-normative) ..........43
List of Figures
Figure 1: applicationId Information Element .......................7
Figure 2: Selector ID Encoding ...................................12
List of Tables
Table 1: Existing Classification Engine IDs .......................7
Table 2: Selector ID Default Length per Classification
Engine ID ...............................................11
Table 3: Application ID Static Attributes ........................13
Table 4: Different Protocols on UDP and TCP ......................39
Table 5: Different Protocols on SCTP and TCP .....................40
1. Introduction
Today, service providers and network administrators are looking for
visibility into the packet content rather than just the packet
header. Some network devices' Metering Processes inspect the packet
content and identify the applications that are utilizing the network
traffic. Applications in this context are defined as networking
protocols used by networking processes that exchange packets between
them (such as web applications, peer-to-peer applications, file
transfer, e-mail applications, etc.). Applications can be further
characterized by other criteria, some of which are application
specific. Examples include: web application to a specific domain,
per-user specific traffic, a video application with a specific codec,
etc.
The application identification is based on several different methods
or even a combination of methods:
1. L2 (Layer 2) protocols (such as ARP (Address Resolution Protocol),
PPP (Point-to-Point Protocol), LLDP (Link Layer Discovery
Protocol))
2. IP protocols (such as ICMP (Internet Control Message Protocol),
IGMP (Internet Group Management Protocol), GRE (Generic Routing
Encapsulation)
3. TCP or UDP ports (such as HTTP, Telnet, FTP)
4. Application layer header (of the application to be identified)
5. Packet data content
6. Packets and traffic behavior
The exact application identification methods are part of the Metering
Process internals that aim to provide an accurate identification and
minimize false identification. This task requires a sophisticated
Metering Process since the protocols do not behave in a standard
manner.
1. Applications use port obfuscation where the application runs on a
different port than the IANA assigned one. For example, an HTTP
server might run on TCP port 23 (assigned to telnet in
[IANA-PORTS]).
2. IANA port registries do not accurately reflect how certain ports
are "commonly" used today. Some ports are reserved, but the
application either never became prevalent or is not in use today.
3. The application behavior and identification logic become more and
more complex.
For that reason, such Metering Processes usually detect applications
based on multiple mechanisms in parallel. Detection based only on
port matching might wrongly identify the application. If the
Metering Process is capable of detecting applications more
accurately, it is considered to be stronger and more accurate.
Similarly, a reporting mechanism that uses L4 port based applications
only, such as L4:<known port>, would have similar issues. The
reporting system should be capable of reporting the applications
classified using all types of mechanisms. In particular,
applications that do not have any IANA port definition. While a
mechanism to export application information should be defined, the L4
port being used must be exported using the destination port
(destinationTransportPort at [IANA-IPFIX]) in the corresponding IPFIX
record.
Applications could be identified at different OSI layers, from layer
2 to layer 7. For example, the Link Layer Distribution Protocol
(LLDP) [LLDP] can be identified in layer 2, ICMP can be identified in
layer 3 [IANA-PROTO], HTTP can be identified in layer 4 [IANA-PORTS],
and Webex can be identified in layer 7.
While an ideal solution would be an IANA registry for applications
above (or inside the payload of) the well-known ports [IANA-PORTS],
this solution is not always possible. Indeed, the specifications for
some applications embedded in the payload are not available. Some
reverse engineering as well as a ubiquitous language for application
identification would be required conditions to be able to manage an
IANA registry for these types of applications. Clearly, these are
blocking factors.
This document specifies the Cisco Systems application information
encoding (as described in Section 4) to export the application
information with the IPFIX protocol [RFC5101]. However, the layer 7
application registry values are out of scope of this document.
1.1. Application Information Use Cases
There are several use cases for application information:
1. Application Visibility
This is one of the main cases for using application information.
Network administrators are using application visibility to
understand the main network consumers, network trends, and user
behavior.
2. Security Functions
Application knowledge is sometimes used in security functions in
order to provide comprehensive functions such as Application-based
firewall, URL filtering, parental control, intrusion detection,
etc.
All of the above use cases require exporting application information
to provide the network function itself or to log the network function
operation.
1.2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. IPFIX Documents Overview
The IPFIX protocol [RFC5101] provides network administrators with
access to IP Flow information.
The architecture for the export of measured IP Flow information out
of an IPFIX Exporting Process to a Collecting Process is defined in
the IPFIX Architecture [RFC5470], per the requirements defined in RFC
3917 [RFC3917].
The IPFIX Architecture [RFC5470] specifies how IPFIX Data Records and
Templates are carried via a congestion-aware transport protocol from
IPFIX Exporting Processes to IPFIX Collecting Processes.
IPFIX has a formal description of IPFIX Information Elements, their
names, types, and additional semantic information, as specified in
the IPFIX information model [RFC5102].
In order to gain a level of confidence in the IPFIX implementation,
probe the conformity and robustness, and allow interoperability, the
Guidelines for IPFIX Testing [RFC5471] presents a list of tests for
implementers of compliant Exporting Processes and Collecting
Processes.
The Bidirectional Flow Export [RFC5103] specifies a method for
exporting bidirectional flow (biflow) information using the IPFIX
protocol, representing each biflow using a single Flow Record.
"Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet
Sampling (PSAMP) Reports" [RFC5473] specifies a bandwidth-saving
method for exporting Flow or packet information, by separating
information common to several Flow Records from information specific
to an individual Flow Record: common Flow information is exported
only once.
3. Terminology
IPFIX-specific terminology used in this document is defined in
Section 2 of the IPFIX protocol specification [RFC5101]. As in
[RFC5101], these IPFIX-specific terms have the first letter of a word
capitalized when used in this document.
3.1. New Terminology
Application ID
A unique identifier for an application.
When an application is detected, the most granular application is
encoded in the Application ID.
4. applicationId Information Element Specification
This document specifies the applicationId Information Element, which
is a single field composed of two parts:
1. 8 bits of Classification Engine ID. The Classification Engine can
be considered as a specific registry for application assignments.
2. n bits of Selector ID. The Selector ID length varies depending on
the Classification Engine ID.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Class. Eng. ID| Selector ID ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: applicationId Information Element
Classification Engine ID
A unique identifier for the engine that determined the Selector
ID. Thus, the Classification Engine ID defines the context for
the Selector ID.
Selector ID
A unique identifier of the application for a specific
Classification Engine ID. Note that the Selector ID length varies
depending on the Classification Engine ID.
The Selector ID term is a similar concept to the selectorId
Information Element, specified in the PSAMP Protocol
[RFC5476][RFC5477].
4.1. Existing Classification Engine IDs
The following Classification Engine IDs have been allocated:
Name Value Description
0 Invalid.
IANA-L3 1 The Assigned Internet Protocol
Number (layer 3 (L3)) is exported
in the Selector ID.
See [IANA-PROTO].
PANA-L3 2 Proprietary layer 3 definition.
An enterprise can export its own
layer 3 protocol numbers. The
Selector ID has a global
significance for all devices from
the same enterprise.
IANA-L4 3 The IANA layer 4 (L4) well-known
port number is exported in the
Selector ID. See [IANA-PORTS].
Note: as an IPFIX flow is
unidirectional, it contains the
destination port.
PANA-L4 4 Proprietary layer 4 definition.
An enterprise can export its own
layer 4 port numbers. The
Selector ID has global
significance for devices from the
same enterprise. Example: IPFIX was
pre-assigned the port 4739 using the IANA
early allocation process [RFC4020] years
before the document was published as an RFC.
While waiting for the RFC and its associated
IANA registration, Selector ID 4739
was used with this PANA-L4.
5 Reserved.
USER- 6 The Selector ID represents
Defined applications defined by the user
(using CLI, GUI, etc.) based on
the methods described in Section
1. The Selector ID has a local
significance per device.
7 Reserved.
8 Reserved.
9 Reserved.
10 Reserved.
11 Reserved.
PANA-L2 12 Proprietary layer 2 (L2)
definition. An enterprise can
export its own layer 2
identifiers. The Selector ID
represents the enterprise's
unique global layer 2
applications. The Selector ID has
a global significance for all
devices from the same enterprise.
Examples include Cisco Subnetwork
Access Protocol (SNAP).
PANA-L7 13 Proprietary layer 7 definition.
The Selector ID represents the
enterprise's unique global ID for
layer 7 applications. The
Selector ID has a global
significance for all devices from
the same enterprise. This
Classification Engine ID is used
when the application registry is
owned by the Exporter
manufacturer (referred to as the
"enterprise" in this document).
14 Reserved.
15 Reserved.
16 Reserved.
17 Reserved.
ETHERTYPE 18 The Selector ID represents the
well-known Ethertype. See
[ETHERTYPE].
LLC 19 The Selector ID represents the
well-known IEEE 802.2 Link Layer
Control (LLC) Destination Service
Access Point (DSAP). See [LLC].
PANA-L7- 20 Proprietary layer 7 definition,
PEN including a Private Enterprise
Number (PEN) [IANA-PEN] to identify
that the application registry
being used is not owned by the
Exporter manufacturer or to
identify the original
enterprise in the case of a
mediator or 3rd party device. The
Selector ID represents the
enterprise unique global ID for
the layer 7 applications. The
Selector ID has a global
significance for all devices from
the same enterprise.
21 to
255 Available (255 is the maximum
Engine ID)
Table 1: Existing Classification Engine IDs
"PANA = Proprietary Assigned Number Authority". In other words, an
enterprise specific version of IANA for internal IDs.
The PANA-L7 Classification Engine ID SHOULD be used when the
application registry is owned by the Exporter manufacturer. Even if
the application registry is owned by the Exporter manufacturer, the
PANA-L7-PEN MAY be used, specifying the manufacturer.
For example, if Exporter A (from enterprise-A) wants to export its
enterprise-A L7 registry, then it uses the PANA-L7 Classification
Engine ID. If Exporter B (from enterprise-B) wants to export its
enterprise-B L7 registry, then it also uses the PANA-L7
Classification Engine ID.
The mechanism for the Collector to know about the Exporter PEN is out
of scope of this document. Possible tracks are SNMP polling, an
Options Template exporting the privateEnterpriseNumber Information
Element [IANA-IPFIX], hardcoded value, etc.
An Exporter may classify the application according to another
vendor's application registry. For example, an IPFIX Mediator
[RFC6183] may need to re-export applications received from different
Exporters using different PANA-L7 application registries. For
example, if Exporter C (from enterprise-C) wants to reuse enterprise-
D's application registry, then it uses PANA-L7-PEN with enterprise-
D's PEN.
When reporting application information from multiple Exporters from
different enterprises (different PENs), the PANA-L7-PEN
Classification Engine MUST be used in exported Flow Records, which
allows the original enterprise ID to be reported. The ID of the
enterprise that defined the Application ID is identified by the
enterprise's PEN. For example, an IPFIX Mediator aggregates traffic
from some Exporters which report enterprise-E applications and other
Exporters that report enterprise-F applications.
An example is displayed in Section 6.6.
Note that the PANA-L7 Classification Engine ID is also used for
resolving IANA L4 port Discrepancies (see Section 4.4).
The list in Table 1 is maintained by IANA thanks to the registry
within the classificationEngineId Information Element. See the IANA
Considerations section. The Classification Engine ID is part of the
Application ID encoding, so the classificationEngineId Information
Element is currently not required by the specifications in this
document. However, this Information Element was created for
completeness, as it was anticipated that this Information Element
will be required in the future.
4.2. Selector ID Length per Classification ID
As the Selector ID part of the Application ID is variable based on
the Classification Engine ID value, the applicationId SHOULD be
encoded in a variable-length Information Element [RFC5101] for IPFIX
export.
The following table displays the Selector ID default length for the
different Classification Engine IDs.
Classification Selector ID default
Engine ID Name length (in bytes)
IANA-L3 1
PANA-L3 1
IANA-L4 2
PANA-L4 2
USER-Defined 3
PANA-L2 5
PANA-L7 3
ETHERTYPE 2
LLC 1
PANA-L7-PEN 3 (*)
Table 2: Selector ID Default Length
per Classification Engine ID
(*) There are an extra 4 bytes for the PEN. However, the PEN is not
considered part of the Selector ID.
If a legacy protocol such as NetFlow version 9 [RFC3954] is used, and
this protocol doesn't support variable-length Information Elements,
then either multiple Template Records (one per applicationId length),
or a single Template Record corresponding to the maximum sized
applicationId MUST be used.
Application IDs MAY be encoded in a smaller number of bytes,
following the same rules as for IPFIX Reduced Size Encoding
[RFC5101].
Application IDs MAY be encoded with a larger length. For example, a
normal IANA L3 protocol encoding would take 2 bytes since the
Selector ID represents the protocol field from the IP header encoded
in one byte. However, an IANA L3 protocol encoding may be encoded
with 3 bytes. In this case, the Selector ID value MUST always be
encoded in the least significant bits as shown in Figure 2.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Class. Eng. ID |zero-valued upper-bits ... Selector ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Selector ID Encoding
4.3. Application Name Options Template Record
For Classification Engines that specify locally unique Application
IDs (which means unique per engine and per router), an Options
Template Record (see [RFC5101]) MUST be used to export the
correspondence between the Application ID, the Application Name, and
the Application Description.
For Classification Engines that specify globally unique Application
IDs, an Options Template Record MAY be used to export the
correspondence between the Application ID, the Application Name and
the Application Description, unless the mapping is hardcoded in the
Collector, or known out of band (for example, by polling a MIB).
An example Options Template is shown in Section 6.8.
Enterprises may assign company-wide Application ID values for the
PANA-L7 Classification Engine. In this case, a possible optimization
for the Collector is to keep the mappings between the Application IDs
and the Application Names per enterprise, as opposed to per Exporter.
4.4. Resolving IANA L4 Port Discrepancies
Even though IANA L4 ports usually point to the same protocols for
both UDP, TCP or other transport types, there are some exceptions, as
mentioned in Appendix B.
Instead of imposing the transport protocol (UDP/TCP/SCTP/etc.) in the
scope of the "Application Name Options Template Record" (Section 6.8)
for all applications (in addition to having the transport protocol as
a key-field in the Flow Record definition), the convention is that
the L4 application is always TCP related. So, whenever the Collector
has a conflict in looking up IANA, it would choose the TCP choice.
As a result, the UDP L4 applications from Table 3 and the SCTP L4
applications from Table 4 are assigned in the PANA_L7 Application ID
range, i.e., under Classification Engine ID 13.
Currently, there are no discrepancies between the well-known ports
for TCP and the Datagram Congestion Control Protocol (DCCP).
5. Grouping Applications with Attributes
Due to the high number of different Application IDs, Application IDs
MAY be categorized into groups. This offers the benefits of easier
reporting and action, such as QoS policies. Indeed, most
applications with the same characteristics should be treated the same
way; for example, all video traffic.
Attributes are statically assigned per Application ID and are
independent of the traffic. The attributes are listed below:
Name Description
Category An attribute that provides a first-
level categorization for each
Application ID. Examples include
browsing, email, file-sharing,
gaming, instant messaging, voice-
and-video, etc.
The category attribute is encoded by
the applicationCategoryName
Information Element.
Sub-Category An attribute that provides a second-
level categorization for each
Application ID. Examples include
backup-systems, client-server,
database, routing-protocol, etc.
The sub-category attribute is
encoded by the
applicationSubCategoryName
Information Element.
Application- An attribute that groups multiple
Group Application IDs that belong to the
same networking application. For
example, the ftp-group contains
ftp-data (port 20), ftp (port 20),
ni-ftp (port 47), sftp (port 115),
bftp (port 152), ftp-agent(port
574), ftps-data (port 989). The
application-group attribute is
encoded by the applicationGroupName
Information Element.
P2P-Technology Specifies if the Application ID is
based on peer-to-peer technology.
The P2P-technology attribute is
encoded by the p2pTechnology
Information Element.
Tunnel- Specifies if the Application ID is
Technology used as a tunnel technology. The
tunnel-technology attribute is
encoded by the tunnelTechnology
Information Element.
Encrypted Specifies if the Application ID is
an encrypted networking protocol.
The encrypted attribute is encoded
by the encryptedTechnology
Information Element.
Table 3: Application ID Static Attributes
Every application is assigned to one applicationCategoryName, one
applicationSubCategoryName, one applicationGroupName, and it has one
p2pTechnology, one tunnelTechnology, and one encryptedTechnology.
These new Information Elements are specified in the IANA
Considerations section (Section 7.1).
Maintaining the attribute values in IANA seems impossible to realize.
Therefore, the attribute values per application are enterprise
specific.
5.1. Options Template Record for Attribute Values
An Options Template Record (see [RFC5101]) SHOULD be used to export
the correspondence between each Application ID and its related
Attribute values. An alternative way for the Collecting Process to
learn the correspondence is to populate these mappings out of band,
for example, by loading a CSV file containing the correspondence
table.
The Attributes Option Template contains the application ID as a scope
field, followed by the applicationCategoryName, the
applicationSubCategoryName, the applicationGroupName, the
p2pTechnology, the tunnelTechnology, and the encryptedTechnology
Information Elements.
A list of attributes may conveniently be exported using a
subTemplateList per [RFC6313].
An example is given in Section 6.9.
6. Application ID Examples
The following examples are created solely for the purpose of
illustrating how the extensions proposed in this document are
encoded.
6.1. Example 1: Layer 2 Protocol
The list of Classification Engine IDs in Table 1 shows that the layer
2 Classification Engine IDs are 12 (PANA-L2), 18, (ETHERTYPE) and 19
(LLC).
From the Ethertype list, LLDP [LLDP] has the Selector ID value
0x88CC, so 35020 in decimal:
NAME Selector ID
LLDP 35020
So, in the case of LLDP, the Classification Engine ID is 18 (LLC)
while the Selector ID has the value 35020.
Per Section 4, the applicationId Information Element is a single
field composed of 8 bits of Classification Engine ID, followed by n
bits of Selector ID. From Table 2, the Selector ID length n is 2 for
the ETHERTYPE Engine ID.
Therefore, the Application ID is encoded as:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 18 | 35020 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the Application ID has the decimal value of 1214668. The format
'18..35020' is used for simplicity in the examples below, to clearly
express that two components of the Application ID.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ applicationId='18..35020',
octetTotalCount=123456 }
The Collector has all the required information to determine that the
application is LLDP, because the Application ID uses a global and
well-known registry, i.e., the Ethertype. The Collector can
determine which application is represented by the Application ID by
loading the registry out of band.
6.2. Example 2: Standardized IANA Layer 3 Protocol
From the list of Classification Engine IDs in Table 1, the IANA layer
3 Classification Engine ID (IANA-L3) is 1. From Table 2 the Selector
ID length is 1 for the IANA-L3 Engine ID.
From the list of IANA layer 3 protocols (see [IANA-PROTO]), ICMP has
the value 1:
Decimal Keyword Protocol Reference
1 ICMP Internet Control [RFC792]
Message
So, in the case of the standardized IANA layer 3 protocol ICMP, the
Classification Engine ID is 1, and the Selector ID has the value of
1.
Therefore, the Application ID is encoded as:
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So, the Application ID has the value of 257. The format '1..1' is
used for simplicity in the examples below.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- ipDiffServCodePoint (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
ipDiffServCodePoint=0,
applicationId='1..1',
octetTotalCount=123456 }
The Collector has all the required information to determine that the
application is ICMP, because the Application ID uses a global and
well-known registry, i.e., the IANA L3 protocol number.
6.3. Example 3: Proprietary Layer 3 Protocol
Assume that an enterprise has specified a new layer 3 protocol called
"foo".
From the list of Classification Engine IDs in Table 1, the
proprietary layer 3 Classification Engine ID (PANA-L3) is 2. From
Table 2 the Selector ID length is 1 for the PANA-L3 Engine ID.
A global registry within the enterprise specifies that the "foo"
protocol has the value 90:
Protocol Protocol ID
foo 90
So, in the case of the layer 3 protocol foo specified by this
enterprise, the Classification Engine ID is 2, and the Selector ID
has the value of 90.
Therefore, the Application ID is encoded as:
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | 90 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the Application ID has the value of 602. The format '2..90' is
used for simplicity in the examples below.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- ipDiffServCodePoint (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
ipDiffServCodePoint=0,
applicationId='2..90',
octetTotalCount=123456 }
Along with this Flow Record, a new Options Template Record would be
exported, as shown in Section 6.8.
6.4. Example 4: Standardized IANA Layer 4 Port
From the list of Classification Engine IDs in Table 1, the IANA layer
4 Classification Engine ID (IANA-L4) is 3. From Table 2 the Selector
ID length is 2 for the IANA-L4 Engine ID.
From the list of IANA layer 4 ports (see [IANA-PORTS]), SNMP has the
value 161:
Keyword Decimal Description
snmp 161/tcp SNMP
snmp 161/udp SNMP
So, in the case of the standardized IANA layer 4 SNMP port, the
Classification Engine ID is 3, and the Selector ID has the value of
161.
Therefore, the Application ID is encoded as:
0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 3 | 161 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the Application ID has the value of 196769. The format '3..161'
is used for simplicity in the examples below.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- protocol (key field)
- ipDiffServCodePoint (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
protocol=17, ipDiffServCodePoint=0,
applicationId='3..161',
octetTotalCount=123456 }
The Collector has all the required information to determine that the
application is SNMP, because the Application ID uses a global and
well-known registry, i.e., the IANA L4 protocol number.
6.5. Example 5: Layer 7 Application
In this example, the Metering Process has observed some Webex
traffic.
From the list of Classification Engine IDs in Table 1, the layer 7
unique Classification Engine ID (PANA-L7) is 13. From Table 2 the
Selector ID length is 3 for the PANA-L7 Engine ID.
Suppose that the Metering Process returns the ID 10000 for Webex
traffic.
So, in the case of this Webex application, the Classification Engine
ID is 13 and the Selector ID has the value of 10000.
Therefore, the Application ID is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 13 | 10000 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
So the Application ID has the value of 218113808. The format
'13..10000' is used for simplicity in the examples below.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- ipDiffServCodePoint (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
ipDiffServCodePoint=0,
applicationId='13..10000',
octetTotalCount=123456 }
The 10000 value is globally unique for the enterprise, so that the
Collector can determine which application is represented by the
Application ID by loading the registry out of band.
Along with this Flow Record, a new Options Template Record would be
exported, as shown in Section 6.8.
6.6. Example 6: Layer 7 Application with Private Enterprise Number
(PEN)
In this example, the layer 7 Webex traffic from Example 5 above have
been classified by enterprise X. The exported records have been
received by enterprise Y's mediation device, which wishes to forward
them to a top-level Collector.
In order for the top-level Collector to know that the records were
classified by enterprise X, the enterprise Y mediation device must
report the records using the PANA-L7-PEN Classification Engine ID
with enterprise X's Private Enterprise Number.
The PANA-L7-PEN Classification Engine ID is 20, and enterprise X's
Selector ID for Webex traffic has the value of 10000. From Table 2
the Selector ID length is 3 for the PANA-L7-PEN Engine ID.
Therefore, the Application ID is encoded as:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 20 | enterprise ID = X ...|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|...Ent.ID.contd| 10000 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The format '20..X..10000' is used for simplicity in the examples
below.
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- ipDiffServCodePoint (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above Template Record
may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
ipDiffServCodePoint=0,
applicationId='20..X..10000',
octetTotalCount=123456 }
The 10000 value is globally unique for enterprise X, so that the
Collector can determine which application is represented by the
Application ID by loading the registry out of band.
Along with this Flow Record, a new Options Template Record would be
exported, as shown in Section 6.8.
6.7. Example: Port Obfuscation
For example, an HTTP server might run on a TCP port 23 (assigned to
telnet in [IANA-PORTS]). If the Metering Process is capable of
detecting HTTP in the same case, the Application ID representation
must contain HTTP. However, if the reporting application wants to
determine whether or not the default HTTP port 80 or 8080 was used,
the transport ports (sourceTransportPort and destinationTransportPort
at [IANA-IPFIX]) must also be exported in the corresponding IPFIX
record.
In the case of a standardized IANA layer 4 port, the Classification
Engine ID (PANA-L4) is 3, and the Selector ID has the value of 80 for
HTTP (see [IANA-PORTS]). From Table 2 the Selector ID length is 2
for the PANA-L4 Engine ID.
Therefore, the Application ID is encoded as:
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 3 | 80 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Exporting Process creates a Template Record with a few
Information Elements: amongst other things, the Application ID. For
example:
- sourceIPv4Address (key field)
- destinationIPv4Address (key field)
- protocol (key field)
- destinationTransportPort (key field)
- applicationId (key field)
- octetTotalCount (non-key field)
For example, a Flow Record corresponding to the above
Template Record may contain:
{ sourceIPv4Address=192.0.2.1,
destinationIPv4Address=192.0.2.2,
protocol=17,
destinationTransportPort=23,
applicationId='3..80',
octetTotalCount=123456 }
The Collector has all the required information to determine that the
application is HTTP, but runs on port 23.
6.8. Example: Application Name Mapping Options Template
Along with the Flow Records shown in the above examples, a new
Options Template Record should be exported to express the Application
Name and Application Description associated with each Application ID.
The Options Template Record contains the following Information
Elements:
1. Scope = applicationId.
From RFC 5101: The scope, which is only available
in the Options Template Set, gives the context of
the reported Information Elements in the Data
Records.
2. applicationName.
3. applicationDescription.
The Options Data Record associated with the examples above
would contain, for example:
{ scope=applicationId='2..90',
applicationName="foo",
applicationDescription="The foo protocol",
scope=applicationId='13..10000',
applicationName="webex",
applicationDescription="Webex application" }
scope=applicationId='20..X..10000',
applicationName="webex",
applicationDescription="Webex application" }
When combined with the example Flow Records above, these Options
Template Records tell the Collector:
1. A flow of 123456 bytes exists from sourceIPv4Address 192.0.2.1 to
destinationIPv4address 192.0.2.2 with an applicationId of
'12..90', which maps to the "foo" application.
2. A flow of 123456 bytes exists from sourceIPv4Address 192.0.2.1 to
destinationIPv4address 192.0.2.2 with an Application ID of
'13..10000', which maps to the "Webex" application.
3. A flow of 123456 bytes exists from sourceIPv4Address 192.0.2.1 to
destinationIPv4address 192.0.2.2 with an Application ID of
'20..PEN..10000', which maps to the "Webex" application, according
to the application registry from the enterprise X.
6.9. Example: Attributes Values Options Template Record
Along with the Flow Records shown in the above examples, a new
Options Template Record is exported to express the values of the
different attributes related to the Application IDs.
The Options Template Record would contain the following Information
Elements:
1. Scope = applicationId.
From RFC 5101: The scope, which is only available in the Options
Template Set, gives the context of the reported Information
Elements in the Data Records.
2. applicationCategoryName.
3. applicationSubCategoryName.
4. applicationGroupName
5. p2pTechnology
6. tunnelTechnology
7. encryptedTechnology
The Options Data Record associated with the examples above would
contain, for example:
{ scope=applicationId='2..90',
applicationCategoryName="foo-category",
applicationSubCategoryName="foo-subcategory",
applicationGroupName="foo-group",
p2pTechnology=NO
tunnelTechnology=YES
encryptedTechnology=NO
When combined with the example Flow Records above, these Options
Template Records tell the Collector:
A flow of 123456 bytes exists from sourceIPv4Address 192.0.2.1 to
destinationIPv4address 192.0.2.2 with a DSCP value of 0 and an
applicationId of '12..90', which maps to the "foo" application. This
application can be characterized by the relevant attributes values.
7. IANA Considerations
7.1. New Information Elements
This document specifies 10 new IPFIX Information Elements:
applicationDescription, applicationId, applicationName,
classificationEngineId, applicationCategoryName,
applicationSubCategoryName, applicationGroupName, p2pTechnology,
tunnelTechnology, and encryptedTechnology.
The new Information Elements listed below have been added to the
IPFIX Information Element registry at [IANA-IPFIX].
7.1.1. applicationDescription
Name: applicationDescription
Description:
Specifies the description of an application.
Abstract Data Type: string
Data Type Semantics:
ElementId: 94
Status: current
7.1.2. applicationId
Name: applicationId
Description:
Specifies an Application ID.
Abstract Data Type: octetArray
Data Type Semantics: identifier
Reference: See Section 4 of [RFC6759]
for the applicationId Information Element Specification.
ElementId: 95
Status: current
7.1.3. applicationName
Name: applicationName
Description:
Specifies the name of an application.
Abstract Data Type: string
Data Type Semantics:
ElementId: 96
Status: current
7.1.4. classificationEngineId
Name: classificationEngineId
Description:
A unique identifier for the engine that determined the
Selector ID. Thus, the Classification Engine ID defines
the context for the Selector ID. The Classification
Engine can be considered as a specific registry for
application assignments.
Initial values for this field are listed below. Further
values may be assigned by IANA in the Classification
Engine IDs registry per Section 7.2.
0 Invalid.
1 IANA-L3: The Assigned Internet Protocol Number
(layer 3 (L3)) is exported in the Selector ID. See
http://www.iana.org/assignments/protocol-numbers.
2 PANA-L3: Proprietary layer 3 definition. An
enterprise can export its own layer 3 protocol
numbers. The Selector ID has a global significance
for all devices from the same enterprise.
3 IANA-L4: The IANA layer 4 (L4) well-known port
number is exported in the Selector ID. See [IANA-PORTS].
Note: as an IPFIX flow is unidirectional,
it contains the destination port.
4 PANA-L4: Proprietary layer 4 definition. An
enterprise can export its own layer 4 port
numbers. The Selector ID has global significance
for devices from the same enterprise. Example:
IPFIX was pre-assigned port 4739 using the IANA
early allocation process [RFC4020] years before the
document was published as an RFC. While waiting for
the RFC and it associated IANA registration,
Selector ID 4739 was used with this PANA-L4.
5 Reserved
6 USER-Defined: The Selector ID represents
applications defined by the user (using CLI, GUI,
etc.) based on the methods described in Section 2.
The Selector ID has a local significance per
device.
7 Reserved
8 Reserved
9 Reserved
10 Reserved
11 Reserved
12 PANA-L2: Proprietary layer 2 (L2) definition. An
enterprise can export its own layer 2 identifiers.
The Selector ID represents the enterprise's unique
global layer 2 applications. The Selector ID has a
global significance for all devices from the same
enterprise. Examples include the Cisco Subnetwork
Access Protocol (SNAP).
13 PANA-L7: Proprietary layer 7 definition. The
Selector ID represents the enterprise's unique
global ID for layer 7 applications. The
Selector ID has a global significance for all
devices from the same enterprise. This
Classification Engine ID is used when the
application registry is owned by the Exporter
manufacturer (referred to as the "enterprise" in
this document).
14 Reserved
15 Reserved
16 Reserved
17 Reserved
18 ETHERTYPE: The Selector ID represents the well-
known Ethertype. See [ETHERTYPE].
19 LLC: The Selector ID represents the well-known
IEEE 802.2 Link Layer Control (LLC) Destination
Service Access Point (DSAP). See [LLC].
20 PANA-L7-PEN: Proprietary layer 7 definition,
including a Private Enterprise Number (PEN) [IANA-PEN]
to identify that the application registry being
used is not owned by the Exporter manufacturer or to
identify the original enterprise in the case of a
mediator or 3rd party device. The Selector ID represents
the enterprise unique global ID for layer 7
applications. The Selector ID has a global
significance for all devices from the same
enterprise.
Some values (5, 7, 8, 9, 10, 11, 14, 15, 16, and 17),
are reserved to be compliant with existing
implementations already using the
classificationEngineId.
Abstract Data Type: unsigned8
Data Type Semantics: identifier
ElementId: 101
Status: current
7.1.5. applicationCategoryName
Name: applicationCategoryName
Description:
An attribute that provides a first-level categorization for
each Application Id.
Abstract Data Type: string
Data Type Semantics:
ElementId: 372
Status: current
7.1.6. applicationSubCategoryName
Name: applicationSubCategoryName
Description:
An attribute that provides a second-level categorization
for each Application Id.
Abstract Data Type: string
Data Type Semantics:
ElementId: 373
Status: current
7.1.7. applicationGroupName
Name: applicationGroupName
Description:
An attribute that groups multiple Application IDs that
belong to the same networking application.
Abstract Data Type: string
Data Type Semantics:
ElementId: 374
Status: current
7.1.8. p2pTechnology
Name: p2pTechnology
Description:
Specifies if the Application ID is based on peer-to-peer
technology. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
EID 3909 (Verified) is as follows:Section: 7.1.8
Original Text:
Description:
Specifies if the Application ID is based on peer-to-peer
technology. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Corrected Text:
Description:
Specifies if the Application ID is based on peer-to-peer
technology. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
Notes:
Added clarifying text. The difference between a quoted and unquoted digit (1 vs "1") is extremely subtle and easily missed.
See, for example, http://www.ietf.org/mail-archive/web/ipfix/current/msg07151.html.
Abstract Data Type: string
Data Type Semantics:
ElementId: 288
Status: current
7.1.9. tunnelTechnology
Name: tunnelTechnology
Description:
Specifies if the Application ID is used as a tunnel technology.
Possible values are { "yes", "y", 1 }, { "no", "n", 2 },
and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
EID 3910 (Verified) is as follows:Section: 7.1.9
Original Text:
Description:
Specifies if the Application ID is used as a tunnel technology.
Possible values are { "yes", "y", 1 }, { "no", "n", 2 },
and { "unassigned", "u", 0 }.
Corrected Text:
Description:
Specifies if the Application ID is used as a tunnel technology.
Possible values are { "yes", "y", 1 }, { "no", "n", 2 },
and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
Notes:
Added clarifying text. The difference between a quoted and unquoted digit (1 vs "1") is extremely subtle and easily missed.
See, for example, http://www.ietf.org/mail-archive/web/ipfix/current/msg07151.html.
Abstract Data Type: string
Data Type Semantics:
ElementId: 289
Status: current
7.1.10. encryptedTechnology
Name: encryptedTechnology
Description:
Specifies if the Application ID is an encrypted networking
protocol. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
EID 3911 (Verified) is as follows:Section: 7.1.10
Original Text:
Description:
Specifies if the Application ID is an encrypted networking
protocol. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Corrected Text:
Description:
Specifies if the Application ID is an encrypted networking
protocol. Possible values are { "yes", "y", 1 },
{ "no", "n", 2 }, and { "unassigned", "u", 0 }.
Note that 0, 1, and 2 above are integer values; as UTF-8
characters they are U+0000(NUL), U+0001(SOH), and U+0002(STX).
WARNING: the overloading of a string value with an integer
representation that can take the value 0 requires careful
handling on collectors and exporters which use this value
to signify the end of a string.
Notes:
Added clarifying text. The difference between a quoted and unquoted digit (1 vs "1") is extremely subtle and easily missed.
See, for example, http://www.ietf.org/mail-archive/web/ipfix/current/msg07151.html.
Abstract Data Type: string
Data Type Semantics:
ElementId: 290
Status: current
7.2. Classification Engine ID Registry
The Information Element #101, named classificationEngineId, carries
information about the context for the Selector ID, and can be
considered as a specific registry for application assignments. For
ensuring extensibility of this information, IANA has created a new
registry for Classification Engine IDs and filled it with the initial
list from the description Information Element #101,
classificationEngineId, along with their respective default lengths
(Table 2 in this document).
New assignments for Classification Engine IDs will be administered by
IANA through Expert Review [RFC5226], i.e., review by one of a group
of experts designated by an IETF Area Director. The group of experts
must double-check the new definitions with already defined
Classification Engine IDs for completeness, accuracy, and redundancy.
The specification of Classification Engine IDs MUST be published
using a well-established and persistent publication medium.
8. Security Considerations
The same security considerations as for the IPFIX protocol [RFC5101]
apply. The IPFIX extension specified in this memo allows to identify
what applications are used on the network. Consequently, it is
possible to identify what applications are being used by the users,
potentially threatening the privacy of those users, if not handled
with great care.
As mentioned in Section 1.1, the application knowledge is useful in
security based applications. Security applications may impose
supplementary requirements on the export of application information,
and these need to be examined on a case by case basis.
9. References
9.1. Normative References
[ETHERTYPE] IEEE, <http://standards.ieee.org/develop/regauth/
ethertype/eth.txt>.
[IANA-PEN] IANA, "PRIVATE ENTERPRISE NUMBERS",
<http://www.iana.org/assignments/enterprise-numbers>.
[IANA-PORTS] IANA, "Service Name and Transport Protocol Port Number
Registry",
<http://www.iana.org/assignments/port-numbers>.
[IANA-PROTO] IANA, "Protocol Numbers",
<http://www.iana.org/assignments/protocol-numbers>.
[LLC] IEEE, "LOGICAL LINK CONTROL (LLC) PUBLIC LISTING",
<http://standards.ieee.org /develop/regauth/llc
/public.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5101] Claise, B., Ed., "Specification of the IP Flow
Information Export (IPFIX) Protocol for the Exchange of
IP Traffic Flow Information", RFC 5101, January 2008.
[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
Meyer, "Information Model for IP Flow Information
Export", RFC 5102, January 2008.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
9.2. Informative References
[CISCO-APPLICATION-REGISTRY]
Cisco, "Application Registry",
<http://www.cisco.com/go/application_registry>.
[IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities",
<http://www.iana.org/assignments/ipfix>.
[LLDP] IEEE, Std 802.1AB-2005, "Standard for Local and
metropolitan area networks - Station and Media Access
Control Connectivity Discovery", IEEE Std 802.1AB-2005
IEEE Std, 2005.
[RFC792] Postel, J., "Internet Control Message Protocol", STD 5,
RFC 792, September 1981.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
"Requirements for IP Flow Information Export (IPFIX)",
RFC 3917, October 2004.
[RFC3954] Claise, B., Ed., "Cisco Systems NetFlow Services Export
Version 9", RFC 3954, October 2004.
[RFC4020] Kompella, K. and A. Zinin, "Early IANA Allocation of
Standards Track Code Points", BCP 100, RFC 4020,
February 2005.
[RFC5103] Trammell, B. and E. Boschi, "Bidirectional Flow Export
Using IP Flow Information Export (IPFIX)", RFC 5103,
January 2008.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export", RFC 5470,
March 2009.
[RFC5471] Schmoll, C., Aitken, P., and B. Claise, "Guidelines for
IP Flow Information Export (IPFIX) Testing", RFC 5471,
March 2009.
[RFC5473] Boschi, E., Mark, L., and B. Claise, "Reducing
Redundancy in IP Flow Information Export (IPFIX) and
Packet Sampling (PSAMP) Reports", RFC 5473, March 2009.
[RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet
Sampling (PSAMP) Protocol Specifications", RFC 5476,
March 2009.
[RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
Carle, "Information Model for Packet Sampling Exports",
RFC 5477, March 2009.
[RFC5353] Xie, Q., Stewart, R., Stillman, M., Tuexen, M., and A.
Silverton, "Endpoint Handlespace Redundancy Protocol
(ENRP)", RFC 5353, September 2008.
[RFC5811] Hadi Salim, J. and K. Ogawa, "SCTP-Based Transport
Mapping Layer (TML) for the Forwarding and Control
Element Separation (ForCES) Protocol", RFC 5811, March
2010.
[RFC6183] Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi,
"IP Flow Information Export (IPFIX) Mediation:
Framework", RFC 6183, April 2011.
[RFC6313] Claise, B., Dhandapani, G., Aitken, P., and S. Yates,
"Export of Structured Data in IP Flow Information Export
(IPFIX)", RFC 6313, July 2011.
10. Acknowledgements
The authors would like to thank their many colleagues across Cisco
Systems who made this work possible. Specifically, Patrick Wildi for
his time and expertise.
Appendix A. Additions to XML Specification of IPFIX Information
Elements (Non-normative)
This appendix contains additions to the machine-readable description
of the IPFIX information model coded in XML in Appendix A and
Appendix B in [RFC5102]. Note that this appendix is of informational
nature, while the text in Section 7 (generated from this appendix) is
normative.
The following field definitions are appended to the IPFIX information
model in Appendix A of [RFC5102].
<field name="applicationDescription"
dataType="string"
group="application"
elementId="94" applicability="all"
status="current">
<description>
<paragraph>
Specifies the description of an application.
</paragraph>
</description>
</field>
<field name="applicationId"
dataType="octetArray"
group="application"
dataTypeSemantics="identifier"
elementId="95" applicability="all"
status="current">
<description>
<paragraph>
Specifies an Application ID.
</paragraph>
</description>
<reference>
<paragraph>
See Section 4 of [RFC6759]
for the applicationId Information Element
Specification.
</paragraph>
</reference>
</field>
<field name="applicationName"
dataType="string"
group="application"
elementId="96" applicability="all"
status="current">
<description>
<paragraph>
Specifies the name of an application.
</paragraph>
</description>
</field>
<field name="classificationEngineId"
dataType="unsigned8"
group="application"
dataTypeSemantics="identifier"
elementId="101" applicability="all"
status="current">
<description>
<paragraph>
0 Invalid.
1 IANA-L3: The Assigned Internet Protocol Number
(layer 3 (L3)) is exported in the Selector ID.
See http://www.iana.org/assignments/protocol-
numbers.
2 PANA-L3: Proprietary layer 3 definition. An
enterprise can export its own layer 3 protocol
numbers. The Selector ID has a global
significance for all devices from the same
enterprise.
3 IANA-L4: The IANA layer 4 (L4) well-known port
number is exported in the Selector ID. See
[IANA-PORTS]. Note: as an IPFIX flow is
unidirectional, it contains the destination
port.
4 PANA-L4: Proprietary layer 4 definition. An
enterprise can export its own layer 4 port
numbers. The Selector ID has global
significance for devices from the same
enterprise. Example: IPFIX was pre-assigned
port 4739 using the IANA early allocation
process [RFC4020] years before the document was
published as an RFC. While waiting for the
RFC and its associated IANA registration,
Selector ID 4739 was used with this PANA-L4.
5 Reserved
6 USER-Defined: The Selector ID represents
applications defined by the user (using CLI,
GUI, etc.) based on the methods described in
Section 2. The Selector ID has a local
significance per device.
7 Reserved
8 Reserved
9 Reserved
10 Reserved
11 Reserved
12 PANA-L2: Proprietary layer 2 (L2) definition.
An enterprise can export its own layer 2
identifiers. The Selector ID represents the
enterprise's unique global layer 2
applications. The Selector ID has a global
significance for all devices from the same
enterprise. Examples include the Cisco Subnetwork
Access Protocol (SNAP).
13 PANA-L7: Proprietary layer 7 definition. The
Selector ID represents the enterprise's unique
global ID for layer 7 applications. The
Selector ID has a global significance for all
devices from the same enterprise. This
Classification Engine ID is used when the
application registry is owned by the Exporter
manufacturer (referred to as the "enterprise"
in this document).
14 Reserved
15 Reserved
16 Reserved
17 Reserved
18 ETHERTYPE: The Selector ID represents the
well-known Ethertype. See [ETHERTYPE].
19 LLC: The Selector ID represents the well-known
IEEE 802.2 Link Layer Control (LLC)
Destination Service Access Point (DSAP). See
[LLC].
20 PANA-L7-PEN: Proprietary layer 7 definition,
including a Private Enterprise Number (PEN)
[IANA-PEN] to identify that the application
registry being used is not owned by the
Exporter manufacturer or to identify the
original enterprise in the case of a mediator
or 3rd party device. The Selector ID represents
the enterprise unique global ID for layer 7
applications. The Selector ID has a global
significance for all devices from the same
enterprise.
</paragraph>
</description>
</field>
<field name="applicationCategoryName"
dataType="string"
group="application"
elementId="372"
applicability="all"
status="current">
<description>
<paragraph>
An attribute that provides a first-level categorization
for each Application Id.
</paragraph>
</description>
</field>
<field name="applicationSubCategoryName"
dataType="string"
group="application"
elementId="373"
applicability="all"
status="current">
<description>
<paragraph>
An attribute that provides a second-level
categorization for each Application ID.
</paragraph>
</description>
</field>
<field name="applicationGroupName"
dataType="string"
group="application"
elementId="374"
applicability="all"
status="current">
<description>
<paragraph>
An attribute that groups multiple Application IDs
that belong to the same networking application.
</paragraph>
</description>
</field>
<field name="p2pTechnology"
dataType="string"
group="application"
elementId="288"
applicability="all"
status="current">
<description>
<paragraph>
Specifies if the Application ID is based on peer-
to-peer technology. Possible values are
{ "yes", "y", 1 }, { "no", "n", 2 }, and
{ "unassigned", "u", 0 }.
</paragraph>
</description>
</field>
<field name="tunnelTechnology"
dataType="string"
group="application"
elementId="289"
applicability="all"
status="current">
<description>
<paragraph>
Specifies if the Application ID is used as a
tunnel technology. Possible values are
{ "yes", "y", 1 }, { "no", "n", 2 }, and
{ "unassigned", "u", 0 }.
</paragraph>
</description>
</field>
<field name="encryptedTechnology"
dataType="string"
group="application"
elementId="290"
applicability="all"
status="current">
<description>
<paragraph>
Specifies if the Application ID is an encrypted
networking protocol. Possible values are
{ "yes", "y", 1 }, { "no", "n", 2 }, and
{ "unassigned", "u", 0 }.
</paragraph>
</description>
</field>
Appendix B. Port Collisions Tables (Non-normative)
The following table lists the 10 ports that have different protocols
assigned for TCP and UDP (at the time of writing this document):
exec 512/tcp remote process execution;
authentication performed
using passwords and UNIX
login names
comsat/biff 512/udp used by mail system to
notify users of new mail
received; currently
receives messages only from
processes on the same
machine
login 513/tcp remote login a la telnet;
automatic authentication
performed based on
priviledged [sic] port numbers
and distributed data bases
which identify
"authentication domains"
who 513/udp maintains data bases
showing who's logged in to
machines on a local
net and the load average of
the machine
shell 514/tcp cmd
like exec, but automatic
authentication is performed
as for login server
syslog 514/udp
oob-ws-https 664/tcp DMTF out-of-band secure web
services management
protocol
Jim Davis
<[email protected]>
asf-secure-rmcp 664/udp ASF Secure Remote
Management and Control
Protocol
rfile 750/tcp
kerberos-iv 750/udp kerberos version iv
submit 773/tcp
notify 773/udp
rpasswd 774/tcp
acmaint_dbd 774/udp
entomb 775/tcp
acmaint_transd 775/udp
busboy 998/tcp
puparp 998/udp
garcon 999/tcp
applix 999/udp Applix ac
Table 4: Different Protocols on UDP and TCP
The following table lists the 19 ports that have different protocols
assigned for TCP and SCTP (at the time of writing this document):
# 3097/tcp Reserved
itu-bicc-stc 3097/sctp ITU-T Q.1902.1/Q.2150.3
Greg Sidebottom
<[email protected]>
# 5090/tcp <not assigned>
car 5090/sctp Candidate AR
# 5091/tcp <not assigned>
cxtp 5091/sctp Context Transfer Protocol
# 6704/tcp Reserved
frc-hp 6704/sctp ForCES HP (High Priority)
channel [RFC5811]
# 6705/tcp Reserved
frc-mp 6705/sctp ForCES MP (Medium
Priority) channel
[RFC5811]
# 6706/tcp Reserved
frc-lp 6706/sctp ForCES LP (Low Priority)
channel [RFC5811]
# 9082/tcp <not assigned>
lcs-ap 9082/sctp LCS Application Protocol
Kimmo Kymalainen
<[email protected]>
# 9902/tcp <not assigned>
enrp-sctp-tls 9902/sctp enrp/tls server channel
[RFC5353]
# 11997/tcp <not assigned>
# 11998/tcp <not assigned>
# 11999/tcp <not assigned>
wmereceiving 11997/sctp WorldMailExpress
wmedistribution 11998/sctp WorldMailExpress
wmereporting 11999/sctp WorldMailExpress
Greg Foutz
<[email protected]>
# 25471/tcp <not assigned>
rna 25471/sctp RNSAP User Adaptation for
Iurh
Dario S. Tonesi
<[email protected]>
07 February 2011
# 29118/tcp Reserved
sgsap 29118/sctp SGsAP in 3GPP
# 29168/tcp Reserved
sbcap 29168/sctp SBcAP in 3GPP
# 29169/tcp <not assigned>
iuhsctpassoc 29169/sctp HNBAP and RUA Common
Association
John Meredith
<[email protected]>
08 September 2009
# 36412/tcp <not assigned>
s1-control 36412/sctp S1-Control Plane (3GPP)
Kimmo Kymalainen
<[email protected]>
01 September 2009
# 36422/tcp <not assigned>
x2-control 36422/sctp X2-Control Plane (3GPP)
Kimmo Kymalainen
<[email protected]>
01 September 2009
# 36443/tcp <not assigned>
m2ap 36443/sctp M2 Application Part
Dario S. Tonesi
<[email protected]>
07 February 2011
# 36444/tcp <not assigned>
m3ap 36444/sctp M3 Application Part
Dario S. Tonesi
<[email protected]>
07 February 2011
Table 5: Different Protocols on SCTP and TCP
Appendix C. Application Registry Example (Non-normative)
A reference to the Cisco Systems assigned numbers for the Application
ID and the different attribute assignments can be found at
[CISCO-APPLICATION-REGISTRY].
Authors' Addresses
Benoit Claise
Cisco Systems, Inc.
De Kleetlaan 6a b1
Diegem 1813
Belgium
Phone: +32 2 704 5622
EMail: [email protected]
Paul Aitken
Cisco Systems, Inc.
96 Commercial Quay
Commercial Street
Edinburgh, EH6 6LX
United Kingdom
Phone: +44 131 561 3616
EMail: [email protected]
Nir Ben-Dvora
Cisco Systems, Inc.
32 HaMelacha St.,
P.O. Box 8735, I.Z.Sapir
South Netanya, 42504
Israel
Phone: +972 9 892 7187
EMail: [email protected]