Netflow Rfc
FGYEP, June 6, 2014
Network Working Group                                     B. Claise, Ed.
Request for Comments: 3954                                 Cisco Systems
Category: Informational                                     October 2004
Cisco Systems NetFlow Services Export Version 9
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
IESG Note
This RFC documents the NetFlow services export protocol Version 9 as
it was when submitted to the IETF as a basis for further work in the
IPFIX WG.
This RFC itself is not a candidate for any level of Internet
Standard. The IETF disclaims any knowledge of the fitness of this
RFC for any purpose, and in particular notes that it has not had
complete IETF review for such things as security, congestion control,
or inappropriate interaction with deployed protocols. The RFC Editor
has chosen to publish this document at its discretion.
Abstract
This document specifies the data export format for version 9 of Cisco
Systems' NetFlow services, for use by implementations on the network
elements and/or matching collector programs. The version 9 export
format uses templates to provide access to observations of IP packet
flows in a flexible and extensible manner. A template defines a
collection of fields, with corresponding descriptions of structure
and semantics.
Table of Contents
1. Introduction
2. Terminology
   2.1. Terminology Summary Table
3. NetFlow High-Level Picture on the Exporter
   3.1. The NetFlow Process on the Exporter
   3.2. Flow Expiration
Claise Informational [Page 1]
RFC 3954 Cisco Systems NetFlow Services Export V9 October 2004
   3.3. Transport Protocol
4. Packet Layout
5. Export Packet Format
   5.1. Header Format
   5.2. Template FlowSet Format
   5.3. Data FlowSet Format
6. Options
   6.1. Options Template FlowSet Format
   6.2. Options Data Record Format
7. Template Management
8. Field Type Definitions
9. The Collector Side
10. Security Considerations
   10.1. Disclosure of Flow Information Data
   10.2. Forgery of Flow Records or Template Records
   10.3. Attacks on the NetFlow Collector
11. Examples
   11.1. Packet Header Example
   11.2. Template FlowSet Example
   11.3. Data FlowSet Example
   11.4. Options Template FlowSet Example
   11.5. Data FlowSet with Options Data Records Example
12. References
   12.1. Normative References
   12.2. Informative References
13. Authors
14. Acknowledgments
15. Authors' Addresses
16. Full Copyright Statement
1. Introduction
Cisco Systems' NetFlow services provide network administrators with
access to IP flow information from their data networks. Network
elements (routers and switches) gather flow data and export it to
collectors. The collected data provides fine-grained metering for
highly flexible and detailed resource usage accounting.
A flow is defined as a unidirectional sequence of packets with some
common properties that pass through a network device. These
collected flows are exported to an external device, the NetFlow
collector. Network flows are highly granular; for example, flow
records include details such as IP addresses, packet and byte counts,
timestamps, Type of Service (ToS), application ports, input and
output interfaces, etc.
Exported NetFlow data is used for a variety of purposes, including
enterprise accounting and departmental chargebacks, ISP billing, data
warehousing, network monitoring, capacity planning, application
monitoring and profiling, user monitoring and profiling, security
analysis, and data mining for marketing purposes.
This document specifies NetFlow version 9. It describes the
implementation specifications both from network element and NetFlow
collector points of view. These specifications should help the
deployment of NetFlow version 9 across different platforms and
different vendors by limiting the interoperability risks. The
NetFlow export format version 9 uses templates to provide access to
observations of IP packet flows in a flexible and extensible manner.
A template defines a collection of fields, with corresponding
descriptions of structure and semantics.
The template-based approach provides the following advantages:
- New fields can be added to NetFlow flow records without
changing the structure of the export record format. With
previous NetFlow versions, adding a new field in the flow
record implied a new version of the export protocol format and
a new version of the NetFlow collector that supported the
parsing of the new export protocol format.
- Templates that are sent to the NetFlow collector contain the
structural information about the exported flow record fields;
therefore, if the NetFlow collector does not understand the
semantics of new fields, it can still interpret the flow
record.
- Because the template mechanism is flexible, it allows the
export of only the required fields from the flows to the
NetFlow collector. This helps to reduce the exported flow data
volume and provides possible memory savings for the exporter
and NetFlow collector. Sending only the required information
can also reduce network load.
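The second advantage above, as an added example that is not part of the RFC text: a minimal collector-side decoder that slices data records using only the (type, length) pairs a template supplies, so a field type it has no name for (constructed type 999) is still extracted. The layout it assumes (20-byte header, FlowSet ID 0 for templates, data FlowSet ID equal to the template ID) comes from Sections 5.1 to 5.3 of RFC 3954, which are not reproduced on this page; the function names and the sample packet are constructed for illustration.

```python
import struct
# Subset of the field types from RFC 3954 section 8; other types are left unnamed.
KNOWN = {1: "IN_BYTES", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}

def learn_templates(body, templates):
    """Store each template record as a list of (field type, field length)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * count
        if tid < 256 or count == 0 or end > len(body):
            raise ValueError("malformed template record")
        fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
        if sum(length for _, length in fields) == 0:
            raise ValueError("zero-length template")
        templates[tid], pos = fields, end

def decode_data(body, fields):
    """Slice records by template lengths alone; trailing padding is ignored."""
    size = sum(length for _, length in fields)
    records = []
    for start in range(0, len(body) - size + 1, size):
        rec, pos = {}, start
        for ftype, length in fields:
            rec[KNOWN.get(ftype, f"type_{ftype}")] = body[pos:pos + length]
            pos += length
        records.append(rec)
    return records

def parse_v9(packet, templates):
    """Walk the FlowSets of one export packet, bounds-checking every length."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length out of bounds")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:
            learn_templates(body, templates)
        elif fs_id in templates:  # data for an unknown template is skipped
            records += decode_data(body, templates[fs_id])
        off += fs_len
    return records

# Constructed sample: template 256 = src addr, dst addr, unnamed type 999 (2 bytes), bytes.
TEMPLATE = struct.pack("!HHHH8H", 0, 24, 256, 4, 8, 4, 12, 4, 999, 2, 1, 4)
DATA = struct.pack("!HH4s4sHI2x", 256, 20, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), 0xBEEF, 1500)
SAMPLE = struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0) + TEMPLATE + DATA
```

Calling `parse_v9(SAMPLE, {})` returns one record whose `type_999` value is the raw two bytes; a data FlowSet that arrives before its template yields no records because its layout is unknown.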
The IETF IPFIX (IP Flow Information eXport) Working Group is
developing a new protocol based on version 9 of Cisco Systems'
NetFlow services. Some enhancements in different domains
(congestion-aware transport protocol, built-in security, etc.) have
been incorporated in this new IPFIX protocol. Refer to the IPFIX
Working Group documents for more details.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
2. Terminology
Various terms used in this document are described in this section.
Note that the terminology summary table in Section 2.1 gives a quick
overview of the relationships between some of the different terms
defined.
Observation Point
An Observation
...