YANG Model for Data Export over IP Flow Information Export (IPFIX) Protocol

Internet-Draft

Authors:
  Anand Arokiaraj, Nokia <anand.arokiaraj@nokia.com>
  Marta Seda, Calix <marta.seda@calix.com>
Abstract

This document defines a YANG model for data export via the IP Flow Information Export (IPFIX) protocol. The YANG model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in RFC 8342.

Introduction

A device may export statistics and other data for consumption by a collector. An operator may wish to take that data and analyze it for trend analysis or other purposes (e.g., collect octet counts every 5 minutes for service level agreement purposes, or collect reported device temperature for network health purposes). This data can be streamed using the IPFIX protocol to an IPFIX collector that feeds analytics tools. The IPFIX protocol may be used to transport data such as:

* Statistics from interfaces and sessions: YANG models define statistics that can be retrieved via protocols such as NETCONF or RESTCONF.
* State data that can be used to correlate the statistics.

This document defines a YANG data model for the management of IPFIX exporting processes and templates. The data model includes configuration data and state data (status information and counters for the collection of statistics). This data model is inspired by the Configuration Data Model for the IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Protocols defined in RFC 6728.

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 (RFC 2119, RFC 8174) when, and only when, they appear in all capitals, as shown here.

The following terms that are defined in RFC 7011 are not redefined here:
* Observation Domain
* Exporting Process
* Exporter
* IPFIX Device
* Collecting Process
* Collector
* Template
* IPFIX Message
* Template Record
* Data Record
* Options Template Record
* Set
* Template Set
* Options Template Set
* Data Set
* Information Element
* Transport Session

Tree Diagrams

Tree diagrams used in this document follow the notation defined in RFC 8340.

Objectives

This section describes some of the design objectives for the model presented in this document.

* The model should focus purely on the requirements of a data export mechanism and not involve packet sampling, selection, or the collecting process.
* References to physical and logical interfaces should be as simple as possible (e.g., through a leafref).
* The model should support TLS over TCP, a reliable and secure transport mechanism.
* The data model should provide sufficient state and statistics information for a network operator to monitor the individual transport sessions.
* The state information for templates and Information Element (IE) identifiers should carry enough reference data to correlate it with the configuration.
Structure of the Configuration Data Model

The data exporter decomposition (see the corresponding figure) shows the main components of the model that are involved in data export. The data model uses a list of templates, each identified by a unique name. Each template in turn refers to one or more exporting processes that will use the template for data export. In a device that has a resource instance capable of reporting data through IPFIX, a data template is created and applied to that resource instance.

The data model also uses a list of exporting processes that contains various TCP exporter related parameters and the export destinations. Each exporting-process is identified by a unique name. An exporting-process also maintains the state and statistics data for each of its transport sessions.

Configuration and State Parameters

This section specifies the configuration and state parameters of the configuration data model separately for each list.

Exporting Process List

The exporting process list specifies destinations to which the state and statistics data are to be exported. Each destination contains an exporter. The order in which destination instances appear has a specific meaning only if the export-mode parameter is set to "fallback".

The exporting process list also contains the identifier of the exporting process (exporting-process-id). This parameter corresponds to the Information Element exportingProcessId. Its presence helps to associate exporting process reliability statistics, exported according to the IPFIX protocol specification, with the corresponding entry of the exporting process list.

The exporting process parameters are defined as follows:
enabled
Enables the exporting-process to begin exporting data.
export-mode
Determines to which configured destination(s) the incoming data records are exported. The following parameter values are specified by the configuration data model:
parallel: every data record is exported to all configured destinations in parallel
load-balancing: every data record is exported to exactly one configured destination according to a device-specific load-balancing policy
fallback: every data record is exported to exactly one configured destination according to the fallback policy described below
If export-mode is set to "fallback", the first destination instance defines the primary destination, the second destination instance defines the secondary destination, and so on. If the exporting process fails to export data records to the primary destination, it tries to export them to the secondary one. If the secondary destination fails as well, it continues with the tertiary, etc.

The reporting of information with options templates is defined with objects of the options list.

Exporter Subtree

The exporter subtree contains the configuration parameters of a TCP export destination. Transport Layer Security (TLS) SHOULD be used unless the data is not sensitive and is transported over a closed network. TLS is enabled and configured for an export destination using the "ietf-tls-client" module defined in I-D.ietf-netconf-tls-client-server. The transport session subtree is specified in its own section below.

Options List

The options list defines the type of specific information to be reported, such as statistics and filtering parameters, and specifies several types of reporting information that may be exported. The following parameter values are specified by the configuration data model:
exporting-reliability
Export of exporting process reliability statistics using the exporting process reliability statistics options template (RFC 7011, Section 4.3).
accuracy
Export of accuracy report interpretation .
reducing-redundancy
Enables the utilization of options templates to reduce redundancy in the exported data records according to RFC 5473. The exporting process decides when to apply these options templates.
extended-type-information
Export of extended type information for enterprise-specific information elements used in the exported templates (RFC 5610).

The exporting process MUST choose a template definition according to the options type and the available options data. The options-timeout parameter specifies the reporting interval (in milliseconds) for periodic export of the options data. A value of zero means that the export of the options data is not triggered periodically but whenever the available options data has changed. This is the typical setting for the options types accuracy and reducing-redundancy. If options-timeout is not configured by the user, it is set by the monitoring device.

Security Subtree

RFC 7011 mandates strong mutual authentication of exporting processes, as follows. The security subtree is used in the exporting process's destination list to enable and configure TLS for IPFIX. If TLS is enabled, the endpoint uses TLS over TCP, since TCP is the transport protocol in this model. To prevent on-path attacks by impostor collecting processes, and to prevent the export of data to an unauthorized collecting process, strong mutual authentication via asymmetric keys MUST be used for TLS. This model uses the TLS client part of the TLS client/server YANG model being defined in I-D.ietf-netconf-tls-client-server.

Transport Session Subtree

The transport session subtree contains state data about transport sessions originating from an exporting process. The parameters might appear to duplicate the configuration parameters, but the configuration might contain only one or none of the data corresponding to the state parameters listed here. The following attributes are supported:
source-address, destination-address
Source-address contains the IP address of the exporter, and destination-address contains the IP addresses of the collector.
source-port, destination-port
These state parameters contain the transport-protocol port numbers of the exporter and the collector of the transport session.
status
Status of the transport session, which can be one of the following:
inactive: transport session is established, but no IPFIX messages are currently transferred (e.g., because this is a backup (secondary) session)
active: transport session is established and transfers IPFIX messages
unknown: transport session status cannot be determined.
rate
The number of bytes per second transmitted by the exporting process.
bytes, messages, data-records, templates, options-templates
The number of bytes, IPFIX messages, data records, template records, and options template records transmitted by the exporting process in this specific transport session. Discontinuities in the values of these counters can occur at re-initialization of the management system, and at other times as indicated by the value of discontinuity-time.
discarded-messages
This parameter indicates the number of messages that could not be sent due to internal buffer overflows, network congestion, routing issues, etc.Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of discontinuity-time.
start-time
Timestamp of the start of the given transport session.
discontinuity-time
Timestamp of the most recent occasion at which one or more of the transport session counters suffered a discontinuity. The time is absolute.
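The following added example (not part of the draft or its YANG module) ties together the exporting process list, the exporter subtree, the security subtree and the transport session status values above. It builds a constructed instance of the ipfix-data-export configuration, checks the constraints the text states (export-mode identities, at least one destination, retry-schedule of at least 60 seconds, the RFC 7011 default ports 4739 and 4740 depending on whether TLS is configured, and mutual TLS authentication), and simulates which destinations receive a Data Record under each export-mode together with the transport-session status each destination would report. The child names inside the "security" container ("client-identity", "server-authentication") are assumed from the ietf-tls-client grouping and may differ in a given revision of that draft; the round-robin load-balancing policy is likewise an assumption, since the model leaves that policy device-specific.

```python
"""Added example: ipfix-data-export instance checks and export-mode simulation."""

IPFIX_PORT_PLAIN = 4739   # RFC 7011 default for IPFIX over TCP without TLS
IPFIX_PORT_TLS = 4740     # RFC 7011 default when TLS is used
EXPORT_MODES = ("parallel", "load-balancing", "fallback")

# Constructed configuration instance (keys follow the ietf-ipfix-data-export
# module; the contents of "security" are assumed ietf-tls-client names).
CONFIG = {
    "ietf-ipfix-data-export:ipfix-data-export": {
        "exporting-process": [{
            "name": "ep-main",
            "enabled": True,
            "export-mode": "fallback",
            "destination": [   # ordered-by user: the first entry is the primary
                {"name": "primary", "exporter": {
                    "destination": {"destination-address": "collector1.example.net"},
                    "retry-schedule": 120,
                    "security": {"client-identity": {"certificate": "exporter-cert"},
                                 "server-authentication": {"ca-certs": "collector-ca"}}}},
                {"name": "secondary", "exporter": {
                    "destination": {"destination-address": "192.0.2.10"},
                    "destination-port": 4740,
                    "security": {"client-identity": {"certificate": "exporter-cert"},
                                 "server-authentication": {"ca-certs": "collector-ca"}}}},
            ],
        }],
    }
}


def effective_port(exporter):
    """destination-port if configured, else the RFC 7011 default, which
    depends on whether the security (TLS) container is present."""
    if "destination-port" in exporter:
        return exporter["destination-port"]
    return IPFIX_PORT_TLS if "security" in exporter else IPFIX_PORT_PLAIN


def validate_exporting_process(ep, closed_network=False):
    """Return the violations of the constraints stated in the model text;
    an empty list means the exporting process is acceptable."""
    problems = []
    if ep.get("export-mode", "fallback") not in EXPORT_MODES:   # default 'fallback'
        problems.append(f"unknown export-mode {ep.get('export-mode')!r}")
    dests = ep.get("destination", [])
    if not dests:                                               # min-elements 1
        problems.append("at least one destination is required")
    for d in dests:
        exp = d.get("exporter", {})
        if not exp.get("destination"):                          # mandatory choice
            problems.append(f"{d['name']}: destination address is mandatory")
        rs = exp.get("retry-schedule")
        if rs is not None and rs < 60:                          # range "60..max"
            problems.append(f"{d['name']}: retry-schedule {rs} below 60 s")
        sec = exp.get("security")
        if sec is None:
            if not closed_network:                              # TLS SHOULD be used
                problems.append(f"{d['name']}: TLS not configured on an open network")
        else:
            # RFC 7011 requires strong mutual authentication: the exporter must
            # present its own identity and verify the collector's certificate.
            for part in ("client-identity", "server-authentication"):
                if part not in sec:
                    problems.append(f"{d['name']}: security lacks {part}")
    return problems


def select_destinations(mode, ordered, failed=frozenset(), record_index=0):
    """Destinations that receive one Data Record under the given export-mode.
    'ordered' is the user-ordered destination name list; 'failed' names
    destinations whose transport session is currently down."""
    alive = [d for d in ordered if d not in failed]
    if mode == "parallel":
        return alive                        # every record to all destinations
    if mode == "load-balancing":            # device-specific policy: round-robin (assumption)
        return [alive[record_index % len(alive)]] if alive else []
    if mode == "fallback":
        return alive[:1]                    # first reachable destination in user order
    raise ValueError(f"unknown export-mode {mode!r}")


def session_status(mode, ordered, failed=frozenset()):
    """Transport session 'status' per destination: fallback secondaries are
    established but idle, which is the 'inactive' value in the model."""
    if mode == "fallback":
        active = set(select_destinations(mode, ordered, failed))
    else:
        active = {d for d in ordered if d not in failed}
    return {d: "active" if d in active else "inactive" for d in ordered}


if __name__ == "__main__":
    ep = CONFIG["ietf-ipfix-data-export:ipfix-data-export"]["exporting-process"][0]
    print("problems:", validate_exporting_process(ep))
    names = [d["name"] for d in ep["destination"]]
    print("fallback, primary down:", select_destinations("fallback", names, {"primary"}))
    print("status:", session_status("fallback", names))
```

Run it as a script to see the constructed instance pass validation and the fallback selection move to the secondary when the primary is marked failed; a destination without a "security" container is reported unless the caller asserts a closed network, matching the SHOULD in the exporter subtree text.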
Note that the values of the state parameters destination-address and destination-port match the values of the configuration parameters destination-address and destination-port of the exporter when those are present.

The transport session subtree includes a template list that contains the state and statistics about the templates transmitted on the given transport session. The template list is specified in the next section.

Template State List

The template list contains state data about templates used by an exporting process in a specific transport session. A template may be part of more than one exporting process, so the template state node is maintained separately for every exporting process. The field list contains the state data about the Information Elements (IEs) of the template.

The exporting process may modify the data being exported to enable more efficient transmission or storage, under the condition that no information is changed or suppressed. For example, the exporting process may shorten the length of a field according to the rules of reduced-size encoding (RFC 7011, Section 6.2). The exporting process may also export certain fields in a separate data record, as described in RFC 5473. Hence the need for some data to be maintained separately in the state node even though it is also part of the configuration node.
observation-domain-id
The identifier of the observation domain for which this template is defined.
id
This number indicates the template identifier in the IPFIX Message.
set-id
This number indicates the set identifier of this template. Currently, two values are defined (RFC 7011, Section 3.3.2): the value 2 is used for sets containing template definitions, and the value 3 is used for sets containing options template definitions.
access-time
This parameter contains the time when this (Options) Template was last sent to the Collector.
data-records
The number of transmitted data records exported by this (options) template in this particular transport-session since the (options) template was defined.
discontinuity-time
Timestamp of the most recent occasion at which the counter data-records suffered a discontinuity. The time is absolute.
ie-id, ie-length, ie-enterprise-number
Information Element identifier, length, and enterprise number of a field in the exported template. If this is not an enterprise-specific Information Element, ie-enterprise-number is zero.
is-scope
If this state parameter is present, this is a scope field. This parameter is only available for options templates (i.e., if setId is 3).
Template List

The template list specifies the data template to be applied to a resource or set of resources. The template list is mapped to a list of exporting processes that use the template to export data, and it provides state information about the template records across all exporting processes. The following attributes are supported:
enabled
Enables the template so that specified data may be exported.
export-interval
The interval (in seconds) for periodical export of data records.
observation-domain-id
The Observation Domain identifier, which is locally unique to an Exporting Process.
field-layout
The IPFIX template to be applied to the resource. The following attributes are configurable:
ie-id: Identifies the Information Element identifier.
ie-enterprise-number: Identifies the private enterprise number of the authority defining the Information Element. If 0, the Information Element is IANA-registered.
ie-length: Identifies the length of the Information Element.
exporting-process
A template may be mapped to one or more exporting-process instances.
resource
A template may be applied to one or more resource instances (e.g., different interface instances on a line card).
The following state information is available:
data-records
Reports the number of data records generated for this data template across all exporting processes.
discontinuity-time
Timestamp of the most recent occasion at which the counter data records suffered a discontinuity.
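The template state list and the template list above describe the same template from two sides: the configured field-layout (ie-id, ie-enterprise-number, ie-length) and the state the device reports after emitting it (set-id 2 or 3, template id, observation-domain-id, and is-scope on options templates). The following added example, which is not part of the draft or of its YANG module, encodes a constructed field-layout into an IPFIX Template Set and Options Template Set as laid out in RFC 7011 Sections 3.1 through 3.4 (enterprise bit and PEN for enterprise-specific IEs, scope fields first with a Scope Field Count) and decodes the resulting message back into entries shaped like the template state list, so the two views can be correlated. The Information Element numbers used are IANA-registered ones; 32473 is the enterprise number reserved for documentation.

```python
"""Added example: IPFIX (Options) Template Set encoder and decoder."""
import struct
import time

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2          # Set ID of a Template Set
OPTIONS_TEMPLATE_SET_ID = 3  # Set ID of an Options Template Set
ENTERPRISE_BIT = 0x8000      # high bit of the field specifier marks a PEN

# Constructed field layouts. IE 8 sourceIPv4Address, 1 octetDeltaCount,
# 144 exportingProcessId, 41 exportedMessageTotalCount, 42 exportedFlowRecordTotalCount.
SAMPLE_TEMPLATES = {
    256: [{"ie-id": 8, "ie-length": 4},
          {"ie-id": 1, "ie-length": 8},
          {"ie-id": 1234, "ie-length": 2, "ie-enterprise-number": 32473}],
    257: [{"ie-id": 144, "ie-length": 4, "is-scope": True},   # scope: which process
          {"ie-id": 41, "ie-length": 8},
          {"ie-id": 42, "ie-length": 8}],
}


def encode_template_record(template_id, fields):
    """Template Record, or Options Template Record if any field has is-scope.
    Scope fields are emitted first, as the Scope Field Count requires."""
    if not 256 <= template_id <= 65535:
        raise ValueError("Template ID must be in 256..65535")
    scope = [f for f in fields if f.get("is-scope")]
    rest = [f for f in fields if not f.get("is-scope")]
    if scope:
        header = struct.pack("!HHH", template_id, len(fields), len(scope))
    else:
        header = struct.pack("!HH", template_id, len(fields))
    body = bytearray()
    for f in scope + rest:
        ie_id, pen = f["ie-id"], f.get("ie-enterprise-number", 0)
        if not 1 <= ie_id <= 32767:
            raise ValueError("ie-id must be in 1..32767")
        if pen:   # enterprise-specific IE: E bit set, PEN follows the length
            body += struct.pack("!HHI", ENTERPRISE_BIT | ie_id, f["ie-length"], pen)
        else:
            body += struct.pack("!HH", ie_id, f["ie-length"])
    return header + bytes(body)


def build_template_message(observation_domain_id, templates, sequence=0, export_time=None):
    """One IPFIX Message with a Template Set and/or an Options Template Set.
    'templates' maps template id -> field list."""
    plain, options = bytearray(), bytearray()
    for tid, fields in templates.items():
        target = options if any(f.get("is-scope") for f in fields) else plain
        target.extend(encode_template_record(tid, fields))
    sets = b""
    for set_id, payload in ((TEMPLATE_SET_ID, plain), (OPTIONS_TEMPLATE_SET_ID, options)):
        if payload:
            sets += struct.pack("!HH", set_id, 4 + len(payload)) + bytes(payload)
    if export_time is None:
        export_time = int(time.time())
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets),
                         export_time, sequence, observation_domain_id)
    return header + sets


def decode_templates(message):
    """Parse Template and Options Template Sets into template-state-like dicts."""
    version, length, _, _, odid = struct.unpack("!HHIII", message[:16])
    if version != IPFIX_VERSION or length != len(message):
        raise ValueError("bad IPFIX Message header")
    out, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[off:off + 4])
        if set_len < 4:
            raise ValueError("bad Set length")
        end, p = off + set_len, off + 4
        if set_id in (TEMPLATE_SET_ID, OPTIONS_TEMPLATE_SET_ID):
            while end - p >= 4:   # fewer bytes than a record header means padding
                tid, count = struct.unpack("!HH", message[p:p + 4]); p += 4
                scope_count = 0   # a count of 0 is a Template Withdrawal: no scope count
                if set_id == OPTIONS_TEMPLATE_SET_ID and count:
                    (scope_count,) = struct.unpack("!H", message[p:p + 2]); p += 2
                fields = []
                for i in range(count):
                    raw, ln = struct.unpack("!HH", message[p:p + 4]); p += 4
                    pen = 0
                    if raw & ENTERPRISE_BIT:
                        (pen,) = struct.unpack("!I", message[p:p + 4]); p += 4
                    field = {"ie-id": raw & 0x7FFF, "ie-length": ln, "ie-enterprise-number": pen}
                    if set_id == OPTIONS_TEMPLATE_SET_ID and i < scope_count:
                        field["is-scope"] = True
                    fields.append(field)
                out.append({"observation-domain-id": odid, "id": tid,
                            "set-id": set_id, "field": fields})
        off = end
    return out


if __name__ == "__main__":
    msg = build_template_message(7, SAMPLE_TEMPLATES, export_time=0)
    print(len(msg), "bytes:", msg.hex())
    for entry in decode_templates(msg):
        print(entry)
```

The decoder deliberately reports is-scope only for records carried in a Set with ID 3, which mirrors the `when "../../set-id = 3"` condition on the is-scope leaf in the module; a scope flag on a field in a plain Template Set cannot be expressed on the wire and is rejected by the encoder only implicitly, by routing any record with a scope field into the Options Template Set.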
YANG Modules

This document defines the ietf-ipfix-data-export YANG module.

ietf-ipfix-data-export

The ietf-ipfix-data-export YANG module defines an exporting-process based on TCP and a template list. This YANG module imports typedefs from ietf-inet-types and ietf-yang-types (RFC 6991), the interface reference type from ietf-interfaces (RFC 8343), and the TLS client grouping from ietf-tls-client (I-D.ietf-netconf-tls-client-server).

<CODE BEGINS> file "ietf-ipfix-data-export@2022-08-12.yang"
module ietf-ipfix-data-export {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export";
prefix ipfixde;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Model for Interface Management";
}
import ietf-tls-client {
prefix tlsc;
reference
"I-D.ietf-netconf-tls-client-server:
YANG Groupings for TLS Clients and TLS Servers";
}
organization
"IETF";
contact
"Web: TBD
List: TBD
Editor: Marta Seda
<mailto:marta.seda@calix.com>
Editor: Anand Arokiaraj
<mailto:anand.arokiaraj@nokia.com>";
// RFC Ed.: replace XXXX with actual RFC numbers and
// remove this note.
description
"This module contains a collection of YANG definitions for the
management of data export over IPFIX.
This data model is designed for the Network Management Datastore
Architecture defined in RFC 8342.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2021 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Simplified BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.";
revision 2022-08-12 {
description
"Initial revision.";
reference
"RFC XXXX: YANG Data Model for the IP Flow Information Export
(IPFIX) Data Export";
}
feature exporter {
description
"If supported, the Exporting Device can be used as
an Exporter. Exporting Processes can be configured.";
}
feature if-mib {
description
"This feature indicates that the device implements
the IF-MIB.";
reference
"RFC 2863: The Interfaces Group MIB";
}
identity export-mode {
description
"Base identity for different usages of export
destinations configured for an Exporting Process.";
reference
"RFC 6728, Section 4.4 (exportMode)";
}
identity parallel {
base export-mode;
description
"Parallel export of Data Records to all destinations configured
for the Exporting Process.";
reference
"RFC 6728, Section 4.4 (exportMode)";
}
identity load-balancing {
base export-mode;
description
"Load-balancing between the different destinations
configured for the Exporting Process.";
reference
"RFC 6728, Section 4.4 (exportMode)";
}
identity fallback {
base export-mode;
description
"Export to the primary destination (i.e., the first
destination configured for the Exporting Process). If the
export to the primary destination fails, the Exporting Process
tries to export to the secondary destination. If the
secondary destination fails as well, it continues with the
tertiary, etc.";
reference
"RFC 6728, Section 4.4 (exportMode)";
}
identity options-type {
description
"Base identity for report types exported with
options templates.";
}
identity exporting-reliability {
base options-type;
description
"Exporting Process Reliability Statistics.";
reference
"RFC 7011, Section 4.3";
}
identity reducing-redundancy {
base options-type;
description
"Enables the utilization of Options Templates to reduce
redundancy in the exported Data Records.";
reference
"RFC 5473";
}
identity extended-type-information {
base options-type;
description
"Export of extended type information for enterprise-specific
Information Elements used in the exported Templates.";
reference
"RFC 5610";
}
typedef ie-id-type {
type uint16 {
range "1..32767";
}
description
"Type for Information Element identifiers.";
}
typedef transport-session-status {
type enumeration {
enum "inactive" {
value 0;
description
"This value MUST be used for Transport Sessions that are
specified in the system but currently not active.
The value can be used for Transport Sessions that are
backup (secondary) sessions.";
}
enum "active" {
value 1;
description
"This value MUST be used for Transport Sessions that are
currently active and transmitting or receiving data.";
}
enum "unknown" {
value 2;
description
"This value MUST be used if the status of the Transport
Sessions cannot be detected by the device.
This value should be avoided as far as possible.";
}
}
description
"Status of a Transport Session.";
reference
"RFC 6728, Section 4.7 (status)";
}
typedef resource {
type instance-identifier {
require-instance false;
}
description
"A resource from which data will be exported.";
}
grouping transport-session-state-parameters {
description
"State parameters of a Transport Session originating from an
Exporting Process.";
reference
"RFC 7011; RFC 6615, Section 8 (ipfixTransportSessionEntry,
ipfixTransportSessionStatsEntry)";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
Transport Session.";
}
leaf source-address {
type inet:host;
description
"The source address of the Exporter of the IPFIX Transport
Session.";
reference
"RFC 6728, Section 4.7 (sourceAddress);
RFC 4960, Section 6.4";
}
leaf destination-address {
type inet:host;
description
"The destination address of the path that is selected by the
Exporter to send IPFIX messages to the Collector.
It is possible that if an FQDN address
is configured it resolves into many addresses.";
reference
"RFC 6728, Section 4.7 (destinationAddress);
RFC 4960, Section 6.4";
}
leaf source-port {
type inet:port-number;
description
"The transport-protocol port number of the Exporter of the
IPFIX Transport Session.";
reference
"RFC 6728, Section 4.7 (sourcePort).";
}
leaf destination-port {
type inet:port-number;
description
"The TCP port number of the Collector of the IPFIX Transport
Session.";
reference
"RFC 6728, Section 4.7 (destinationPort)";
}
leaf status {
type transport-session-status;
description
"Status of the Transport Session.";
reference
"RFC 6728, Section 4.7 (status)";
}
leaf rate {
type yang:gauge32;
units "bytes per second";
description
"The number of bytes per second transmitted by the
Exporting Process.";
reference
"RFC 6728, Section 4.7 (rate)";
}
leaf bytes {
type yang:counter64;
units "bytes";
description
"The number of bytes transmitted by the Exporting Process.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (bytes)";
}
leaf messages {
type yang:counter64;
units "IPFIX Messages";
description
"The number of messages transmitted by the Exporting
Process.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (messages)";
}
leaf discarded-messages {
type yang:counter64;
units "IPFIX Messages";
description
"This parameter indicates the number of messages that could
not be sent due to internal buffer overflows, network
congestion, routing issues, etc.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (discardedMessages)";
}
leaf data-records {
type yang:counter64;
units "Data Records";
description
"The number of Data Records transmitted by the Exporting
Process.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (records)";
}
leaf templates {
type yang:counter32;
units "Templates";
description
"The number of Templates transmitted by the Exporting
Process.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (templates)";
}
leaf options-templates {
type yang:counter32;
units "Options Templates";
description
"The number of Option Templates transmitted by the Exporting
Process.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.7 (optionsTemplates)";
}
leaf start-time {
type yang:date-and-time;
description
"Timestamp of the start of the given Transport Session.";
}
leaf discontinuity-time {
type yang:date-and-time;
description
"Timestamp of the most recent occasion at which one or more
of the Transport Session counters suffered a
discontinuity.";
reference
"RFC 6728, Section 4.7 (transportSessionDiscontinuityTime)";
}
}
grouping export-template-state-parameters {
description
"State parameters of a (Options) Template used by an Exporting
Process in a specific Transport Session.";
reference
"RFC 7011; RFC 6728, Section 4.8 (Template Class)";
list template {
key "name";
description
"This list contains the Templates and Options Templates that
are transmitted by the Exporting Process.
Withdrawn or invalidated (Options) Templates MUST be removed
from this list.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
template.";
}
leaf observation-domain-id {
type uint32;
description
"The ID of the Observation Domain for which this Template
is defined.";
reference
"RFC 6728, Section 4.8 (observationDomainId).";
}
leaf id {
type uint16 {
range "256..65535";
}
description
"This number indicates the Template ID in the IPFIX
message.";
reference
"RFC 6728, Section 4.8 (templateId).";
}
leaf set-id {
type uint16 {
range "2..3 | 256..65535";
}
description
"This number indicates the Set ID of the Template.
A value of 2 is reserved for Template Sets. A value of 3
is reserved for Options Template Sets. Values from 4 to
255 are reserved for future use. Values 256 and above
are used for Data Sets. The Set ID values of 0 and 1 are
not used for historical reasons.";
reference
"RFC 7011, Section 3.3.2;
RFC 6728, Section 4.8 (setId)";
}
leaf access-time {
type yang:date-and-time;
description
"This parameter contains the time when this (Options)
Template was last sent to the Collector(s).";
reference
"RFC 6728, Section 4.8 (accessTime).";
}
leaf data-records {
type yang:counter64;
description
"The number of transmitted Data Records defined by this
(Options) Template.
Discontinuities in the value of this counter can occur at
re-initialization of the management system, and at other
times as indicated by the value of discontinuity-time.";
reference
"RFC 6728, Section 4.8 (templateDataRecords).";
}
leaf discontinuity-time {
type yang:date-and-time;
description
"Timestamp of the most recent occasion at which the counter
data-records suffered a discontinuity.";
reference
"RFC 6728, Section 4.8 (templateDiscontinuityTime).";
}
list field {
key "name";
description
"This list contains the (Options) Template fields of which
the (Options) Template is defined.
The order of the list corresponds to the order
of the fields in the (Option) Template Record.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
template field.";
}
leaf ie-id {
type ie-id-type;
description
"This parameter indicates the Information Element
identifier of the field.";
reference
"RFC 7011; RFC 6728, Section 4.8 (ieId).";
}
leaf ie-length {
type uint16;
units "octets";
description
"This parameter indicates the length of the Information
Element of the field.";
reference
"RFC 7011; RFC 6728, Section 4.8 (ieLength).";
}
leaf ie-enterprise-number {
type uint32;
description
"This parameter indicates the IANA enterprise number of
the authority defining the Information Element
identifier.
If the Information Element is not enterprise-specific,
this state parameter is zero.";
reference
"RFC 6728, Section 4.8 (ieEnterpriseNumber);
IANA registry for Private Enterprise Numbers,
http://www.iana.org/assignments/enterprise-numbers.";
}
leaf is-scope {
when "../../set-id = 3" {
description
"This parameter is available for Options Templates
(Set ID is 3).";
}
type empty;
description
"If present, this is a scope field.";
reference
"RFC 6728, Section 4.8 (isScope).";
}
}
}
}
grouping exporter-parameters {
description
"Parameters of an exporter.";
leaf ipfix-version {
type uint16;
default '10';
description
"IPFIX version number.";
reference
"RFC 7011.";
}
container source {
description
"Configuration corresponding to how exporter's source IP
address is specified.";
choice source-method {
description
"Method to configure the source address of the exporter
or the interface to be used by the exporter.
Note that it is expected that other methods be available.
Those methods can augment this choice.";
case interface {
leaf interface {
type if:interface-ref;
description
"The interface to be used by the Exporting Process.";
}
}
case source-address {
leaf source-address {
type inet:host;
description
"The source IP address or hostname used by the
Exporting Process.";
}
}
}
}
container destination {
description
"Configuration corresponding to how exporter's destination IP
address is specified.";
choice destination-method {
mandatory true;
description
"Method of configuring the destination address of the
Collecting Process to which IPFIX Messages are sent.
Note that it is expected that other methods, if available,
augment this choice.";
case destination-address {
leaf destination-address {
type inet:host;
description
"The destination IP address or hostname of the
Collecting Process to which IPFIX Messages are sent.
A hostname may resolve to one or more IP
addresses.";
}
}
}
}
leaf destination-port {
type inet:port-number;
description
"If not configured by the user, the Exporting Device uses
the default port number for IPFIX, which is 4739 without TLS
and 4740 if TLS is activated.";
}
leaf send-buffer-size {
type uint32;
units "bytes";
description
"Size of the socket send buffer.
If not configured by the user, this parameter is set by
the Exporting Device.";
reference
"RFC 6728, Section 4.4.3 (sendBufferSize).";
}
leaf rate-limit {
type uint32;
units "bytes per second";
description
"Maximum number of bytes per second the Exporting Process may
export to the given destination. The number of bytes is
calculated from the lengths of the IPFIX Messages exported.
If not configured, no rate limiting is performed.";
reference
"RFC 6728, Section 4.4.3 (rateLimit).";
}
leaf connection-timeout {
type uint32;
units seconds;
description
"Time after which the exporting process deems the TCP
connection to have failed.";
reference
"RFC 7011, Sections 10.4.4 and 10.4.5.";
}
leaf retry-schedule {
type uint32 {
range "60..max";
}
units seconds;
description
"Time after which the exporting process retries the TCP
connection to a collector.";
reference
"RFC 7011, Section 10.4.4.";
}
container security {
description
"Security related parameters.";
uses tlsc:tls-client-grouping;
}
}
grouping exporting-process-parameters {
description
"Parameters of an Exporting Process.";
leaf export-mode {
type identityref {
base export-mode;
}
default 'fallback';
description
"This parameter determines to which configured destination(s)
the incoming Data Records are exported.";
}
list destination {
key "name";
min-elements 1;
ordered-by user;
description
"List of export destinations.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the export
destination.";
}
container exporter {
description
"Exporter parameters.";
uses exporter-parameters;
container transport-session {
config false;
description
"Transport session state data.";
uses transport-session-state-parameters;
uses export-template-state-parameters;
}
}
}
list options {
key "name";
description
"List of options reported by the Exporting Process.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
option.";
}
uses options-parameters;
}
}
grouping options-parameters {
description
"Parameters specifying the data export using an Options
Template.";
leaf options-type {
type identityref {
base options-type;
}
mandatory true;
description
"Type of the exported options data.";
}
leaf options-timeout {
type uint32;
units "milliseconds";
description
"Time interval for periodic export of the options data. If
set to zero, the export is triggered when the options data
has changed.
If not configured by the user, this parameter is set by the
Exporting Device.";
}
}
grouping data-template-parameters {
description
"Field Layout parameters.";
leaf observation-domain-id {
type uint32;
default 0;
description
"An identifier of an Observation Domain that is locally
unique to an Exporting Process (see RFC 7011 Section 3.1).
Typically, this Information Element is for limiting the
scope of other Information Elements.
A value of 0 indicates that no specific Observation Domain
is identified by this Information Element.";
}
container field-layout {
description
"Field Layout parameters.";
list field {
key name;
min-elements 1;
description
"Superset of statistics field names or special field-names
(e.g., timestamps, etc) for interpreting statistics that
are included in the Data Records generated by the
device.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
field.";
}
choice identifier {
mandatory true;
description
"The Information Element to be added to the template.";
case ie-name {
leaf ie-name {
type string;
description
"Name of the Information Element.";
}
}
case ie-id {
leaf ie-id {
type ie-id-type;
description
"ID of the Information Element.";
}
}
}
leaf ie-length {
type uint16;
units octets;
description
"Length of the field in which the Information Element is
encoded. A value of 65535 specifies a variable-length
Information Element. For Information Elements of
integer and float type, the field length MAY be set to a
smaller value than the standard length of the abstract
data type if the rules of reduced size encoding are
fulfilled.
If not configured by the user, this parameter is set by
the Exporting Device.";
reference
"RFC 7011, Section 6.2";
}
leaf ie-enterprise-number {
type uint32;
default 0;
description
"If this parameter is zero, the Information Element is
registered in the IANA registry of IPFIX Information
Elements or unspecified (if the Informational Element is
not IANA registered).
If this parameter is configured with a non-zero private
enterprise number, the Information Element is
enterprise-specific.";
reference
"RFC 7011; RFC 5103;
IANA registry for Private Enterprise Numbers,
http://www.iana.org/assignments/enterprise-numbers;
IANA registry for IPFIX Entities,
http://www.iana.org/assignments/ipfix";
}
}
}
}
container ipfix-data-export {
description
"IPFIX data export node.";
list exporting-process {
if-feature exporter;
key "name";
description
"List of Exporting Processes of the IPFIX Exporting Device
for which configuration will be applied.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the
Exporting Process.";
}
leaf enabled {
type boolean;
default "true";
description
"If true, this Exporting Process is enabled for
exporting.";
}
uses exporting-process-parameters;
leaf exporting-process-id {
type uint32;
config false;
description
"The identifier of the Exporting Process. This parameter
corresponds to the Information Element exportingProcessId.
Its occurrence helps to associate Exporting Process
parameters with Exporting Process statistics exported by
the Exporting Device using the Exporting Process
Reliability Statistics Template as defined by the IPFIX
protocol specification.";
reference
"RFC 7011, Section 4.3; IANA registry for IPFIX
Entities, http://www.iana.org/assignments/ipfix.";
}
}
list template {
key name;
description
"List of data templates of the Exporting Device.";
leaf name {
type string;
description
"An arbitrary string which uniquely identifies the data
template.";
}
leaf enabled {
type boolean;
default "true";
description
"If true, this template is enabled and the specified data
is able to be exported.";
}
leaf export-interval {
type uint32;
units "seconds";
description
"This parameter configures the interval (in seconds) for
periodical export of Data Records.
If not configured by the user, the Exporting Device
sets this parameter.";
}
uses data-template-parameters;
leaf-list exporting-process {
if-feature exporter;
type leafref {
path "/ipfix-data-export"
+ "/exporting-process/name";
}
description
"Data Records are exported by all Exporting Processes in
the list.";
}
choice resource-identifier {
description
"Method to select the resources from which the Data
Records are to be exported.
Note that it is expected that other methods be available.
Those methods can augment this choice.";
case resource-instance {
leaf-list resource-instance {
type resource;
description
"Data Records are sourced from all the resources in
this list.";
}
}
}
leaf data-records {
type yang:counter64;
units "Data Records";
config false;
description
"The number of Data Records generated for this template.
Discontinuities in the value of this counter can occur
at re-initialization of the management system, and at
other times as indicated by the value of Discontinuity
Time.";
}
leaf discontinuity-time {
type yang:date-and-time;
config false;
description
"Timestamp of the most recent occasion at which the
counter data records suffered a discontinuity.";
}
}
}
}
<CODE ENDS>
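The ie-id, ie-length and ie-enterprise-number leaves of the data-template-parameters grouping are exactly the values that end up in a Field Specifier on the wire, and the "65535 means variable length" and "non-zero enterprise number means enterprise-specific" rules in their descriptions are wire-format rules from RFC 7011. The following Python is an added example, not code from the draft or its authors: it encodes a field-layout as an IPFIX Template Set (RFC 7011, Sections 3.2, 3.3.2 and 3.4.1) and parses it back. The sample layout is constructed for illustration; IE IDs 1, 2, 8 and 82 are the IANA-registered octetDeltaCount, packetDeltaCount, sourceIPv4Address and interfaceName, and the enterprise-specific field uses a hypothetical IE 100 under PEN 32473, the Private Enterprise Number reserved for documentation by RFC 5612.

```python
"""Added example (not part of the draft): encode a field-layout from the
data-template-parameters grouping as an IPFIX Template Set and parse it
back. Sample layout, IE 100 and PEN 32473 are constructed/documentation
values, see the lead-in."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

VARIABLE_LENGTH = 0xFFFF   # ie-length 65535: variable-length IE (RFC 7011, Section 7)
TEMPLATE_SET_ID = 2        # Set ID of a Template Set (RFC 7011, Section 3.3.2)
ENTERPRISE_BIT = 0x8000    # E bit of a Field Specifier (RFC 7011, Section 3.2)
IE_ID_MASK = 0x7FFF        # ie-id is 15 bits wide


@dataclass(frozen=True)
class Field:
    """One entry of field-layout/field: the leaves that reach the wire."""
    name: str
    ie_id: int
    ie_length: int
    ie_enterprise_number: int = 0   # 0 = IANA-registered IE, as in the model


def field_specifier(f: Field) -> bytes:
    """Field Specifier: [E|ie-id](2) length(2) [enterprise-number(4) if E]."""
    if not 1 <= f.ie_id <= IE_ID_MASK:
        raise ValueError(f"{f.name}: ie-id must be 1..32767")
    if not 1 <= f.ie_length <= VARIABLE_LENGTH:
        raise ValueError(f"{f.name}: ie-length must be 1..65535")
    if f.ie_enterprise_number == 0:
        return struct.pack("!HH", f.ie_id, f.ie_length)
    # Enterprise-specific IE: set the E bit and append the PEN.
    return struct.pack("!HHI", f.ie_id | ENTERPRISE_BIT, f.ie_length,
                       f.ie_enterprise_number)


def template_set(template_id: int, fields: List[Field]) -> bytes:
    """Template Set = Set header (ID 2, length) + one Template Record."""
    if not 256 <= template_id <= 0xFFFF:
        raise ValueError("Template IDs 0..255 are reserved (RFC 7011, 3.4.1)")
    if not fields:
        raise ValueError("field-layout needs at least one field (min-elements 1)")
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(field_specifier(f) for f in fields)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(record)) + record


def parse_template_set(data: bytes) -> Tuple[int, List[Field]]:
    """Inverse of template_set(): what a Collecting Process does on receipt."""
    set_id, length = struct.unpack_from("!HH", data, 0)
    if set_id != TEMPLATE_SET_ID or length != len(data):
        raise ValueError("not a single, unpadded Template Set")
    template_id, count = struct.unpack_from("!HH", data, 4)
    fields, off = [], 8
    for i in range(count):
        raw_id, flen = struct.unpack_from("!HH", data, off)
        off += 4
        pen = 0
        if raw_id & ENTERPRISE_BIT:
            (pen,) = struct.unpack_from("!I", data, off)
            off += 4
        fields.append(Field(f"field{i}", raw_id & IE_ID_MASK, flen, pen))
    if off != len(data):
        raise ValueError("trailing bytes after the Template Record")
    return template_id, fields


# Constructed field-layout in the shape of /ipfix-data-export/template/field-layout.
# octetDeltaCount and packetDeltaCount are unsigned64 in the IANA registry; an
# ie-length of 4 relies on reduced-size encoding (RFC 7011, Section 6.2), which
# this example does not validate against the IE's abstract data type.
SAMPLE_LAYOUT = [
    Field("octets", 1, 4),
    Field("packets", 2, 4),
    Field("src-ipv4", 8, 4),
    Field("ifname", 82, VARIABLE_LENGTH),
    Field("vendor-temp", 100, 2, ie_enterprise_number=32473),
]

if __name__ == "__main__":
    wire = template_set(256, SAMPLE_LAYOUT)
    print(wire.hex())
    print(parse_template_set(wire))
```

The encoder enforces only what the module and RFC 7011 state structurally (ie-id width, ie-length range, Template ID range, at least one field); whether a given ie-length is a legal reduced-size encoding for the IE's abstract type needs the IANA registry and is deliberately left out.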
ietf-ipfix-data-export Module Structure

This document defines the YANG module "ietf-ipfix-data-export", which has the following tentative structure:

=============== NOTE: '\' line wrapping per RFC 8792 ================
module: ietf-ipfix-data-export
+--rw ipfix-data-export
+--rw exporting-process* [name] {exporter}?
| +--rw name string
| +--rw enabled? boolean
| +--rw export-mode? identityref
| +--rw destination* [name]
| | +--rw name string
| | +--rw exporter
| | +--rw ipfix-version? uint16
| | +--rw source
| | | +--rw (source-method)?
| | | +--:(interface)
| | | | +--rw interface? if:interface-ref
| | | +--:(source-address)
| | | +--rw source-address? inet:host
| | +--rw destination
| | | +--rw (destination-method)
| | | +--:(destination-address)
| | | +--rw destination-address? inet:host
| | +--rw destination-port? inet:port-number
| | +--rw send-buffer-size? uint32
| | +--rw rate-limit? uint32
| | +--rw connection-timeout? uint32
| | +--rw retry-schedule? uint32
| | +--rw security
| | | +--rw client-identity!
| | | | +--rw (auth-type)
| | | | +--:(certificate) {client-ident-x509-cert}?
| | | | | +--rw certificate
| | | | | +--rw (local-or-keystore)
| | | | | +--:(local)
| | | | | | {local-definitions-supporte\
d,asymmetric-keys}?
| | | | | | +--rw local-definition
| | | | | +--:(keystore)
| | | | | {central-keystore-supported\
,asymmetric-keys}?
| | | | | +--rw keystore-reference
| | | | | +--rw asymmetric-key?
| | | | | | ks:asymmetric-key-ref
| | | | | | {central-keystore-supp\
orted,asymmetric-keys}?
| | | | | +--rw certificate? leafref
| | | | +--:(raw-public-key)
| | | | | {client-ident-raw-public-key}?
| | | | | +--rw raw-private-key
| | | | | +--rw (local-or-keystore)
| | | | | +--:(local)
| | | | | | {local-definitions-supporte\
d,asymmetric-keys}?
| | | | | | +--rw local-definition
| | | | | +--:(keystore)
| | | | | {central-keystore-supported\
,asymmetric-keys}?
| | | | | +--rw keystore-reference?
| | | | | ks:asymmetric-key-ref
| | | | +--:(tls12-psk) {client-ident-tls12-psk}?
| | | | | +--rw tls12-psk
| | | | | +--rw (local-or-keystore)
| | | | | | +--:(local)
| | | | | | | {local-definitions-supporte\
d,symmetric-keys}?
| | | | | | | +--rw local-definition
| | | | | | +--:(keystore)
| | | | | | {central-keystore-supported\
,symmetric-keys}?
| | | | | | +--rw keystore-reference?
| | | | | | ks:symmetric-key-ref
| | | | | +--rw id? string
| | | | +--:(tls13-epsk) {client-ident-tls13-epsk}?
| | | | +--rw tls13-epsk
| | | | +--rw (local-or-keystore)
| | | | | +--:(local)
| | | | | | {local-definitions-supporte\
d,symmetric-keys}?
| | | | | | +--rw local-definition
| | | | | +--:(keystore)
| | | | | {central-keystore-supported\
,symmetric-keys}?
| | | | | +--rw keystore-reference?
| | | | | ks:symmetric-key-ref
| | | | +--rw external-identity string
| | | | +--rw hash
| | | | | tlscmn:epsk-supported-hash
| | | | +--rw context? string
| | | | +--rw target-protocol? uint16
| | | | +--rw target-kdf? uint16
| | | +--rw server-authentication
| | | | +--rw ca-certs! {server-auth-x509-cert}?
| | | | +--rw ee-certs! {server-auth-x509-cert}?
| | | | +--rw raw-public-keys! {server-auth-raw-public-k\
ey}?
| | | | +--rw tls12-psks? empty
| | | | | {server-auth-tls12-psk}?
| | | | +--rw tls13-epsks? empty
| | | | {server-auth-tls13-epsk}?
| | | +--rw hello-params {tlscmn:hello-params}?
| | | +--rw keepalives {tls-client-keepalives}?
| | | +--rw peer-allowed-to-send? empty
| | | +--rw test-peer-aliveness!
| | | +--rw max-wait? uint16
| | | +--rw max-attempts? uint8
| | +--ro transport-session
| | +--ro name? string
| | +--ro source-address? inet:host
| | +--ro destination-address? inet:host
| | +--ro source-port? inet:port-number
| | +--ro destination-port? inet:port-number
| | +--ro status? transport-session-stat\
us
| | +--ro rate? yang:gauge32
| | +--ro bytes? yang:counter64
| | +--ro messages? yang:counter64
| | +--ro discarded-messages? yang:counter64
| | +--ro data-records? yang:counter64
| | +--ro templates? yang:counter32
| | +--ro options-templates? yang:counter32
| | +--ro start-time? yang:date-and-time
| | +--ro discontinuity-time? yang:date-and-time
| | +--ro template* [name]
| | +--ro name string
| | +--ro observation-domain-id? uint32
| | +--ro id? uint16
| | +--ro set-id? uint16
| | +--ro access-time? yang:date-and-time
| | +--ro data-records? yang:counter64
| | +--ro discontinuity-time? yang:date-and-time
| | +--ro field* [name]
| | +--ro name string
| | +--ro ie-id? ie-id-type
| | +--ro ie-length? uint16
| | +--ro ie-enterprise-number? uint32
| | +--ro is-scope? empty
| +--rw options* [name]
| | +--rw name string
| | +--rw options-type identityref
| | +--rw options-timeout? uint32
| +--ro exporting-process-id? uint32
+--rw template* [name]
+--rw name string
+--rw enabled? boolean
+--rw export-interval? uint32
+--rw observation-domain-id? uint32
+--rw field-layout
| +--rw field* [name]
| +--rw name string
| +--rw (identifier)
| | +--:(ie-name)
| | | +--rw ie-name? string
| | +--:(ie-id)
| | +--rw ie-id? ie-id-type
| +--rw ie-length? uint16
| +--rw ie-enterprise-number? uint32
+--rw exporting-process*
| -> /ipfix-data-export/exporting-process/name {export\
er}?
+--rw (resource-identifier)?
| +--:(resource-instance)
| +--rw resource-instance* resource
+--ro data-records? yang:counter64
+--ro discontinuity-time? yang:date-and-time
ietf-ipfix-data-export Model Example

The following example configures one Exporting Process, "ipfix data exporter", with a single export destination and one Options Template of type extended-type-information; its options-timeout of 0 means the options data is exported whenever it changes rather than periodically. No field-layout template is configured in this example; a template that should use this Exporting Process references it by name in its exporting-process leaf-list.

<ipfix-data-export
xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
<exporting-process>
<name>ipfix data exporter</name>
<destination>
<name>ipfix-collector</name>
<exporter>
<source>
<source-address>192.0.2.1</source-address>
</source>
<destination>
<destination-address>proxy1.example.com</destination-address>
</destination>
</exporter>
</destination>
<options>
<name>Options 1</name>
<options-type>extended-type-information</options-type>
<options-timeout>0</options-timeout>
</options>
</exporting-process>
</ipfix-data-export>
IANA Considerations

This document registers one URI in the "IETF XML Registry". Following the format in RFC 3688, the following registration has been made:

URI: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace.
This document registers one YANG module in the "YANG Module Names" registry. In the format used by that registry, the following registration has been made:

Name: ietf-ipfix-data-export
Namespace: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
Prefix: ipfixde
Reference: RFC XXXX: YANG Data Model for the IP Flow Information Export (IPFIX) Protocol Data Export
Security Considerations

The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF or RESTCONF. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH). The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS.

The NETCONF access control model provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., NETCONF edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:
/ipfix-data-export/exporting-process: The configuration parameters in this subtree specify Collectors to which Data Records are exported. Write access to this subtree allows exporting potentially sensitive information to illegitimate Collectors. Furthermore, TLS parameters can be changed, which may affect the mutual authentication between Exporters and Collectors as well as the encrypted transport of the data.
/ipfix-data-export/template: The configuration parameters in this subtree specify the fields included in the data export. Write access to this subtree allows adding fields which may cause export of sensitive configuration and/or statistics.
Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:
/ipfix-data-export/exporting-process: Parameters in this subtree may be sensitive because they reveal information about the network infrastructure and the outgoing IPFIX Transport Sessions. For example, they disclose the IP addresses of Collectors as well as the deployed TLS configuration, which may facilitate the interception of outgoing IPFIX Messages.
/ipfix-data-export/template: Parameters in this subtree may be sensitive because they reveal information about the Monitoring Device itself and the observed traffic. For example, the field-layout shows which Information Elements are being exported, and the data-records counters allow inferring how many Data Records each template has generated, and hence the volume of observed traffic or state.
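The write-access risks above (Data Records sent to an illegitimate Collector, TLS parameters weakened) are what a review of an instance document should catch before it is committed, together with the structural constraints the module itself states. The following Python is an added example, not code from the draft or its authors: it lints an instance of ietf-ipfix-data-export for destination min-elements 1, the mandatory destination-method choice, the exporting-process leafref from templates, the mandatory identifier choice on fields, destinations outside an operator allowlist of Collectors, and destinations whose security/server-authentication container is empty. The allowlist is an assumed operator policy; the sample instance is constructed for illustration, uses RFC 5737 and RFC 2606 documentation addresses, and omits the truststore details under server-authentication.

```python
"""Added example (not code from the draft): lint an ietf-ipfix-data-export
instance for the module's stated constraints and the write-access risks
named in the Security Considerations. ALLOWED_COLLECTORS is an assumed
operator policy; SAMPLE_INSTANCE is constructed for illustration."""
import xml.etree.ElementTree as ET
from typing import List, Set

NS = "urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export"
NSMAP = {"x": NS}


def lint(instance_xml: str, allowed_collectors: Set[str]) -> List[str]:
    """Return one finding per violated constraint; an empty list means clean."""
    root = ET.fromstring(instance_xml)
    if root.tag != f"{{{NS}}}ipfix-data-export":
        raise ValueError("not an ipfix-data-export instance")
    findings: List[str] = []
    process_names: Set[str] = set()

    for ep in root.findall("x:exporting-process", NSMAP):
        pname = (ep.findtext("x:name", namespaces=NSMAP) or "").strip()
        process_names.add(pname)
        dests = ep.findall("x:destination", NSMAP)
        if not dests:   # list destination { min-elements 1; }
            findings.append(f"exporting-process '{pname}': no destination (min-elements 1)")
        for d in dests:
            dname = (d.findtext("x:name", namespaces=NSMAP) or "").strip()
            where = f"exporting-process '{pname}', destination '{dname}'"
            addr = d.findtext("x:exporter/x:destination/x:destination-address",
                              namespaces=NSMAP)
            if addr is None:   # choice destination-method is mandatory
                findings.append(f"{where}: no destination-address")
            elif addr.strip() not in allowed_collectors:
                # Security Considerations: export to illegitimate Collectors
                findings.append(f"{where}: Collector {addr.strip()} is not on the allowlist")
            auth = d.find("x:exporter/x:security/x:server-authentication", NSMAP)
            if auth is None or len(auth) == 0:
                # none of ca-certs / ee-certs / raw-public-keys / tls12-psks / tls13-epsks
                findings.append(f"{where}: no server-authentication; Collector identity is not verified")

    for t in root.findall("x:template", NSMAP):
        tname = (t.findtext("x:name", namespaces=NSMAP) or "").strip()
        for ref in t.findall("x:exporting-process", NSMAP):
            target = (ref.text or "").strip()
            if target not in process_names:   # leafref must resolve
                findings.append(f"template '{tname}': exporting-process '{target}' does not exist")
        for f in t.findall("x:field-layout/x:field", NSMAP):
            fname = (f.findtext("x:name", namespaces=NSMAP) or "").strip()
            present = [c for c in ("ie-name", "ie-id") if f.find(f"x:{c}", NSMAP) is not None]
            if len(present) != 1:   # choice identifier { mandatory true; }
                findings.append(f"template '{tname}', field '{fname}': exactly one of ie-name/ie-id required")
    return findings


ALLOWED_COLLECTORS = {"collector.example.com", "192.0.2.10"}   # assumed operator policy

SAMPLE_INSTANCE = """<ipfix-data-export
    xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
  <exporting-process>
    <name>ipfix data exporter</name>
    <destination>
      <name>ipfix-collector</name>
      <exporter>
        <source><source-address>192.0.2.1</source-address></source>
        <destination><destination-address>collector.example.com</destination-address></destination>
        <security><server-authentication><ca-certs/></server-authentication></security>
      </exporter>
    </destination>
  </exporting-process>
  <exporting-process>
    <name>lab exporter</name>
    <destination>
      <name>ad-hoc</name>
      <exporter>
        <destination><destination-address>203.0.113.9</destination-address></destination>
      </exporter>
    </destination>
  </exporting-process>
  <template>
    <name>eth-stats</name>
    <field-layout>
      <field><name>octets</name><ie-id>1</ie-id></field>
      <field><name>packets</name><ie-name>packetDeltaCount</ie-name></field>
    </field-layout>
    <exporting-process>ipfix data exporter</exporting-process>
  </template>
  <template>
    <name>debug</name>
    <field-layout>
      <field><name>unknown</name><ie-length>4</ie-length></field>
    </field-layout>
    <exporting-process>exporter-2</exporting-process>
  </template>
</ipfix-data-export>
"""

if __name__ == "__main__":
    for line in lint(SAMPLE_INSTANCE, ALLOWED_COLLECTORS):
        print(line)
```

On the constructed instance the checker reports four findings, all on the "lab exporter" process and the "debug" template: a Collector outside the allowlist, a destination with no server-authentication, a dangling exporting-process leafref, and a field with neither ie-name nor ie-id. The "ipfix data exporter" process passes because its destination is allowlisted and its server-authentication container is non-empty. A real deployment would run this against the candidate datastore before commit, in addition to NACM rules that restrict who may write the two subtrees at all.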
Acknowledgments

The authors would like to thank Benoit Claise, Joe Clarke, Gerhard Muenz, Rob Wilton, Joey Boyd and William Lupton for their contributions towards the creation of this document and the associated YANG data models.

Normative References

Informative References

IANA, "IP Flow Information Export (IPFIX) Entities", <http://www.iana.org/assignments/ipfix>.