Internet Engineering Task Force (IETF) B. Claise Request for Comments: 6313 G. Dhandapani Updates: 5102 P. Aitken Category: Standards Track S. Yates ISSN: 2070-1721 Cisco Systems, Inc. July 2011
Internet Engineering Task Force (IETF) B. Claise Request for Comments: 6313 G. Dhandapani Updates: 5102 P. Aitken Category: Standards Track S. Yates ISSN: 2070-1721 Cisco Systems, Inc. July 2011
Export of Structured Data in IP Flow Information Export (IPFIX)
在IP流信息导出(IPFIX)中导出结构化数据
Abstract
摘要
This document specifies an extension to the IP Flow Information Export (IPFIX) protocol specification in RFC 5101 and the IPFIX information model specified in RFC 5102 to support hierarchical structured data and lists (sequences) of Information Elements in data records. This extension allows definition of complex data structures such as variable-length lists and specification of hierarchical containment relationships between Templates. Finally, the semantics are provided in order to express the relationship among multiple list elements in a structured data record.
本文件规定了对RFC 5101中的IP流信息导出(IPFIX)协议规范和RFC 5102中规定的IPFIX信息模型的扩展,以支持分层结构化数据和数据记录中的信息元素列表(序列)。此扩展允许定义复杂的数据结构,如可变长度列表和指定模板之间的层次包含关系。最后,为了表达结构化数据记录中多个列表元素之间的关系,提供了语义。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6313.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6313.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括简化的BSD许可证文本,如本规范第4.e节所述
the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
如简化的BSD许可证所述,信托法律条款和许可证不提供任何担保。
Table of Contents
目录
1. Overview ........................................................5 1.1. IPFIX Documents Overview ...................................5 1.2. Relationship between IPFIX and PSAMP .......................6 2. Introduction ....................................................6 2.1. The IPFIX Track ............................................7 2.2. The IPFIX Limitations ......................................8 2.3. Structured Data Use Cases ..................................8 2.4. Specifications Summary ....................................11 3. Terminology ....................................................11 3.1. New Terminology ...........................................12 3.2. Conventions Used in This Document .........................12 4. Linkage with the IPFIX Information Model .......................12 4.1. New Abstract Data Types ...................................12 4.1.1. basicList ..........................................12 4.1.2. subTemplateList ....................................12 4.1.3. subTemplateMultiList ...............................12 4.2. New Data Type Semantic ....................................13 4.2.1. List ...............................................13 4.3. New Information Elements ..................................13 4.3.1. basicList ..........................................13 4.3.2. subTemplateList ....................................13 4.3.3. subTemplateMultiList ...............................13 4.4. New Structured Data Type Semantics ........................13 4.4.1. undefined ..........................................14 4.4.2. noneOf .............................................14 4.4.3. exactlyOneOf .......................................14 4.4.4. oneOrMoreOf ........................................15 4.4.5. allOf ..............................................16 4.4.6. ordered ............................................16 4.5. Encoding of IPFIX Data Types ..............................16 4.5.1. basicList ..........................................17 4.5.2. subTemplateList ....................................19 4.5.3. subTemplateMultiList ...............................21 5. Structured Data Format .........................................25 5.1. Length Encoding Considerations ............................25 5.2. Recursive Structured Data .................................26 5.3. Structured Data Information Elements Applicability in Options Template Sets ..................................26 5.4. Usage Guidelines for Equivalent Data Representations ......27 5.5. Padding ...................................................29 5.6. Semantic ..................................................29 6. Template Management ............................................33 7. The Collecting Process's Side ..................................33
1. Overview ........................................................5 1.1. IPFIX Documents Overview ...................................5 1.2. Relationship between IPFIX and PSAMP .......................6 2. Introduction ....................................................6 2.1. The IPFIX Track ............................................7 2.2. The IPFIX Limitations ......................................8 2.3. Structured Data Use Cases ..................................8 2.4. Specifications Summary ....................................11 3. Terminology ....................................................11 3.1. New Terminology ...........................................12 3.2. Conventions Used in This Document .........................12 4. Linkage with the IPFIX Information Model .......................12 4.1. New Abstract Data Types ...................................12 4.1.1. basicList ..........................................12 4.1.2. subTemplateList ....................................12 4.1.3. subTemplateMultiList ...............................12 4.2. New Data Type Semantic ....................................13 4.2.1. List ...............................................13 4.3. New Information Elements ..................................13 4.3.1. basicList ..........................................13 4.3.2. subTemplateList ....................................13 4.3.3. subTemplateMultiList ...............................13 4.4. New Structured Data Type Semantics ........................13 4.4.1. undefined ..........................................14 4.4.2. noneOf .............................................14 4.4.3. exactlyOneOf .......................................14 4.4.4. oneOrMoreOf ........................................15 4.4.5. allOf ..............................................16 4.4.6. ordered ............................................16 4.5. Encoding of IPFIX Data Types ..............................16 4.5.1. basicList ..........................................17 4.5.2. subTemplateList ....................................19 4.5.3. subTemplateMultiList ...............................21 5. Structured Data Format .........................................25 5.1. Length Encoding Considerations ............................25 5.2. Recursive Structured Data .................................26 5.3. Structured Data Information Elements Applicability in Options Template Sets ..................................26 5.4. Usage Guidelines for Equivalent Data Representations ......27 5.5. Padding ...................................................29 5.6. Semantic ..................................................29 6. Template Management ............................................33 7. The Collecting Process's Side ..................................33
8. Defining New Information Elements Based on the New Abstract Data Types ............................................34 9. Structured Data Encoding Examples ..............................34 9.1. Encoding a Multicast Data Record with basicList ...........35 9.2. Encoding a Load-Balanced Data Record with a basicList .....37 9.3. Encoding subTemplateList ..................................38 9.4. Encoding subTemplateMultiList .............................41 9.5. Encoding an Options Template Set Using Structured Data ....46 10. Relationship with the Other IPFIX Documents ...................51 10.1. Relationship with Reducing Redundancy ....................51 10.1.1. Encoding Structured Data Element Using Common Properties .................................51 10.1.2. Encoding Common Properties Elements with Structured Data Information Element ...............51 10.2. Relationship with Guidelines for IPFIX Testing ...........53 10.3. Relationship with IPFIX Mediation Function ...............54 11. IANA Considerations ...........................................54 11.1. New Abstract Data Types ..................................54 11.1.1. basicList .........................................54 11.1.2. subTemplateList ...................................54 11.1.3. subTemplateMultiList ..............................55 11.2. New Data Type Semantics ..................................55 11.2.1. list ..............................................55 11.3. New Information Elements .................................55 11.3.1. basicList .........................................55 11.3.2. subTemplateList ...................................56 11.3.3. subTemplateMultiList ..............................56 11.4. New Structured Data Semantics ............................56 11.4.1. undefined .........................................56 11.4.2. noneOf ............................................57 11.4.3. exactlyOneOf ......................................57 11.4.4. oneOrMoreOf .......................................57 11.4.5. allOf .............................................57 11.4.6. ordered ...........................................58 12. Security Considerations .......................................58 13. References ....................................................58 13.1. Normative References .....................................58 13.2. Informative References ...................................58 14. Acknowledgements ..............................................59 Appendix A. Additions to XML Specification of IPFIX Information Elements and Abstract Data Types ..........60 Appendix B. Encoding IPS Alert Using Structured Data Information Elements ..................................65
8. Defining New Information Elements Based on the New Abstract Data Types ............................................34 9. Structured Data Encoding Examples ..............................34 9.1. Encoding a Multicast Data Record with basicList ...........35 9.2. Encoding a Load-Balanced Data Record with a basicList .....37 9.3. Encoding subTemplateList ..................................38 9.4. Encoding subTemplateMultiList .............................41 9.5. Encoding an Options Template Set Using Structured Data ....46 10. Relationship with the Other IPFIX Documents ...................51 10.1. Relationship with Reducing Redundancy ....................51 10.1.1. Encoding Structured Data Element Using Common Properties .................................51 10.1.2. Encoding Common Properties Elements with Structured Data Information Element ...............51 10.2. Relationship with Guidelines for IPFIX Testing ...........53 10.3. Relationship with IPFIX Mediation Function ...............54 11. IANA Considerations ...........................................54 11.1. New Abstract Data Types ..................................54 11.1.1. basicList .........................................54 11.1.2. subTemplateList ...................................54 11.1.3. subTemplateMultiList ..............................55 11.2. New Data Type Semantics ..................................55 11.2.1. list ..............................................55 11.3. New Information Elements .................................55 11.3.1. basicList .........................................55 11.3.2. subTemplateList ...................................56 11.3.3. subTemplateMultiList ..............................56 11.4. New Structured Data Semantics ............................56 11.4.1. undefined .........................................56 11.4.2. noneOf ............................................57 11.4.3. exactlyOneOf ......................................57 11.4.4. oneOrMoreOf .......................................57 11.4.5. allOf .............................................57 11.4.6. ordered ...........................................58 12. Security Considerations .......................................58 13. References ....................................................58 13.1. Normative References .....................................58 13.2. Informative References ...................................58 14. Acknowledgements ..............................................59 Appendix A. Additions to XML Specification of IPFIX Information Elements and Abstract Data Types ..........60 Appendix B. Encoding IPS Alert Using Structured Data Information Elements ..................................65
Table of Figures
图表
Figure 1: basicList Encoding ......................................17 Figure 2: basicList Encoding with Enterprise Number ...............18 Figure 3: Variable-Length basicList Encoding (Length < 255 Octets) 18 Figure 4: Variable-Length basicList Encoding (Length 0 to 65535 Octets) .................................................19 Figure 5: subTemplateList Encoding ................................19 Figure 6: Variable-Length subTemplateList Encoding (Length < 255 Octets) ...................................20 Figure 7: Variable-Length subTemplateList Encoding (Length 0 to 65535 Octets) ..............................21 Figure 8: subTemplateMultiList Encoding ...........................21 Figure 9: Variable-Length subTemplateMultiList Encoding (Length < 255 Octets) ...................................23 Figure 10: Variable-Length subTemplateMultiList Encoding (Length 0 to 65535 Octets) ..............................24 Figure 11: Encoding basicList, Template Record .....................35 Figure 12: Encoding basicList, Data Record, Semantic allOf .........36 Figure 13: Encoding basicList, Data Record with Variable-Length Elements, Semantic allOf ................................37 Figure 14: Encoding basicList, Data Record, Semantic exactlyOneOf ..38 Figure 15: Encoding subTemplateList, Template for One-Way Delay Metrics .................................................39 Figure 16: Encoding subTemplateList, Template Record ...............40 Figure 17: Encoding subTemplateList, Data Set ......................40 Figure 18: Encoding subTemplateMultiList, Template for Filtering Attributes ..............................................44 Figure 19: Encoding subTemplateMultiList, Template for Sampling Attributes ..............................................44 Figure 20: Encoding subTemplateMultiList, Template for Flow Record .45 Figure 21: Encoding subTemplateMultiList, Data Set .................45 Figure 22: PSAMP SSRI to Be encoded ................................48 Figure 23: Options Template Record for PSAMP SSRI Using subTemplateMultiList ....................................48 Figure 24: PSAMP SSRI, Template Record for interface ...............49 Figure 25: PSAMP SSRI, Template Record for linecard ................49 Figure 26: PSAMP SSRI, Template Record for linecard and interface ..49 Figure 27: Example of a PSAMP SSRI Data Record, Encoded Using a subTemplateMultiList ...................................50 Figure 28: Common and Specific Properties Exported Together [RFC5473] ..............................................51 Figure 29: Common and Specific Properties Exported Separately According to [RFC5473] .................................52 Figure 30: Common and Specific Properties Exported with Structured Data Information Element ...............................52 Figure 31: Encoding IPS Alert, Template for Target ................67 Figure 32: Encoding IPS Alert, Template for Attacker ..............68
Figure 1: basicList Encoding ......................................17 Figure 2: basicList Encoding with Enterprise Number ...............18 Figure 3: Variable-Length basicList Encoding (Length < 255 Octets) 18 Figure 4: Variable-Length basicList Encoding (Length 0 to 65535 Octets) .................................................19 Figure 5: subTemplateList Encoding ................................19 Figure 6: Variable-Length subTemplateList Encoding (Length < 255 Octets) ...................................20 Figure 7: Variable-Length subTemplateList Encoding (Length 0 to 65535 Octets) ..............................21 Figure 8: subTemplateMultiList Encoding ...........................21 Figure 9: Variable-Length subTemplateMultiList Encoding (Length < 255 Octets) ...................................23 Figure 10: Variable-Length subTemplateMultiList Encoding (Length 0 to 65535 Octets) ..............................24 Figure 11: Encoding basicList, Template Record .....................35 Figure 12: Encoding basicList, Data Record, Semantic allOf .........36 Figure 13: Encoding basicList, Data Record with Variable-Length Elements, Semantic allOf ................................37 Figure 14: Encoding basicList, Data Record, Semantic exactlyOneOf ..38 Figure 15: Encoding subTemplateList, Template for One-Way Delay Metrics .................................................39 Figure 16: Encoding subTemplateList, Template Record ...............40 Figure 17: Encoding subTemplateList, Data Set ......................40 Figure 18: Encoding subTemplateMultiList, Template for Filtering Attributes ..............................................44 Figure 19: Encoding subTemplateMultiList, Template for Sampling Attributes ..............................................44 Figure 20: Encoding subTemplateMultiList, Template for Flow Record .45 Figure 21: Encoding subTemplateMultiList, Data Set .................45 Figure 22: PSAMP SSRI to Be encoded ................................48 Figure 23: Options Template Record for PSAMP SSRI Using subTemplateMultiList ....................................48 Figure 24: PSAMP SSRI, Template Record for interface ...............49 Figure 25: PSAMP SSRI, Template Record for linecard ................49 Figure 26: PSAMP SSRI, Template Record for linecard and interface ..49 Figure 27: Example of a PSAMP SSRI Data Record, Encoded Using a subTemplateMultiList ...................................50 Figure 28: Common and Specific Properties Exported Together [RFC5473] ..............................................51 Figure 29: Common and Specific Properties Exported Separately According to [RFC5473] .................................52 Figure 30: Common and Specific Properties Exported with Structured Data Information Element ...............................52 Figure 31: Encoding IPS Alert, Template for Target ................67 Figure 32: Encoding IPS Alert, Template for Attacker ..............68
Figure 33: Encoding IPS Alert, Template for Participant ...........68 Figure 34: Encoding IPS Alert, Template for IPS Alert .............69 Figure 35: Encoding IPS Alert, Data Set ...........................69
Figure 33: Encoding IPS Alert, Template for Participant ...........68 Figure 34: Encoding IPS Alert, Template for IPS Alert .............69 Figure 35: Encoding IPS Alert, Data Set ...........................69
The IPFIX protocol [RFC5101] provides network administrators with access to IP Flow information.
IPFIX协议[RFC5101]为网络管理员提供了访问IP流信息的权限。
The architecture for the export of measured IP Flow information out of an IPFIX Exporting Process to a Collecting Process is defined in the IPFIX architecture [RFC5470], per the requirements defined in RFC 3917 [RFC3917].
根据RFC 3917[RFC3917]中定义的要求,IPFIX体系结构[RFC5470]中定义了将测量的IP流信息从IPFIX导出过程导出到收集过程的体系结构。
The IPFIX architecture [RFC5470] specifies how IPFIX Data Records and Templates are carried via a congestion-aware transport protocol from IPFIX Exporting Processes to IPFIX Collecting Processes.
IPFIX体系结构[RFC5470]指定如何通过拥塞感知传输协议将IPFIX数据记录和模板从IPFIX导出进程传送到IPFIX收集进程。
IPFIX has a formal description of IPFIX Information Elements, their name, type, and additional semantic information, as specified in the IPFIX information model [RFC5102].
按照IPFIX信息模型[RFC5102]的规定,IPFIX对IPFIX信息元素、它们的名称、类型和附加语义信息有一个正式的描述。
In order to gain a level of confidence in the IPFIX implementation, probe the conformity and robustness, and allow interoperability, the guidelines for IPFIX testing [RFC5471] present a list of tests for implementers of compliant Exporting Processes and Collecting Processes.
为了获得对IPFIX实施的信心,探索一致性和健壮性,并允许互操作性,IPFIX测试指南[RFC5471]为符合性导出过程和收集过程的实施者提供了一份测试列表。
The Bidirectional Flow Export [RFC5103] specifies a method for exporting bidirectional flow (biflow) information using the IP Flow Information Export (IPFIX) protocol, representing each biflow using a single Flow Record.
双向流导出[RFC5103]指定使用IP流信息导出(IPFIX)协议导出双向流(biflow)信息的方法,使用单个流记录表示每个biflow。
"Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports" [RFC5473] specifies a bandwidth-saving method for exporting Flow or packet information, by separating information common to several Flow Records from information specific to an individual Flow Record: common Flow information is exported only once.
“减少IP流信息导出(IPFIX)和数据包采样(PSAMP)报告中的冗余”[RFC5473]通过将多个流记录的公共信息与单个流记录的特定信息分离,指定了导出流或数据包信息的带宽节约方法:公共流信息仅导出一次。
The specification in this document applies to the IPFIX protocol specifications [RFC5101]. All specifications from [RFC5101] apply unless specified otherwise in this document.
本文件中的规范适用于IPFIX协议规范[RFC5101]。除非本文件另有规定,否则[RFC5101]中的所有规范均适用。
The Packet Sampling (PSAMP) protocol [RFC5476] specifies the export of packet information from a PSAMP Exporting Process to a PSAMP Collecting Process. Like IPFIX, PSAMP has a formal description of its information elements, their name, type, and additional semantic information. The PSAMP information model is defined in [RFC5477].
数据包采样(PSAMP)协议[RFC5476]指定将数据包信息从PSAMP导出进程导出到PSAMP收集进程。与IPFIX一样,PSAMP对其信息元素、名称、类型和附加语义信息进行了形式化描述。PSAMP信息模型在[RFC5477]中定义。
As the PSAMP protocol specifications [RFC5476] are based on the IPFIX protocol specifications, the specifications in this document are also valid for the PSAMP protocol.
由于PSAMP协议规范[RFC5476]基于IPFIX协议规范,因此本文档中的规范也适用于PSAMP协议。
Indeed, the major difference between IPFIX and PSAMP is that the IPFIX protocol exports Flow Records while the PSAMP protocol exports Packet Reports. From a pure export point of view, IPFIX will not distinguish a Flow Record composed of several packets aggregated together from a Flow Record composed of a single packet. So the PSAMP export can be seen as a special IPFIX Flow Record containing information about a single packet.
实际上,IPFIX和PSAMP之间的主要区别在于IPFIX协议导出流记录,而PSAMP协议导出数据包报告。从纯导出的角度来看,IPFIX不会区分由多个数据包聚合而成的流记录和由单个数据包组成的流记录。因此,PSAMP导出可以看作是一个特殊的IPFIX流记录,其中包含关于单个数据包的信息。
While collecting the interface counters every five minutes has proven to be useful in the past, more and more granular information is required from network elements for a series of applications: performance assurance, capacity planning, security, billing, or simply monitoring. However, the amount of information has become so large that, when dealing with highly granular information such as Flow information, a push mechanism (as opposed to a pull mechanism, such as Simple Network Management Protocol (SNMP)) is the only solution for routers whose primary function is to route packets. Indeed, polling short-lived Flows via SNMP is not an option: high-end routers can support hundreds of thousands of Flows simultaneously. Furthermore, in order to reduce the export bandwidth requirements, the network elements have to integrate mediation functions to aggregate the collected information, both in space (typically, from different linecards or different Exporters) and in time.
在过去,每五分钟收集一次接口计数器已被证明是有用的,但对于一系列应用程序(性能保证、容量规划、安全性、计费或简单的监控),需要从网络元素中获取越来越多的细粒度信息。然而,信息量变得如此之大,以至于在处理诸如流信息之类的高粒度信息时,推送机制(与诸如简单网络管理协议(SNMP)之类的拉送机制相反)是路由器的唯一解决方案,其主要功能是路由数据包。事实上,通过SNMP轮询短期流不是一个选项:高端路由器可以同时支持数十万个流。此外,为了降低导出带宽要求,网络元件必须集成中介功能以在空间(通常,来自不同线路卡或不同导出器)和时间上聚合收集的信息。
Typically, it would be beneficial if access routers could export Flow Records, composed of the counters before and after an optimization mechanism on the egress interface, instead of exporting two Flow Records with identical tuple information.
通常,如果访问路由器可以导出由出口接口上的优化机制前后的计数器组成的流记录,而不是导出具有相同元组信息的两个流记录,这将是有益的。
In terms of aggregation in time, let us imagine that, for performance assurance, the network management application must receive the performance metrics associated with a specific Flow, every millisecond. Since the performance metrics will be constantly changing, there is a new dimension to the Flow definition: we are not dealing anymore with a single Flow lasting a few seconds or a few minutes, but with a multitude of one millisecond sub-flows for which the performance metrics are reported.
就时间聚合而言,让我们设想一下,为了保证性能,网络管理应用程序必须每毫秒接收与特定流相关联的性能指标。由于性能指标将不断变化,因此流定义有一个新的维度:我们不再处理持续几秒或几分钟的单个流,而是处理报告性能指标的大量一毫秒子流。
Which current protocol is suitable for these requirements: push mechanism, highly granular information, and huge number of similar records? IPFIX, as specified in RFC 5101 would give part of the solution.
当前哪个协议适合这些需求:推送机制、高度粒度的信息和大量类似记录?RFC 5101中规定的IPFIX将提供部分解决方案。
The IPFIX working group has specified a protocol to export Flow information [RFC5101]. This protocol is designed to export information about IP traffic Flows and related measurement data, where a Flow is defined by a set of key attributes (e.g., source and destination IP address, source and destination port).
IPFIX工作组指定了导出流信息的协议[RFC5101]。该协议旨在导出有关IP流量和相关测量数据的信息,其中流量由一组关键属性(例如,源和目标IP地址、源和目标端口)定义。
The IPFIX protocol specification [RFC5101] specifies that traffic measurements for Flows are exported using a TLV (type, length, value) format. The information is exported using a Template Record that is sent once to export the {type, length} pairs that define the data format for the Information Elements in a Flow. The Data Records specify values for each Flow.
IPFIX协议规范[RFC5101]指定使用TLV(类型、长度、值)格式导出流的流量测量值。使用模板记录导出信息,该模板记录发送一次以导出{type,length}对,这些对定义流中信息元素的数据格式。数据记录为每个流指定值。
Based on the requirements for IP Flow Information Export (IPFIX) [RFC3917], the IPFIX protocol has been optimized to export Flow-related information. However, thanks to its Template mechanism, the IPFIX protocol can export any type of information, as long as the relevant Information Element is specified in the IPFIX information model [RFC5102], registered with IANA [IANA-IPFIX], or specified as an enterprise-specific Information Element. For each Information Element, the IPFIX information model [RFC5102] defines a numeric identifier, an abstract data type, an encoding mechanism for the data type, and any semantic constraints. Only basic, single-valued data types, e.g., numbers, strings, and network addresses, are currently supported.
根据IP流信息导出(IPFIX)[RFC3917]的要求,已对IPFIX协议进行了优化,以导出流相关信息。但是,由于其模板机制,IPFIX协议可以导出任何类型的信息,只要相关信息元素在IPFIX信息模型[RFC5102]中指定、在IANA[IANA-IPFIX]中注册或指定为企业特定的信息元素。对于每个信息元素,IPFIX信息模型[RFC5102]定义了数字标识符、抽象数据类型、数据类型的编码机制以及任何语义约束。目前只支持基本的单值数据类型,例如数字、字符串和网络地址。
The IPFIX protocol specification [RFC5101] does not support the encoding of hierarchical structured data and arbitrary-length lists (sequences) of Information Elements as fields within a Template Record. As it is currently specified, a Data Record is a "flat" list of single-valued attributes. However, it is a common data modeling requirement to compose complex hierarchies of data types, with multiple occurrences, e.g., 0..* cardinality allowed for instances of each Information Element in the hierarchy.
IPFIX协议规范[RFC5101]不支持将分层结构化数据和任意长度的信息元素列表(序列)编码为模板记录中的字段。按照目前的规定,数据记录是单值属性的“平面”列表。但是,组成数据类型的复杂层次结构是一种常见的数据建模要求,该层次结构中每个信息元素的实例都允许出现多次,例如0..*基数。
A typical example is the MPLS label stack entries model. An early NetFlow implementation used two Information Elements to represent the MPLS label stack entry: a "label stack entry position" followed by a "label stack value". However, several drawbacks were discovered. Firstly, the Information Elements in the Template Record had to be imposed so that the position would always precede the value. However, some encoding optimizations are based on the permutation of Information Element order. Secondly, a new semantic intelligence, not described in the information model, had to be hard-coded in the Collecting Process: the label value at the position "X" in the stack is contained in the "label stack value" Information Element following by a "label stack entry position" Information Element containing the value "X". Therefore, this model was abandoned.
一个典型的例子是MPLS标签堆栈条目模型。早期的NetFlow实现使用两个信息元素来表示MPLS标签堆栈条目:“标签堆栈条目位置”后跟“标签堆栈值”。然而,发现了一些缺点。首先,必须强制使用模板记录中的信息元素,以便位置始终位于值之前。然而,一些编码优化是基于信息元素顺序的排列。其次,信息模型中未描述的新语义智能必须在收集过程中硬编码:堆栈中位置“X”处的标签值包含在“标签堆栈值”信息元素中,后面是包含值“X”的“标签堆栈入口位置”信息元素。因此,这一模式被放弃。
The selected solution in the IPFIX information model [RFC5102] is a long series of Information Elements: mplsTopLabelStackSection, mplsLabelStackSection2, mplsLabelStackSection3, mplsLabelStackSection4, mplsLabelStackSection5, mplsLabelStackSection6, mplsLabelStackSection7, mplsLabelStackSection8, mplsLabelStackSection9, mplsLabelStackSection10. While this model removes any ambiguity, it overloads the IPFIX information model with repetitive information. Furthermore, if mplsLabelStackSection11 is required, IANA [IANA-IPFIX] will not be able to assign the new Information Element next to the other ones in the registry, which might cause some confusion.
IPFIX信息模型[RFC5102]中选择的解决方案是一系列信息元素:MPLSTACKLabelStackSection、mplsLabelStackSection2、mplsLabelStackSection3、mplsLabelStackSection4、mplsLabelStackSection5、mplsLabelStackSection6、mplsLabelStackSection7、mplsLabelStackSection8、mplsLabelStackSection9、mplsLabelStackSection10。虽然此模型消除了任何歧义,但它使用重复信息重载IPFIX信息模型。此外,如果需要mplsLabelStackSection11,IANA[IANA-IPFIX]将无法将新的信息元素分配到注册表中其他信息元素旁边,这可能会造成一些混乱。
Clearly, the MPLS label stack entries issue can best be solved by using a real structured data type composed of ("label stack entry position", "label stack value") pairs, potentially repeated multiple times in Flow Records, since this would be the most efficient from an information model point of view.
显然,MPLS标签堆栈条目问题可以通过使用由(“标签堆栈条目位置”、“标签堆栈值”)对组成的真实结构化数据类型得到最佳解决,这些数据类型可能在流记录中重复多次,因为从信息模型的角度来看,这是最有效的。
Some more examples enter the same category: how to encode the list of output interfaces in a multicast Flow, how to encode the list of BGP Autonomous Systems (AS) in a BGP Flow, how to encode the BGP communities in a BGP Flow, etc.
还有一些例子属于同一类:如何在多播流中对输出接口列表进行编码,如何在BGP流中对BGP自治系统(AS)列表进行编码,如何在BGP流中对BGP社区进行编码,等等。
The one-way delay passive measurement, which is described in the IPFIX applicability [RFC5472], is yet another example that would benefit from a structured data encoding. Assuming synchronized clocks, the Collector can deduce the one-way delay between two Observation Points from the following two Information Elements, collected from two different Observation Points:
IPFIX适用性[RFC5472]中描述的单向延迟被动测量是另一个受益于结构化数据编码的示例。假设时钟同步,采集器可根据从两个不同观测点采集的以下两个信息元素推断两个观测点之间的单向延迟:
- Packet arrival time: observationTimeMicroseconds [RFC5477] - Packet ID: digestHashValue [RFC5477]
- 数据包到达时间:observationTimeMicroseconds[RFC5477]-数据包ID:digestHashValue[RFC5477]
In practice, this implies that many pairs of (observationTimeMicroseconds, digestHashValue) must be exported for each Observation Point, even if Hash-Based Filtering [RFC5475] is used. On top of that information, if the requirement is to understand the one-way delay per application type, the 5-tuple (source IP address, destination IP address, protocol, source port, destination port) would need to be added to every Flow Record. Instead of exporting this repetitive 5-tuple, as part of every single Flow Record a Flow Record composed of a structured data type such as the following would save a lot of bandwidth:
在实践中,这意味着必须为每个观察点导出多对(observationTimeMicroseconds,digestHashValue),即使使用了基于哈希的过滤[RFC5475]。除此之外,如果需要了解每个应用程序类型的单向延迟,则需要将5元组(源IP地址、目标IP地址、协议、源端口、目标端口)添加到每个流记录中。与导出此重复的5元组不同,作为每个流记录的一部分,由以下结构化数据类型组成的流记录将节省大量带宽:
5-tuple { observationTimeMicroseconds 1, digestHashValue 1 } { observationTimeMicroseconds 2, digestHashValue 2 } { observationTimeMicroseconds 3, digestHashValue 3 } { ... , ... }
5-tuple { observationTimeMicroseconds 1, digestHashValue 1 } { observationTimeMicroseconds 2, digestHashValue 2 } { observationTimeMicroseconds 3, digestHashValue 3 } { ... , ... }
As a last example, here is a more complex case of hierarchical structured data encoding. Consider the example scenario of an IPS (Intrusion Prevention System) alert data structure containing multiple participants, where each participant contains multiple attackers and multiple targets, with each target potentially composed of multiple applications, as depicted below:
作为最后一个示例,这里是分层结构化数据编码的更复杂的情况。考虑IPS(入侵防御系统)警报数据结构的示例场景,其中包含多个参与者,其中每个参与者包含多个攻击者和多个目标,每个目标潜在地由多个应用程序组成,如下所示:
alert signatureId protocolIdentifier riskRating participant 1 attacker 1 sourceIPv4Address applicationId ... attacker N sourceIPv4Address applicationId target 1 destinationIPv4Address applicationId 1 ... applicationId n ... target N destinationIPv4Address applicationId 1 ... applicationId n participant 2 ...
警报签名ID protocolIdentifier riskRating参与者1攻击者1 sourceIPv4Address应用程序ID。。。攻击者N sourceIPv4Address应用程序ID目标1 destinationIPv4Address应用程序ID 1。。。应用程序ID。。。目标N DestinationIPV4地址应用程序ID 1。。。参与者2中的应用程序ID。。。
To export this information in IPFIX, the data would need to be flattened (thus, losing the hierarchical relationships) and a new IPFIX Template created for each alert, according to the number of applicationId elements in each target, the number of targets and attackers in each participant, and the number of participants in each alert. Clearly, each Template will be unique to each alert, and a large amount of CPU, memory, and export bandwidth will be wasted creating, exporting, maintaining, and withdrawing the Templates. See Appendix B for a specific example related to this case study.
要在IPFIX中导出此信息,需要根据每个目标中applicationId元素的数量、每个参与者中目标和攻击者的数量以及每个警报中参与者的数量,展平数据(从而丢失层次关系),并为每个警报创建一个新的IPFIX模板。显然,每个模板对于每个警报都是唯一的,创建、导出、维护和撤消模板将浪费大量CPU、内存和导出带宽。有关本案例研究的具体示例,请参见附录B。
This document specifies an IPFIX extension to support hierarchical structured data and variable-length lists by defining three new Information Elements and three corresponding new abstract data types called basicList, subTemplateList, and subTemplateMultiList. These are defined in Sections 4.1 and 4.3.
本文档通过定义三个新的信息元素和三种称为basicList、subTemplateList和subTemplateMultiList的新抽象数据类型,指定了一个IPFIX扩展,以支持分层结构化数据和可变长度列表。第4.1节和第4.3节对其进行了定义。
The three Structured Data Information Elements carry some semantic information so that the Collecting Process can understand the relationship between the different list elements. The semantic in the Structured Data Information Elements is provided in order to express the relationship among the multiple top-level list elements. As an example, if a list is composed of the elements (A,B,C), the semantic expresses the relationship among A, B, and C, regardless of whether A, B, and C are individual elements or a list of elements.
三个结构化数据信息元素携带一些语义信息,以便收集过程能够理解不同列表元素之间的关系。在结构化数据信息元素中提供语义,以表示多个顶级列表元素之间的关系。例如,如果列表由元素(a、B、C)组成,则语义表示a、B和C之间的关系,而不管a、B和C是单个元素还是元素列表。
It is important to note that whereas the Information Elements and abstract data types defined in the IPFIX information model [RFC5102] represent single values, these new abstract data types are structural in nature and primarily contain references to other Information Elements and to Templates. By referencing other Information Elements and Templates from an Information Element's data content, it is possible to define complex data structures such as variable-length lists and to specify hierarchical containment relationships between Templates. Therefore, this document prefers the more generic "Data Record" term to the "Flow Record" term.
需要注意的是,尽管IPFIX信息模型[RFC5102]中定义的信息元素和抽象数据类型表示单个值,但这些新的抽象数据类型本质上是结构化的,主要包含对其他信息元素和模板的引用。通过从信息元素的数据内容中引用其他信息元素和模板,可以定义复杂的数据结构,如可变长度列表,并指定模板之间的层次包含关系。因此,本文件倾向于使用更通用的“数据记录”术语,而不是“流量记录”术语。
This document specifies three new abstract data types, which are basic blocks to represent structured data. However, this document does not comment on all possible combinations of basicList, subTemplateList, and subTemplateMultiList. Neither does it limit the possible combinations.
本文档指定了三种新的抽象数据类型,它们是表示结构化数据的基本块。但是,本文档不会对basicList、subTemplateList和subTemplateMultiList的所有可能组合进行评论。它也没有限制可能的组合。
IPFIX-specific terminology used in this document is defined in Section 2 of the IPFIX protocol specification [RFC5101] and Section 3 of the PSAMP protocol specification [RFC5476]. As in [RFC5101], these IPFIX-specific terms have the first letter of a word capitalized when used in this document.
本文件中使用的IPFIX专用术语在IPFIX协议规范[RFC5101]第2节和PSAMP协议规范[RFC5476]第3节中有定义。与[RFC5101]一样,这些IPFIX专用术语在本文档中使用时,单词的首字母大写。
Structured Data Information Element
结构化数据信息元
One of the Information Elements supporting structured data, i.e., the basicList, subTemplateList, or subTemplateMultiList Information Elements specified in Section 4.3.
支持结构化数据的信息元素之一,即第4.3节规定的基本列表、子模板列表或子模板多列表信息元素。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
As in the IPFIX protocol specification [RFC5101], the new Information Elements specified in Section 4.3 MUST be sent in canonical format in network-byte order (also known as the big-endian byte ordering).
正如IPFIX协议规范[RFC5101]中所述,第4.3节中规定的新信息元素必须以网络字节顺序(也称为big-endian字节顺序)的标准格式发送。
This document specifies three new abstract data types, as described below.
本文档指定了三种新的抽象数据类型,如下所述。
The type "basicList" represents a list of zero or more instances of any Information Element, primarily used for single-valued data types. Examples include a list of port numbers, a list of interface indexes, a list of AS in a BGP AS-PATH, etc.
类型“basicList”表示任何信息元素的零个或多个实例的列表,主要用于单值数据类型。示例包括端口号列表、接口索引列表、BGP AS-PATH中的AS列表等。
The type "subTemplateList" represents a list of zero or more instances of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record. Examples include a structured data type composed of multiple pairs of ("MPLS label stack entry position", "MPLS label stack value"), a structured data type composed of performance metrics, and a structured data type composed of multiple pairs of IP address, etc.
类型“subTemplateList”表示结构化数据类型的零个或多个实例的列表,其中每个列表元素的数据类型相同,并且与单个模板记录相对应。示例包括由多对数据组成的结构化数据类型(“MPLS标签堆栈入口位置”、“MPLS标签堆栈值”)、由性能度量组成的结构化数据类型以及由多对IP地址组成的结构化数据类型等。
The type "subTemplateMultiList" represents a list of zero or more instances of a structured data type, where the data type of each list element can be different and corresponds with different Template definitions. Examples include a structured data type composed of
类型“subTemplateMultiList”表示结构化数据类型的零个或多个实例的列表,其中每个列表元素的数据类型可以不同,并且对应于不同的模板定义。示例包括由以下内容组成的结构化数据类型
multiple access-list entries, where entries can be composed of different criteria types.
多重访问列表条目,其中条目可以由不同的标准类型组成。
This document specifies a new data type semantic, in addition to the ones specified in Section 3.2 of the IPFIX information model [RFC5102], as described below.
除IPFIX信息模型[RFC5102]第3.2节规定的数据类型外,本文件还规定了一种新的数据类型语义,如下所述。
A list represents an arbitrary-length sequence of zero or more structured data Information Elements, either composed of regular Information Elements or composed of data conforming to a Template Record.
列表表示零个或多个结构化数据信息元素的任意长度序列,这些数据信息元素或由常规信息元素组成,或由符合模板记录的数据组成。
This document specifies three new Information Elements, as described below.
本文件规定了三个新的信息要素,如下所述。
A basicList specifies a generic Information Element with a basicList abstract data type as defined in Section 4.1.1 and list semantics as defined in Section 4.2.1. Examples include a list of port numbers, a list of interface indexes, etc.
basicList使用第4.1.1节中定义的basicList抽象数据类型和第4.2.1节中定义的列表语义指定通用信息元素。示例包括端口号列表、接口索引列表等。
A subTemplateList specifies a generic Information Element with a subTemplateList abstract data type as defined in Section 4.1.2 and list semantics as defined in Section 4.2.1.
子模板列表使用第4.1.2节中定义的子模板列表抽象数据类型和第4.2.1节中定义的列表语义指定通用信息元素。
A subTemplateMultiList specifies a generic Information Element with a subTemplateMultiList abstract data type as defined in Section 4.1.3 and list semantics as defined in Section 4.2.1.
subTemplateMultiList指定具有第4.1.3节中定义的subTemplateMultiList抽象数据类型和第4.2.1节中定义的列表语义的通用信息元素。
Structured data type semantics are provided in order to express the relationship among multiple list elements in a Structured Data Information Element. These structured data type semantics require a new IPFIX subregistry, as specified in the "IANA Considerations" section. The semantics are specified in the following subsections.
为了表达结构化数据信息元素中多个列表元素之间的关系,提供了结构化数据类型语义。这些结构化数据类型语义需要一个新的IPFIX子区域,如“IANA注意事项”部分所述。语义在以下小节中指定。
The "undefined" structured data type semantic specifies that the semantic of list elements is not specified and that, if a semantic exists, then it is up to the Collecting Process to draw its own conclusions. The "undefined" structured data type semantic, which is the default value, is used when no other structured data type semantic applies.
“未定义”结构化数据类型语义指定列表元素的语义未指定,如果存在语义,则由收集过程得出自己的结论。“未定义”结构化数据类型语义是默认值,在没有其他结构化数据类型语义应用时使用。
For example, a mediator that wants to translate IPFIX [RFC5101] into the export of structured data according to the specifications in this document doesn't know what the semantic is; it can only guess, as the IPFIX specifications [RFC5101] does not contain any semantic. Therefore, the mediator should use the "undefined" semantic.
例如,希望根据本文档中的规范将IPFIX[RFC5101]转换为结构化数据导出的中介不知道语义是什么;它只能猜测,因为IPFIX规范[RFC5101]不包含任何语义。因此,中介应该使用“未定义”语义。
The "noneOf" structured data type semantic specifies that none of the elements are actual properties of the Data Record.
“noneOf”结构化数据类型语义指定所有元素都不是数据记录的实际属性。
For example, a mediator might want to report to a Collector that a specific Flow is suspicious, but that it checked already that this Flow does not belong to the attack type 1, attack type 2, or attack type 3. So this Flow might need some further inspection. In such a case, the mediator would report the Flow Record with a basicList composed of (attack type 1, attack type 2, attack type 3) and the respective structured data type semantic of "noneOf".
例如,中介可能希望向收集器报告某个特定流是可疑的,但已检查该流是否不属于攻击类型1、攻击类型2或攻击类型3。因此,此流程可能需要进一步检查。在这种情况下,中介将报告流记录,其基本列表由(攻击类型1、攻击类型2、攻击类型3)和相应的结构化数据类型语义“noneOf”组成。
Another example is a router that monitors some specific BGP AS-PATHs and reports if a Flow belongs to any of them. If the router wants to export that a Flow does not belong to any of the monitored BGP AS-PATHs, the router reports a Data Record with a basicList composed of (BGP AS-PATH 1, BGP AS-PATH 2, BGP AS-PATH 3) and the respective structured data type semantic of "noneOf".
另一个例子是一个路由器,它监视一些特定的BGP作为路径,并报告流是否属于其中任何一个。如果路由器想要导出流不属于任何受监控的BGP AS路径,则路由器报告一个数据记录,其基本列表由(BGP AS-PATH 1、BGP AS-PATH 2、BGP AS-PATH 3)和相应的结构化数据类型语义“noneOf”组成。
The "exactlyOneOf" structured data type semantic specifies that only a single element from the structured data is an actual property of the Data Record. This is equivalent to a logical XOR operation.
“exactlyOneOf”结构化数据类型语义指定结构化数据中只有一个元素是数据记录的实际属性。这相当于逻辑异或操作。
For example, if a Flow record contains a basicList of outgoing interfaces with the "exactlyOneOf" semantic, then it implies that the reported Flow only egressed from a single interface, although the Flow Record lists all of the possible outgoing interfaces. This is a typical example of a per destination load-balancing.
例如,如果流记录包含具有“exactlyOneOf”语义的传出接口的基本列表,则表示报告的流仅从单个接口传出,尽管流记录列出了所有可能的传出接口。这是每个目标负载平衡的典型示例。
Another example is a mediator that must aggregate Data Records from different Observation Points and report an aggregated Observation Point. However, the different Observation Points can be specified by different Information Element types depending on the Exporter. For example:
另一个例子是中介,它必须聚合来自不同观察点的数据记录,并报告聚合的观察点。但是,根据导出器的不同,可以通过不同的信息元素类型指定不同的观测点。例如:
Exporter1 Observation Point is characterized by the exporterIPv4Address, so a specific Exporter can be represented.
Exporter1观察点以exporteripv4地址为特征,因此可以表示特定的导出器。
Exporter2 Observation Point is characterized by the exporterIPv4Address and a basicList of ingressInterface, so the Exporting Process can express that the observations were made on a series of input interfaces.
Exporter2观测点的特征是ExporterIPV4地址和入口接口的基本列表,因此导出过程可以表示观测是在一系列输入接口上进行的。
Exporter3 Observation Point is characterized by the exporterIPv4Address and a specific lineCardId, so the Exporting Process can express that the observation was made on a specific linecard.
Exporter3观察点的特征是ExporterIPV4地址和特定的lineCardId,因此导出过程可以表示观察是在特定的linecard上进行的。
If the mediator models the three different types of Observation Points with the three Template Records below:
如果调解员使用以下三个模板记录对三种不同类型的观察点进行建模:
Template Record 1: exporterIPv4Address Template Record 2: exporterIPv4Address, basicList of ingressInterface Template Record 3: exporterIPv4Address, lineCardId
模板记录1:exporterIPv4Address模板记录2:exporterIPv4Address,入口基本列表接口模板记录3:exporterIPv4Address,lineCardId
then it can represent the aggregated Observation Point with a subTemplateMultiList and the semantic "exactlyOneOf". The aggregated Observation Point is modeled with the Data Records corresponding to either Template Record 1, Template Record 2, or Template Record 3 but not more than one of these. This implies that the Flow was observed at exactly one of the Observation Points reported.
然后,它可以用子模板多列表和语义“exactlyOneOf”表示聚合的观察点。聚合观测点使用与模板记录1、模板记录2或模板记录3相对应的数据记录建模,但不超过其中一个。这意味着在报告的观测点中正好有一个观测到流量。
The "oneOrMoreOf" structured data type semantic specifies that one or more elements from the list in the structured data are actual properties of the Data Record. This is equivalent to a logical OR operation.
“oneOrMoreOf”结构化数据类型语义指定结构化数据列表中的一个或多个元素是数据记录的实际属性。这相当于逻辑OR操作。
Consider an example where a mediator must report an aggregated Flow (e.g., by aggregating IP addresses from IP prefixes), with an aggregated Observation Point. However, the different Observation Points can be specified by different Information Element types as described in Section 4.4.2.
考虑一个例子,其中中介必须报告聚合流(例如,通过聚合IP前缀的IP地址),以聚合的观察点。但是,不同的观测点可通过第4.4.2节所述的不同信息元素类型来指定。
If the mediator models the three different types of Observation Points with the three Template Records below:
如果调解员使用以下三个模板记录对三种不同类型的观察点进行建模:
Template Record 1: exporterIPv4Address Template Record 2: exporterIPv4Address, basicList of ingressInterface Template Record 3: exporterIPv4Address, lineCardId
模板记录1:exporterIPv4Address模板记录2:exporterIPv4Address,入口基本列表接口模板记录3:exporterIPv4Address,lineCardId
then it can represent the aggregated Observation Point with a subTemplateMultiList and the semantic "oneOrMoreOf". The aggregated Observation Point is modeled with the Data Records corresponding to either Template Record 1, Template Record 2, or Template Record 3. This implies that the Flow was observed on at least one of the Observation Points reported, and potentially on multiple Observation Points.
然后,它可以用子模板多列表和语义“oneOrMoreOf”表示聚合的观察点。聚合观测点使用与模板记录1、模板记录2或模板记录3相对应的数据记录建模。这意味着至少在报告的一个观察点上观察到了流量,并且可能在多个观察点上观察到流量。
The "allOf" structured data type semantic specifies that all of the list elements from the structured data are actual properties of the Data Record.
“allOf”结构化数据类型语义指定结构化数据中的所有列表元素都是数据记录的实际属性。
For example, if a Record contains a basicList of outgoing interfaces with the "allOf" semantic, then the observed Flow is typically a multicast Flow where each packet in the Flow has been replicated to each outgoing interface in the basicList.
例如,如果记录包含具有“allOf”语义的传出接口的基本列表,则观察到的流通常是多播流,其中流中的每个数据包都已复制到基本列表中的每个传出接口。
The "ordered" structured data type semantic specifies that elements from the list in the structured data are ordered.
“有序”结构化数据类型语义指定结构化数据中列表中的元素是有序的。
For example, an Exporter might want to export the AS10 AS20 AS30 AS40 BGP AS-PATH. In such a case, the Exporter would report a basicList composed of (AS10, AS20, AS30, AS40) and the respective structured data type semantic of "ordered".
例如,导出器可能希望导出AS10 AS20 AS30 AS40 BGP AS-PATH。在这种情况下,出口商将报告由(AS10、AS20、AS30、AS40)和相应的结构化数据类型语义“ordered”组成的基本列表。
The following subsections define the encoding of the abstract data types defined in Section 4.1. These data types may be encoded using either fixed- or variable-length Information Elements, as discussed in Section 5.1. Like in the IPFIX specifications [RFC5101], all lengths are specified in octets.
以下小节定义了第4.1节中定义的抽象数据类型的编码。这些数据类型可以使用固定长度或可变长度的信息元素进行编码,如第5.1节所述。与IPFIX规范[RFC5101]一样,所有长度均以八位字节为单位指定。
The basicList Information Element defined in Section 4.3.1 represents a list of zero or more instances of an Information Element and is encoded as follows:
第4.3.1节中定义的基本信息元素表示一个信息元素的零个或多个实例的列表,其编码如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic |0| Field ID | Element... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic |0| Field ID | Element... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: basicList Encoding
图1:basicList编码
Semantic
语义的
The Semantic field indicates the relationship among the different Information Element values within this Structured Data Information Element. Refer to IANA's "IPFIX Structured Data Types Semantics" registry.
语义字段表示此结构化数据信息元素中不同信息元素值之间的关系。请参阅IANA的“IPFIX结构化数据类型语义”注册表。
Field ID
字段ID
Field ID is the Information Element identifier of the Information Element(s) contained in the list.
字段ID是列表中包含的信息元素的信息元素标识符。
Element Length
元素长度
Per Section 7 of [RFC5101], the Element Length field indicates the length, in octets, of each list element specified by Field ID, or contains the value 0xFFFF if the length is encoded as a variable-length Information Element at the start of the basicList Content.
根据[RFC5101]第7节,元素长度字段表示字段ID指定的每个列表元素的长度(以八位字节为单位),或者如果长度在基本列表内容的开头编码为可变长度信息元素,则包含值0xFFFF。
Effectively, the Element Length field is part of the header, so even in the case of a zero-element list, it MUST NOT be omitted.
实际上,元素长度字段是标题的一部分,因此即使在零元素列表的情况下,也不能忽略它。
basicList Content
基本内容
A Collecting Process decodes list elements from the basicList Content until no further data remains. A field count is not included but can be derived when the Information Element is decoded.
收集过程从基本列表内容中解码列表元素,直到没有更多的数据保留。字段计数不包括在内,但可在解码信息元素时导出。
Note that in the diagram above, Field ID is shown with the Enterprise bit (most significant bit) set to 0. Instead, if the Enterprise bit is set to 1, a four-byte Enterprise Number MUST be encoded immediately after the Element Length as shown below. See the "Field Specifier Format" section in the IPFIX protocol [RFC5101] for additional information.
请注意,在上图中,显示字段ID时,企业位(最高有效位)设置为0。相反,如果企业位设置为1,则必须在元素长度之后立即编码一个四字节的企业编号,如下所示。有关更多信息,请参阅IPFIX协议[RFC5101]中的“字段说明符格式”部分。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic |1| Field ID | Element... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length | Enterprise Number ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic |1| Field ID | Element... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length | Enterprise Number ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: basicList Encoding with Enterprise Number
图2:basicList编码与企业编号
Also, note that if a basicList has zero elements, the encoded data contains the Semantic field, Field ID, the Element Length field, and the four-byte Enterprise Number (if present), while the basicList Content is empty.
另外,请注意,如果basicList包含零个元素,则编码数据包含语义字段、字段ID、元素长度字段和四字节企业编号(如果存在),而basicList内容为空。
If the basicList is encoded as a variable-length Information Element in less than 255 octets, it MAY be encoded with the Length field per Section 7 of [RFC5101] as shown in Figure 3. However, the three-byte length encoding, as shown in Figure 4, is RECOMMENDED (see Section 5.1).
如果basicList编码为小于255个八位字节的可变长度信息元素,则可根据[RFC5101]第7节使用长度字段对其进行编码,如图3所示。但是,建议使用图4所示的三字节长度编码(参见第5.1节)。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic |0| Field ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Element Length | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic |0| Field ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Element Length | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Variable-Length basicList Encoding (Length < 255 Octets)
图3:可变长度基本列表编码(长度<255个八位字节)
If the basicList is encoded as a variable-length Information Element in 255 or more octets, it MUST be encoded with the Length field per Section 7 of [RFC5101] as follows:
如果basicList编码为255个或更多八位字节中的可变长度信息元素,则必须按照[RFC5101]第7节使用长度字段进行编码,如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Field ID | Element Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Field ID | Element Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | basicList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Variable-Length basicList Encoding (Length 0 to 65535 Octets)
图4:可变长度基本列表编码(长度为0到65535个八位字节)
The subTemplateList Information Element represents a list of zero or more Data Records corresponding to a specific Template. Because the Template Record referenced by a subTemplateList Information Element can itself contain other subTemplateList Information Elements, and because these Template Record references are part of the Information Elements content in the Data Record, it is possible to represent complex hierarchical data structures. The following diagram shows how a subTemplateList Information Element is encoded within a Data Record:
subTemplateList信息元素表示对应于特定模板的零个或多个数据记录的列表。由于子模板列表信息元素引用的模板记录本身可以包含其他子模板列表信息元素,并且由于这些模板记录引用是数据记录中信息元素内容的一部分,因此可以表示复杂的分层数据结构。下图显示了如何在数据记录中对subTemplateList信息元素进行编码:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic | Template ID | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic | Template ID | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: subTemplateList Encoding
图5:子模板编码
Semantic
语义的
The Semantic field indicates the relationship among the different Data Records within this Structured Data Information Element.
语义字段表示此结构化数据信息元素中不同数据记录之间的关系。
Template ID
模板ID
The Template ID field contains the ID of the Template used to encode and decode the subTemplateList Content.
模板ID字段包含用于编码和解码子模板列表内容的模板ID。
subTemplateList Content
子模板内容
subTemplateList Content consists of zero or more instances of Data Records corresponding to the Template ID specified in the Template ID field. A Collecting Process decodes the subTemplateList Content until no further data remains. A record count is not included but can be derived when the subTemplateList is decoded. Encoding and decoding are performed recursively if the specified Template itself contains Structured Data Information Elements as described here.
子模板列表内容由零个或多个与模板ID字段中指定的模板ID对应的数据记录实例组成。收集过程对子模板内容进行解码,直到没有其他数据保留。记录计数不包括在内,但可以在对子模板列表进行解码时导出。如果指定的模板本身包含此处所述的结构化数据信息元素,则递归执行编码和解码。
Note that, if a subTemplateList has zero elements, the encoded data contains only the Semantic field and the Template ID field, while the subTemplateList Content is empty.
请注意,如果子模板列表有零个元素,则编码数据仅包含语义字段和模板ID字段,而子模板列表内容为空。
If the subTemplateList is encoded as a variable-length Information Element in less than 255 octets, it MAY be encoded with the Length field per Section 7 of [RFC5101] as shown in Figure 6. However, the three-byte length encoding, as shown in Figure 7, is RECOMMENDED (see Section 5.1).
如果子模板被编码为小于255个八位字节的可变长度信息元素,则可以使用[RFC5101]第7节中的长度字段对其进行编码,如图6所示。但是,建议使用三字节长度编码,如图7所示(参见第5.1节)。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic | Template ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic | Template ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Variable-Length subTemplateList Encoding (Length < 255 Octets)
图6:可变长度子模板编码(长度<255个八位字节)
If the subTemplateList is encoded as a variable-length Information Element in 255 or more octets, it MUST be encoded with the Length field per Section 7 of [RFC5101] as follows:
如果子模板被编码为255个或更多八位字节中的可变长度信息元素,则必须按照[RFC5101]第7节使用长度字段进行编码,如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID | subTemplateList Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7: Variable-Length subTemplateList Encoding (Length 0 to 65535 Octets)
图7:可变长度子模板编码(长度为0到65535个八位字节)
Whereas each element in a subTemplateList Information Element corresponds to a single Template, it is sometimes useful for a list to contain elements corresponding to different Templates. To support this case, each top-level element in a subTemplateMultiList Information Element carries a Template ID, Length, and zero or more Data Records corresponding to the Template ID. The following diagram shows how a subTemplateMultiList Information Element is encoded within a Data Record. Note that the encoding following the Semantic field is consistent with the Set Header specified in [RFC5101].
虽然subTemplateList信息元素中的每个元素对应于单个模板,但有时列表包含对应于不同模板的元素是有用的。为了支持这种情况,subTemplateMultiList信息元素中的每个顶级元素都带有模板ID、长度以及与模板ID对应的零个或多个数据记录。下图显示了subTemplateMultiList信息元素在数据记录中的编码方式。请注意,语义字段后面的编码与[RFC5101]中指定的集合头一致。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic | Template ID X |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Length X | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Y |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Semantic | Template ID X |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Length X | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Y |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Length Y | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Z |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Length Z | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+
| ... Length Y | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Z |Data Records...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Length Z | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+
Figure 8: subTemplateMultiList Encoding
图8:子模板多列表编码
Semantic
语义的
The Semantic field indicates the top-level relationship among the series of Data Records corresponding to the different Template Records within this Structured Data Information Element.
语义字段表示与此结构化数据信息元素中的不同模板记录相对应的一系列数据记录之间的顶级关系。
Template ID
模板ID
Unlike the subTemplateList Information Element, each element of the subTemplateMultiList contains a Template ID that specifies the encoding of the following Data Records.
与subTemplateList信息元素不同,subTemplateMultiList的每个元素都包含一个模板ID,用于指定以下数据记录的编码。
Data Records Length
数据记录长度
This is the total length of the Data Records encoding for the Template ID previously specified, including the two bytes for the Template ID and the two bytes for the Data Records Length field itself.
这是之前指定的模板ID的数据记录编码的总长度,包括模板ID的两个字节和数据记录长度字段本身的两个字节。
Data Record X.M
数据记录X.M
The Data Record X.M consists of the Mth Data Record of the Template Record X. A Collecting Process decodes the Data Records according to Template Record X until no further data remains, according to the Data Records Length X. Further Template IDs and Data Records may then be decoded according to the overall subTemplateMultiList length. A record count is not included but can be derived when the Element Content is decoded. Encoding and decoding are performed recursively if the specified Template itself contains Structured Data Information Elements as described here.
数据记录X.M由模板记录X的第Mth条数据记录组成。收集过程根据模板记录X对数据记录进行解码,直到根据数据记录长度X不再保留更多数据。然后,可以根据整个子模板多列表长度对进一步的模板ID和数据记录进行解码。不包括记录计数,但可在解码元素内容时导出。如果指定的模板本身包含此处所述的结构化数据信息元素,则递归执行编码和解码。
In the exceptional case of zero instances in the subTemplateMultiList, no data is encoded, only the Semantic field and Template ID field(s), and the Data Record Length field is set to zero.
在subTemplateMultiList中实例为零的例外情况下,不编码任何数据,只有语义字段和模板ID字段,并且数据记录长度字段设置为零。
If the subTemplateMultiList is encoded as a variable-length Information Element in less than 255 octets, it MAY be encoded with the Length field per Section 7 of [RFC5101] as shown in Figure 9. However, the three-byte length encoding, as shown in Figure 10, is RECOMMENDED (see Section 5.1).
如果subTemplateMultiList编码为小于255个八位字节的可变长度信息元素,则可以使用[RFC5101]第7节中的长度字段对其进行编码,如图9所示。但是,建议使用三字节长度编码,如图10所示(参见第5.1节)。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic | Template ID X | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length X | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length (< 255)| Semantic | Template ID X | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length X | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | Template ID Y | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length Y | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Z | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length Z | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... | Template ID Y | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length Y | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Template ID Z | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Records Length Z | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: Variable-Length subTemplateMultiList Encoding (Length < 255 Octets)
图9:可变长度子模板多列表编码(长度<255个八位字节)
If the subTemplateMultiList is encoded as a variable-length Information Element in 255 or more octets, it MUST be encoded with the Length field per Section 7 of [RFC5101] as follows:
如果子模板多列表编码为255个或更多八位字节中的可变长度信息元素,则必须按照[RFC5101]第7节使用长度字段进行编码,如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID X | Data Records Length X | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... |
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Length (0 to 65535) | Semantic | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID X | Data Records Length X | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID Y | Data Records Length Y | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID Z | Data Records Length Z | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record X.L Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID Y | Data Records Length Y | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Y.M Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID Z | Data Records Length Z | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.1 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.2 Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Record Z.N Content ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: Variable-Length subTemplateMultiList Encoding (Length 0 to 65535 Octets)
图10:可变长度子模板多列表编码(长度为0到65535个八位字节)
The new Structured Data Information Elements represent a list that potentially carries complex hierarchical and repeated data.
新的结构化数据信息元素表示一个列表,该列表可能包含复杂的层次结构和重复数据。
When the encoding of a Structured Data Information Element has a fixed length (because, for example, it contains the same number of fixed-length elements, or if the permutations of elements in the list always produces the same total length), the element length can be encoded in the corresponding Template Record.
当结构化数据信息元素的编码具有固定长度时(例如,因为它包含相同数量的固定长度元素,或者如果列表中元素的排列总是产生相同的总长度),可以在相应的模板记录中对元素长度进行编码。
However, when representing variable-length data, hierarchical data, and repeated data with variable element counts, where the number and length of elements can vary from record to record, we RECOMMEND that the Information Elements are encoded using the variable-length encoding described in Section 7 of [RFC5101], with the length carried before the Structured Data Information Element encoding.
然而,当用可变元素计数表示可变长度数据、分层数据和重复数据时,元素的数量和长度可能因记录而异,我们建议使用[RFC5101]第7节中描述的可变长度编码对信息元素进行编码,在结构化数据信息元素编码之前携带长度。
Because of the complex and repeated nature of the data, it is potentially difficult for the Exporting Process to efficiently know in advance the exact encoding size. In this case, the Exporting Process may encode the available data starting at a fixed offset and fill in the final length afterwards. Therefore, the three-byte length encoding is RECOMMENDED for variable-length Information Elements in all Template Records containing a Structured Data Information Element, even if the encoded length can be less than 255 bytes, because the starting offset of the data is known in advance.
由于数据的复杂性和重复性,导出过程可能很难事先有效地知道确切的编码大小。在这种情况下,导出过程可以从固定偏移量开始对可用数据进行编码,然后填充最终长度。因此,建议对包含结构化数据信息元素的所有模板记录中的可变长度信息元素进行三字节长度编码,即使编码长度可以小于255字节,因为数据的起始偏移量是预先知道的。
When encoding such data, an Exporting Process MUST take care to not exceed the maximum allowed IPFIX message length of 65535 bytes as specified in [RFC5101].
编码此类数据时,导出过程必须注意不超过[RFC5101]中规定的最大允许IPFIX消息长度65535字节。
It is possible to define recursive relationships between IPFIX structured data instances, for example, when representing a tree structure. The simplest case of this might be a basicList, where each element is itself a basicList, or a subTemplateList where one of the fields of the referenced Template is itself a subTemplateList referencing the same Template. Also, the Exporting Process MUST take care when encoding recursively-defined structured data not to exceed the maximum allowed length of an IPFIX Message (as noted in Length Encoding Considerations).
例如,在表示树结构时,可以定义IPFIX结构化数据实例之间的递归关系。最简单的情况可能是basicList,其中每个元素本身就是basicList,或者是subTemplateList,其中引用模板的一个字段本身就是引用同一模板的subTemplateList。此外,在对递归定义的结构化数据进行编码时,导出过程必须注意不要超过IPFIX消息允许的最大长度(如长度编码注意事项中所述)。
5.3. Structured Data Information Elements Applicability in Options Template Sets
5.3. 结构化数据信息元素在选项模板集中的适用性
Structured Data Information Elements MAY be used in Options Template Sets.
结构化数据信息元素可用于选项模板集中。
As an example, consider a mediation function that must aggregate Data Records from multiple Observation Point types:
作为一个例子,考虑一个中介函数,它必须聚合来自多个观察点类型的数据记录:
Router 1, (interface 1) Router 2, (linecard A) Router 3, (linecard B) Router 4, (linecard C, interface 2)
路由器1,(接口1)路由器2,(线路卡A)路由器3,(线路卡B)路由器4,(线路卡C,接口2)
In order to encode the PSAMP Selection Sequence Report Interpretation [RFC5476], the mediation function must express this combination of Observation Points as a single new Observation Point. Recall from [RFC5476] that the PSAMP Selection Sequence Report Interpretation consists of the following fields:
为了对PSAMP选择序列报告解释[RFC5476]进行编码,中介函数必须将观察点组合表示为单个新观察点。回想一下[RFC5476],PSAMP选择序列报告解释由以下字段组成:
Scope: selectionSequenceId Non-Scope: one Information Element mapping the Observation Point selectorId (one or more)
范围:selectionSequenceId非范围:映射观察点selectorId的一个信息元素(一个或多个)
Without structured data, there is clearly no way to express the complex aggregated Observation Point as "one Information Element mapping the Observation Point". However, the desired result may be easily achieved using the structured data types. Refer to Section 9.5. for an encoding example related to this case study.
如果没有结构化数据,显然无法将复杂的聚合观测点表示为“映射观测点的一个信息元素”。然而,使用结构化数据类型可以很容易地实现期望的结果。参考第9.5节。有关与本案例研究相关的编码示例。
Regarding the scope in the Options Template Record, the IPFIX specification [RFC5101] mentions that "the IPFIX protocol doesn't prevent the use of any Information Elements for scope". Therefore, a Structured Data Information Element MAY be used as scope in an Options Template Set.
关于选项模板记录中的范围,IPFIX规范[RFC5101]提到“IPFIX协议不阻止对范围使用任何信息元素”。因此,结构化数据信息元素可以用作选项模板集中的范围。
Extending the previous example, the mediation function could export a given name for this complex aggregated Observation Point:
扩展前面的示例,中介函数可以导出此复杂聚合观察点的给定名称:
Scope: Aggregated Observation Point (structured data) Non-Scope: a new Information Element containing the name
范围:聚合观察点(结构化数据)非范围:包含名称的新信息元素
Because basicList, subTemplateList, and subTemplateMultiList are all lists, in several cases, there is more than one way to represent what is effectively the same data structure. However, in some cases, one approach has an advantage over the other, e.g., more compact, uses fewer resources, and is therefore preferred over an alternate representation.
因为basicList、subTemplateList和subTemplateMultiList都是列表,所以在某些情况下,有多种方法可以有效地表示相同的数据结构。然而,在某些情况下,一种方法比另一种方法具有优势,例如更紧凑,使用更少的资源,因此优于替代表示法。
A subTemplateList can represent the same simple list of single-valued Information Elements as a basicList, if the Template referenced by the subTemplateList contains only one single-valued Information Element. Although the encoding is more compact than a basicList by two bytes, using a subTemplateList, in this case, requires a new
如果子模板列表引用的模板仅包含一个单值信息元素,则子模板列表可以表示与基本列表相同的单值信息元素的简单列表。虽然编码比basicList紧凑两个字节,但在本例中,使用子模板列表需要新的
Template per Information Element. The basicList requires no additional Template and is therefore RECOMMENDED in this case.
每个信息元素的模板。basicList不需要额外的模板,因此在这种情况下建议使用。
Although a subTemplateMultiList with one Element can represent the contents of a subTemplateList, the subTemplateMultiList carries two additional bytes (Element Length). It is also potentially useful to a Collecting Process to know in advance that a subTemplateList directly indicates that list element types are consistent. The subTemplateList Information Element is therefore RECOMMENDED in this case.
尽管带有一个元素的subTemplateMultiList可以表示subTemplateList的内容,但subTemplateMultiList还包含两个额外的字节(元素长度)。对于收集过程来说,提前知道子模板列表直接指示列表元素类型是一致的也可能很有用。因此,在这种情况下建议使用子模板信息元素。
The Semantic field in a subTemplateMultiList indicates the top-level relationship among the series of Data Records corresponding to the different Template Records, within this Structured Data Information Element. If a semantic is required to describe the relationship among the different Data Records corresponding to a single Template ID within the subTemplateMultiList, then an encoding based on a basicList of subTemplateLists should be used; refer to Section 5.6 for more information. Alternatively, if a semantic is required to describe the relationship among all Data Records within a subTemplateMultiList (regardless of the Template Record), an encoding based on a subTemplateMultiList with one Data Record corresponding to a single Template ID can be used.
subTemplateMultiList中的语义字段表示此结构化数据信息元素中与不同模板记录对应的一系列数据记录之间的顶级关系。如果需要语义来描述对应于子模板多列表中单个模板ID的不同数据记录之间的关系,则应使用基于子模板多列表基本列表的编码;有关更多信息,请参阅第5.6节。或者,如果需要语义来描述subTemplateMultiList中所有数据记录之间的关系(无论模板记录如何),则可以使用基于subTemplateMultiList的编码,其中一条数据记录对应于单个模板ID。
Note that the referenced Information Element(s) in the Structured Data Information Elements can be taken from the IPFIX information model [RFC5102], the PSAMP information model [RFC5477], any of the Information Elements defined in the IANA IPFIX registry [IANA-IPFIX], or enterprise-specific Information Elements.
请注意,结构化数据信息元素中引用的信息元素可以取自IPFIX信息模型[RFC5102]、PSAMP信息模型[RFC5477]、IANA IPFIX注册表[IANA-IPFIX]中定义的任何信息元素或企业特定信息元素。
If a Template Record contains a subTemplateList as the only field, a Set encoding as specified in the IPFIX protocol specifications [RFC5101] should be considered, unless:
如果模板记录包含子模板列表作为唯一字段,则应考虑IPFIX协议规范[RFC5101]中指定的集合编码,除非:
- A relationship among multiple list elements must be exported, in which case, the semantic from the IPFIX Structured Data Information Element can convey this relationship.
- 必须导出多个列表元素之间的关系,在这种情况下,来自IPFIX结构化数据信息元素的语义可以传递这种关系。
- The Exporting Process wants to convey the number of elements in the list, even in the special cases of zero or one element in the list. Indeed, the case of an empty list cannot be represented with the IPFIX protocol specifications [RFC5101]. In the case of a single element list, the Template Record specified in the IPFIX protocol specification [RFC5101] could be used. However, on the top of the Template Record with the subTemplateList to export multiple list elements, this supplementary Template would impose some extra
- 导出过程希望传递列表中元素的数量,即使在列表中有零个或一个元素的特殊情况下也是如此。事实上,IPFIX协议规范[RFC5101]无法表示空列表的情况。对于单个元素列表,可以使用IPFIX协议规范[RFC5101]中指定的模板记录。但是,在模板记录的顶部,使用subTemplateList导出多个列表元素,此补充模板将施加一些额外的限制
management, both on the Exporting Process and on the Collecting Process, which might have to correlate the information from two Template Records.
管理,包括导出过程和收集过程,可能必须关联来自两个模板记录的信息。
Similarly, if a Template Record contains a subTemplateMultiList as the only field, an IPFIX Message as described in the IPFIX protocol specification [RFC5101] should be considered, unless:
类似地,如果模板记录包含subTemplateMultiList作为唯一字段,则应考虑IPFIX协议规范[RFC5101]中描述的IPFIX消息,除非:
- A relationship among top-level list elements must be exported, in which case, the semantic from the IPFIX Structured Data Information Element can convey this relationship.
- 必须导出顶级列表元素之间的关系,在这种情况下,来自IPFIX结构化数据信息元素的语义可以传递这种关系。
- The Exporting Process wants to convey the number of Data Records corresponding to every Template in the subTemplateMultiList.
- 导出过程希望传递与subTemplateMultiList中每个模板对应的数据记录数。
The Exporting Process MAY insert some padding octets in structured data field values in a Data Record by including the 'paddingOctets' Information Element as described in [RFC5101], Section 3.3.1. The paddingOctets Information Element can be included in a Template Record referenced by a structured data Information Element for this purpose.
导出过程可通过包括[RFC5101]第3.3.1节所述的“paddingOctets”信息元素,在数据记录的结构化数据字段值中插入一些填充八位字节。为此,paddingOctets信息元素可以包含在结构化数据信息元素引用的模板记录中。
Semantic interpretations of received Data Records at or beyond the Collecting Process remain explicitly undefined, unless that data is transmitted using this extension with explicit structured data type semantic information.
在收集过程中或收集过程之后,接收到的数据记录的语义解释仍显式未定义,除非该数据使用具有显式结构化数据类型语义信息的扩展进行传输。
It is not the Exporter's role to check the validity of the semantic representation of Data Records.
出口商的职责不是检查数据记录语义表示的有效性。
More complex semantics can be expressed as a combination of the Semantic Data Information Elements specified in this document.
更复杂的语义可以表示为本文档中指定的语义数据信息元素的组合。
For example, the export of the AS10 AS20 AS30 AS40 {AS50,AS60} BGP AS-PATH would be reported as a basicList of two elements, each element being a basicList of BGP AS, with the top-level structured data type semantic of "ordered". The first element would contain a basicList composed of (AS10,AS20,AS30,AS40) and the respective structured data type semantic of "ordered", while the second element would contain a basicList composed of (AS50, AS60) and the respective structured data type semantic of "exactlyOneOf". A high-level Data Record diagram would be represented as:
例如,AS10 AS20 AS30 AS40{AS50,AS60}BGP AS-PATH的导出将报告为两个元素的基本列表,每个元素都是BGP AS的基本列表,顶级结构化数据类型语义为“有序”。第一个元素将包含由(AS10、AS20、AS30、AS40)和各自的结构化数据类型语义“ordered”组成的基本列表,而第二个元素将包含由(AS50、AS60)和各自的结构化数据类型语义“exactlyOneOf”组成的基本列表。高级数据记录图将表示为:
BGP AS-PATH = (basicList, ordered,
BGP AS-PATH = (basicList, ordered,
(basicList, ordered, AS10,AS20,AS30,AS40),
(基本列表、订单、AS10、AS20、AS30、AS40),
(basicList, exactlyOneOf, AS50, AS60)
(basicList、ExactlyOnof、AS50、AS60)
)
)
If a semantic is required to describe the relationship among the different Data Records corresponding to a single Template ID within the subTemplateMultiList, then an encoding based on a basicList of subTemplateLists should be used, as shown in the next case study.
如果需要语义来描述与subTemplateMultiList中单个模板ID对应的不同数据记录之间的关系,则应使用基于SubTemplateList基本列表的编码,如下一个案例研究所示。
Case study 1:
案例研究1:
In this example, an Exporter monitoring security attacks must export a list of security events consisting of attackers and targets. For the sake of the example, assume that the Collector can differentiate the attacker (which is expressed using source fields) from the target (which is expressed using destination fields). Imagine that attackers A1 or A2 may attack targets T1 and T2.
在此示例中,监视安全攻击的导出器必须导出由攻击者和目标组成的安全事件列表。在本例中,假设收集器可以区分攻击者(使用源字段表示)和目标(使用目标字段表示)。假设攻击者A1或A2可能攻击目标T1和T2。
The first case uses a subTemplateMultiList composed of two Template Records, one representing the attacker and one representing the target, each of them containing an IP address and a port.
第一种情况使用由两个模板记录组成的subTemplateMultiList,一个表示攻击者,一个表示目标,每个模板记录都包含一个IP地址和一个端口。
Attacker Template Record = (src IP address, src port)
Attacker Template Record = (src IP address, src port)
Target Template Record = (dst IP address, dst port)
Target Template Record = (dst IP address, dst port)
A high-level Data Record diagram would be represented as:
高级数据记录图将表示为:
Alert = (subTemplateMultiList, allOf,
Alert = (subTemplateMultiList, allOf,
(Attacker Template Record, A1, A2),
(攻击者模板记录,A1,A2),
(Target Template Record, T1, T2)
(目标模板记录,T1,T2)
)
)
The Collecting Process can only conclude that the list of attackers (A1, A2) and the list of targets (T1, T2) are present, without knowing the relationship amongst attackers and targets. The Exporting Process would have to explicitly call out the relationship amongst attackers and targets as the top-level semantic offered by the subTemplateMultiList isn't sufficient.
收集过程只能得出攻击者列表(A1、A2)和目标列表(T1、T2)存在的结论,而不知道攻击者和目标之间的关系。导出过程必须明确指出攻击者和目标之间的关系,因为subTemplateMultiList提供的顶级语义是不够的。
The only proper encoding for the previous semantic (i.e., attacker A1 or A2 may attack target T1 and T2) uses a basicList of subTemplateLists and is represented as follows:
前一语义的唯一正确编码(即攻击者A1或A2可能攻击目标T1和T2)使用子模板的基本列表,如下所示:
Attacker Template Record = (src IP address, src port)
Attacker Template Record = (src IP address, src port)
Target Template Record = (dst IP address, dst port)
Target Template Record = (dst IP address, dst port)
Alert = (basicList, allOf,
Alert = (basicList, allOf,
(subTemplateList, exactlyOneOf, attacker A1, A2)
(子员工,exactlyOneOf,攻击者A1、A2)
(subTemplateList, allOf, target T1, T2)
(子模板,allOf,目标T1,T2)
)
)
Case study 2:
案例研究2:
In this example, an Exporter monitoring security attacks must export a list of attackers and targets. For the sake of the example, assume that the Collector can differentiate the attacker (which is expressed using source fields) from the target (which is expressed using destination fields). Imagine that attacker A1 or A2 is attacking target T1, while attacker A3 is attacking targets T2 and T3. The first case uses a subTemplateMultiList that contains Data Records corresponding to two Template Records, one representing the attacker and one representing the target, each of them containing an IP address and a port.
在此示例中,监视安全攻击的导出器必须导出攻击者和目标的列表。在本例中,假设收集器可以区分攻击者(使用源字段表示)和目标(使用目标字段表示)。假设攻击者A1或A2正在攻击目标T1,而攻击者A3正在攻击目标T2和T3。第一种情况使用一个subTemplateMultiList,其中包含与两个模板记录对应的数据记录,一个表示攻击者,一个表示目标,每个模板记录都包含一个IP地址和一个端口。
Attacker Template Record = (src IP address, src port) Target Template Record = (dst IP address, dst port)
Attacker Template Record = (src IP address, src port) Target Template Record = (dst IP address, dst port)
A high-level Data Record diagram would be represented as:
高级数据记录图将表示为:
Alert = (subTemplateMultiList, allOf,
Alert = (subTemplateMultiList, allOf,
(Attacker Template Record, A1, A2, A3),
(攻击者模板记录,A1、A2、A3),
(Target Template Record, T1, T2, T3)
(目标模板记录,T1、T2、T3)
)
)
The Collecting Process can only conclude that the list of attackers (A1, A2, A3), and the list of targets (T1, T2, T3) are present, without knowing the relationship amongst attackers and targets.
收集过程只能得出攻击者列表(A1、A2、A3)和目标列表(T1、T2、T3)存在的结论,而不知道攻击者和目标之间的关系。
The second case could use a Data Record definition composed of the following:
第二种情况可以使用由以下内容组成的数据记录定义:
Alert = (subTemplateMultiList, allOf,
Alert = (subTemplateMultiList, allOf,
(Attacker Template Record, A1, A2),
(攻击者模板记录,A1,A2),
(Target Template Record, T1),
(目标模板记录,T1),
(Attacker Template Record, A3),
(攻击者模板记录,A3),
(Target Template Record, T2, T3)
(目标模板记录,T2,T3)
)
)
With the above representation, the Collecting Process can infer that the alert consists of the list of attackers (A1, A2), target (T1), attacker (A3), and list of targets (T2, T3). From the sequence in which attackers and targets are encoded, the Collector can possibly deduce that some relationship exists among (A1, A2, T1) and (A2, T1, T2) but cannot understand what it is exactly. So, there is a need for the Exporting Process to explicitly define the relationship between the attackers, and targets and the top-level semantic of the subTemplateMultiList is not sufficient.
通过上述表示,收集过程可以推断警报由攻击者列表(A1、A2)、目标(T1)、攻击者(A3)和目标列表(T2、T3)组成。根据攻击者和目标的编码顺序,收集器可能推断出(A1、A2、T1)和(A2、T1、T2)之间存在某种关系,但无法准确理解其含义。因此,导出过程需要明确定义攻击者和目标之间的关系,并且子模板多列表的顶级语义是不够的。
The only proper encoding for the previous semantic (i.e., attacker A1 or A2 attacks target T1, attacker A3 attacks targets T2 and T3) uses a basicList of subTemplateLists and is represented as follows:
前一语义的唯一正确编码(即攻击者A1或A2攻击目标T1,攻击者A3攻击目标T2和T3)使用子模板的基本列表,表示如下:
Participant P1 =
参与者P1=
(basicList, allOf,
(基本主义者,所有人,
(subTemplateList, exactlyOneOf, attacker A1, A2)
(子员工,exactlyOneOf,攻击者A1、A2)
(subTemplateList, undefined, target T1)
(子模板列表,未定义,目标T1)
)
)
Participant P2 =
参与者P2=
(basicList, allOf,
(基本主义者,所有人,
(subTemplateList, undefined, attacker A3,
(子模板,未定义,攻击者A3,
(subTemplateList, allOf, targets T2, T3)
(子模板,allOf,目标T2,T3)
)
)
The security alert is represented as a subTemplateList of participants.
安全警报表示为参与者的子模板列表。
Alert =
警觉的=
(subTemplateList, allOf, Participant P1, Participant P2)
(副员工,allOf,参与者P1,参与者P2)
Note that, in the particular case of a single element in a Structured Data Information Element, the Semantic field is actually not very useful since it specifies the relationship among multiple elements. Any choice of allOf, exactlyOneOf, or OneOrMoreOf would provide the same result semantically. Therefore, in case of a single element in a Structured Data Information Element, the default "undefined" semantic SHOULD be used.
请注意,在结构化数据信息元素中单个元素的特定情况下,语义字段实际上不是很有用,因为它指定了多个元素之间的关系。任何allOf、exactlyOneOf或one或moreof的选择都会在语义上提供相同的结果。因此,对于结构化数据信息元素中的单个元素,应使用默认的“未定义”语义。
This section introduces some more specific Template management and Template Withdrawal Message-related specifications compared to the IPFIX protocol specification [RFC5101].
与IPFIX协议规范[RFC5101]相比,本节介绍了一些更具体的模板管理和模板撤销消息相关规范。
First of all, the Template ID uniqueness is unchanged compared to [RFC5101]; the uniqueness is local to the Transport Session and Observation Domain that generated the Template ID. In other words, the Set ID used to export the Template Record does not influence the Template ID uniqueness.
首先,模板ID唯一性与[RFC5101]相比没有变化;唯一性是生成模板ID的传输会话和观察域的本地唯一性。换句话说,用于导出模板记录的集合ID不会影响模板ID的唯一性。
While [RFC5101] mentions that "if an Information Element is required more than once in a Template, the different occurrences of this Information Element SHOULD follow the logical order of their treatments by the Metering Process", this rule MAY be ignored within Structured Data Information Elements.
虽然[RFC5101]提到“如果模板中多次需要信息元素,则该信息元素的不同出现应遵循计量过程处理的逻辑顺序”,但在结构化数据信息元素中,该规则可能会被忽略。
As specified in [RFC5101], Templates that are not used anymore SHOULD be deleted. Deleting a Template implies that it MUST NOT be used within subTemplateList and subTemplateMultiList anymore. Before reusing a Template ID, the Template MUST be deleted. In order to delete an allocated Template, the Template is withdrawn through the use of a Template Withdrawal Message.
按照[RFC5101]中的规定,应删除不再使用的模板。删除模板意味着它不能再在subTemplateList和subTemplateMultiList中使用。在重用模板ID之前,必须删除该模板。为了删除分配的模板,通过使用模板撤回消息撤回模板。
This section introduces some more specific specifications to the Collection Process compared to Section 9 in the IPFIX protocol [RFC5101].
与IPFIX协议[RFC5101]中的第9节相比,本节为收集过程介绍了一些更具体的规范。
As opposed to the IPFIX specification in [RFC5101], IPFIX Messages with IPFIX Structured Data Information Elements change the IPFIX
与[RFC5101]中的IPFIX规范不同,带有IPFIX结构化数据信息元素的IPFIX消息会更改IPFIX
concept from the Collector's point of view as the data types are present in the Data Records rather than in the Template Records. For example, a basicList Information Element in a Template Record doesn't specify the list element data type; this information is contained in the Data Record. For example, in case of a subTemplateMultiList, the Collecting Process must refer to the included Template Records in the middle of the Data Record decode.
从收集器的角度来看,数据类型出现在数据记录中,而不是模板记录中。例如,模板记录中的basicList信息元素没有指定列表元素数据类型;此信息包含在数据记录中。例如,在子模板的列表中,收集过程必须参考数据记录解码中间的包含模板记录。
As described in [RFC5101], a Collecting Process MUST note the Information Element identifier of any Information Element that it does not understand and MAY discard that Information Element from the Flow Record. Therefore, a Collection Process that does not support the extension specified in this document can ignore the Structured Data Information Elements in a Data Record, or it can ignore Data Records containing these new Structured Data Information Elements while continuing to process other Data Records.
如[RFC5101]中所述,收集过程必须注意其不理解的任何信息元素的信息元素标识符,并且可以从流记录中丢弃该信息元素。因此,不支持本文档中指定的扩展的收集过程可以忽略数据记录中的结构化数据信息元素,也可以忽略包含这些新的结构化数据信息元素的数据记录,同时继续处理其他数据记录。
If the structured data contains the "undefined" structured data type semantic, the Collecting Process MAY attempt to draw its own conclusion in terms of the semantic contained in the Data Record.
如果结构化数据包含“未定义”的结构化数据类型语义,则收集过程可能会尝试根据数据记录中包含的语义得出自己的结论。
8. Defining New Information Elements Based on the New Abstract Data Types
8. 基于新的抽象数据类型定义新的信息元素
This document specifies three new abstract data types: basicList, subTemplateList, and subTemplateMultiList. As specified in [RFC5102], the specification of new IPFIX Information Elements uses the Template specified in Section 2.1 of [RFC5102]. This Template mentioned existing and future the data types: "One of the types listed in Section 3.1 of this document or in a future extension of the information model". So new Information Elements can be specified based on the three new abstract data types.
本文档指定了三种新的抽象数据类型:basicList、subTemplateList和subTemplateMultiList。如[RFC5102]所述,新IPFIX信息元素的规范使用[RFC5102]第2.1节中规定的模板。该模板提到了现有和未来的数据类型:“本文件第3.1节或信息模型未来扩展中列出的类型之一”。因此,可以根据这三种新的抽象数据类型指定新的信息元素。
The authors anticipate the creation of both enterprise-specific and IANA Information Elements based on the IPFIX structured data types. For example, bgpPathList, bgpSequenceList, and bgpSetList, of abstract types and semantics basicList/ordered, basicList/ordered, and basicList/exactlyOneOf respectively, would define the complete semantic of the list. This specification doesn't specify any new Information Elements beyond the ones in Section 4.3.
作者预计将基于IPFIX结构化数据类型创建企业特定信息元素和IANA信息元素。例如,抽象类型和语义分别为basicList/ordered、basicList/ordered和basicList/exactlyOneOf的bgpatthlist、bgpSequenceList和bgpSetList将定义列表的完整语义。本规范未规定第4.3节以外的任何新信息元素。
The following examples are created solely for the purpose of illustrating how the extensions proposed in this document are encoded.
以下示例仅用于说明如何对本文档中提出的扩展进行编码。
Consider encoding a multicast Data Record containing the following data:
考虑编码包含以下数据的多播数据记录:
--------------------------------------------------------------- Ingress If | Source IP | Destination IP | Egress Interfaces --------------------------------------------------------------- 9 192.0.2.201 233.252.0.1 1, 4, 8 ---------------------------------------------------------------
--------------------------------------------------------------- Ingress If | Source IP | Destination IP | Egress Interfaces --------------------------------------------------------------- 9 192.0.2.201 233.252.0.1 1, 4, 8 ---------------------------------------------------------------
Template Record for the multicast Flows, with the Template ID 256:
多播流的模板记录,模板ID为256:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 256 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| DestinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| basicList = 291 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 256 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| DestinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| basicList = 291 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: Encoding basicList, Template Record
图11:编码基本列表、模板记录
The list of outgoing interfaces is represented as a basicList with semantic allOf, and the Length of the list is chosen to be encoded in three bytes even though it may be less than 255 octets.
传出接口的列表表示为带有语义allOf的基本列表,列表的长度被选择为以三个字节编码,即使它可能小于255个八位字节。
The Data Set is represented as follows:
数据集表示如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 36 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 17 | semantic=allOf| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface FieldId = 14 |egressInterface Field Length=4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 1 = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 2 = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 3 = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 36 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 17 | semantic=allOf| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface FieldId = 14 |egressInterface Field Length=4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 1 = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 2 = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 3 = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: Encoding basicList, Data Record, Semantic allOf
图12:编码基本列表、数据记录、语义分配
In the example above, the basicList contains fixed-length elements. To illustrate how variable-length elements would be encoded, the same example is shown below with variable-length interface names in the basicList instead:
在上面的示例中,basicList包含固定长度的元素。为了说明可变长度元素的编码方式,下面显示了相同的示例,在basicList中使用可变长度接口名称:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 44 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 25 | semantic=allOf| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| InterfaceName FieldId = 82 | InterfaceName Field Len=0xFFFF| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length = 5 | 'F' | 'E' | '0' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | '/' | '0' | Length = 7 | 'F' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 'E' | '1' | '0' | '/' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | '1' | '0' | Length = 5 | 'F' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 'E' | '2' | '/' | '2' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 44 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 25 | semantic=allOf| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| InterfaceName FieldId = 82 | InterfaceName Field Len=0xFFFF| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length = 5 | 'F' | 'E' | '0' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | '/' | '0' | Length = 7 | 'F' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 'E' | '1' | '0' | '/' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | '1' | '0' | Length = 5 | 'F' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 'E' | '2' | '/' | '2' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13: Encoding basicList, Data Record with Variable-Length Elements, Semantic allOf
图13:编码基本列表、具有可变长度元素的数据记录、语义allOf
Consider encoding a load-balanced Data Record containing the following data:
考虑编码包含下列数据的负载平衡数据记录:
--------------------------------------------------------------- Ingress If | Source IP | Destination IP | Egress Interfaces --------------------------------------------------------------- 9 192.0.2.201 233.252.0.1 1, 4, 8 ---------------------------------------------------------------
--------------------------------------------------------------- Ingress If | Source IP | Destination IP | Egress Interfaces --------------------------------------------------------------- 9 192.0.2.201 233.252.0.1 1, 4, 8 ---------------------------------------------------------------
So the Data Record egressed from either interface 1, 4, or 8. The Data Set is represented as follows:
因此,数据记录从接口1、4或8退出。数据集表示如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 36 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 17 |sem=exactlyOne | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface FieldId = 14 |egressInterface Field Length=4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 1 = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 2 = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 3 = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 256 | Length = 36 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ingressInterface = 9 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.201 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DestinationIPv4Address = 233.252.0.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | List Length = 17 |sem=exactlyOne | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface FieldId = 14 |egressInterface Field Length=4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 1 = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 2 = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | egressInterface value 3 = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note: sem=exactlyOne represents semantic=exactlyOneOf
Note: sem=exactlyOne represents semantic=exactlyOneOf
Figure 14: Encoding basicList, Data Record, Semantic exactlyOneOf
图14:编码基本列表、数据记录、语义精确EOF
As explained in Section 2.2, multiple pairs of (observationTimeMicroseconds, digestHashValue) must be collected from two different Observation Points to passively compute the one-way delay across the network. This data can be exported with an optimized Data Record that consists of the following attributes:
如第2.2节所述,必须从两个不同的观测点收集多对(observationTimeMicroseconds,digestHashValue),以被动地计算整个网络的单向延迟。可以使用优化的数据记录导出此数据,该记录由以下属性组成:
5-tuple { observationTimeMicroseconds 1, digestHashValue 1 } { observationTimeMicroseconds 2, digestHashValue 2 } { observationTimeMicroseconds 3, digestHashValue 3 } { ... , ... }
5-tuple { observationTimeMicroseconds 1, digestHashValue 1 } { observationTimeMicroseconds 2, digestHashValue 2 } { observationTimeMicroseconds 3, digestHashValue 3 } { ... , ... }
A subTemplateList is best suited for exporting the list of (observationTimeMicroseconds, digestHashValue). For illustration purposes, the number of elements in the list is 5; in practice, it could be more.
子模板列表最适合导出列表(observationTimeMicroseconds,digestHashValue)。为了便于说明,列表中的元素数为5;在实践中,这可能更为重要。
------------------------------------------------------------------ srcIP | dstIP | src | dst |proto| one-way delay | | Port | Port | | metrics ------------------------------------------------------------------ 192.0.2.1 192.0.2.105 1025 80 6 Time1, 0x0x91230613 Time2, 0x0x91230650 Time3, 0x0x91230725 Time4, 0x0x91230844 Time5, 0x0x91230978 ------------------------------------------------------------------
------------------------------------------------------------------ srcIP | dstIP | src | dst |proto| one-way delay | | Port | Port | | metrics ------------------------------------------------------------------ 192.0.2.1 192.0.2.105 1025 80 6 Time1, 0x0x91230613 Time2, 0x0x91230650 Time3, 0x0x91230725 Time4, 0x0x91230844 Time5, 0x0x91230978 ------------------------------------------------------------------
The following Template is defined for exporting the one-way delay metrics:
定义以下模板用于导出单向延迟度量:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 257 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| observationTimeMicroSec=324 | Field Length = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| digestHashValue = 326 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 257 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| observationTimeMicroSec=324 | Field Length = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| digestHashValue = 326 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: Encoding subTemplateList, Template for One-Way Delay Metrics
图15:编码子模板,单向延迟度量模板
The Template Record for the Optimized Data Record is as follows:
优化数据记录的模板记录如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 32 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 258 | Field Count = 6 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceTransportPort = 7 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationTransportPort= 11| Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateList = 292 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 32 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 258 | Field Count = 6 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceTransportPort = 7 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationTransportPort= 11| Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateList = 292 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 16: Encoding subTemplateList, Template Record
图16:编码子模板列表,模板记录
The list of (observationTimeMicroseconds, digestHashValue) is exported as a subTemplateList with semantic allOf. The Length of the subTemplateList is chosen to be encoded in three bytes even though it may be less than 255 octets.
列表(observationTimeMicroseconds,digestHashValue)将导出为具有语义allOf的子模板列表。子模板列表的长度被选择为以三个字节编码,即使它可能小于255个八位字节。
The Data Record is represented as follows:
数据记录如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 258 | Length = 83 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | destinationIPv4Address = 192.0.2.105 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceTransportPort = 1025 | destinationTransportPort = 80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol = 6 | 255 | one-way metrics list len = 63 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | semantic=allOf| TemplateID = 257 | TimeValue1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 258 | Length = 83 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv4Address = 192.0.2.1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | destinationIPv4Address = 192.0.2.105 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceTransportPort = 1025 | destinationTransportPort = 80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol = 6 | 255 | one-way metrics list len = 63 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | semantic=allOf| TemplateID = 257 | TimeValue1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... octets 6-8 of TimeValue1 |digestHashVal1=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230613 | TimeValue2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue2 |digestHashVal2=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230650 | TimeValue3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue3 |digestHashVal3=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230725 | TimeValue4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue4 |digestHashVal4=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230844 | TimeValue5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue5 |digestHashVal5=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230978 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... octets 6-8 of TimeValue1 |digestHashVal1=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230613 | TimeValue2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue2 |digestHashVal2=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230650 | TimeValue3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue3 |digestHashVal3=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230725 | TimeValue4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue4 |digestHashVal4=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230844 | TimeValue5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 2-5 of TimeValue5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... octets 6-8 of TimeValue5 |digestHashVal5=| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 0x0x91230978 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 17: Encoding subTemplateList, Data Set
图17:编码子模板,数据集
As explained in Section 4.5.3, a subTemplateMultiList is used to export a list of mixed-type content where each top-level element corresponds to a different Template Record.
如第4.5.3节所述,subTemplateMultiList用于导出混合类型内容的列表,其中每个顶级元素对应于不同的模板记录。
To illustrate this, consider the Data Record with the following attributes:
为了说明这一点,考虑具有以下属性的数据记录:
5-tuple (Flow Keys), octetCount, packetCount attributes for filtering selectorId, selectorAlgorithm attributes for sampling selectorId, selectorAlgorithm, samplingPacketInterval, samplingPacketSpace
五元组(流键)、八位计数、用于筛选selectorId的packetCount属性、用于采样的selectorAlgorithm属性selectorId、selectorAlgorithm、samplingPacketInterval、samplingPacketSpace
This example demonstrates that the Selector Report Interpretation [RFC5476] can be encoded with the subTemplateMultiList. More specifically, the example describes Property Match Filtering Selector Report Interpretation [RFC5476] used for filtering purposes, and the Systemic Count-Based Sampling as described in Section 6.5.2.1 of [RFC5476]. Some traffic will be filtered according to match properties configured, some will be sampled, some will be filtered and sampled, and some will not be filtered or sampled.
此示例演示了选择器报告解释[RFC5476]可以使用subTemplateMultiList进行编码。更具体地说,该示例描述了用于过滤目的的属性匹配过滤选择器报告解释[RFC5476],以及[RFC5476]第6.5.2.1节所述的基于系统计数的采样。一些流量将根据配置的匹配属性进行过滤,一些流量将进行采样,一些流量将进行过滤和采样,一些流量将不进行过滤或采样。
A subTemplateMultiList is best suited for exporting this variable data. A Template is defined for filtering attributes and another Template is defined for sampling attributes. A Data Record can contain data corresponding to either of the Templates, both of them, or neither of them.
subTemplateMultiList最适合导出此变量数据。为过滤属性定义了一个模板,为采样属性定义了另一个模板。数据记录可以包含与任一模板、两个模板或两个模板都不对应的数据。
Consider the example below where the following Data Record contains both filtering and sampling attributes.
请考虑下面的示例,其中下面的数据记录包含过滤和采样属性。
Key attributes of the Data Record:
数据记录的关键属性:
------------------------------------------------------------------ srcIP | dstIP | src | dst | proto | octetCount | packet | | Port | Port | | | Count ------------------------------------------------------------------ 2001:DB8::1 2001:DB8::2 1025 80 6 108000 120 ------------------------------------------------------------------
------------------------------------------------------------------ srcIP | dstIP | src | dst | proto | octetCount | packet | | Port | Port | | | Count ------------------------------------------------------------------ 2001:DB8::1 2001:DB8::2 1025 80 6 108000 120 ------------------------------------------------------------------
Filtering attributes:
筛选属性:
------------------------------------------- selectorId | selectorAlgorithm ------------------------------------------- 100 5 (Property Match Filtering) -------------------------------------------
------------------------------------------- selectorId | selectorAlgorithm ------------------------------------------- 100 5 (Property Match Filtering) -------------------------------------------
Sampling attributes:
采样属性:
For Systemic Count-Based Sampling as defined in Section 6.5.2.1 of [RFC5476] the required algorithm-specific Information Elements are:
对于[RFC5476]第6.5.2.1节中定义的基于系统计数的抽样,所需的算法特定信息元素为:
samplingPacketInterval: number of packets selected in a row samplingPacketSpace: number of packets between selections
samplingPacketInterval:行中选择的数据包数samplingPacketSpace:选择之间的数据包数
Example of a simple 1-out-of-100 systematic count-based Selector definition, where the samplingPacketInterval is 1 and the samplingPacketSpace is 99.
简单的基于系统计数的百分之一选择器定义示例,其中samplingPacketInterval为1,samplingPacketSpace为99。
-------------------------------------------------------------- selectorId | selectorAlgorithm | sampling | sampling | | Packet | Packet | | Interval | Space -------------------------------------------------------------- 15 1 (Count-Based Sampling) 1 99 --------------------------------------------------------------
-------------------------------------------------------------- selectorId | selectorAlgorithm | sampling | sampling | | Packet | Packet | | Interval | Space -------------------------------------------------------------- 15 1 (Count-Based Sampling) 1 99 --------------------------------------------------------------
To represent the Data Record, the following Template Records are defined:
为了表示数据记录,定义了以下模板记录:
Template for filtering attributes: 259 Template for sampling attributes: 260 Template for Flow Record: 261
过滤属性模板:259采样属性模板:260流量记录模板:261
Flow record (261) | (sourceIPv6Address) | (destinationIPv6Address) | (sourceTransportPort) | (destinationTransportPort) | (protocolIdentifier) | (octetTotalCount) | (packetTotalCount) | +------ filtering attributes (259) | (selectorId) | (selectorAlgorithm) | +------ sampling attributes (260) | (selectorId) | (selectorAlgorithm) | (samplingPacketInterval) | (samplingPacketSpace)
Flow record (261) | (sourceIPv6Address) | (destinationIPv6Address) | (sourceTransportPort) | (destinationTransportPort) | (protocolIdentifier) | (octetTotalCount) | (packetTotalCount) | +------ filtering attributes (259) | (selectorId) | (selectorAlgorithm) | +------ sampling attributes (260) | (selectorId) | (selectorAlgorithm) | (samplingPacketInterval) | (samplingPacketSpace)
The following Template Record is defined for filtering attributes:
为筛选属性定义了以下模板记录:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 259 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorId = 302 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorAlgorithm = 304 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 259 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorId = 302 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorAlgorithm = 304 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 18: Encoding subTemplateMultiList, Template for Filtering Attributes
图18:编码子模板MultiList,用于筛选属性的模板
The Template for sampling attributes is defined as follows:
采样属性的模板定义如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 260 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorId = 302 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorAlgorithm = 304 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| samplingPacketInterval = 305| Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| samplingPacketSpace = 306 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 260 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorId = 302 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| selectorAlgorithm = 304 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| samplingPacketInterval = 305| Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| samplingPacketSpace = 306 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 19: Encoding subTemplateMultiList, Template for Sampling Attributes
图19:编码子模板MultiList,采样属性模板
Note that while selectorAlgorithm is defined as unsigned16, and samplingPacketInterval and samplingPacketSpace are defined as unsigned32, they are compressed down to 1 octet here as allowed by Reduced Size Encoding in Section 6.2 of the IPFIX protocol specifications [RFC5101].
请注意,虽然selectorAlgorithm被定义为unsigned16,samplingPacketInterval和samplingPacketSpace被定义为unsigned32,但根据IPFIX协议规范[RFC5101]第6.2节中的缩减编码,它们在这里被压缩为1个八位字节。
Template for the Flow Record is defined as shown below:
流程记录的模板定义如下所示:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 40 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 261 | Field Count = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv6Address = 27 | Field Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv6Address = 28 | Field Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceTransportPort = 7 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationTransportPort=11 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| octetTotalCount = 85 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| packetTotalCount = 86 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateMultiList = 293 | Field Length = 0XFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 40 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 261 | Field Count = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv6Address = 27 | Field Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv6Address = 28 | Field Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceTransportPort = 7 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationTransportPort=11 | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| octetTotalCount = 85 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| packetTotalCount = 86 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateMultiList = 293 | Field Length = 0XFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 20: Encoding subTemplateMultiList, Template for Flow Record
图20:编码子模板MultiList,流记录模板
A subTemplateMultiList with semantic allOf is used to export the filtering and sampling attributes. The Length field of the subTemplateMultiList is chosen to be encoded in three bytes even though it may be less than 255 octets.
带有语义allOf的subTemplateMultiList用于导出筛选和采样属性。subTemplateMultiList的长度字段被选择为以三个字节编码,即使它可能小于255个八位字节。
The Data Record is encoded as follows:
数据记录编码如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 261 | Length = 73 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv6Address = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2001:DB8::1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 261 | Length = 73 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceIPv6Address = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2001:DB8::1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| destinationIPv6Address = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2001:DB8::2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceTransportPort = 1025 | destinationTransportPort = 80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | protocol = 6 | octetTotalCount = 108000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | packetTotalCount = 120 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | 255 | Attributes List Length = 21 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |semantic=allOf | Filtering Template ID = 259 |Filtering Attr | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length = 9 | selectorId = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 100 |selectorAlg = 5| Sampling Template ID = 260 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sampling Attributes Length=11 | selectorId = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 15 |selectorAlg = 1| Interval = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Space = 99 | +-+-+-+-+-+-+-+-+
| destinationIPv6Address = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 2001:DB8::2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | sourceTransportPort = 1025 | destinationTransportPort = 80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | protocol = 6 | octetTotalCount = 108000 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | packetTotalCount = 120 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | 255 | Attributes List Length = 21 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |semantic=allOf | Filtering Template ID = 259 |Filtering Attr | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ...Length = 9 | selectorId = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 100 |selectorAlg = 5| Sampling Template ID = 260 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sampling Attributes Length=11 | selectorId = ... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 15 |selectorAlg = 1| Interval = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Space = 99 | +-+-+-+-+-+-+-+-+
Figure 21: Encoding subTemplateMultiList, Data Set
图21:编码子模板多列表,数据集
As described in Section 5.3, consider a mediation function that must aggregate Data Records from different Observation Points.
如第5.3节所述,考虑一个中介函数,它必须聚合来自不同观察点的数据记录。
Say Observation Point 1 consists of one or more interfaces, Observation Points 2 and 3 consist of one or more linecards, and Observation Point 4 consists of one or more interfaces and one or more linecards. Without structured data, a Template would have to be defined for every possible combination to interpret the data corresponding to each of the Observation Points. However, with structured data, a basicList can be used to encode the list of interfaces and another basicList can be used to encode the list of linecards.
假设观测点1由一个或多个接口组成,观测点2和3由一个或多个线卡组成,观测点4由一个或多个接口和一个或多个线卡组成。如果没有结构化数据,则必须为每个可能的组合定义一个模板,以解释与每个观测点对应的数据。但是,对于结构化数据,一个基本列表可用于编码接口列表,另一个基本列表可用于编码线路卡列表。
For the sake of simplicity, each Observation Point shown below has the IP address corresponding to the Router and an <interface> or <linecard> or <linecard and interface>. This can very well be extended to include a list of interfaces and a list of linecards using basicLists as explained above.
为了简单起见,下面显示的每个观察点都有对应于路由器的IP地址和一个<interface>或<linecard>或<linecard and interface>。这可以很好地扩展到包括一个接口列表和一个使用BasicList的线路卡列表,如上所述。
Observation Point 1: Router 1, (interface 1) Observation Point 2: Router 2, (linecard A) Observation Point 3: Router 3, (linecard B) Observation Point 4: Router 4, (linecard C, interface 2)
观察点1:路由器1,(接口1)观察点2:路由器2,(线路卡A)观察点3:路由器3,(线路卡B)观察点4:路由器4,(线路卡C,接口2)
The mediation function wishes to express this as a single Observation Point, in order to encode the PSAMP Selection Sequence Report Interpretation (SSRI). Recall from [RFC5476] that the PSAMP Selection Sequence Report Interpretation consists of the following fields:
中介函数希望将其表示为单个观察点,以便对PSAMP选择序列报告解释(SSRI)进行编码。回想一下[RFC5476],PSAMP选择序列报告解释由以下字段组成:
Scope: selectionSequenceId Non-Scope: one Information Element mapping the Observation Point selectorId (one or more)
范围:selectionSequenceId非范围:映射观察点selectorId的一个信息元素(一个或多个)
For example, the Observation Point detailed above may be encoded in a PSAMP Selection Sequence Report Interpretation as shown below:
例如,上文详述的观测点可在PSAMP选择序列报告解释中编码,如下所示:
Selection Sequence 7 (Filter->Sampling): Observation Point: subTemplateMultiList. Router 1 (IP address = 192.0.2.11), (interface 1) Router 2 (IP address = 192.0.2.12), (linecard A) Router 3 (IP address = 192.0.2.13), (linecard B) Router 4 (IP address = 192.0.2.14), (linecard C, interface 2) selectorId: 5 (Filter, match IPv4SourceAddress 192.0.2.1) selectorId: 10 (Sampler, Random 1 out-of ten)
选择顺序7(过滤器->采样):观察点:子模板多列表。路由器1(IP地址=192.0.2.11),(接口1)路由器2(IP地址=192.0.2.12),(线路卡A)路由器3(IP地址=192.0.2.13),(线路卡B)路由器4(IP地址=192.0.2.14),(线路卡C,接口2)选择器ID:5(筛选,匹配IPV4源地址192.0.2.1)选择器ID:10(采样器,随机十取一)
The following Templates are defined to represent the PSAMP SSRI: Template for representing PSAMP SSRI: 262 Template for representing interface: 263 Template for representing linecard: 264 Template for representing linecard and interface: 265
定义以下模板来表示PSAMP SSRI:表示PSAMP SSRI的模板:262表示接口的模板:263表示线路卡的模板:264表示线路卡和接口的模板:265
PSAMP SSRI (262) | (SelectionSequenceId) | +--- Observation Point 1 (263) | (exporterIPv4Address) | (Interface Id) | +--- Observation Point 2 and 3 (264) | (exporterIPv4Address) | (linecard) | +--- Observation Point 4 (265) | (exporterIPv4Address) | (linecard) | (Interface Id) | | (selectorId 1) | (selectorId 2)
PSAMP SSRI (262) | (SelectionSequenceId) | +--- Observation Point 1 (263) | (exporterIPv4Address) | (Interface Id) | +--- Observation Point 2 and 3 (264) | (exporterIPv4Address) | (linecard) | +--- Observation Point 4 (265) | (exporterIPv4Address) | (linecard) | (Interface Id) | | (selectorId 1) | (selectorId 2)
Note that the example could further be improved with a basicList of selectorId if many Selector IDs have to be reported.
请注意,如果必须报告多个选择器ID,则可以使用selectorId的基本列表进一步改进该示例。
Figure 22: PSAMP SSRI to Be Encoded
图22:要编码的PSAMP SSRI
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 3 | Length = 26 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 262 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Scope Field Count = 1 |0| selectionSequenceId = 301 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Scope 1 Length = 4 |0| subTemplateMultiList = 293 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 0xFFFF |0| selectorId = 302 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 4 |0| selectorId = 302 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 3 | Length = 26 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 262 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Scope Field Count = 1 |0| selectionSequenceId = 301 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Scope 1 Length = 4 |0| subTemplateMultiList = 293 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 0xFFFF |0| selectorId = 302 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 4 |0| selectorId = 302 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 23: Options Template Record for PSAMP SSRI Using subTemplateMultiList
图23:使用subTemplateMultiList的PSAMP SSRI的选项模板记录
A subTemplateMultiList with semantic allOf is used to encode the list of Observation Points.
带有语义allOf的subTemplateMultiList用于对观察点列表进行编码。
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 263 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 263 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 24: PSAMP SSRI, Template Record for interface
图24:PSAMP SSRI,接口模板记录
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 264 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| lineCardId = 141 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 264 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| lineCardId = 141 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 25: PSAMP SSRI, Template Record for linecard
图25:PSAMP SSRI,线路卡的模板记录
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 20 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 265 | Field Count = 3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| lineCardId = 141 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 20 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 265 | Field Count = 3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| exporterIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| lineCardId = 141 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| ingressInterface = 10 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 26: PSAMP SSRI, Template Record for linecard and interface
图26:PSAMP SSRI,线路卡和接口的模板记录
The PSAMP SSRI Data Set is represented as follows:
PSAMP SSRI数据集表示如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 262 | Length = 68 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectionSequenceId = 7 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Observation Point List Len=49 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP1 Template ID = 263 | OP1 Length = 12 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 1 exporterIPv4Address = 192.0.2.11 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP1 ingressInterface = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP2&OP3 Template ID = 264 | OP2 & OP3 Length = 20 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 2 exporterIPv4Address = 192.0.2.12 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP2 lineCardId = A | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 3 exporterIPv4Address = 192.0.2.13 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP3 lineCardId = B | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 Template ID = 265 | OP4 Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 4 exporterIPv4Address = 192.0.2.14 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 lineCardId = C | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 ingressInterface = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectorId = 5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectorId = 10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 262 | Length = 68 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectionSequenceId = 7 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | Observation Point List Len=49 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP1 Template ID = 263 | OP1 Length = 12 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 1 exporterIPv4Address = 192.0.2.11 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP1 ingressInterface = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP2&OP3 Template ID = 264 | OP2 & OP3 Length = 20 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 2 exporterIPv4Address = 192.0.2.12 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP2 lineCardId = A | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 3 exporterIPv4Address = 192.0.2.13 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP3 lineCardId = B | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 Template ID = 265 | OP4 Length = 16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Router 4 exporterIPv4Address = 192.0.2.14 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 lineCardId = C | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | OP4 ingressInterface = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectorId = 5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | selectorId = 10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 27: Example of a PSAMP SSRI Data Record, Encoded Using a subTemplateMultiList
图27:使用subTemplateMultiList编码的PSAMP SSRI数据记录示例
Note that the Data Record above contains multiple instances of Template 264 to represent Observation Point 2 (Router2, linecard A) and Observation Point 3 (Router3, linecard B). Instead, if a single Observation Point had both linecard A and linecard B, a basicList would be used to represent the list of linecards.
注意,上面的数据记录包含模板264的多个实例,以表示观测点2(路由2,线路卡A)和观测点3(路由3,线路卡B)。相反,如果单个观测点同时具有线卡a和线卡B,则将使用基本列表来表示线卡列表。
"Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports" [RFC5473] describes a bandwidth saving method for exporting Flow or packet information using the IP Flow Information Export (IPFIX) protocol.
“减少IP流信息导出(IPFIX)和数据包采样(PSAMP)报告中的冗余”[RFC5473]描述了使用IP流信息导出(IPFIX)协议导出流或数据包信息的带宽节约方法。
It defines the commonPropertiesID Information Element for exporting Common Properties.
它定义用于导出公共属性的commonPropertiesID信息元素。
When Structured Data Information Elements contain repeated elements, these elements may be replaced with a commonPropertiesID Information Element as specified in [RFC5473]. The replaced elements may include the basicList, subTemplateList, and subTemplateMultiList Information Elements.
当结构化数据信息元素包含重复元素时,可使用[RFC5473]中规定的公共属性ID信息元素替换这些元素。被替换的元素可以包括基本列表、子模板列表和子模板多列表信息元素。
This technique might help reducing the bandwidth requirements for the export. However, a detailed analysis of the gain has not been done; refer to Section 8.3 of [RFC5473] for further considerations.
此技术可能有助于减少导出的带宽要求。然而,尚未对收益进行详细分析;更多注意事项,请参考[RFC5473]第8.3节。
10.1.2. Encoding Common Properties Elements with Structured Data Information Element
10.1.2. 用结构化数据信息元素编码公共属性元素
Structured Data Information Element MAY be used to define a list of commonPropertiesID, as a replacement for the specifications in [RFC5473].
结构化数据信息元素可用于定义公共属性ID列表,以替代[RFC5473]中的规范。
Indeed, the example in Figures 1 and 2 of [RFC5473] can be encoded with the specifications in this document.
实际上,[RFC5473]图1和图2中的示例可以使用本文档中的规范进行编码。
+----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow1 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow2 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow3 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow4 information> | +----------------+-------------+---------------------------+ | ... | ... | ... | +----------------+-------------+---------------------------+
+----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow1 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow2 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow3 information> | +----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow4 information> | +----------------+-------------+---------------------------+ | ... | ... | ... | +----------------+-------------+---------------------------+
Figure 28: Common and Specific Properties Exported Together [RFC5473]
图28:共同和特定属性一起导出[RFC5473]
+------------------------+-----------------+-------------+ | index for properties A | sourceAddressA | sourcePortA | +------------------------+-----------------+-------------+ | ... | ... | ... | +------------------------+-----------------+-------------+
+------------------------+-----------------+-------------+ | index for properties A | sourceAddressA | sourcePortA | +------------------------+-----------------+-------------+ | ... | ... | ... | +------------------------+-----------------+-------------+
+------------------------+---------------------------+ | index for properties A | <Flow1 information> | +------------------------+---------------------------+ | index for properties A | <Flow2 information> | +------------------------+---------------------------+ | index for properties A | <Flow3 information> | +------------------------+---------------------------+ | index for properties A | <Flow4 information> | +------------------------+---------------------------+
+------------------------+---------------------------+ | index for properties A | <Flow1 information> | +------------------------+---------------------------+ | index for properties A | <Flow2 information> | +------------------------+---------------------------+ | index for properties A | <Flow3 information> | +------------------------+---------------------------+ | index for properties A | <Flow4 information> | +------------------------+---------------------------+
Figure 29: Common and Specific Properties Exported Separately According to [RFC5473]
图29:根据[RFC5473]分别导出的通用和特定属性
+----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow1 information> | +----------------+-------------+---------------------------+ | <Flow2 information> | +---------------------------+ | <Flow3 information> | +---------------------------+ | <Flow4 information> | +---------------------------+ | ... | +---------------------------+
+----------------+-------------+---------------------------+ | sourceAddressA | sourcePortA | <Flow1 information> | +----------------+-------------+---------------------------+ | <Flow2 information> | +---------------------------+ | <Flow3 information> | +---------------------------+ | <Flow4 information> | +---------------------------+ | ... | +---------------------------+
Figure 30: Common and Specific Properties Exported with Structured Data Information Element
图30:使用结构化数据信息元素导出的公共和特定属性
The example in Figure 28 could be encoded with a basicList if the <Flow information> represents a single Information Element, with a subTemplateList if the <Flow information> represents a Template Record, or with a subTemplateMultiList if the <Flow information> is composed of different Template Records.
如果<Flow information>表示单个信息元素,则图28中的示例可以使用basicList编码;如果<Flow information>表示模板记录,则可以使用subTemplateList编码;如果<Flow information>由不同的模板记录组成,则可以使用subTemplateMultiList编码。
Using Structured Data Information Elements as a replacement for the techniques specified in "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports" [RFC5473] offers the advantage that a single Template Record is defined. Hence, the Collector's job is simplified in terms of Template management and combining Template/Options Template Records.
使用结构化数据信息元素替代“减少IP流信息导出(IPFIX)和数据包采样(PSAMP)报告中指定的技术”[RFC5473]具有定义单个模板记录的优势。因此,收集器的工作在模板管理和组合模板/选项模板记录方面得到了简化。
However, it must be noted that using Structured Data Information Elements as a replacement for the techniques specified in "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports" only applies to simplified cases. For example, the "Multiple Data Reduction" (Section 7.1 [RFC5473]) might be too complex to encode with Structured Data Information Elements.
但是,必须注意的是,使用结构化数据信息元素替代“减少IP流信息导出(IPFIX)和数据包采样(PSAMP)报告中指定的技术”仅适用于简化情况。例如,“多重数据缩减”(第7.1节[RFC5473])可能过于复杂,无法使用结构化数据信息元素进行编码。
[RFC5471] presents a list of tests for implementers of IP Flow Information Export (IPFIX) compliant Exporting Processes and Collecting Processes.
[RFC5471]为符合IP流信息导出(IPFIX)的导出过程和收集过程的实施者提供了测试列表。
Although [RFC5471] doesn't define any structured data element specific tests, the Structured Data Information Elements can be used in many of the [RFC5471] tests.
尽管[RFC5471]未定义任何特定于结构化数据元素的测试,但结构化数据信息元素可用于许多[RFC5471]测试。
The [RFC5471] series of test could be useful because the document specifies that every Information Element type should be tested. However, not all cases from this document are tested in [RFC5471].
[RFC5471]系列测试可能很有用,因为该文档规定应对每种信息元素类型进行测试。然而,并非本文件中的所有案例都在[RFC5471]中进行了测试。
The following sections are especially noteworthy:
以下章节特别值得注意:
3.2.1. Transmission of Template with Fixed-Size Information Elements
3.2.1. 具有固定大小信息元素的模板传输
- each data type should be used in at least one test. The new data types specified in Section 4.1 should be included in this test.
- 每种数据类型至少应在一次测试中使用。本试验应包括第4.1节中规定的新数据类型。
3.2.2. Transmission of Template with Variable-Length Information Elements
3.2.2. 具有可变长度信息元素的模板传输
- this test should be expanded to include Data Records containing variable length basicList, subTemplateList, and subTemplateMultiList Information Elements.
- 此测试应扩展为包括包含可变长度基本列表、子模板列表和子模板多列表信息元素的数据记录。
3.3.1. Enterprise-Specific Information Elements
3.3.1. 特定于企业的信息要素
- this test should include the export of basicList, subTemplateList, and subTemplateMultiList Information Elements containing Enterprise-specific Information Elements, e.g., see the example in Figure 2.
- 此测试应包括导出包含企业特定信息元素的basicList、subTemplateList和subTemplateMultiList信息元素,例如,请参见图2中的示例。
3.3.3. Multiple Instances of the Same Information Element in One Template
3.3.3. 同一模板中同一信息元素的多个实例
- this test should verify that multiple instances of the basicList, subTemplateList, and subTemplateMultiList Information Elements are accepted.
- 此测试应验证是否接受basicList、subTemplateList和subTemplateMultiList信息元素的多个实例。
3.5. Stress/Load Tests
3.5. 应力/载荷试验
- since the structured data types defined here allow modeling of complex data structures, they may be useful for stress testing both Exporting Processes and Collecting Processes.
- 由于此处定义的结构化数据类型允许对复杂的数据结构进行建模,因此它们对于导出过程和收集过程的压力测试可能都很有用。
The Structured Data Information Elements would be beneficial for the export of aggregated Data Records in mediation function, as was demonstrated with the example of the aggregated Observation Point in Section 5.3.
结构化数据信息元素有助于在中介功能中导出聚合数据记录,如第5.3节中聚合观察点的示例所示。
This document specifies several new IPFIX abstract data types, a new IPFIX Data Type Semantic, and several new Information Elements.
本文档指定了几个新的IPFIX抽象数据类型、一个新的IPFIX数据类型语义和几个新的信息元素。
Two new IPFIX registries have been created, and the existing IPFIX Information Element registry has been updated as detailed below.
已创建了两个新的IPFIX注册表,现有的IPFIX信息元素注册表已更新,详情如下。
Section 4.1 of this document specifies several new IPFIX abstract data types. Per Section 6 of the IPFIX information model [RFC5102], new abstract data types can be added to the IPFIX information model in the IPFIX Information Element Data Types registry.
本文件第4.1节规定了几种新的IPFIX抽象数据类型。根据IPFIX信息模型[RFC5102]的第6节,可以将新的抽象数据类型添加到IPFIX信息元素数据类型注册表中的IPFIX信息模型中。
Abstract data types that have been added to the IPFIX Information Element Data Types registry are listed below.
下面列出了已添加到IPFIX信息元素数据类型注册表的抽象数据类型。
The type "basicList" represents a list of any Information Element used for single-valued data types.
类型“basicList”表示用于单值数据类型的任何信息元素的列表。
The type "subTemplateList" represents a list of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record.
类型“subTemplateList”表示结构化数据类型的列表,其中每个列表元素的数据类型相同,并且与单个模板记录相对应。
The type "subTemplateMultiList" represents a list of structured data types, where the data types of the list elements can be different and correspond with different Template definitions.
类型“subTemplateMultiList”表示结构化数据类型的列表,其中列表元素的数据类型可以不同,并且对应于不同的模板定义。
Section 4.2 of this document specifies a new IPFIX Data Type Semantic. Per Section 3.2 of the IPFIX information model [RFC5102], new data type semantics can be added to the IPFIX information model. Therefore, the IANA IPFIX informationElementSemantics registry [IANA-IPFIX], which contains all the data type semantics from Section 3.2 of [RFC5102], has been augmented with the "list" value below.
本文件第4.2节规定了新的IPFIX数据类型语义。根据IPFIX信息模型[RFC5102]的第3.2节,可以向IPFIX信息模型添加新的数据类型语义。因此,包含[RFC5102]第3.2节中所有数据类型语义的IANA IPFIX informationElementSemantics注册表[IANA-IPFIX]已增加了以下“列表”值。
A list is a structured data type, being composed of a sequence of elements, e.g., Information Element, Template Record.
列表是一种结构化数据类型,由一系列元素组成,例如信息元素、模板记录。
Section 4.3 of this document specifies several new Information Elements that have been created in the IPFIX Information Element registry [IANA-IPFIX].
本文件第4.3节规定了在IPFIX信息元素注册表[IANA-IPFIX]中创建的几个新信息元素。
New Information Elements that have been added to the IPFIX Information Element registry are listed below.
已添加到IPFIX信息元素注册表的新信息元素如下所示。
Name: basicList Description: Specifies a generic Information Element with a basicList abstract data type. Examples include a list of port numbers, and a list of interface indexes. Abstract Data Type: basicList Data Type Semantics: list ElementId: 291 Status: current
名称:basicList描述:指定具有basicList抽象数据类型的通用信息元素。示例包括端口号列表和接口索引列表。抽象数据类型:basicList数据类型语义:list ElementId:291状态:当前
Name: subTemplateList Description: Specifies a generic Information Element with a subTemplateList abstract data type. Abstract Data Type: subTemplateList Data Type Semantics: list ElementId: 292 Status: current
名称:subTemplateList描述:指定具有subTemplateList抽象数据类型的泛型信息元素。抽象数据类型:子模板数据类型语义:列表元素ID:292状态:当前
Name: subTemplateMultiList Description: Specifies a generic Information Element with a subTemplateMultiList abstract data type. Abstract Data Type: subTemplateMultiList Data Type Semantics: list ElementId: 293 Status: current
名称:subTemplateMultiList描述:指定具有subTemplateMultiList抽象数据类型的通用信息元素。抽象数据类型:subTemplateMultiList数据类型语义:list ElementId:293状态:当前
Section 4.4 of this document specifies a series of new IPFIX structured data type semantics, which is expressed as an 8-bit value. This requires the creation of a new "IPFIX Structured Data Types Semantics" IPFIX subregistry [IANA-IPFIX].
本文档第4.4节规定了一系列新的IPFIX结构化数据类型语义,表示为8位值。这需要创建新的“IPFIX结构化数据类型语义”IPFIX子区域[IANA-IPFIX]。
Entries may be added to this subregistry subject to a Standards Action [RFC5226]. Initially, this registry includes all the structured data type semantics listed below.
根据标准行动[RFC5226],可将条目添加到此子地区。最初,该注册表包含下面列出的所有结构化数据类型语义。
Name: undefined
名称:未定义
Description: The "undefined" structured data type semantic specifies that the semantic of list elements is not specified and that, if a semantic exists, then it is up to the Collecting Process to draw its own conclusions. The "undefined" structured data type semantic is the default structured data type semantic.
描述:“未定义”结构化数据类型语义指定列表元素的语义未指定,如果存在语义,则由收集过程得出自己的结论。“未定义”结构化数据类型语义是默认的结构化数据类型语义。
Value: 0xFF
值:0xFF
Reference: RFC 6313
参考:RFC6313
Name: noneOf
姓名:无
Description: The "noneOf" structured data type semantic specifies that none of the elements are actual properties of the Data Record.
描述:“noneOf”结构化数据类型语义指定所有元素都不是数据记录的实际属性。
Value: 0x00
值:0x00
Reference: RFC 6313
参考:RFC6313
Name: exactlyOneOf
姓名:exactlyOneOf
Description: The "exactlyOneOf" structured data type semantic specifies that only a single element from the structured data is an actual property of the Data Record. This is equivalent to a logical XOR operation.
描述:“exactlyOneOf”结构化数据类型语义指定结构化数据中只有一个元素是数据记录的实际属性。这相当于逻辑异或操作。
Value: 0x01
值:0x01
Reference: RFC 6313
参考:RFC6313
Name: oneOrMoreOf
姓名:一个或多个
Description: The "oneOrMoreOf" structured data type semantic specifies that one or more elements from the list in the structured data are actual properties of the Data Record. This is equivalent to a logical OR operation.
描述:“oneOrMoreOf”结构化数据类型语义指定结构化数据列表中的一个或多个元素是数据记录的实际属性。这相当于逻辑OR操作。
Value: 0x02
值:0x02
Reference: RFC 6313
参考:RFC6313
Name: allOf
姓名:allOf
Description: The "allOf" structured data type semantic specifies that all of the list elements from the structured data are actual properties of the Data Record.
描述:“allOf”结构化数据类型语义指定结构化数据中的所有列表元素都是数据记录的实际属性。
Value: 0x03
值:0x03
Reference: RFC 6313
参考:RFC6313
Name: ordered Description: The "ordered" structured data type semantic specifies that elements from the list in the structured data are ordered.
名称:有序描述:“有序”结构化数据类型语义指定结构化数据中列表中的元素是有序的。
Value: 0x04
值:0x04
Reference: RFC 6313
参考:RFC6313
The addition of complex data types necessarily complicates the implementation of the Collector. This could easily result in new security vulnerabilities (e.g., buffer overflows); this creates additional risk in cases where either Datagram Transport Layer Security (DTLS) is not used or if the Observation Point and Collector belong to different trust domains. Otherwise, the same security considerations as for the IPFIX protocol [RFC5101] and the IPFIX information model [RFC5102] apply.
添加复杂数据类型必然使收集器的实现复杂化。这很容易导致新的安全漏洞(例如,缓冲区溢出);如果未使用数据报传输层安全性(DTLS),或者观察点和收集器属于不同的信任域,则会产生额外的风险。否则,适用与IPFIX协议[RFC5101]和IPFIX信息模型[RFC5102]相同的安全注意事项。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC5101] Claise, B., Ed., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.
[RFC5101]Claise,B.,Ed.,“交换IP流量信息的IP流量信息导出(IPFIX)协议规范”,RFC 5101,2008年1月。
[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.
[RFC5102]Quitek,J.,Bryant,S.,Claise,B.,Aitken,P.,和J.Meyer,“IP流信息导出的信息模型”,RFC 5102,2008年1月。
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.
[RFC5226]Narten,T.和H.Alvestrand,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 5226,2008年5月。
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.
[RFC3917]Quitek,J.,Zseby,T.,Claise,B.,和S.Zander,“IP流信息导出(IPFIX)的要求”,RFC 39172004年10月。
[RFC5103] Trammell, B. and E. Boschi, "Bidirectional Flow Export Using IP Flow Information Export (IPFIX)", RFC 5103, January 2008.
[RFC5103]Trammell,B.和E.Boschi,“使用IP流量信息导出(IPFIX)的双向流量导出”,RFC 5103,2008年1月。
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.
[RFC5470]Sadasivan,G.,Brownlee,N.,Claise,B.,和J.Quitek,“IP流信息导出架构”,RFC 54702009年3月。
[RFC5471] Schmoll, C., Aitken, P., and B. Claise, "Guidelines for IP Flow Information Export (IPFIX) Testing", RFC 5471, March 2009.
[RFC5471]Schmoll,C.,Aitken,P.,和B.Claise,“IP流信息导出(IPFIX)测试指南”,RFC 54712009年3月。
[RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP Flow Information Export (IPFIX) Applicability", RFC 5472, March 2009.
[RFC5472]Zseby,T.,Boschi,E.,Brownlee,N.,和B.Claise,“IP流信息导出(IPFIX)适用性”,RFC 54722009年3月。
[RFC5473] Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports", RFC 5473, March 2009.
[RFC5473]Boschi,E.,Mark,L.,和B.Claise,“减少IP流信息导出(IPFIX)和数据包采样(PSAMP)报告中的冗余”,RFC 5473,2009年3月。
[RFC5475] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", RFC 5475, March 2009.
[RFC5475]Zseby,T.,Molina,M.,Duffield,N.,Niccolini,S.,和F.Raspall,“IP数据包选择的采样和过滤技术”,RFC 5475,2009年3月。
[RFC5476] Claise, B., Ed., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, March 2009.
[RFC5476]Claise,B.,Ed.,Johnson,A.,和J.Quittek,“数据包采样(PSAMP)协议规范”,RFC 54762009年3月。
[RFC5477] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", RFC 5477, March 2009.
[RFC5477]Dietz,T.,Claise,B.,Aitken,P.,Dressler,F.,和G.Carle,“数据包抽样出口的信息模型”,RFC 5477,2009年3月。
[IANA-IPFIX] IANA, "IP Flow Information Export (IPFIX) Entities", <http://www.iana.org/>.
[IANA-IPFIX]IANA,“IP流信息导出(IPFIX)实体”<http://www.iana.org/>.
The authors would like to thank Zhipu Jin, Nagaraj Varadharajan, Brian Trammel, Atsushi Kobayashi, and Rahul Patel for their feedback, and Gerhard Muenz, for proofreading the document.
作者要感谢Jin Zhipu、Nagaraj Varadharajan、Brian Trammel、Atsushi Kobayashi和Rahul Patel的反馈,以及Gerhard Muenz对文件的校对。
Appendix A. Additions to XML Specification of IPFIX Information Elements and Abstract Data Types
附录A.对IPFIX信息元素和抽象数据类型的XML规范的补充
This appendix contains additions to the machine-readable description of the IPFIX information model coded in XML in Appendices A and B in [RFC5102]. Note that this appendix is of informational nature, while the text in Section 4 (generated from this appendix) is normative.
本附录包含对[RFC5102]附录A和附录B中以XML编码的IPFIX信息模型的机器可读说明的补充。请注意,本附录为信息性附录,而第4节(由本附录产生)中的文本为规范性附录。
The following field definitions are appended to the IPFIX information model in Appendix A of [RFC5102].
[RFC5102]附录A中的IPFIX信息模型附加了以下字段定义。
<field name="basicList" dataType="basicList" group="structured-data" dataTypeSemantics="List" elementId="291" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of any Information Element, primarily used for single-valued data types. Examples include a list of port numbers, list of interface indexes, and a list of AS in a BGP AS-PATH. </paragraph> </description> </field>
<field name="basicList" dataType="basicList" group="structured-data" dataTypeSemantics="List" elementId="291" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of any Information Element, primarily used for single-valued data types. Examples include a list of port numbers, list of interface indexes, and a list of AS in a BGP AS-PATH. </paragraph> </description> </field>
<field name="subTemplateList" dataType="subTemplateList" group="structured-data" dataTypeSemantics="List" elementId="292" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record. Examples include a structured data type composed of multiple pairs of ("MPLS label stack entry position", "MPLS label stack value"), a structured data type composed of performance metrics, and a structured data type composed of multiple pairs of IP address. </paragraph> </description> </field>
<field name="subTemplateList" dataType="subTemplateList" group="structured-data" dataTypeSemantics="List" elementId="292" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record. Examples include a structured data type composed of multiple pairs of ("MPLS label stack entry position", "MPLS label stack value"), a structured data type composed of performance metrics, and a structured data type composed of multiple pairs of IP address. </paragraph> </description> </field>
<field name="subTemplateMultiList" dataType="subTemplateMultiList" group="structured-data" dataTypeSemantics="List" elementId="293" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of structured data types, where the data type of each list element can be different and corresponds with different Template definitions. Examples include, a structured data type composed of multiple access-list entries, where entries can be composed of different criteria types. </paragraph> </description> </field>
<field name="subTemplateMultiList" dataType="subTemplateMultiList" group="structured-data" dataTypeSemantics="List" elementId="293" applicability="all" status="current"> <description> <paragraph> Represents a list of zero or more instances of structured data types, where the data type of each list element can be different and corresponds with different Template definitions. Examples include, a structured data type composed of multiple access-list entries, where entries can be composed of different criteria types. </paragraph> </description> </field>
The following structured data type semantic definitions are appended to the IPFIX information model in Appendix A of [RFC5102].
[RFC5102]附录A中的IPFIX信息模型附加了以下结构化数据类型语义定义。
<structuredDataTypeSemantics> <structuredDataTypeSemantic name="undefined" value="255"> <description> <paragraph> The "undefined" structured data type semantic specifies that the semantic of list elements is not specified and that, if a semantic exists, then it is up to the Collecting Process to draw its own conclusions. The "undefined" structured data type semantic is the default structured data type semantic. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantics> <structuredDataTypeSemantic name="undefined" value="255"> <description> <paragraph> The "undefined" structured data type semantic specifies that the semantic of list elements is not specified and that, if a semantic exists, then it is up to the Collecting Process to draw its own conclusions. The "undefined" structured data type semantic is the default structured data type semantic. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="noneOf" value="0"> <description> <paragraph> The "noneOf" structured data type semantic specifies that none of the elements are actual properties of the Data Record. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="noneOf" value="0"> <description> <paragraph> The "noneOf" structured data type semantic specifies that none of the elements are actual properties of the Data Record. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="exactlyOneOf" value="1"> <description> <paragraph> The "exactlyOneOf" structured data type semantic specifies that only a single element from the structured data is an actual property of the Data Record. This is equivalent to a logical XOR operation. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="exactlyOneOf" value="1"> <description> <paragraph> The "exactlyOneOf" structured data type semantic specifies that only a single element from the structured data is an actual property of the Data Record. This is equivalent to a logical XOR operation. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="oneOrMoreOf" value="2"> <description> <paragraph> The "oneOrMoreOf" structured data type semantic specifies that one or more elements from the list in the structured data are actual properties of the Data Record. This is equivalent to a logical OR operation. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="oneOrMoreOf" value="2"> <description> <paragraph> The "oneOrMoreOf" structured data type semantic specifies that one or more elements from the list in the structured data are actual properties of the Data Record. This is equivalent to a logical OR operation. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="allOf" value="3"> <description> <paragraph> The "allOf" structured data type semantic specifies that all of the list elements from the structured data are actual properties of the Data Record. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="allOf" value="3"> <description> <paragraph> The "allOf" structured data type semantic specifies that all of the list elements from the structured data are actual properties of the Data Record. </paragraph> </description> </structuredDataTypeSemantic>
<structuredDataTypeSemantic name="ordered" value="4"> <description> <paragraph> The "ordered" structured data type semantic specifies that elements from the list in the structured data are ordered. </paragraph> </description> </structuredDataTypeSemantic> </structuredDataTypeSemantics>
<structuredDataTypeSemantic name="ordered" value="4"> <description> <paragraph> The "ordered" structured data type semantic specifies that elements from the list in the structured data are ordered. </paragraph> </description> </structuredDataTypeSemantic> </structuredDataTypeSemantics>
The following schema definitions are appended to the abstract data types defined in Appendix B of [RFC5102]. This schema and its namespace are registered by IANA at http://www.iana.org/assignments/xml-registry/schema/ipfix.xsd.
以下模式定义附加到[RFC5102]附录B中定义的抽象数据类型。此架构及其命名空间由IANA在注册http://www.iana.org/assignments/xml-registry/schema/ipfix.xsd.
<simpleType name="dataType"> <restriction base="string"> <enumeration value="basicList"> <annotation> <documentation> Represents a list of zero or more instances of any Information Element, primarily used for single-valued data types. Examples include a list of port numbers, a list of interface indexes, and a list of AS in a BGP AS-PATH. </documentation> </annotation> </enumeration> <enumeration value="subTemplateList"> <annotation> <documentation> Represents a list of zero or more instances of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record. Examples include a structured data type composed of multiple pairs of ("MPLS label stack entry position", "MPLS label stack value"), a structured data type composed of performance metrics, and a structured data type composed of multiple pairs of IP address. </documentation> </annotation> </enumeration> <enumeration value="subTemplateMultiList"> <annotation> <documentation> Represents a list of zero or more instances of structured data types, where the data type of each list element can be different and corresponds with different Template definitions. An example is a structured data type composed of multiple access-list entries, where entries can be composed of different criteria types. </documentation> </annotation> </enumeration> </restriction> </simpleType>
<simpleType name="dataType"> <restriction base="string"> <enumeration value="basicList"> <annotation> <documentation> Represents a list of zero or more instances of any Information Element, primarily used for single-valued data types. Examples include a list of port numbers, a list of interface indexes, and a list of AS in a BGP AS-PATH. </documentation> </annotation> </enumeration> <enumeration value="subTemplateList"> <annotation> <documentation> Represents a list of zero or more instances of a structured data type, where the data type of each list element is the same and corresponds with a single Template Record. Examples include a structured data type composed of multiple pairs of ("MPLS label stack entry position", "MPLS label stack value"), a structured data type composed of performance metrics, and a structured data type composed of multiple pairs of IP address. </documentation> </annotation> </enumeration> <enumeration value="subTemplateMultiList"> <annotation> <documentation> Represents a list of zero or more instances of structured data types, where the data type of each list element can be different and corresponds with different Template definitions. An example is a structured data type composed of multiple access-list entries, where entries can be composed of different criteria types. </documentation> </annotation> </enumeration> </restriction> </simpleType>
<simpleType name="dataTypeSemantics"> <restriction base="string"> <enumeration value="List"> <annotation> <documentation> Represents an arbitrary-length sequence of structured data elements, either composed of regular Information Elements or composed of data conforming to a Template Record. </documentation> </annotation> </enumeration> </restriction> </simpleType>
<simpleType name="dataTypeSemantics"> <restriction base="string"> <enumeration value="List"> <annotation> <documentation> Represents an arbitrary-length sequence of structured data elements, either composed of regular Information Elements or composed of data conforming to a Template Record. </documentation> </annotation> </enumeration> </restriction> </simpleType>
<complexType name="structuredDataTypeSemantics"> <sequence> <element name="structuredDataTypeSemantic" minOccurs="1" maxOccurs="unbounded"> <complexType> <sequence> <element name="description" type="text"/> </sequence> <attribute name="name" type="string" use="required"/> <attribute name="value" type="unsignedByte" use="required"/> </complexType> </element> </sequence> </complexType>
<complexType name="structuredDataTypeSemantics"> <sequence> <element name="structuredDataTypeSemantic" minOccurs="1" maxOccurs="unbounded"> <complexType> <sequence> <element name="description" type="text"/> </sequence> <attribute name="name" type="string" use="required"/> <attribute name="value" type="unsignedByte" use="required"/> </complexType> </element> </sequence> </complexType>
<element name="structuredDataTypeSemantics" type="structuredDataTypeSemantics"> <annotation> <documentation> Structured data type semantics express the relationship among multiple list elements in a structured data Information Element. </documentation> </annotation> </element>
<element name="structuredDataTypeSemantics" type="structuredDataTypeSemantics"> <annotation> <documentation> Structured data type semantics express the relationship among multiple list elements in a structured data Information Element. </documentation> </annotation> </element>
Appendix B. Encoding IPS Alert Using Structured Data Information Elements
附录B.使用结构化数据信息元素对IPS警报进行编码
In this section, an IPS alert example is used to demonstrate how complex data and multiple levels of hierarchy can be encoded using Structured Data Information Elements. Also, this example demonstrates how a basicList of subTemplateLists can be used to represent semantics at multiple levels in the hierarchy.
在本节中,将使用IPS警报示例演示如何使用结构化数据信息元素对复杂数据和多层次结构进行编码。此外,该示例还演示了如何使用子模板的基本列表在层次结构的多个级别上表示语义。
An IPS alert consists of the following mandatory attributes: signatureId, protocolIdentifier, and riskRating. It can also contain zero or more participants, and each participant can contain zero or more attackers and zero or more targets. An attacker contains the attributes sourceIPv4Address and applicationId, and a target contains the attributes destinationIPv4Address and applicationId.
IPS警报由以下强制属性组成:signatureId、protocolIdentifier和riskRating。它还可以包含零个或多个参与者,每个参与者可以包含零个或多个攻击者和零个或多个目标。攻击者包含属性sourceIPv4Address和applicationId,而目标包含属性destinationIPv4Address和applicationId。
Note that the signatureId and riskRating Information Element fields are created for these examples only; the Field IDs are shown as N/A. The signatureId helps to uniquely identify the IPS signature that triggered the alert. The riskRating identifies the potential risk, on a scale of 0-100 (100 being most serious), of the traffic that triggered the alert.
请注意,signatureId和riskRating信息元素字段仅为这些示例创建;字段ID显示为N/A。signatureId有助于唯一标识触发警报的IPS签名。riskRating以0-100(100为最严重)的等级识别触发警报的流量的潜在风险。
Consider the example described in case study 2 of Section 5.6. The IPS alert contains participants encoded as a subTemplateList with semantic allOf. Each participant uses a basicList of subTemplateLists to represent attackers and targets. For the sake of simplicity, the alert has two participants P1 and P2. In participant P1, attacker A1 or A2 attacks target T1. In participant P2, attacker A3 attacks targets T2 and T3.
考虑在第5.6部分的案例研究2中描述的例子。IPS警报包含编码为子模板列表的参与者,其中包含语义allOf。每个参与者使用子模板的基本列表来表示攻击者和目标。为简单起见,警报有两个参与者P1和P2。在参与者P1中,攻击者A1或A2攻击目标T1。在参与者P2中,攻击者A3攻击目标T2和T3。
Participant P1:
参与者P1:
(basicList, allOf,
(基本主义者,所有人,
(subTemplateList, exactlyOneOf, attacker A1, A2)
(子员工,exactlyOneOf,攻击者A1、A2)
(subTemplateList, undefined, target T1)
(子模板列表,未定义,目标T1)
)
)
Participant P2:
参与者P2:
(basicList, allOf,
(基本主义者,所有人,
(subTemplateList, undefined, attacker A3, (subTemplateList, allOf, targets T2, T3)
(子模板列表,未定义,攻击者A3,(子模板列表,allOf,目标T2,T3)
)
)
Alert :
警觉的:
(subTemplateList, allOf, Participant P1, Participant P2)
(副员工,allOf,参与者P1,参与者P2)
------------------------------------------------------------------ | | | participant sigId |protocol| risk | attacker | target | Id | Rating | IP | appId | IP | appId ------------------------------------------------------------------ 1003 17 10 192.0.2.3 103 192.0.2.103 3001 192.0.2.4 104
------------------------------------------------------------------ | | | participant sigId |protocol| risk | attacker | target | Id | Rating | IP | appId | IP | appId ------------------------------------------------------------------ 1003 17 10 192.0.2.3 103 192.0.2.103 3001 192.0.2.4 104
192.0.2.5 105 192.0.2.104 4001 192.0.2.105 5001 ------------------------------------------------------------------
192.0.2.5 105 192.0.2.104 4001 192.0.2.105 5001 ------------------------------------------------------------------
Participant P1 contains: Attacker A1: (IP, appId)=(192.0.2.3, 103) Attacker A2: (IP, appId)=(192.0.2.4, 104) Target T1: (IP, appId)= (192.0.2.103, 3001)
Participant P1 contains: Attacker A1: (IP, appId)=(192.0.2.3, 103) Attacker A2: (IP, appId)=(192.0.2.4, 104) Target T1: (IP, appId)= (192.0.2.103, 3001)
Participant P2 contains: Attacker A3: (IP, appId) = (192.0.2.5, 105) Target T2: (IP, appId)= (192.0.2.104, 4001) Target T3: (IP, appId)= (192.0.2.105, 5001)
Participant P2 contains: Attacker A3: (IP, appId) = (192.0.2.5, 105) Target T2: (IP, appId)= (192.0.2.104, 4001) Target T3: (IP, appId)= (192.0.2.105, 5001)
To represent an alert, the following Templates are defined: Template for target (268) Template for attacker (269)
为了表示警报,定义了以下模板:目标模板(268)攻击者模板(269)
Template for participant (270) Template for alert (271)
参与者模板(270)警报模板(271)
alert (271) | (signatureId) | (protocolIdentifier) | (riskRating) | +------- participant (270) | +------- attacker (269) | (sourceIPv4Address) | (applicationId) | +------- target (268) | (destinationIPv4Address) | (applicationId)
alert (271) | (signatureId) | (protocolIdentifier) | (riskRating) | +------- participant (270) | +------- attacker (269) | (sourceIPv4Address) | (applicationId) | +------- target (268) | (destinationIPv4Address) | (applicationId)
Note that the attackers are always composed of a single applicationId, while the targets typically have multiple applicationIds; for the sake of simplicity, this example shows only one applicationId in the target.
请注意,攻击者总是由单个applicationId组成,而目标通常有多个applicationId;为了简单起见,此示例仅显示目标中的一个applicationId。
Template Record for target, with the Template ID 268:
目标的模板记录,模板ID为268:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 268 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| applicationId = 95 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 268 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| destinationIPv4Address = 12 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| applicationId = 95 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 31: Encoding IPS Alert, Template for Target
图31:编码IPS警报,目标的模板
Template Record for attacker, with the Template ID 269:
攻击者的模板记录,模板ID为269:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 269 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| applicationId = 95 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 16 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 269 | Field Count = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| sourceIPv4Address = 8 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| applicationId = 95 | Field Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 32: Encoding IPS Alert, Template for Attacker
图32:编码IPS警报,攻击者模板
Template Record for participant, with the Template ID 270:
参与者的模板记录,模板ID为270:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 12 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 270 | Field Count = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| basicList = 291 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 12 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 270 | Field Count = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| basicList = 291 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 33: Encoding IPS Alert, Template for Participant
图33:编码IPS警报,参与者模板
The Template Record for the participant has one basicList Information Element, which is a list of subTemplateLists of attackers and targets.
参与者的模板记录有一个基本信息元素,即攻击者和目标的子模板列表。
Template Record for IPS alert, with the Template ID 271:
IPS警报的模板记录,模板ID为271:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 271 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| signatureId = N/A | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| riskRating = N/A | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateList = 292 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 2 | Length = 24 octets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID = 271 | Field Count = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| signatureId = N/A | Field Length = 2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| protocolIdentifier = 4 | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| riskRating = N/A | Field Length = 1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| subTemplateList = 292 | Field Length = 0xFFFF | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 34: Encoding IPS Alert, Template for IPS Alert
图34:编码IPS警报,IPS警报模板
The subTemplateList in the alert Template Record contains a list of participants.
警报模板记录中的子模板列表包含参与者列表。
The Length of basicList and subTemplateList are encoded in three bytes even though they may be less than 255 octets.
basicList和subTemplateList的长度以三个字节编码,即使它们可能小于255个八位字节。
The Data Set is represented as follows:
数据集表示如下:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 271 | Length = 102 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | signatureId = 1003 | protocolId=17 | riskRating=10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 |participant List Length = 91 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | participant Template ID = 270 | 255 | P1 List Len = | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 41 | semantic=allOf| P1 List Field ID = 292 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 List Field ID Len = 0xFFFF | 255 |P1 attacker ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | List Len = 19 |sem=exactlyOne | P1 attacker Template ID = 269 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A1 sourceIPv4Address = 192.0.2.3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A1 applicationId = 103 |
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Set ID = 271 | Length = 102 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | signatureId = 1003 | protocolId=17 | riskRating=10 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 |participant List Length = 91 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | participant Template ID = 270 | 255 | P1 List Len = | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 41 | semantic=allOf| P1 List Field ID = 292 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 List Field ID Len = 0xFFFF | 255 |P1 attacker ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | List Len = 19 |sem=exactlyOne | P1 attacker Template ID = 269 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A1 sourceIPv4Address = 192.0.2.3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A1 applicationId = 103 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A2 sourceIPv4Address = 192.0.2.4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A2 applicationId = 104 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | P1 target List Len = 11 | sem=undefined | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 target Template ID = 268 | P1 target T1 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.103 |P1 target T1 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 3001 | 255 | P2 List Len = | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 41 | semantic=allOf| P2 List Field ID = 292 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 List Field ID Len = 0xFFFF | 255 |P2 attacker ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | List Len = 11 | sem=undefined | P2 attacker Template ID = 269 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 attacker A3 sourceIPv4Address = 192.0.2.5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 attacker A3 applicationId = 105 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | P2 target List Len = 19 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 target Template ID = 268 | P2 target T2 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.104 |P2 target T2 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 4001 | P2 target T3 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.105 |P2 target T3 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 5001 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A2 sourceIPv4Address = 192.0.2.4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 attacker A2 applicationId = 104 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | P1 target List Len = 11 | sem=undefined | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P1 target Template ID = 268 | P1 target T1 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.103 |P1 target T1 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 3001 | 255 | P2 List Len = | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 41 | semantic=allOf| P2 List Field ID = 292 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 List Field ID Len = 0xFFFF | 255 |P2 attacker ...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | List Len = 11 | sem=undefined | P2 attacker Template ID = 269 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 attacker A3 sourceIPv4Address = 192.0.2.5 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 attacker A3 applicationId = 105 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 255 | P2 target List Len = 19 |semantic=allOf | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | P2 target Template ID = 268 | P2 target T2 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.104 |P2 target T2 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 4001 | P2 target T3 destinationIPv4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... Address = 192.0.2.105 |P2 target T3 applicationId =...| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... 5001 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note: sem=exactlyOne represents semantic=exactlyOneOf
Note: sem=exactlyOne represents semantic=exactlyOneOf
Figure 35: Encoding IPS Alert, Data Set
图35:编码IPS警报,数据集
Authors' Addresses
作者地址
Benoit Claise Cisco Systems, Inc. De Kleetlaan 6a b1 Diegem 1813 Belgium
比利时Benoit Claise思科系统有限公司De Kleetlaan 6a b1 Diegem 1813
Phone: +32 2 704 5622 EMail: bclaise@cisco.com
Phone: +32 2 704 5622 EMail: bclaise@cisco.com
Gowri Dhandapani Cisco Systems, Inc. 13615 Dulles Technology Drive Herndon, Virginia 20171 United States
Gowri Dhandapani Cisco Systems,Inc.美国弗吉尼亚州赫恩登市杜勒斯技术大道13615号,邮编20171
Phone: +1 408 853 0480 EMail: gowri@cisco.com
Phone: +1 408 853 0480 EMail: gowri@cisco.com
Paul Aitken Cisco Systems, Inc. 96 Commercial Quay Commercial Street Edinburgh, EH6 6LX United Kingdom
Paul Aitken Cisco Systems,Inc.英国爱丁堡商业码头商业街96号,EH6 6LX
Phone: +44 131 561 3616 EMail: paitken@cisco.com
Phone: +44 131 561 3616 EMail: paitken@cisco.com
Stan Yates Cisco Systems, Inc. 7100-8 Kit Creek Road PO Box 14987 Research Triangle Park, North Carolina 27709-4987 United States
Stan Yates Cisco Systems,Inc.地址:美国北卡罗来纳州三角研究公园Kit Creek路7100-8号邮政信箱14987 27709-4987
Phone: +1 919 392 8044 EMail: syates@cisco.com
Phone: +1 919 392 8044 EMail: syates@cisco.com