ietf

Re: sending strings data into IPfix stream

2013-07-01 08:05:07
Hi, Thierry,

Have a look in the IANA information element registry 
(http://www.iana.org/assignments/ipfix) to see if there are existing IEs for 
the information you want to export. 

Hostnames, I think, are not there -- in general, IPFIX exporters deal in 
addresses taken from observed packets and leave it up to the collector to do 
reverse resolution, due to (1) the amount of time DNS reverse lookups can take, 
blocking measurement activity on a (presumably) resource-constrained metering 
process, as well as (2) the ambiguity inherent within reverse lookups (due to 
e.g. misconfigured local and/or authoritative resolvers). In an environment 
where you have a good, internal database of hostnames (e.g. because the 
metering process is colocated with a DHCP server), this is more likely to be 
useful, though.

If you'd like to export information _not_ in the IANA Information Element 
registry, you have two options: (1) defining new enterprise-specific IEs scoped 
by your Private Enterprise Number (see Section 3.2 and example A.2.2. in 
http://tools.ietf.org/html/draft-ietf-ipfix-protocol-rfc5101bis) or (2) 
submitting a new Information Element definition for addition to the IANA 
registry (see http://tools.ietf.org/html/draft-ietf-ipfix-ie-doctors-07/ for 
guidelines on writing such a definition).

Keep in mind, for strings, you'll almost certainly be dealing with 
variable-length IE export; see section 7 of 
http://tools.ietf.org/html/draft-ietf-ipfix-protocol-rfc5101bis.

Cheers,

Brian


On 1 Jul 2013, at 11:06 , DESCOMBES Thierry 
<descombes(_at_)lpsc(_dot_)in2p3(_dot_)fr> wrote:

Hello,
Not sure if this is the right list for this type of message ...
I am developing an IPFIX exporter. It exports IP flows, and I'd like now to 
export some extra information (strings) about the machines on the LAN (the 
hostname of the machine, and other information ...)
What is the right way to do that (IPFIX fields to use, template options or 
not ...)
Thank you very much in advance. Regards
T. Descombes
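
Added example, not part of either message: a sketch of the enterprise-specific field specifier and the variable-length string encoding the reply points to (section 7 of the protocol draft), with a bounds-checked decoder for the collector side. The IE id `HOSTNAME_IE` is hypothetical, and 32473 is the documentation-use enterprise number from RFC 5612 standing in for your own PEN.

```python
import struct

VARLEN = 0xFFFF      # template field length meaning "variable-length"
EXAMPLE_PEN = 32473  # documentation-use PEN (RFC 5612); assumption, use your own
HOSTNAME_IE = 1      # hypothetical enterprise-specific IE id, not an IANA assignment


def field_specifier(ie_id, length, pen=None):
    """Template field specifier; the top bit of the IE id marks an enterprise IE."""
    if not 0 < ie_id < 0x8000:
        raise ValueError("IE id must fit in 15 bits")
    if pen is None:
        return struct.pack("!HH", ie_id, length)
    return struct.pack("!HHI", 0x8000 | ie_id, length, pen)


def encode_varlen(value):
    """Length-prefix a UTF-8 string: 1 octet below 255, else 255 plus 2 octets."""
    data = value.encode("utf-8")
    if len(data) < 255:
        return bytes([len(data)]) + data
    if len(data) > 0xFFFF:
        raise ValueError("value too long for the 2-octet length")
    return b"\xff" + struct.pack("!H", len(data)) + data


def decode_varlen(buf, offset=0):
    """Collector side: return (string, next_offset); reject lengths that overrun buf."""
    if offset >= len(buf):
        raise ValueError("truncated record: no length octet")
    length, start = buf[offset], offset + 1
    if length == 255:
        if start + 2 > len(buf):
            raise ValueError("truncated record: no extended length")
        (length,) = struct.unpack_from("!H", buf, start)
        start += 2
    end = start + length
    if end > len(buf):
        raise ValueError("declared length exceeds record")
    # Strict decoding: malformed UTF-8 raises instead of being passed downstream.
    return buf[start:end].decode("utf-8"), end


if __name__ == "__main__":
    print(field_specifier(HOSTNAME_IE, VARLEN, EXAMPLE_PEN).hex())
    # Constructed sample values: one short and one long string in a single record.
    record = encode_varlen("host-a.example") + encode_varlen("x" * 300)
    name, nxt = decode_varlen(record)
    print(name, len(decode_varlen(record, nxt)[0]))
```
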

