Internet-Draft    IPFIX Data Export Data Models    October 2021
Arokiaraj & Seda    Expires 11 April 2022

Workgroup: Network Working Group
Internet-Draft: draft-arokiarajseda-ipfix-data-export-yang-model-00
Intended Status: Standards Track
Authors: A. Arokiaraj (Nokia), M. Seda (Calix)

YANG model for Data Export over IP Flow Information Export (IPFIX) Protocol

Abstract

This document defines a flexible, modular YANG model for data export via the IPFIX protocol. The YANG models in this document conform to the Network Management Datastore Architecture (NMDA) defined in RFC 8342.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 April 2022.

1. Introduction

A device may be exporting statistics and other data for the consumption of a collector. The IPFIX protocol may be used to transport data such as:

These statistics and state information can be streamed using an IPFIX transport to an IPFIX collector that supports analytics tools. An operator may wish to take the data and analyze it for trend analysis purposes or other usages (e.g., collect octet counts every 5 minutes for service level agreement purposes or collect reported device temperature for network health purposes).

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The following terms that are defined in [RFC7011] are not redefined here:

  • Observation Domain
  • Exporting Process
  • Exporter
  • IPFIX Device
  • Collecting Process
  • Collector
  • Template
  • IPFIX Message
  • Template Record
  • Data Record
  • Options Template Record
  • Set
  • Template Set
  • Options Template Set
  • Data Set
  • Information Element
  • Transport Session

1.2. Tree Diagrams

Tree diagrams used in this document follow the notation defined in [RFC8340].

2. Objectives

This section describes some of the design objectives for the model presented in this RFC.

3. Structure of the Configuration Data Model

The IPFIX data export YANG model is structured in line with RFC 7317 and RFC 8343.

3.1. Data Exporter Decomposition

Figure 1 shows the main classes of the configuration model that are involved in data export. In a device that has a resource instance capable of reporting data through IPFIX, a data template is created and applied to that resource instance.

The ExportingProcess class contains configuration and state parameters of an exporting-process. It includes various TCP-specific parameters and the export destinations. The data-template may refer to multiple instances of the ExportingProcess class.

 +--------------------------------+
 | module:ietf-ipfix-data-export  |
 |--------------------------------|
 +--------------------------------+
              ^
              |
            1 |
 +------------+-------+              +---------------+
 | list:template-set  |              | list:resource |
 |--------------------|------------->+---------------|
 +------------+-------+         0..* +---------------+
              |
         0..* | exporting-process-ref
              v
 +-------------------------+
 | list:exporting-process  |
 |-------------------------|
 +-------------------------+
Figure 1: Data Exporter Model

4. Configuration and State Parameters

This section specifies the configuration and state parameters of the configuration data model separately for each class.

4.1. Exporting Process Class

The ExportingProcess class (Figure 2) specifies destinations to which the incoming packet reports and flow records are exported using objects of the destination class. The destination class includes the exporter.

The ExportingProcess class contains the identifier of the exporting process (exporting-process-id). This parameter corresponds to the information element exportingProcessId [IANA-IPFIX]. Its occurrence helps to associate exporting process reliability statistics exported according to the IPFIX protocol specification [RFC7011] with the corresponding object of the ExportingProcess class.

The order in which destination instances appear has a specific meaning only if the export-mode parameter is set to "fallback".

     +--rw exporting-process* [name] {exporter}?
        +--rw name                    name-type
        +--rw enabled?                boolean
        +--rw export-mode?            identityref
        +--rw destination* [name]
        |  +--rw name                   name-type
        |  +--rw exporter
        |         ...
        +--rw options* [name]
        |  +--rw name               name-type
        |  +--rw options-type       identityref
        |  +--rw options-timeout?   uint32
        +--ro exporting-process-id?   uint32
Figure 2: Exporting Process Class

The Exporting Process parameters are defined as follows:

enabled

Enables the exporting process to begin exporting data. The default is "enabled".

export-mode

Determines to which configured destination(s) the incoming data records are exported. The following parameter values are specified by the configuration data model:

  • parallel: every data record is exported to all configured destinations in parallel
  • load-balancing: every data record is exported to exactly one configured destination according to a device-specific load-balancing policy
  • fallback: every data record is exported to exactly one configured destination according to the fallback policy described below

If export-mode is set to "fallback", the first destination instance defines the primary destination, the second destination instance defines the secondary destination, and so on. If the exporting process fails to export data records to the primary destination, it tries to export them to the secondary one. If the secondary destination fails as well, it continues with the tertiary, etc. "parallel" is the default value if export-mode is not configured.

Note that the export-mode parameter is related to the ipfixExportMemberType object in [RFC6615]. If export-mode is "parallel", the ipfixExportMemberType values of the corresponding entries in IpfixExportTable are set to parallel(3). If export-mode is "load-balancing", the ipfixExportMemberType values of the corresponding entries in IpfixExportTable are set to loadBalancing(4). If export-mode is "fallback", the ipfixExportMemberType value that refers to the primary destination is set to primary(1); the ipfixExportMemberType values that refer to the remaining destinations need to be set to secondary(2). The IPFIX MIB module does not define any value for a tertiary destination, etc.
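The following sketch is an added illustration, not part of the draft or of any implementation. It shows how the three export-mode values and the ipfixExportMemberType mapping described above act on an ordered destination list. The `send` callback, `make_sender`, the destination names, and the round-robin pick used for "load-balancing" (the draft leaves that policy device-specific) are assumptions made for the example.

```python
from typing import Callable, Dict, List, Optional, Set

# ipfixExportMemberType values named in the text above (IPFIX MIB module).
PRIMARY, SECONDARY, PARALLEL, LOAD_BALANCING = 1, 2, 3, 4


def member_types(export_mode: Optional[str], destinations: List[str]) -> Dict[str, int]:
    """Map each destination, in configured order, to its ipfixExportMemberType."""
    mode = export_mode or "parallel"          # default when export-mode is unset
    if mode == "parallel":
        return {d: PARALLEL for d in destinations}
    if mode == "load-balancing":
        return {d: LOAD_BALANCING for d in destinations}
    if mode == "fallback":
        # Only the first entry is primary. Tertiary and later destinations have
        # no MIB value of their own and are reported as secondary(2).
        return {d: (PRIMARY if i == 0 else SECONDARY)
                for i, d in enumerate(destinations)}
    raise ValueError(f"unknown export-mode: {mode}")


def export_record(export_mode: Optional[str], destinations: List[str],
                  send: Callable[[str, bytes], bool], record: bytes,
                  sequence: int = 0) -> List[str]:
    """Export one data record and return the destinations that accepted it.

    `send` is a hypothetical transport callback that returns False on failure.
    `sequence` drives a round-robin pick, a stand-in for the device-specific
    load-balancing policy.
    """
    mode = export_mode or "parallel"
    if not destinations:
        return []
    if mode == "parallel":
        return [d for d in destinations if send(d, record)]
    if mode == "load-balancing":
        chosen = destinations[sequence % len(destinations)]
        return [chosen] if send(chosen, record) else []
    if mode == "fallback":
        for dest in destinations:             # primary, secondary, tertiary, ...
            if send(dest, record):
                return [dest]
        return []
    raise ValueError(f"unknown export-mode: {mode}")


def make_sender(down: Set[str]) -> Callable[[str, bytes], bool]:
    """Constructed transport stub: destinations listed in `down` refuse data."""
    return lambda dest, record: dest not in down


# Constructed destination list; list order is the configured order.
DESTINATIONS = ["collector-a", "collector-b", "collector-c"]

if __name__ == "__main__":
    sender = make_sender({"collector-a"})
    print(export_record("fallback", DESTINATIONS, sender, b"record"))
    print(member_types("fallback", DESTINATIONS))
```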

The reporting of information with options templates is defined with objects of the Options class.

The exporting process may modify the packet reports and flow records to enable a more efficient transmission or storage under the condition that no information is changed or suppressed. For example, the exporting process may shorten the length of a field according to the rules of reduced size encoding [RFC7011]. The exporting process may also export certain fields in a separate data record as described in [RFC5476].

4.1.1. Exporter Class

The exporter class shown in Figure 3 contains the configuration parameters of a TCP export destination.

Using the TransportLayerSecurity class described in Section 4.2, Transport Layer Security (TLS) is enabled and configured for this export destination.

The TransportSession class is specified in Section 4.3.

        +--rw exporter
           +--rw ipfix-version?               uint16
           +--rw destination-port?
           |       inet:port-number
           +--rw send-buffer-size?            uint32
           +--rw rate-limit?                  uint32
           +--rw transport-layer-security!
           |     ...
           +--rw source
           |  +--rw (source-method)?
           |     +--:(source-address)
           |     |  +--rw source-address?   inet:host
           |     +--:(interface-ref)
           |     |  +--rw interface-ref?    if:interface-ref
           |     +--:(if-name) {if-mib}?
           |        +--rw if-name?          string
           +--rw destination
           |  +--rw (destination-method)
           |     +--:(destination-address)
           |        +--rw destination-address?   inet:host
           +--ro transport-session
Figure 3: TCP Exporter Class

4.1.2. Options Class

The Options class in Figure 4 defines the type of specific information to be reported, such as statistics and filtering parameters, etc. [RFC7011] and [RFC5476] specify several types of reporting information that may be exported.

     +--rw options* [name]
        +--rw name               name-type
        +--rw options-type       identityref
        +--rw options-timeout?   uint32
Figure 4: Options Class

The following parameter values are specified by the configuration data model:

exporting-reliability

Export of exporting process reliability statistics using the exporting process reliability statistics options template [RFC7011].

accuracy

Export of accuracy report interpretation [RFC5476].

reducing-redundancy

Enables the utilization of options templates to reduce redundancy in the exported data records according to [RFC5473]. The exporting process decides when to apply these options templates.

extended-type-information

Export of extended type information for enterprise-specific information elements used in the exported templates [RFC5610].

The exporting process must choose a template definition according to the options type and available options data. The options-timeout parameter specifies the reporting interval (in milliseconds) for periodic export of the option data. A parameter value of zero means that the export of the option data is not triggered periodically, but whenever the available option data has changed. This is the typical setting for options types accuracy and reducing-redundancy. If options-timeout is not configured by the user, it is set by the monitoring device.

4.2. Transport Layer Security Class

Figure 5 shows the TransportLayerSecurity class which is used in the exporting process's class to enable and configure TLS for IPFIX. If TLS is enabled, the endpoint must use TLS [RFC8446] since the transport protocol is TCP.

[RFC7011] mandates strong mutual authentication of exporting processes as follows. IPFIX exporting processes are identified by the fully qualified domain name (FQDN) of the interface on which IPFIX messages are sent or received, for purposes of X.509 client and server certificates as in [RFC5280]. To prevent man-in-the-middle attacks from impostor collecting processes and the export of data to an unauthorized collecting process, strong mutual authentication via asymmetric keys must be used for TLS. Each of the IPFIX exporting processes must verify the identity of its peer against its authorized certificates, and must verify that the peer's certificate matches its fully qualified domain name.

The fully qualified domain name used to identify an IPFIX collecting process or exporting process may be stored either in a subjectAltName extension of type dNSName, or in the most specific Common Name field of the subject field of the X.509 certificate. If both are present, the subjectAltName extension is given preference.

In order to use TLS/DTLS, appropriate certificates and keys have to be previously installed on the monitoring devices. For security reasons, the configuration data model does not offer the possibility to upload any certificates or keys on a monitoring device. If TLS/DTLS is enabled on a monitoring device that does not have appropriate certificates and keys, the configuration must be rejected with an error.

The configuration data model allows restricting the authorization of remote endpoints to certificates issued by specific certification authorities or identifying specific FQDNs for authorization. Furthermore, the configuration data model allows restricting the utilization of certificates identifying the local endpoint. This is useful if the monitoring device has more than one certificate for the given local endpoint.

     +--rw transport-layer-security!
        +--rw local-certification-authority-dn*    string
        +--rw local-subject-dn*                    string
        +--rw local-subject-fqdn*                  inet:domain-name
        +--rw remote-certification-authority-dn*   string
        +--rw remote-subject-dn*                   string
        +--rw remote-subject-fqdn*                 inet:domain-name
Figure 5: Transport Layer Security Class

The configuration parameters are defined as follows:

local-certification-authority-dn

This parameter may appear one or more times to restrict the identification of the local endpoint during the TLS/DTLS handshake to certificates issued by the configured certification authorities. Each occurrence of this parameter contains the distinguished name of one certification authority. To identify the local endpoint, the exporting process or collecting process must use a certificate issued by one of the configured certification authorities. Certificates issued by any other certification authority must not be sent to the remote peer during the TLS/DTLS handshake. If none of the certificates installed on the monitoring device fulfills the specified restrictions, the configuration must be rejected with an error. If local-certification-authority-dn is not configured, the choice of certificates identifying the local endpoint is not restricted with respect to the issuing certification authority.

local-subject-dn, local-subject-fqdn

Each of these parameters may appear one or more times to restrict the identification of the local endpoint during the TLS/DTLS handshake to certificates issued for specific subjects or for specific FQDNs. Each occurrence of local-subject-dn contains a distinguished name identifying the local endpoint. Each occurrence of local-subject-fqdn contains an FQDN which is assigned to the local endpoint. To identify the local endpoint, the exporting process or collecting process must use a certificate that contains either one of the configured distinguished names in the subject field or at least one of the configured FQDNs in a dNSName component of the subject alternative extension field or in the most specific commonName component of the subject field. If none of the certificates installed on the monitoring device fulfills the specified restrictions, the configuration must be rejected with an error. If any of the parameters local-subject-dn and local-subject-fqdn is configured at the same time as the local-certification-authority-dn parameter, certificates must also fulfill the specified restrictions regarding the certification authority. If local-subject-dn and local-subject-fqdn are not configured, the choice of certificates identifying the local endpoint is not restricted with respect to the subject's distinguished name or FQDN.

remote-certification-authority-dn

This parameter may appear one or more times to restrict the authentication of remote endpoints during the TLS/DTLS handshake to certificates issued by the configured certification authorities. Each occurrence of this parameter contains the distinguished name of one certification authority. To authenticate the remote endpoint, the remote exporting process or collecting process must provide a certificate issued by one of the configured certification authorities. Certificates issued by any other certification authority must be rejected during TLS/DTLS handshake. If the monitoring device is not able to validate certificates issued by the configured certification authorities (e.g., because of missing public keys), the configuration must be rejected with an error. If remote-certification-authority-dn is not configured, the authorization of remote endpoints is not restricted with respect to the issuing certification authority of the delivered certificate.

remote-subject-dn, remote-subject-fqdn

Each of these parameters may appear one or more times to restrict the authentication of remote endpoints during the TLS/DTLS handshake to certificates issued for specific subjects or for specific FQDNs. Each occurrence of remote-subject-dn contains a distinguished name identifying a remote endpoint. Each occurrence of remote-subject-fqdn contains an FQDN that is assigned to a remote endpoint. To authenticate a remote endpoint, the remote exporting process or collecting process must provide a certificate that contains either one of the configured distinguished names in the subject field or at least one of the configured FQDNs in a dNSName component of the subject alternative extension field or in the most specific commonName component of the subject field. Certificates not fulfilling this condition must be rejected during the TLS/DTLS handshake. If any of the parameters remote-subject-dn and remote-subject-fqdn is configured at the same time as the remote-certification-authority-dn parameter, certificates must also fulfill the specified restrictions regarding the certification authority in order to be accepted. If remote-subject-dn and remote-subject-fqdn are not configured, the authorization of remote endpoints is not restricted with respect to the subject's distinguished name or FQDN of the delivered certificate.
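The remote-* restrictions combine in a way that is easy to get wrong, so the following added example (not code from the draft or from any IPFIX implementation) evaluates them against a peer certificate that has already passed chain validation. The `PeerCert` model, the function names, and the sample names are constructed; DN matching is a simplified case-insensitive string comparison against the direct issuer, and wildcard names are not handled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Fields taken from a chain-validated peer certificate (constructed model)."""
    issuer_dn: str
    subject_dn: str
    san_dns_names: List[str] = field(default_factory=list)


@dataclass
class RemoteTlsPolicy:
    """The three remote-* leaf-lists of transport-layer-security."""
    remote_certification_authority_dn: List[str] = field(default_factory=list)
    remote_subject_dn: List[str] = field(default_factory=list)
    remote_subject_fqdn: List[str] = field(default_factory=list)


def norm_dn(dn: str) -> str:
    # Simplified comparison (assumption): trim each RDN and ignore case.
    # Production code should compare parsed names as RFC 5280 describes.
    return ",".join(part.strip().lower() for part in dn.split(","))


def norm_fqdn(name: str) -> str:
    return name.strip().rstrip(".").lower()


def most_specific_cn(subject_dn: str) -> Optional[str]:
    # Assumes the DN string lists the most specific RDN first.
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "cn":
            return value
    return None


def peer_fqdns(cert: PeerCert) -> List[str]:
    """dNSName entries are given preference; the CN counts only if none exist."""
    if cert.san_dns_names:
        return [norm_fqdn(n) for n in cert.san_dns_names]
    cn = most_specific_cn(cert.subject_dn)
    return [norm_fqdn(cn)] if cn else []


def authorize_peer(cert: PeerCert, policy: RemoteTlsPolicy) -> bool:
    """Return True if the certificate satisfies every configured restriction."""
    # CA restriction applies only when at least one CA DN is configured.
    if policy.remote_certification_authority_dn:
        allowed = {norm_dn(d) for d in policy.remote_certification_authority_dn}
        if norm_dn(cert.issuer_dn) not in allowed:
            return False
    # Subject restriction applies when either list is configured; a match in
    # one of the two lists is enough, and it is checked in addition to the CA.
    if policy.remote_subject_dn or policy.remote_subject_fqdn:
        allowed_dns = {norm_dn(d) for d in policy.remote_subject_dn}
        allowed_fqdns = {norm_fqdn(f) for f in policy.remote_subject_fqdn}
        dn_ok = norm_dn(cert.subject_dn) in allowed_dns
        fqdn_ok = bool(set(peer_fqdns(cert)) & allowed_fqdns)
        if not (dn_ok or fqdn_ok):
            return False
    return True


# Constructed policy and certificates for illustration.
CA = "CN=Example Telemetry CA,O=Example"
POLICY = RemoteTlsPolicy(remote_certification_authority_dn=[CA],
                         remote_subject_fqdn=["collector1.example.net"])
GOOD = PeerCert("CN=Example Telemetry CA, O=Example",
                "CN=unrelated.example.net,O=Example", ["Collector1.example.net"])
WRONG_CA = PeerCert("CN=Other CA,O=Example", "CN=collector1.example.net",
                    ["collector1.example.net"])
CN_ONLY = PeerCert(CA, "CN=collector1.example.net,O=Example")
SAN_MISMATCH = PeerCert(CA, "CN=collector1.example.net,O=Example",
                        ["other.example.net"])

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_CA", "CN_ONLY", "SAN_MISMATCH"):
        print(name, authorize_peer(globals()[name], POLICY))
```

`SAN_MISMATCH` is rejected even though its Common Name matches, because a present subjectAltName takes preference over the Common Name.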

4.3. Transport Session Class

The TransportSession class contains state data about transport sessions originating from an exporting process or terminating at a collecting process.

The following attributes are supported:

ipfix-version

Used for exporting processes, this parameter contains the version number of the IPFIX protocol that the exporter uses to export its data in this transport session. Hence, it is identical to the value of the configuration parameter ipfix-version of the exporter object. When used for collecting processes, this parameter contains the version number of the IPFIX protocol it receives for this transport session. If IPFIX messages of different IPFIX protocol versions are received, this parameter contains the maximum version number. This state parameter is identical to ipfixTransportSessionIpfixVersion in the IPFIX MIB module [RFC6615].

source-address, destination-address

Source-address contains the IP address or hostname of the exporter, and destination-address contains the IP address or hostname of the collector. Hence, the two parameters have the same values as ipfixTransportSessionSourceAddress and ipfixTransportSessionDestinationAddress in the IPFIX MIB module [RFC6615].

source-port, destination-port

These state parameters contain the transport-protocol port numbers of the exporter and the collector of the transport session and thus are identical to ipfixTransportSessionSourcePort and ipfixTransportSessionDestinationPort in the IPFIX MIB module [RFC6615].

status

Status of the transport session, which can be one of the following:

  • inactive: transport session is established, but no IPFIX messages are currently transferred (e.g., because this is a backup (secondary) session)
  • active: transport session is established and transfers IPFIX messages
  • unknown: transport session status cannot be determined

This state parameter is identical to ipfixTransportSessionStatus in the IPFIX MIB module [RFC6615].

rate

The number of bytes per second transmitted by the exporting process or received by the collecting process. This parameter is updated every second. This state parameter is identical to ipfixTransportSessionRate in the IPFIX MIB module [RFC6615].

bytes, messages, records, templates, options-templates

The number of bytes, IPFIX messages, data records, template records, and options template records transmitted by the exporting process or received by the collecting process. Discontinuities in the values of these counters can occur at re-initialization of the management system, and at other times as indicated by the value of transport-session-discontinuity-time.

discarded-messages

Used for exporting processes, this parameter indicates the number of messages that could not be sent due to internal buffer overflows, network congestion, routing issues, etc. Used for collecting processes, this parameter indicates the number of received IPFIX messages that are malformed, cannot be decoded, are received in the wrong order, or are missing according to the sequence number. Discontinuities in the value of this counter can occur at re-initialization of the management system, and at other times as indicated by the value of transport-session-discontinuity-time.

transport-session-start-time

Timestamp of the start of the given transport session.

transport-session-discontinuity-time

Timestamp of the most recent occasion at which one or more of the transport session counters suffered a discontinuity. The time is absolute and not relative to sysUpTime. Note that, if used for exporting processes, the values of the state parameters destination-address and destination-port match the values of the configuration parameters destination-ip-address and destination-port of the exporter.

The TransportSession class includes Template class information and statistics about the templates transmitted or received on the given transport session. The Template class is specified in Section 4.4.

     +--ro transport-session* [name]
        +--ro name                                    name-type
        +--ro ipfix-version?                          uint16
        +--ro source-address?                         inet:host
        +--ro destination-address?                    inet:host
        +--ro source-port?
        |       inet:port-number
        +--ro destination-port?
        |       inet:port-number
        +--ro status?
        |       transport-session-status
        +--ro rate?
        |       yang:gauge32
        +--ro bytes?
        |       yang:counter64
        +--ro messages?
        |       yang:counter64
        +--ro discarded-messages?
        |       yang:counter64
        +--ro records?
        |       yang:counter64
        +--ro templates?
        |       yang:counter32
        +--ro options-templates?
        |       yang:counter32
        +--ro transport-session-start-time?
        |       yang:date-and-time
        +--ro transport-session-discontinuity-time?
        |       yang:date-and-time
        +--ro template* []
          ...
Figure 6: Transport Session Class

4.4. Template Class

Figure 7 shows the Template class which contains state data about templates used by an exporting process or received by a collecting process in a specific transport session. The field class defines one field of the template.

        +--ro template* [name]
           +--ro name                           name-type
           +--ro observation-domain-id?         uint32
           +--ro template-id?                   uint16
           +--ro set-id?                        uint16
           +--ro access-time?                   yang:date-and-time
           +--ro template-data-records?         yang:counter64
           +--ro template-discontinuity-time?   yang:date-and-time
           +--ro field* [name]
              +--ro name                    name-type
              +--ro ie-id?                  ie-id-type
              +--ro ie-length?              uint16
              +--ro ie-enterprise-number?   uint32
              +--ro is-scope?               empty
Figure 7: Template Class

The names and semantics of the state parameters correspond to the managed objects in the ipfixTemplateTable, ipfixTemplateDefinitionTable, and ipfixTemplateStatsTable of the IPFIX MIB module [RFC6615]:

observation-domain-id

The identifier of the observation domain for which this template is defined.

template-id

This number indicates the template identifier in the IPFIX Message.

set-id

This number indicates the set identifier of this template. Currently, there are two values defined [RFC7011]. The value 2 is used for sets containing template definitions. The value 3 is used for sets containing options template definitions.

access-time

Used for exporting processes, this parameter contains the time when this (Options) Template was last sent to the Collector or written to the file. Used for Collecting Processes, this parameter contains the time when this (Options) Template was last received from the Exporter or read from the file.

template-data-records

The number of transmitted or received data records defined by this (options) template since the point in time indicated by template-definition-time.

template-discontinuity-time

Timestamp of the most recent occasion at which the counter template-data-records suffered a discontinuity. The time is absolute and not relative to sysUpTime.

ie-id, ie-length, ie-enterprise-number

Information Element identifier, length, and enterprise number of a field in the template. If this is not an enterprise-specific Information Element, ie-enterprise-number is zero. These state parameters are identical to ipfixTemplateDefinitionIeId, ipfixTemplateDefinitionIeLength, and ipfixTemplateDefinitionIeEnterpriseNumber in the IPFIX MIB module [RFC6615].

is-scope

If this state parameter is present, this is a scope field. This parameter is only available for options templates (i.e., if set-id is 3).
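As an added illustration (not taken from the draft), the parser below derives the Template class state leaves from the Template Sets and Options Template Sets of an IPFIX message, using the wire format of [RFC7011]. Function names and the sample message are constructed for this example; the presence leaf is-scope is modelled as a boolean, and input that fails a bounds check raises an error, which a collector would count under discarded-messages.

```python
import struct
from typing import Dict, List

TEMPLATE_SET_ID = 2
OPTIONS_TEMPLATE_SET_ID = 3


class MalformedMessage(ValueError):
    """Input that a collecting process would count as a discarded message."""


def parse_templates(msg: bytes) -> List[Dict]:
    """Return one dict per (options) template record in an IPFIX message."""
    if len(msg) < 16:
        raise MalformedMessage("short message header")
    version, length, _time, _seq, domain_id = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise MalformedMessage("bad version or message length")
    templates: List[Dict] = []
    off = 16
    while off < length:
        if length - off < 4:
            raise MalformedMessage("truncated set header")
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise MalformedMessage("set length out of bounds")
        if set_id in (TEMPLATE_SET_ID, OPTIONS_TEMPLATE_SET_ID):
            templates += parse_set(msg, off + 4, off + set_len, set_id, domain_id)
        off += set_len                      # data sets are skipped
    return templates


def parse_set(msg: bytes, pos: int, end: int, set_id: int, domain_id: int) -> List[Dict]:
    out = []
    while end - pos >= 4:                   # fewer than 4 bytes left is padding
        template_id, field_count = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if template_id < 256:
            raise MalformedMessage("template-id below 256")
        if field_count == 0:                # template withdrawal, no fields follow
            continue
        scope_count = 0
        if set_id == OPTIONS_TEMPLATE_SET_ID:
            if end - pos < 2:
                raise MalformedMessage("truncated options template header")
            (scope_count,) = struct.unpack_from("!H", msg, pos)
            pos += 2
            if scope_count == 0 or scope_count > field_count:
                raise MalformedMessage("invalid scope field count")
        fields = []
        for index in range(field_count):
            if end - pos < 4:
                raise MalformedMessage("truncated field specifier")
            raw_id, ie_length = struct.unpack_from("!HH", msg, pos)
            pos += 4
            enterprise = 0                  # zero unless the enterprise bit is set
            if raw_id & 0x8000:
                if end - pos < 4:
                    raise MalformedMessage("truncated enterprise number")
                (enterprise,) = struct.unpack_from("!I", msg, pos)
                pos += 4
            fields.append({"ie-id": raw_id & 0x7FFF, "ie-length": ie_length,
                           "ie-enterprise-number": enterprise,
                           "is-scope": index < scope_count})
        out.append({"observation-domain-id": domain_id, "template-id": template_id,
                    "set-id": set_id, "field": fields})
    return out


def sample_message() -> bytes:
    """Constructed message: template 256 and options template 257, domain 7."""
    tmpl = struct.pack("!HH", 256, 2)
    tmpl += struct.pack("!HH", 1, 8)                   # octetDeltaCount
    tmpl += struct.pack("!HHI", 0x8000 | 5, 4, 32473)  # enterprise IE, example PEN
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    opt = struct.pack("!HHH", 257, 2, 1)               # two fields, one scope field
    opt += struct.pack("!HH", 144, 4)                  # exportingProcessId (scope)
    opt += struct.pack("!HH", 41, 8)                   # exportedMessageTotalCount
    opt += b"\x00\x00"                                 # set padding
    oset = struct.pack("!HH", OPTIONS_TEMPLATE_SET_ID, 4 + len(opt)) + opt
    body = tset + oset
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, 7) + body


if __name__ == "__main__":
    for template in parse_templates(sample_message()):
        print(template)
```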

4.5. Data Class

The DataProcess class in Figure 8 specifies the data template to be applied to a resource or set of resources and provides state information about the template records.

     +--rw data-export
        +--rw template* [name]
           +--rw name                     ietf-ipfix:name-type
           +--rw enabled?                 boolean
           +--rw export-interval?         uint32
           +--rw observation-domain-id?   uint32
           +--rw field-layout
           |  +--rw field* [name]
           |     +--rw name                    ietf-ipfix:name-type
           |     +--rw (identifier)
           |     |  +--:(ie-id)
           |     |     +--rw ie-id?            ietf-ipfix:ie-id-type
           |     +--rw ie-length?              uint16
           |     +--rw ie-enterprise-number?   uint32
           +--rw exporting-process*
           |       -> /ietf-ipfix:ipfix/exporting-process/name
           |       {ietf-ipfix:exporter}?
           +--rw resource*                resource
           +--ro data-records?            yang:counter64
           +--ro discontinuity-time?      yang:date-and-time
Figure 8: Data Class

The following attributes are supported:

enabled

Enables the template so that specified data may be exported. The default is "enabled".

export-interval

The interval (in seconds) for periodical export of data records.

observation-domain-id

The Observation Domain that is locally unique to an Exporting Process.

field-layout

The IPFIX template to be applied to the resource. The following attributes are configurable:

  • ie-id: Identifies the Information Element identifier.
  • ie-enterprise-number: Identifies the enterprise identifier of the Information Element. A value of 0 indicates an IANA-based Information Element.
  • ie-length: Identifies the length of the Information Element.

A data instance may refer to:

  • one or more exporting-process instances
  • one or more resource instances (e.g., different interface instances on a line card)

The following state information is available:

data-records

Reports the number of data records generated for this bulk data template.

discontinuity-time

Timestamp of the most recent occasion at which the counter data-records suffered a discontinuity.

5. YANG Modules

This document defines the ietf-ipfix-data-export YANG module.

5.1. ietf-ipfix-data-export

The ietf-ipfix-data-export YANG module defines an exporting-process based on TCP and a data-export template list.

5.1.1. ietf-ipfix-data-export Module Structure

This document defines the YANG module "ietf-ipfix-data-export", which has the following tentative structure:

module: ietf-ipfix-data-export
  +--rw ipfix-data-export
     +--rw exporting-process* [name] {exporter}?
     |  +--rw name                    name-type
     |  +--rw enabled?                boolean
     |  +--rw export-mode?            identityref
     |  +--rw destination* [name]
     |  |  +--rw name        name-type
     |  |  +--rw exporter
     |  |     +--rw ipfix-version?              uint16
     |  |     +--rw source
     |  |     |  +--rw (source-method)?
     |  |     |     +--:(interface-ref)
     |  |     |     |  +--rw interface-ref?    if:interface-ref
     |  |     |     +--:(if-name) {if-mib}?
     |  |     |     |  +--rw if-name?          string
     |  |     |     +--:(source-address)
     |  |     |        +--rw source-address?   inet:host
     |  |     +--rw destination
     |  |     |  +--rw (destination-method)
     |  |     |     +--:(destination-address)
     |  |     |        +--rw destination-address?   inet:host
     |  |     +--rw destination-port?           inet:port-number
     |  |     +--rw send-buffer-size?           uint32
     |  |     +--rw rate-limit?                 uint32
     |  |     +--rw connection-timeout?         uint32
     |  |     +--rw retry-schedule?             uint32
     |  |     +--rw transport-layer-security!
     |  |     |  +--rw local-certification-authority-dn*    string
     |  |     |  +--rw local-subject-dn*                    string
     |  |     |  +--rw local-subject-fqdn*
     |  |     |  |       inet:domain-name
     |  |     |  +--rw remote-certification-authority-dn*   string
     |  |     |  +--rw remote-subject-dn*                   string
     |  |     |  +--rw remote-subject-fqdn*
     |  |     |          inet:domain-name
     |  |     +--ro transport-session
     |  |        +--ro ipfix-version?                          uint16
     |  |        +--ro source-address?
     |  |        |       inet:host
     |  |        +--ro destination-address?
     |  |        |       inet:host
     |  |        +--ro source-port?
     |  |        |       inet:port-number
     |  |        +--ro destination-port?
     |  |        |       inet:port-number
     |  |        +--ro status?
     |  |        |       transport-session-status
     |  |        +--ro rate?
     |  |        |       yang:gauge32
     |  |        +--ro bytes?
     |  |        |       yang:counter64
     |  |        +--ro messages?
     |  |        |       yang:counter64
     |  |        +--ro discarded-messages?
     |  |        |       yang:counter64
     |  |        +--ro records?
     |  |        |       yang:counter64
     |  |        +--ro templates?
     |  |        |       yang:counter32
     |  |        +--ro options-templates?
     |  |        |       yang:counter32
     |  |        +--ro transport-session-start-time?
     |  |        |       yang:date-and-time
     |  |        +--ro transport-session-discontinuity-time?
     |  |        |       yang:date-and-time
     |  |        +--ro template* [name]
     |  |           +--ro name                           name-type
     |  |           +--ro observation-domain-id?         uint32
     |  |           +--ro template-id?                   uint16
     |  |           +--ro set-id?                        uint16
     |  |           +--ro access-time?
     |  |           |       yang:date-and-time
     |  |           +--ro template-data-records?
     |  |           |       yang:counter64
     |  |           +--ro template-discontinuity-time?
     |  |           |       yang:date-and-time
     |  |           +--ro field* [name]
     |  |              +--ro name                    name-type
     |  |              +--ro ie-id?                  ie-id-type
     |  |              +--ro ie-length?              uint16
     |  |              +--ro ie-enterprise-number?   uint32
     |  |              +--ro is-scope?               empty
     |  +--rw options* [name]
     |  |  +--rw name               name-type
     |  |  +--rw options-type       identityref
     |  |  +--rw options-timeout?   uint32
     |  +--ro exporting-process-id?   uint32
     +--rw data-export
        +--rw template* [name]
           +--rw name                       name-type
           +--rw enabled?                   boolean
           +--rw export-interval?           uint32
           +--rw observation-domain-id?     uint32
           +--rw field-layout
           |  +--rw field* [name]
           |     +--rw name                    name-type
           |     +--rw (identifier)
           |     |  +--:(ie-name)
           |     |  |  +--rw ie-name?          ie-name-type
           |     |  +--:(ie-id)
           |     |     +--rw ie-id?            ie-id-type
           |     +--rw ie-length?              uint16
           |     +--rw ie-enterprise-number?   uint32
           +--rw exporting-process*
           |       -> /ipfix-data-export/exporting-process/name
           |       {exporter}?
           +--rw (resource-identifier)?
           |  +--:(resource-instance)
           |     +--rw resource-instance*   resource
           +--ro data-records?              yang:counter64
           +--ro discontinuity-time?        yang:date-and-time
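
The following is an added example, not part of this draft or its YANG module: a Python audit of RFC 7951 JSON instance data for the exporter subtree shown above. It reports destinations that lack the transport-layer-security presence container, TLS destinations with no remote-* restriction, and Exporting Processes that mix TLS and cleartext destinations. The sample data, the finding labels and the port heuristic are assumptions of this example; 4739 and 4740 are the defaults given in the destination-port description.

```python
import json

MODULE = "ietf-ipfix-data-export"
# Leaf-lists of transport-layer-security that restrict accepted peers.
REMOTE_PEER_LEAVES = (
    "remote-certification-authority-dn",
    "remote-subject-dn",
    "remote-subject-fqdn",
)
# Defaults given in the destination-port description.
PORT_PLAIN, PORT_TLS = 4739, 4740

# Constructed sample instance data (RFC 7951 JSON encoding), not from the draft.
SAMPLE_CONFIG = json.loads("""
{"ietf-ipfix-data-export:ipfix-data-export": {"exporting-process": [
  {"name": "ep1",
   "destination": [
     {"name": "primary",
      "exporter": {
        "destination": {"destination-address": "collector1.example.net"},
        "destination-port": 4740,
        "transport-layer-security": {
          "remote-subject-fqdn": ["collector1.example.net"]}}},
     {"name": "backup",
      "exporter": {
        "destination": {"destination-address": "192.0.2.10"},
        "destination-port": 4740}}]},
  {"name": "ep2",
   "export-mode": "ietf-ipfix-data-export:parallel",
   "destination": [
     {"name": "c",
      "exporter": {
        "destination": {"destination-address": "2001:db8::10"},
        "transport-layer-security": {}}}]}
]}}
""")


def audit_exporters(config):
    """Return (location, finding) tuples for weak export transport settings.

    Finding labels are this example's own, not terms from the draft.
    """
    findings = []
    root = config.get(f"{MODULE}:ipfix-data-export", {})
    for proc in root.get("exporting-process", []):
        # identityref values may carry a module prefix; the default is 'fallback'.
        mode = proc.get("export-mode", "fallback").split(":")[-1]
        tls_flags = []
        for dest in proc.get("destination", []):
            where = f"{proc['name']}/{dest['name']}"
            exporter = dest.get("exporter", {})
            # Presence container: the key existing at all means TLS is enabled.
            tls = exporter.get("transport-layer-security")
            port = exporter.get("destination-port")
            tls_flags.append(tls is not None)
            if tls is None:
                findings.append((where, "cleartext-export"))
                # Heuristic (assumption): the TLS default port configured
                # explicitly while TLS is off suggests a dropped TLS container.
                if port == PORT_TLS:
                    findings.append((where, "tls-port-without-tls"))
                continue
            if port == PORT_PLAIN:
                findings.append((where, "plain-port-with-tls"))
            # No remote-* leaf-list set: this configuration does not restrict
            # which collector certificates are accepted.
            if not any(tls.get(leaf) for leaf in REMOTE_PEER_LEAVES):
                findings.append((where, "tls-peer-unrestricted"))
        if any(tls_flags) and not all(tls_flags):
            findings.append((proc["name"], f"mixed-tls-{mode}"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_exporters(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Under the default 'fallback' export-mode, a mixed Exporting Process can end up exporting to its cleartext destination when a TLS destination fails.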

5.1.2. ietf-ipfix-data-export YANG module

This YANG Module imports typedefs from [RFC6991].

<CODE BEGINS> file "ietf-ipfix-data-export@2021-02-02.yang"
module ietf-ipfix-data-export {
  yang-version 1.1;

  namespace
    "urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export";

  prefix ipfixde;

  import ietf-inet-types {
    prefix inet;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-yang-types {
    prefix yang;
    reference
      "RFC 6991: Common YANG Data Types";
  }

  import ietf-interfaces {
    prefix if;
    reference
      "RFC 8343: A YANG Model for Interface Management";
  }

  organization
    "IETF";

  contact
    "Web:      TBD
     List:     TBD

     Editor:   Anand Arokiaraj
               <mailto:anand.arokiaraj@nokia.com>
     Editor:   Marta Seda
               <mailto:marta.seda@calix.com>";

  // RFC Ed.: replace XXXX with actual RFC numbers and
  // remove this note.

  description
    "This module contains a collection of YANG definitions for
     managing the export of data over IPFIX.

     This data model is designed for the Network Management Datastore
     Architecture defined in RFC 8342.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
     NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
     'MAY', and 'OPTIONAL' in this document are to be interpreted as
     described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
     they appear in all capitals, as shown here.

     Copyright (c) 2021 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Simplified BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.";

  revision 2021-02-02 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: YANG Data Model for the IP Flow Information Export
                 (IPFIX) Data Export";
  }

  feature exporter {
    description
      "If supported, the Monitoring Device can be used as
       an Exporter. Exporting Processes can be configured.";
  }

  feature if-mib {
    description
      "This feature indicates that the device implements
       the IF-MIB.";
    reference
      "RFC 2863: The Interfaces Group MIB";
  }

  identity export-mode {
    description
      "Base identity for different usages of export
       destinations configured for an Exporting Process.";
    reference
      "RFC 6615, Section 8 (ipfixExportMemberType)";
  }

  identity parallel {
    base export-mode;
    description
      "Parallel export of Data Records to all destinations configured
       for the Exporting Process.";
    reference
      "RFC 6615, Section 8 (ipfixExportMemberType)";
  }

  identity load-balancing {
    base export-mode;
    description
      "Load-balancing between the different destinations
       configured for the Exporting Process.";
    reference
      "RFC 6615, Section 8 (ipfixExportMemberType)";
  }

  identity fallback {
    base export-mode;
    description
      "Export to the primary destination (i.e., the first
       destination configured for the Exporting Process). If the
       export to the primary destination fails, the Exporting Process
       tries to export to the secondary destination.  If the
       secondary destination fails as well, it continues with the
       tertiary, etc.";
    reference
      "RFC 6615, Section 8 (ipfixExportMemberType)";
  }

  identity options-type {
    description
      "Base identity for report types exported with
       options templates.";
  }

  identity exporting-reliability {
    base options-type;
    description
      "Exporting Process Reliability Statistics.";
    reference
      "RFC 7011, Section 4.3";
  }

  identity reducing-redundancy {
    base options-type;
    description
      "Enables the utilization of Options Templates to reduce
       redundancy in the exported Data Records.";
    reference
      "RFC 5473";
  }

  identity extended-type-information {
    base options-type;
    description
      "Export of extended type information for enterprise-specific
       Information Elements used in the exported Templates.";
    reference
      "RFC 5610";
  }

  typedef ie-name-type {
    type string {
      length "1..max";
      pattern '\S+';
    }
    description
      "Type for Information Element names. Whitespaces are not
       allowed.";
  }

  typedef name-type {
    type string {
      length "1..max";
      pattern '\S(.*\S)?';
    }
    description
      "Type for 'name' leafs, which are used to identify specific
       instances within lists, etc.

       Leading and trailing whitespaces are not allowed.";
  }

  typedef ie-id-type {
    type uint16 {
      range "1..32767";
    }
    description
      "Type for Information Element identifiers.";
  }

  typedef transport-session-status {
    type enumeration {
      enum "inactive" {
        value 0;
        description
          "This value MUST be used for Transport Sessions that are
           specified in the system but currently not active.

           The value can be used for Transport Sessions that are
           backup (secondary) sessions.";
      }
      enum "active" {
        value 1;
        description
          "This value MUST be used for Transport Sessions that are
           currently active and transmitting or receiving data.";
      }
      enum "unknown" {
        value 2;
        description
          "This value MUST be used if the status of the Transport
           Sessions cannot be detected by the device.

           This value should be avoided as far as possible.";
      }
    }
    description
      "Status of a Transport Session.";
    reference
      "RFC 6615, Section 8 (ipfixTransportSessionStatus)";
  }

  typedef resource {
    type instance-identifier {
      require-instance false;
    }
    description
      "A resource from which data will be exported.";
  }

  grouping transport-layer-security-parameters {
    description
      "TLS parameters.";

    container transport-layer-security {
      presence
        "The presence of this container indicates TLS is enabled.";
      description
        "TLS configuration.";

      leaf-list local-certification-authority-dn {
        type string;
        description
          "Distinguished names of certification authorities whose
           certificates may be used to identify the local endpoint.";
        reference
          "RFC 5280";
      }

      leaf-list local-subject-dn {
        type string;
        description
          "Distinguished names that may be used in the certificates
           to identify the local endpoint.";
        reference
          "RFC 5280.";
      }

      leaf-list local-subject-fqdn {
        type inet:domain-name;
        description
          "Fully qualified domain names that may be used in the
           certificates to identify the local endpoint.";
        reference
          "RFC 5280";
      }

      leaf-list remote-certification-authority-dn {
        type string;
        description
          "Distinguished names of certification authorities whose
           certificates are accepted to authorize remote endpoints.";
        reference
          "RFC 5280";
      }

      leaf-list remote-subject-dn {
        type string;
        description
          "Distinguished names which are accepted in certificates to
           authorize remote endpoints.";
        reference
          "RFC 5280";
      }

      leaf-list remote-subject-fqdn {
        type inet:domain-name;
        description
          "Fully qualified domain names that are accepted in
           certificates to authorize remote endpoints.";
        reference
          "RFC 5280";
      }
    }
  }

  grouping transport-session-state-parameters {
    description
      "State parameters of a Transport Session originating from an
       Exporting Process or terminating at a Collecting Process.
       Parameter names and semantics correspond to the managed
       objects in IPFIX-MIB.";
    reference
      "RFC 7011; RFC 6615, Section 8 (ipfixTransportSessionEntry,
       ipfixTransportSessionStatsEntry)";

    leaf ipfix-version {
      type uint16;
      description
        "Used for Exporting Processes, this parameter contains the
         version number of the IPFIX protocol that the Exporter uses
         to export its data in this Transport Session.

         Used for Collecting Processes, this parameter contains the
         version number of the IPFIX protocol it receives for this
         Transport Session. If IPFIX Messages of different IPFIX
         protocol versions are received, this parameter contains the
         maximum version number.

         Note that this parameter corresponds to
         ipfixTransportSessionIpfixVersion in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionIpfixVersion)";
    }

    leaf source-address {
      type inet:host;
      description
        "The source address of the Exporter of the IPFIX Transport
         Session.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionSourceAddressType,
         ipfixTransportSessionSourceAddress);
         RFC 4960, Section 6.4";
    }

    leaf destination-address {
      type inet:host;
      description
        "The destination address of the path that is selected by the
         Exporter to send IPFIX messages to the Collector.

         It is possible that if an FQDN address
         is configured it resolves into many addresses.

         Note that this parameter functionally corresponds to
         ipfixTransportSessionDestinationAddressType and
         ipfixTransportSessionDestinationAddress in the IPFIX MIB
         module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionDestinationAddressType,
         ipfixTransportSessionDestinationAddress);
         RFC 4960, Section 6.4";
    }

    leaf source-port {
      type inet:port-number;
      description
        "The transport-protocol port number of the Exporter of the
         IPFIX Transport Session.

         Note that this parameter corresponds to
         ipfixTransportSessionSourcePort in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionSourcePort).";
    }

    leaf destination-port {
      type inet:port-number;
      description
        "The transport-protocol port number of the Collector of the
         IPFIX Transport Session.

         Note that this parameter corresponds to
         ipfixTransportSessionDestinationPort in the IPFIX MIB
         module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionDestinationPort)";
    }

    leaf status {
      type transport-session-status;
      description
        "Status of the Transport Session.

         Note that this parameter corresponds to
         ipfixTransportSessionStatus in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8 (ipfixTransportSessionStatus)";
    }

    leaf rate {
      type yang:gauge32;
      units "bytes per second";
      description
        "The number of bytes per second transmitted by the
         Exporting Process or received by the Collecting Process.
         This parameter is updated every second.

         Note that this parameter corresponds to
         ipfixTransportSessionRate in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8 (ipfixTransportSessionRate)";
    }

    leaf bytes {
      type yang:counter64;
      units "bytes";
      description
        "The number of bytes transmitted by the Exporting Process or
         received by the Collecting Process.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionBytes in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8 (ipfixTransportSessionBytes)";
    }

    leaf messages {
      type yang:counter64;
      units "IPFIX Messages";
      description
        "The number of messages transmitted by the Exporting Process
         or received by the Collecting Process.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionMessages in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionMessages)";
    }

    leaf discarded-messages {
      type yang:counter64;
      units "IPFIX Messages";
      description
        "Used for Exporting Processes, this parameter indicates the
         number of messages that could not be sent due to internal
         buffer overflows, network congestion, routing issues, etc.
         Used for Collecting Processes, this parameter indicates the
         number of received IPFIX Messages that are malformed, cannot
         be decoded, are received in the wrong order, or are missing
         according to the sequence number.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionDiscardedMessages in the IPFIX MIB
         module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionDiscardedMessages)";
    }

    leaf records {
      type yang:counter64;
      units "Data Records";
      description
        "The number of Data Records transmitted by the Exporting
         Process or received by the Collecting Process.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionRecords in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionRecords)";
    }

    leaf templates {
      type yang:counter32;
      units "Templates";
      description
        "The number of Templates transmitted by the Exporting Process
         or received by the Collecting Process.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionTemplates in the IPFIX MIB module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionTemplates)";
    }

    leaf options-templates {
      type yang:counter32;
      units "Options Templates";
      description
        "The number of Options Templates transmitted by the Exporting
         Process or received by the Collecting Process.

         Discontinuities in the value of this counter can occur at
         re-initialization of the management system, and at other
         times as indicated by the value of
         transport-session-discontinuity-time.

         Note that this parameter corresponds to
         ipfixTransportSessionOptionsTemplates in the IPFIX MIB
         module.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionOptionsTemplates)";
    }

    leaf transport-session-start-time {
      type yang:date-and-time;
      description
        "Timestamp of the start of the given Transport Session.

         This state parameter does not correspond to any object in
         the IPFIX MIB module.";
    }

    leaf transport-session-discontinuity-time {
      type yang:date-and-time;
      description
        "Timestamp of the most recent occasion at which one or more
         of the Transport Session counters suffered a discontinuity.

         Note that this parameter functionally corresponds to
         ipfixTransportSessionDiscontinuityTime in the IPFIX MIB
         module. In contrast to
         ipfixTransportSessionDiscontinuityTime, the time is
         absolute and not relative to sysUpTime.";
      reference
        "RFC 6615, Section 8
         (ipfixTransportSessionDiscontinuityTime)";
    }
  }

  grouping export-template-state-parameters {
    description
      "State parameters of a (Options) Template used by an Exporting
       Process in a specific Transport Session or by a File Writer.
       Parameter names and semantics correspond to the managed
       objects in IPFIX-MIB.";
    reference
      "RFC 7011; RFC 6615, Section 8 (ipfixTemplateEntry,
       ipfixTemplateDefinitionEntry, ipfixTemplateStatsEntry)";

    list template {
      key "name";
      description
        "This list contains the Templates and Options Templates that
         are transmitted by the Exporting Process or written by the
         File Writer.

         Withdrawn or invalidated (Options) Templates MUST be removed
         from this list.";

      leaf name {
        type name-type;
        description
          "An arbitrary string which uniquely identifies the
           template.";
      }

      leaf observation-domain-id {
        type uint32;
        description
          "The ID of the Observation Domain for which this Template
           is defined.

           Note that this parameter corresponds to
           ipfixTemplateObservationDomainId in the IPFIX MIB
           module.";
        reference
          "RFC 6615, Section 8
           (ipfixTemplateObservationDomainId).";
      }

      leaf template-id {
        type uint16 {
          range "256..65535";
        }
        description
          "This number indicates the Template ID in the IPFIX
           message.

           Note that this parameter corresponds to ipfixTemplateId in
           the IPFIX MIB module.";
        reference
          "RFC 6615, Section 8 (ipfixTemplateId).";
      }

      leaf set-id {
        type uint16 {
          range "2..3 | 256..65535";
        }
        description
          "This number indicates the Set ID of the Template.
           A value of 2 is reserved for Template Sets.  A value of 3
           is reserved for Options Template Sets.  Values from 4 to
           255 are reserved for future use.  Values 256 and above
           are used for Data Sets.  The Set ID values of 0 and 1 are
           not used for historical reasons.

           Note that this parameter corresponds to ipfixTemplateSetId
           in the IPFIX MIB module.";
        reference
          "RFC 7011, Section 3.3.2;
           RFC 6615, Section 8 (ipfixTemplateSetId)";
      }

      leaf access-time {
        type yang:date-and-time;
        description
          "This parameter contains the time when this (Options)
           Template was last sent to the Collector(s) or written to
           the file.

           Note that this parameter corresponds to
           ipfixTemplateAccessTime in the IPFIX MIB module.";
        reference
          "RFC 6615, Section 8
           (ipfixTemplateAccessTime).";
      }

      leaf template-data-records {
        type yang:counter64;
        description
          "The number of transmitted Data Records defined by this
           (Options) Template.

           Discontinuities in the value of this counter can occur at
           re-initialization of the management system, and at other
           times as indicated by the value of
           template-discontinuity-time.

           Note that this parameter corresponds to
           ipfixTemplateDataRecords in the IPFIX MIB module.";
        reference
          "RFC 6615, Section 8 (ipfixTemplateDataRecords).";
      }

      leaf template-discontinuity-time {
        type yang:date-and-time;
        description
          "Timestamp of the most recent occasion at which the counter
           template-data-records suffered a discontinuity.

           Note that this parameter functionally
           corresponds to ipfixTemplateDiscontinuityTime in the IPFIX
           MIB module. In contrast to
           ipfixTemplateDiscontinuityTime, the time is absolute and
           not relative to sysUpTime.";
        reference
          "RFC 6615, Section 8
           (ipfixTemplateDiscontinuityTime).";
      }

      list field {
        key "name";
        description
          "This list contains the fields that define the (Options)
           Template.

           The order of the list corresponds to the order
           of the fields in the (Options) Template Record.";

        leaf name {
          type name-type;
          description
            "An arbitrary string which uniquely identifies the
             template field.";
        }

        leaf ie-id {
          type ie-id-type;
          description
            "This parameter indicates the Information Element
             identifier of the field.

             Note that this parameter corresponds to
             ipfixTemplateDefinitionIeId in the IPFIX MIB module.";
          reference
            "RFC 7011; RFC 6615, Section 8
             (ipfixTemplateDefinitionIeId).";
        }

        leaf ie-length {
          type uint16;
          units "octets";
          description
            "This parameter indicates the length of the Information
             Element of the field.

             Note that this parameter corresponds to
             ipfixTemplateDefinitionIeLength in the IPFIX MIB
             module.";
          reference
            "RFC 7011; RFC 6615, Section 8
             (ipfixTemplateDefinitionIeLength).";
        }

        leaf ie-enterprise-number {
          type uint32;
          description
            "This parameter indicates the IANA enterprise number of
             the authority defining the Information Element
             identifier.

             If the Information Element is not enterprise-specific,
             this state parameter is zero.

             Note that this parameter corresponds to
             ipfixTemplateDefinitionIeEnterpriseNumber in the IPFIX
             MIB module.";
          reference
            "RFC 6615, Section 8
             (ipfixTemplateDefinitionIeEnterpriseNumber);
             IANA registry for Private Enterprise Numbers,
             http://www.iana.org/assignments/enterprise-numbers.";
        }

        leaf is-scope {
          when "../../set-id = 3" {
            description
              "This parameter is available for Options Templates
               (Set ID is 3).";
          }
          type empty;
          description
            "If present, this is a scope field.

             Note that this corresponds to scope(0) being set in
             ipfixTemplateDefinitionFlags.";
          reference
            "RFC 6615, Section 8
             (ipfixTemplateDefinitionFlags).";
        }
      }
    }
  }

  grouping exporter-parameters {
    description
      "Parameters of an exporter.";

    leaf ipfix-version {
      type uint16;
      default '10';
      description
        "IPFIX version number.";
      reference
        "RFC 7011.";
    }

    container source {
      description
        "Configuration of how the exporter's source IP address is
         specified.";

      choice source-method {
        description
          "Method to configure the source address of the exporter
           or the interface to be used by the exporter.

           Note that it is expected that other methods be available.
           Those methods can augment this choice.";

        case interface-ref {
          leaf interface-ref {
            type if:interface-ref;
            description
              "The interface to be used by the Exporting Process.";
          }
        }

        case if-name {
          if-feature if-mib;
          leaf if-name {
            type string;
            description
              "Name of an interface as stored in the ifTable
               of IF-MIB.";
            reference
              "RFC 2863.";
          }
        }

        case source-address {
          leaf source-address {
            type inet:host;
            description
              "The source IP address or hostname used by the
               Exporting Process.";
          }
        }
      }
    }

    container destination {
      description
        "Configuration of how the exporter's destination IP address
         is specified.";

      choice destination-method {
        mandatory true;
        description
          "Method to configure the destination address of the
           Collecting Process to which IPFIX Messages are sent.

           Note that other methods are expected to be available.
           Those methods can augment this choice.";

        case destination-address {
          leaf destination-address {
            type inet:host;
            description
              "The destination IP address or hostname of the
               Collecting Process to which IPFIX Messages are sent.
               A hostname may resolve to one or more IP
               addresses.";
          }
        }
      }
    }

    leaf destination-port {
      type inet:port-number;
      description
        "If not configured by the user, the Monitoring Device uses
         the default port number for IPFIX, which is 4739 without TLS
         or DTLS and 4740 if TLS or DTLS is activated.";
    }

    leaf send-buffer-size {
      type uint32;
      units "bytes";
      description
        "Size of the socket send buffer.

         If not configured by the user, this parameter is set by
         the Monitoring Device.";
    }

    leaf rate-limit {
      type uint32;
      units "bytes per second";
      description
        "Maximum number of bytes per second the Exporting Process may
         export to the given destination.  The number of bytes is
         calculated from the lengths of the IPFIX Messages exported.
         If not configured, no rate limiting is performed.";
      reference
        "RFC 5476, Section 6.3.";
    }

    leaf connection-timeout {
      type uint32;
      units seconds;
      description
        "Time after which the exporting process deems the TCP
         connection to have failed.";
      reference
        "RFC 7011, Sections 10.4.4 and 10.4.5.";
    }

    leaf retry-schedule {
      type uint32 {
        range "60..max";
      }
      units seconds;
      description
        "Time after which the exporting process retries the TCP
         connection to a collector.";
      reference
        "RFC 7011, Section 10.4.4.";
    }

    uses transport-layer-security-parameters;
  }

  grouping exporting-process-parameters {
    description
      "Parameters of an Exporting Process.";

    leaf export-mode {
      type identityref {
        base export-mode;
      }
      default 'fallback';
      description
        "This parameter determines to which configured destination(s)
         the incoming Data Records are exported.";
    }

    list destination {
      key "name";
      min-elements 1;
      description
        "List of export destinations.";

      leaf name {
        type name-type;
        description
          "An arbitrary string which uniquely identifies the export
           destination.";
      }

      container exporter {
        description
          "Exporter parameters.";

        uses exporter-parameters;

        container transport-session {
          config false;
          description
            "Transport session state data.";

          uses transport-session-state-parameters;
          uses export-template-state-parameters;
        }
      }
    }

    list options {
      key "name";
      description
        "List of options reported by the Exporting Process.";

      leaf name {
        type name-type;
        description
          "An arbitrary string which uniquely identifies the
           option.";
      }
      uses options-parameters;
    }
  }

  grouping options-parameters {
    description
      "Parameters specifying the data export using an Options
       Template.";

    leaf options-type {
      type identityref {
        base options-type;
      }
      mandatory true;
      description
        "Type of the exported options data.";
    }

    leaf options-timeout {
      type uint32;
      units "milliseconds";
      description
        "Time interval for periodic export of the options data. If
         set to zero, the export is triggered when the options data
         has changed.

         If not configured by the user, this parameter is set by the
         Monitoring Device.";
    }
  }

  grouping data-template-parameters {
    description
      "Field Layout parameters.";

    leaf observation-domain-id {
      type uint32;
      default 0;
      description
        "An identifier of an Observation Domain that is locally
         unique to an Exporting Process (see RFC 7011 Section 3.1).

         Typically, this Information Element is for limiting the
         scope of other Information Elements.

         A value of 0 indicates that no specific Observation Domain
         is identified by this Information Element.";
    }

    container field-layout {
      description
        "Field Layout parameters.";

      list field {
        key name;
        min-elements 1;
        description
          "Superset of statistics field names or special field-names
           (e.g., timestamps, etc) for interpreting statistics that
           are included in the Packet Reports or Flow Records
           generated by the device.";

        leaf name {
          type name-type;
          description
            "An arbitrary string which uniquely identifies the
             field.";
        }

        choice identifier {
          mandatory true;
          description
            "The Information Element to be added to the template.";

          case ie-name {
            leaf ie-name {
              type ie-name-type;
              description
                "Name of the Information Element.";
            }
          }

          case ie-id {
            leaf ie-id {
              type ie-id-type;
              description
                "ID of the Information Element.";
            }
          }
        }

        leaf ie-length {
          type uint16;
          units octets;
          description
            "Length of the field in which the Information Element is
             encoded.  A value of 65535 specifies a variable-length
             Information Element.  For Information Elements of
             integer and float type, the field length MAY be set to a
             smaller value than the standard length of the abstract
             data type if the rules of reduced size encoding are
             fulfilled.

             If not configured by the user, this parameter is set by
             the Monitoring Device.";
          reference
            "RFC 7011, Section 6.2";
        }

        leaf ie-enterprise-number {
          type uint32;
          default 0;
          description
            "If this parameter is zero, the Information Element is
             registered in the IANA registry of IPFIX Information
             Elements or unspecified (if the Information Element is
             not IANA registered).

             If this parameter is configured with a non-zero private
             enterprise number, the Information Element is
             enterprise-specific.";
          reference
            "RFC 7011; RFC 5103;
             IANA registry for Private Enterprise Numbers,
             http://www.iana.org/assignments/enterprise-numbers;
             IANA registry for IPFIX Entities,
             http://www.iana.org/assignments/ipfix";
        }
      }
    }
  }

  container ipfix-data-export {
    description
      "IPFIX data export node.";

    list exporting-process {
      if-feature exporter;
      key "name";
      description
        "List of Exporting Processes of the IPFIX Monitoring Device
         for which configuration will be applied.";

      leaf name {
        type name-type;
        description
          "An arbitrary string which uniquely identifies the
           Exporting Process.";
      }

      leaf enabled {
        type boolean;
        default "true";
        description
          "If true, this Exporting Process is enabled for
           exporting.";
      }

      uses exporting-process-parameters;

      leaf exporting-process-id {
        type uint32;
        config false;
        description
          "The identifier of the Exporting Process.  This parameter
           corresponds to the Information Element exportingProcessId.
           Its occurrence helps to associate Exporting Process
           parameters with Exporting Process statistics exported by
           the Monitoring Device using the Exporting Process
           Reliability Statistics Template as defined by the IPFIX
           protocol specification.";
        reference
          "RFC 7011, Section 4.3; IANA registry for IPFIX
           Entities, http://www.iana.org/assignments/ipfix.";
      }
    }

    container data-export {
      description
        "Container for data export nodes.";

      list template {
        key name;
        description
          "List of data templates of the Monitoring Device.";

        leaf name {
          type name-type;
          description
            "An arbitrary string which uniquely identifies the
             data template.";
        }

        leaf enabled {
          type boolean;
          default "true";
          description
            "If true, this template is enabled and the specified
             data is able to be exported.";
        }

        leaf export-interval {
          type uint32;
          units "seconds";
          description
            "This parameter configures the interval (in seconds) for
             periodical export of Flow Records.

             If not configured by the user, the Monitoring Device
             sets this parameter.";
        }

        uses data-template-parameters;

        leaf-list exporting-process {
          if-feature exporter;
          type leafref {
            path "/ipfix-data-export"
               + "/exporting-process/name";
          }
          description
            "Records are exported by all Exporting Processes in the
             list.";
        }

        choice resource-identifier {
          description
            "Method to select the resources from which the records
             are to be exported.

             Note that it is expected that other methods be available.
             Those methods can augment this choice.";

          case resource-instance {
            leaf-list resource-instance {
              type resource;
              description
                "Records are sourced from all the resources in
                 this list.";
            }
          }
        }

        leaf data-records {
          type yang:counter64;
          units "Data Records";
          config false;
          description
            "The number of Data Records generated for this sampling
             template.

             Discontinuities in the value of this counter can occur
             at re-initialization of the management system, and at
             other times as indicated by the value of Discontinuity
             Time.";
        }

        leaf discontinuity-time {
          type yang:date-and-time;
          config false;
          description
            "Timestamp of the most recent occasion at which the
             counter data records suffered a discontinuity.";
        }
      }
    }
  }
}

<CODE ENDS>

6. IANA Considerations

This document registers 1 URI in the "IETF XML Registry" [RFC3688]. Following the format in RFC 3688, the following registration has been made.

URI: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
Registrant Contact: The IESG.
XML: N/A, the requested URI is an XML namespace.

This document registers 1 YANG module in the "YANG Module Names" registry. Following the format in [RFC7950], the following has been registered.

Name: ietf-ipfix-data-export
Namespace: urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export
Prefix: ipfixde
Reference: RFC XXXX: YANG Data Model for the IP Flow Information
           Export (IPFIX) Protocol Data Export

7. Security Considerations

The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].

The NETCONF access control model [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.

There are a number of data nodes defined in this YANG module that are writable/creatable/deletable (i.e., config true, which is the default). These data nodes may be considered sensitive or vulnerable in some network environments. Write operations (e.g., NETCONF edit-config) to these data nodes without proper protection can have a negative effect on network operations. These are the subtrees and data nodes and their sensitivity/vulnerability:

Some of the readable data nodes in this YANG module may be considered sensitive or vulnerable in some network environments. It is thus important to control read access (e.g., via get, get-config, or notification) to these data nodes. These are the subtrees and data nodes and their sensitivity/vulnerability:

8. Acknowledgments

The authors would like to thank Joey Boyd, William Lupton, and Benoit Claise for their contributions and feedback towards this document.

9. Normative References

[RFC3688]
Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, <https://www.rfc-editor.org/info/rfc3688>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, <https://www.rfc-editor.org/info/rfc5280>.
[RFC5476]
Claise, B., Ed., Johnson, A., and J. Quittek, "Packet Sampling (PSAMP) Protocol Specifications", RFC 5476, DOI 10.17487/RFC5476, <https://www.rfc-editor.org/info/rfc5476>.
[RFC5610]
Boschi, E., Trammell, B., Mark, L., and T. Zseby, "Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements", RFC 5610, DOI 10.17487/RFC5610, <https://www.rfc-editor.org/info/rfc5610>.
[RFC6615]
Dietz, T., Ed., Kobayashi, A., Claise, B., and G. Muenz, "Definitions of Managed Objects for IP Flow Information Export", RFC 6615, DOI 10.17487/RFC6615, <https://www.rfc-editor.org/info/rfc6615>.
[RFC6991]
Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, <https://www.rfc-editor.org/info/rfc6991>.
[RFC7011]
Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, <https://www.rfc-editor.org/info/rfc7011>.
[RFC7950]
Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, <https://www.rfc-editor.org/info/rfc7950>.

10. Informative References

[IANA-IPFIX]
IANA, "IP Flow Information Export (IPFIX) Entities", <https://www.iana.org/assignments/ipfix>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, <https://www.rfc-editor.org/info/rfc2119>.
[RFC5473]
Boschi, E., Mark, L., and B. Claise, "Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports", RFC 5473, DOI 10.17487/RFC5473, <https://www.rfc-editor.org/info/rfc5473>.
[RFC6241]
Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242]
Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, <https://www.rfc-editor.org/info/rfc6242>.
[RFC8040]
Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10.17487/RFC8040, <https://www.rfc-editor.org/info/rfc8040>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8340]
Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, <https://www.rfc-editor.org/info/rfc8340>.
[RFC8341]
Bierman, A. and M. Bjorklund, "Network Configuration Access Control Model", STD 91, RFC 8341, DOI 10.17487/RFC8341, <https://www.rfc-editor.org/info/rfc8341>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, <https://www.rfc-editor.org/info/rfc8446>.

Appendix A. Example: ietf-ipfix-data-export Usage

The configuration example configures a field-layout template to export Ethernet statistics from eth0 and eth1.

<ipfix-data-export xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
  <exporting-process>
    <name>ipfix data exporter</name>
    <enabled>true</enabled>
    <destination>
      <name>ipfix-collector</name>
      <exporter>
        <source>
          <source-address>192.100.2.1</source-address>
        </source>
        <destination>
          <destination-address>proxy1.sys.com</destination-address>
        </destination>
      </exporter>
    </destination>
    <options>
      <name>Options 1</name>
      <options-type>extended-type-information</options-type>
      <options-timeout>0</options-timeout>
    </options>
  </exporting-process>
</ipfix-data-export>
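
The following Python audit is an added example, not part of this draft or of any IPFIX implementation. It checks instance data for this module: it flags destinations that lack the transport-layer-security presence container shown in the tree diagram, and it checks the min-elements, identifier choice and exporting-process leafref rules from the module. Treating a missing container as export without TLS is an assumption, and the sample document, its names and the finding labels are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export"}

# Constructed instance data (not from the draft): "plain" has no TLS container;
# "eth-stats" sets both identifier cases and names an unknown Exporting Process.
SAMPLE = """
<ipfix-data-export xmlns="urn:ietf:params:xml:ns:yang:ietf-ipfix-data-export">
  <exporting-process>
    <name>exp1</name>
    <destination><name>plain</name><exporter>
      <destination><destination-address>collector.example</destination-address></destination>
    </exporter></destination>
    <destination><name>secured</name><exporter>
      <destination><destination-address>collector.example</destination-address></destination>
      <transport-layer-security/>
    </exporter></destination>
  </exporting-process>
  <data-export>
    <template><name>eth-stats</name>
      <field-layout>
        <field><name>f1</name><ie-name>octetDeltaCount</ie-name><ie-id>1</ie-id></field>
        <field><name>f2</name><ie-id>2</ie-id></field>
      </field-layout>
      <exporting-process>exp2</exporting-process>
    </template>
    <template><name>empty</name><field-layout/></template>
  </data-export>
</ipfix-data-export>
"""

def text(node, tag):
    return node.findtext(f"d:{tag}", default="", namespaces=NS).strip()

def audit(xml_text):
    """Return sorted (finding, location) tuples for one instance document."""
    root = ET.fromstring(xml_text)
    out = []
    procs = root.findall("d:exporting-process", NS)
    known = {text(p, "name") for p in procs}
    for p in procs:
        for dest in p.findall("d:destination", NS):
            where = f"{text(p, 'name')}/{text(dest, 'name')}"
            # Assumption: no presence container means export without TLS.
            if dest.find("d:exporter/d:transport-layer-security", NS) is None:
                out.append(("no-tls", where))
    for t in root.findall("d:data-export/d:template", NS):
        tname = text(t, "name")
        fields = t.findall("d:field-layout/d:field", NS)
        if not fields:  # list field has min-elements 1
            out.append(("min-elements", tname))
        for f in fields:  # choice identifier: exactly one of ie-name / ie-id
            cases = [k for k in ("ie-name", "ie-id") if f.find(f"d:{k}", NS) is not None]
            if len(cases) != 1:
                out.append(("identifier-choice", f"{tname}/{text(f, 'name')}"))
        for ref in t.findall("d:exporting-process", NS):  # leafref target must exist
            if (ref.text or "").strip() not in known:
                out.append(("dangling-leafref", f"{tname} -> {ref.text}"))
    return sorted(out)
```

Run over the Appendix A configuration above, audit() returns a single finding: no-tls for "ipfix data exporter/ipfix-collector".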

Appendix B. Tree diagrams

B.1. ietf-ipfix-data-export

The complete tree diagram for ietf-ipfix-data-export:

module: ietf-ipfix-data-export
  +--rw ipfix-data-export
     +--rw exporting-process* [name] {exporter}?
     |  +--rw name                    name-type
     |  +--rw enabled?                boolean
     |  +--rw export-mode?            identityref
     |  +--rw destination* [name]
     |  |  +--rw name        name-type
     |  |  +--rw exporter
     |  |     +--rw ipfix-version?              uint16
     |  |     +--rw source
     |  |     |  +--rw (source-method)?
     |  |     |     +--:(interface-ref)
     |  |     |     |  +--rw interface-ref?    if:interface-ref
     |  |     |     +--:(if-name) {if-mib}?
     |  |     |     |  +--rw if-name?          string
     |  |     |     +--:(source-address)
     |  |     |        +--rw source-address?   inet:host
     |  |     +--rw destination
     |  |     |  +--rw (destination-method)
     |  |     |     +--:(destination-address)
     |  |     |        +--rw destination-address?   inet:host
     |  |     +--rw destination-port?           inet:port-number
     |  |     +--rw send-buffer-size?           uint32
     |  |     +--rw rate-limit?                 uint32
     |  |     +--rw connection-timeout?         uint32
     |  |     +--rw retry-schedule?             uint32
     |  |     +--rw transport-layer-security!
     |  |     |  +--rw local-certification-authority-dn*    string
     |  |     |  +--rw local-subject-dn*                    string
     |  |     |  +--rw local-subject-fqdn*
     |  |     |  |       inet:domain-name
     |  |     |  +--rw remote-certification-authority-dn*   string
     |  |     |  +--rw remote-subject-dn*                   string
     |  |     |  +--rw remote-subject-fqdn*
     |  |     |          inet:domain-name
     |  |     +--ro transport-session
     |  |        +--ro ipfix-version?                          uint16
     |  |        +--ro source-address?
     |  |        |       inet:host
     |  |        +--ro destination-address?
     |  |        |       inet:host
     |  |        +--ro source-port?
     |  |        |       inet:port-number
     |  |        +--ro destination-port?
     |  |        |       inet:port-number
     |  |        +--ro status?
     |  |        |       transport-session-status
     |  |        +--ro rate?
     |  |        |       yang:gauge32
     |  |        +--ro bytes?
     |  |        |       yang:counter64
     |  |        +--ro messages?
     |  |        |       yang:counter64
     |  |        +--ro discarded-messages?
     |  |        |       yang:counter64
     |  |        +--ro records?
     |  |        |       yang:counter64
     |  |        +--ro templates?
     |  |        |       yang:counter32
     |  |        +--ro options-templates?
     |  |        |       yang:counter32
     |  |        +--ro transport-session-start-time?
     |  |        |       yang:date-and-time
     |  |        +--ro transport-session-discontinuity-time?
     |  |        |       yang:date-and-time
     |  |        +--ro template* [name]
     |  |           +--ro name                           name-type
     |  |           +--ro observation-domain-id?         uint32
     |  |           +--ro template-id?                   uint16
     |  |           +--ro set-id?                        uint16
     |  |           +--ro access-time?
     |  |           |       yang:date-and-time
     |  |           +--ro template-data-records?
     |  |           |       yang:counter64
     |  |           +--ro template-discontinuity-time?
     |  |           |       yang:date-and-time
     |  |           +--ro field* [name]
     |  |              +--ro name                    name-type
     |  |              +--ro ie-id?                  ie-id-type
     |  |              +--ro ie-length?              uint16
     |  |              +--ro ie-enterprise-number?   uint32
     |  |              +--ro is-scope?               empty
     |  +--rw options* [name]
     |  |  +--rw name               name-type
     |  |  +--rw options-type       identityref
     |  |  +--rw options-timeout?   uint32
     |  +--ro exporting-process-id?   uint32
     +--rw data-export
        +--rw template* [name]
           +--rw name                       name-type
           +--rw enabled?                   boolean
           +--rw export-interval?           uint32
           +--rw observation-domain-id?     uint32
           +--rw field-layout
           |  +--rw field* [name]
           |     +--rw name                    name-type
           |     +--rw (identifier)
           |     |  +--:(ie-name)
           |     |  |  +--rw ie-name?          ie-name-type
           |     |  +--:(ie-id)
           |     |     +--rw ie-id?            ie-id-type
           |     +--rw ie-length?              uint16
           |     +--rw ie-enterprise-number?   uint32
           +--rw exporting-process*
           |       -> /ipfix-data-export/exporting-process/name
           |       {exporter}?
           +--rw (resource-identifier)?
           |  +--:(resource-instance)
           |     +--rw resource-instance*   resource
           +--ro data-records?              yang:counter64
           +--ro discontinuity-time?        yang:date-and-time

Authors' Addresses

Anand Arokiaraj
Nokia
Marta Seda
Calix