Export of TLS Handshake Information in IPFIX
draft-gao-opsawg-ipfix-term-and-app-02
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Gao xing , Shuai Zhang , Changwang Lin | ||
| Last updated | 2026-05-14 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-gao-opsawg-ipfix-term-and-app-02
opsawg X. Gao, Ed.
Internet-Draft S. Zhang
Intended status: Standards Track China Unicom
Expires: 16 November 2026 C. Lin
New H3C Technologies
15 May 2026
Export of TLS Handshake Information in IPFIX
draft-gao-opsawg-ipfix-term-and-app-02
Abstract
This document defines a set of new Information Elements (IEs) in the
IPFIX Information Model for exporting raw TLS ClientHello handshake
fields. These IEs enable the collection of standardized client
behavioral fingerprints from network traffic without decryption of
the encrypted payload. The exported fields facilitate network
anomaly detection, threat identification, and fault diagnosis in
encrypted traffic environments.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 16 November 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
Gao, et al. Expires 16 November 2026 [Page 1]
Internet-Draft Information Element for terminal and app May 2026
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Sample Use Cases . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Problem Description . . . . . . . . . . . . . . . . . . . 3
3.2. Solution . . . . . . . . . . . . . . . . . . . . . . . . 3
4. New Information Elements . . . . . . . . . . . . . . . . . . 4
4.1. tlsClientHelloSNI . . . . . . . . . . . . . . . . . . . . 4
4.2. tlsClientHelloVersion . . . . . . . . . . . . . . . . . . 5
4.3. tlsClientHelloCipherSuite . . . . . . . . . . . . . . . . 5
4.4. tlsClientHelloSSLExtension . . . . . . . . . . . . . . . 5
4.5. tlsClientHelloEllipticCurve . . . . . . . . . . . . . . . 6
4.6. tlsClientHelloEllipticCurvePointFormat . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
5.1. Privacy and Sensitive Information Risks . . . . . . . . . 6
5.2. No Involvement of Traffic Decryption Operations . . . . . 7
5.3. Risk Control Against Misuse . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
As encrypted transmission via TLS has become ubiquitous across all
network traffic, the payload content of business communications is no
longer visible. The plaintext TLS ClientHello handshake fields have
emerged as one of the few stable and exploitable analysis entry
points in encrypted traffic. Various types of malware, remote access
trojans (RATs), ransomware, and DDoS attack tools all carry
distinctive TLS client fingerprints, which serve as core identifiers
for threat detection, attribution analysis, and forensic
investigation in encrypted traffic scenarios. Telecommunications
operators, cloud service providers, and enterprise networks, when
performing security operations such as anomaly detection, crawler
identification, and attack attribution, urgently require
standardized, interoperable, and comparable client fingerprinting
features derived from the plaintext TLS ClientHello fields.
Currently, TLS client fingerprint field export in the industry is
predominantly implemented through proprietary vendor-specific
solutions, which suffer from inconsistent data formats, divergent
collection rules, and inability to perform collaborative parsing
across devices. To address these issues, it is necessary to define
standardized specifications for core fingerprint fields within the
Gao, et al. Expires 16 November 2026 [Page 2]
Internet-Draft Information Element for terminal and app May 2026
IPFIX information model, so as to achieve unified collection,
standardized export, universal parsing, and cross-domain comparison
of fingerprinting features, thereby enhancing the compatibility and
scalability of end-to-end security operations and situational
awareness systems.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Sample Use Cases
3.1. Problem Description
Endpoints within home broadband networks, such as computers,
smartphones, surveillance cameras, and routers, may, due to malware
infection, firmware vulnerabilities, or unauthorized access,
proactively initiate TLS connections to external suspicious servers
without the user's awareness. Such connections are typically
employed for malware command and control, network scanning, or
crawler access, representing a typical form of anomalous outbound
traffic. Due to TLS encryption, traditional traffic analysis methods
are unable to identify client fingerprinting features. The majority
of malware, remote access tools, and crawler scripts utilize
lightweight TLS libraries, whose handshake characteristics differ
significantly from standard browsers. By evaluating TLS handshake
characteristics, it becomes possible to determine whether a
connection originates from an anomalous client, thereby enabling
precise detection and remediation.
3.2. Solution
By deploying IPFIX-based traffic collection and analysis capabilities
on critical network gateways and boundary devices such as telecom
operator residential broadband BRAS (Broadband Remote Access Server),
cloud gateways, enterprise egress routers, and backbone network
monitoring points, the system extracts key TLS client fingerprint
characteristic fields losslessly from TLS handshake packets. This
enables feature export and centralized reporting without traffic
decryption. Through traffic collection and analysis platforms,
fingerprint modeling, whitelist comparison, and anomalous feature
analysis are performed, thereby achieving behavior identification and
operational closed-loop remediation for encrypted traffic anomalous
outbound connections, malware, remote access tools, crawlers, and
Gao, et al. Expires 16 November 2026 [Page 3]
Internet-Draft Information Element for terminal and app May 2026
similar threats.
+-------------+ +------------+ +-------------+ +-------------+
| Vendor-A | | Vendor-B | | Vendor-C | | Vendor-N |
| device | | device | | device |... | device |
+-------------+ +------------+ +-------------+ +-------------+
| | | |
+----------------+---------------+-----------------+
| IPFIX
v
+-------------------------------------------------------+
| Unified Collector |
| +-------------------------+ |
| | TLS Field Parser | |
| | Fingerprint Engine | |
| | Fingerprint Database | |
| +-------------------------+ |
+—------------------------------------------------------+
Figure 1. IPFIX-Based Unified TLS Fingerprint Collection
The TLS field parser is responsible for parsing and extracting key
TLS handshake field information from IPFIX exported elements. The
fingerprint engine performs the modeling and construction of client
fingerprints based on raw TLS handshake field data collected via
IPFIX. The characteristic fingerprint database is a database used
for the standardized storage of various known and identifiable
feature sets,the system performs real-time comparison and matching of
the collected and generated client fingerprints against the
characteristic fingerprint database.
4. New Information Elements
4.1. tlsClientHelloSNI
ElementID: TBD
Name: tlsClientHelloSNI
Abstract Data Type: string
Data Type Semantics: identifier
Description:The value of the Server Name Indication (SNI) extension
in the TLS ClientHello message, which specifies the target server
hostname (encoded in UTF - 8) as defined in Section 3 of RFC 6066 and
used for certificate selection in multi - domain hosting
scenarios.The Server Name Indication (SNI) extension enables a TLS
client to indicate the name of the server it is attempting to connect
to.This mechanism facilitates secure connections to servers hosting
multiple virtual servers on a single network address.
Reference:See RFC 6066 section 3 for the specification of Server Name
Indication.
Gao, et al. Expires 16 November 2026 [Page 4]
Internet-Draft Information Element for terminal and app May 2026
4.2. tlsClientHelloVersion
ElementID: TBD
Name: tlsClientHelloVersion
Abstract Data Type: unsigned16
Data Type Semantics: identifier
Description:The TLS protocol version number negotiated during the
handshake and used in the TLS record layer header, encoded as a
2-byte unsigned integer (e.g., 0x0304 for TLS 1.3) as defined in RFC
8446 and RFC 5246.
Reference:RFC 8446,RFC 5246
4.3. tlsClientHelloCipherSuite
ElementID: TBD
Name: tlsClientHelloCipherSuite
Abstract Data Type: unsigned16
Data Type Semantics: identifier
Description:A list of cipher suite values (each 2-byte unsigned
integer) advertised by the client in the TLS ClientHello message.
Reference:RFC 8446
4.4. tlsClientHelloSSLExtension
ElementID: TBD
Name: tlsClientHelloSSLExtension
Abstract Data Type: unsigned16
Data Type Semantics: identifier
Description:A list of TLS extension type codes (each 2-byte unsigned
integer) from the ClientHello extensions field.
Reference:RFC 8446
Gao, et al. Expires 16 November 2026 [Page 5]
Internet-Draft Information Element for terminal and app May 2026
4.5. tlsClientHelloEllipticCurve
ElementID: TBD
Name:tlsClientHelloEllipticCurve
Abstract Data Type: unsigned16
Data Type Semantics: identifier
Description:A list of elliptic curve identifiers (each 2-byte
unsigned integer) from the "elliptic_curves" extension in
ClientHello.
Reference:RFC 8446
4.6. tlsClientHelloEllipticCurvePointFormat
ElementID: TBD
Name: tlsClientHelloEllipticCurvePointFormat
Abstract Data Type: unsigned16
Data Type Semantics: identifier
Description:A list of elliptic curve point format identifiers (each
1-byte unsigned integer) from the "elliptic_curves_point_formats"
extension in ClientHello.
Reference:RFC 8446
5. Security Considerations
5.1. Privacy and Sensitive Information Risks
All fields defined in this document do not carry or process any user-
sensitive information. They solely represent client software
implementation characteristics and TLS cipher suite configuration
features, and cannot independently be used to identify natural
persons. These fingerprints are not uniquely bound to specific
users, do not constitute personally identifiable information, and are
not used for scenarios such as user behavior analysis or individual
user identification. This mechanism solely achieves network
anomalous traffic identification through fingerprint feature
comparison, and does not introduce any risk of privacy leakage.
Gao, et al. Expires 16 November 2026 [Page 6]
Internet-Draft Information Element for terminal and app May 2026
5.2. No Involvement of Traffic Decryption Operations
All exportable metadata fields specified in this document are solely
derived from the TLS plaintext handshake phase. The data collection
and processing workflow of this solution does not perform decryption,
parsing, or storage of user encrypted communications. Only publicly
available handshake metadata is collected, without accessing the
user-encrypted business data in transit. Such transport layer
behavioral characteristics have abundant mature application
precedents in the IETF standards ecosystem, and are consistent with
the application paradigm of traditional transport layer metadata
mechanisms such as TCP options.
5.3. Risk Control Against Misuse
To prevent improper use or malicious abuse of the TLS fingerprint
fields defined in this document, the following constraints and
principles shall be strictly observed during the deployment and
application of this mechanism:
Legitimate use restrictions: This mechanism shall only be used for
compliant network management scenarios, including but not limited to
network operations, anomalous traffic detection, network fault
troubleshooting, DDoS attack mitigation, and other legitimate
business purposes.
Prohibition of non-compliant use: This mechanism shall be strictly
prohibited from being used in unauthorized, non-network-management
scenarios such as cross-domain user tracking, user profiling, or
individual behavior monitoring.
Transmission access control: For TLS fingerprint data transmission
based on the IPFIX protocol, communication privileges between
collectors and exporters shall be restricted through mechanisms such
as Access Control Lists (ACL) and authentication, so as to ensure
transmission security.
Data minimization: All collected traffic feature data shall strictly
adhere to the data minimization principle. Long-term storage of
redundant or irrelevant traffic feature data is prohibited, so as to
minimize potential security risks.
6. IANA Considerations
The document makes a request to IANA to register the Information
Elements defined in section 4.
Gao, et al. Expires 16 November 2026 [Page 7]
Internet-Draft Information Element for terminal and app May 2026
Authors' Addresses
Xing Gao (editor)
China Unicom
Beijing
China
Email: gaox60@chinaunicom.cn
Shuai Zhang
China Unicom
Beijing
China
Email: zhangs366@chinaunicom.cn
Changwang Lin
New H3C Technologies
Beijing
China
Email: linchangwang.04414@h3c.com
Gao, et al. Expires 16 November 2026 [Page 8]