The CERT IPFIX Registry is a list of Private Enterprise IPFIX elements that have been defined by CERT to extend the list of IPFIX elements defined by IANA. These elements are used and generated by other tools in the CERT NetSA Security Suite and are scoped by CERT's Private Enterprise Number (PEN), 6871 (0x1ad7).

The XML file contains the same fields as the IANA IPFIX registry XML file, with two additional fields:

The PEN for that element
Whether this element is a candidate for reversal, as described next

Reverse Elements

Reverse elements, used for bidirectional flow records, are defined by RFC 5103, Bidirectional Flow Export Using IP Flow Information Export (IPFIX). Specifically, they are addressed in section 6 of that document.

In the CERT private enterprise registry, reverse elements are created by OR-ing the value 0x4000 to the non-reversed element ID, upper-casing the first letter of the element name, and prepending the string reverse to form the name. For example, the (forward) CERT element initialTCPFlags and its reverse are:

PEN 6871, ID    14 (0x000e), initialTCPFlags
PEN 6871, ID 16398 (0x400e), reverseInitialTCPFlags