



opsawg                                                       X. Gao, Ed.
Internet-Draft                                                  S. Zhang
Intended status: Standards Track                            China Unicom
Expires: 16 November 2026                                         C. Lin
                                                    New H3C Technologies
                                                             15 May 2026


              Export of TLS Handshake Information in IPFIX
                 draft-gao-opsawg-ipfix-term-and-app-02

Abstract

   This document defines a set of new Information Elements (IEs) in the
   IPFIX Information Model for exporting raw TLS ClientHello handshake
   fields.  These IEs enable the collection of standardized client
   behavioral fingerprints from network traffic without decryption of
   the encrypted payload.  The exported fields facilitate network
   anomaly detection, threat identification, and fault diagnosis in
   encrypted traffic environments.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 16 November 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components



Gao, et al.             Expires 16 November 2026                [Page 1]

Internet-Draft  Information Element for terminal and app        May 2026


   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Sample Use Cases  . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Problem Description . . . . . . . . . . . . . . . . . . .   3
     3.2.  Solution  . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  New Information Elements  . . . . . . . . . . . . . . . . . .   4
     4.1.  tlsClientHelloSNI . . . . . . . . . . . . . . . . . . . .   4
     4.2.  tlsClientHelloVersion . . . . . . . . . . . . . . . . . .   5
     4.3.  tlsClientHelloCipherSuite . . . . . . . . . . . . . . . .   5
     4.4.  tlsClientHelloSSLExtension  . . . . . . . . . . . . . . .   5
     4.5.  tlsClientHelloEllipticCurve . . . . . . . . . . . . . . .   6
     4.6.  tlsClientHelloEllipticCurvePointFormat  . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
     5.1.  Privacy and Sensitive Information Risks . . . . . . . . .   6
     5.2.  No Involvement of Traffic Decryption Operations . . . . .   7
     5.3.  Risk Control Against Misuse . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   As encrypted transmission via TLS has become ubiquitous across all
   network traffic, the payload content of business communications is no
   longer visible.  The plaintext TLS ClientHello handshake fields have
   emerged as one of the few stable and exploitable analysis entry
   points in encrypted traffic.  Various types of malware, remote access
   trojans (RATs), ransomware, and DDoS attack tools all carry
   distinctive TLS client fingerprints, which serve as core identifiers
   for threat detection, attribution analysis, and forensic
   investigation in encrypted traffic scenarios.  Telecommunications
   operators, cloud service providers, and enterprise networks, when
   performing security operations such as anomaly detection, crawler
   identification, and attack attribution, urgently require
   standardized, interoperable, and comparable client fingerprinting
   features derived from the plaintext TLS ClientHello fields.

   Currently, TLS client fingerprint field export in the industry is
   predominantly implemented through proprietary vendor-specific
   solutions, which suffer from inconsistent data formats, divergent
   collection rules, and inability to perform collaborative parsing
   across devices.  To address these issues, it is necessary to define
   standardized specifications for core fingerprint fields within the



Gao, et al.             Expires 16 November 2026                [Page 2]

Internet-Draft  Information Element for terminal and app        May 2026


   IPFIX information model, so as to achieve unified collection,
   standardized export, universal parsing, and cross-domain comparison
   of fingerprinting features, thereby enhancing the compatibility and
   scalability of end-to-end security operations and situational
   awareness systems.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Sample Use Cases

3.1.  Problem Description

   Endpoints within home broadband networks, such as computers,
   smartphones, surveillance cameras, and routers, may, due to malware
   infection, firmware vulnerabilities, or unauthorized access,
   proactively initiate TLS connections to external suspicious servers
   without the user's awareness.  Such connections are typically
   employed for malware command and control, network scanning, or
   crawler access, representing a typical form of anomalous outbound
   traffic.  Due to TLS encryption, traditional traffic analysis methods
   are unable to identify client fingerprinting features.  The majority
   of malware, remote access tools, and crawler scripts utilize
   lightweight TLS libraries, whose handshake characteristics differ
   significantly from standard browsers.  By evaluating TLS handshake
   characteristics, it becomes possible to determine whether a
   connection originates from an anomalous client, thereby enabling
   precise detection and remediation.

3.2.  Solution

   By deploying IPFIX-based traffic collection and analysis capabilities
   on critical network gateways and boundary devices such as telecom
   operator residential broadband BRAS (Broadband Remote Access Server),
   cloud gateways, enterprise egress routers, and backbone network
   monitoring points, the system extracts key TLS client fingerprint
   characteristic fields losslessly from TLS handshake packets.  This
   enables feature export and centralized reporting without traffic
   decryption.  Through traffic collection and analysis platforms,
   fingerprint modeling, whitelist comparison, and anomalous feature
   analysis are performed, thereby achieving behavior identification and
   operational closed-loop remediation for encrypted traffic anomalous
   outbound connections, malware, remote access tools, crawlers, and



Gao, et al.             Expires 16 November 2026                [Page 3]

Internet-Draft  Information Element for terminal and app        May 2026


   similar threats.

   +-------------+  +------------+    +-------------+    +-------------+
   |   Vendor-A  |  |  Vendor-B  |    | Vendor-C    |    | Vendor-N    | 
   |    device   |  |   device   |    |  device     |... |   device    |  
   +-------------+  +------------+    +-------------+    +-------------+
          |                |               |                 |
          +----------------+---------------+-----------------+
                                   | IPFIX 
                                   v
       +-------------------------------------------------------+
        |                    Unified Collector                |
        |              +-------------------------+            | 
        |              |     TLS Field Parser    |            |
        |              |    Fingerprint Engine   |            |
        |              |   Fingerprint Database  |            |
        |              +-------------------------+            |
       +—------------------------------------------------------+ 
          Figure 1.   IPFIX-Based Unified TLS Fingerprint Collection

   The TLS field parser is responsible for parsing and extracting key
   TLS handshake field information from IPFIX exported elements.  The
   fingerprint engine performs the modeling and construction of client
   fingerprints based on raw TLS handshake field data collected via
   IPFIX.  The characteristic fingerprint database is a database used
   for the standardized storage of various known and identifiable
   feature sets，the system performs real-time comparison and matching of
   the collected and generated client fingerprints against the
   characteristic fingerprint database.

4.  New Information Elements

4.1.  tlsClientHelloSNI

   ElementID: TBD

   Name: tlsClientHelloSNI

   Abstract Data Type: string

   Data Type Semantics: identifier

   Description：The value of the Server Name Indication (SNI) extension
   in the TLS ClientHello message, which specifies the target server
   hostname (encoded in UTF - 8) as defined in Section 3 of RFC 6066 and
   used for certificate selection in multi - domain hosting
   scenarios.The Server Name Indication (SNI) extension enables a TLS
   client to indicate the name of the server it is attempting to connect
   to.This mechanism facilitates secure connections to servers hosting
   multiple virtual servers on a single network address.

   Reference：See RFC 6066 section 3 for the specification of Server Name
   Indication.




Gao, et al.             Expires 16 November 2026                [Page 4]

Internet-Draft  Information Element for terminal and app        May 2026


4.2.  tlsClientHelloVersion

   ElementID: TBD

   Name: tlsClientHelloVersion

   Abstract Data Type: unsigned16

   Data Type Semantics: identifier

   Description：The TLS protocol version number negotiated during the
   handshake and used in the TLS record layer header, encoded as a
   2-byte unsigned integer (e.g., 0x0304 for TLS 1.3) as defined in RFC
   8446 and RFC 5246.

   Reference：RFC 8446,RFC 5246

4.3.  tlsClientHelloCipherSuite

   ElementID: TBD

   Name: tlsClientHelloCipherSuite

   Abstract Data Type: unsigned16

   Data Type Semantics: identifier

   Description：A list of cipher suite values (each 2-byte unsigned
   integer) advertised by the client in the TLS ClientHello message.

   Reference：RFC 8446

4.4.  tlsClientHelloSSLExtension

   ElementID: TBD

   Name: tlsClientHelloSSLExtension

   Abstract Data Type: unsigned16

   Data Type Semantics: identifier

   Description：A list of TLS extension type codes (each 2-byte unsigned
   integer) from the ClientHello extensions field.

   Reference：RFC 8446





Gao, et al.             Expires 16 November 2026                [Page 5]

Internet-Draft  Information Element for terminal and app        May 2026


4.5.  tlsClientHelloEllipticCurve

   ElementID: TBD

   Name:tlsClientHelloEllipticCurve

   Abstract Data Type: unsigned16

   Data Type Semantics: identifier

   Description：A list of elliptic curve identifiers (each 2-byte
   unsigned integer) from the "elliptic_curves" extension in
   ClientHello.

   Reference：RFC 8446

4.6.  tlsClientHelloEllipticCurvePointFormat

   ElementID: TBD

   Name: tlsClientHelloEllipticCurvePointFormat

   Abstract Data Type: unsigned16

   Data Type Semantics: identifier

   Description：A list of elliptic curve point format identifiers (each
   1-byte unsigned integer) from the "elliptic_curves_point_formats"
   extension in ClientHello.

   Reference：RFC 8446

5.  Security Considerations

5.1.  Privacy and Sensitive Information Risks

   All fields defined in this document do not carry or process any user-
   sensitive information.  They solely represent client software
   implementation characteristics and TLS cipher suite configuration
   features, and cannot independently be used to identify natural
   persons.  These fingerprints are not uniquely bound to specific
   users, do not constitute personally identifiable information, and are
   not used for scenarios such as user behavior analysis or individual
   user identification.  This mechanism solely achieves network
   anomalous traffic identification through fingerprint feature
   comparison, and does not introduce any risk of privacy leakage.





Gao, et al.             Expires 16 November 2026                [Page 6]

Internet-Draft  Information Element for terminal and app        May 2026


5.2.  No Involvement of Traffic Decryption Operations

   All exportable metadata fields specified in this document are solely
   derived from the TLS plaintext handshake phase.  The data collection
   and processing workflow of this solution does not perform decryption,
   parsing, or storage of user encrypted communications.  Only publicly
   available handshake metadata is collected, without accessing the
   user-encrypted business data in transit.  Such transport layer
   behavioral characteristics have abundant mature application
   precedents in the IETF standards ecosystem, and are consistent with
   the application paradigm of traditional transport layer metadata
   mechanisms such as TCP options.

5.3.  Risk Control Against Misuse

   To prevent improper use or malicious abuse of the TLS fingerprint
   fields defined in this document, the following constraints and
   principles shall be strictly observed during the deployment and
   application of this mechanism:

   Legitimate use restrictions: This mechanism shall only be used for
   compliant network management scenarios, including but not limited to
   network operations, anomalous traffic detection, network fault
   troubleshooting, DDoS attack mitigation, and other legitimate
   business purposes.

   Prohibition of non-compliant use: This mechanism shall be strictly
   prohibited from being used in unauthorized, non-network-management
   scenarios such as cross-domain user tracking, user profiling, or
   individual behavior monitoring.

   Transmission access control: For TLS fingerprint data transmission
   based on the IPFIX protocol, communication privileges between
   collectors and exporters shall be restricted through mechanisms such
   as Access Control Lists (ACL) and authentication, so as to ensure
   transmission security.

   Data minimization: All collected traffic feature data shall strictly
   adhere to the data minimization principle.  Long-term storage of
   redundant or irrelevant traffic feature data is prohibited, so as to
   minimize potential security risks.

6.  IANA Considerations

   The document makes a request to IANA to register the Information
   Elements defined in section 4.





Gao, et al.             Expires 16 November 2026                [Page 7]

Internet-Draft  Information Element for terminal and app        May 2026


Authors' Addresses

   Xing Gao (editor)
   China Unicom
   Beijing
   China
   Email: gaox60@chinaunicom.cn


   Shuai Zhang
   China Unicom
   Beijing
   China
   Email: zhangs366@chinaunicom.cn


   Changwang Lin
   New H3C Technologies
   Beijing
   China
   Email: linchangwang.04414@h3c.com






























Gao, et al.             Expires 16 November 2026                [Page 8]
