from netflow to ipfix
play

From NetFlow to IPFIX the evolution of IP flow information export - PowerPoint PPT Presentation

May 11, 2023 •131 likes •316 views

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

  1. From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007

  2. What is IPFIX? • Emerging IETF standard for flexible export of IP flow data from routers or other metering processes. • Defines – a rich, easily extensible information model, – a template-driven data representation, – and a unidirectional protocol for export of IP flow data over a variety of transport protocols. • Does not define specific requirements for flow assembly, flow key selection, etc. October 15, 2007 NANOG 41 - Albuquerque 2

  3. History and Motivation • IETF IPFIX working group started in 2001 to define a standard flow export protocol. • Selected Cisco NetFlow V9 as a basis for this new protocol. – Evolution of previous NetFlow versions. – Added templates for flexible data definition. • Developed protocol from this basis to meet defined requirements. – IPFIX information model is maintained as a superset of V9 information model, but otherwise the two are not directly interoperable without message translation. October 15, 2007 NANOG 41 - Albuquerque 3

  4. Representation • Templates in the message stream describe the data sets. • Allows flexible and efficient representation of flows on the wire. message message template template data data data A B A1 B1 A2 October 15, 2007 NANOG 41 - Albuquerque 4

  5. Information model • The information model supports reporting a wide variety of information elements: – “Five-tuple” (IPv4, IPv6) and standard counters – Packet treatment: e.g., routed next hop and AS – Detailed counters: e.g., sum of squares, flag counters – Timestamps down to nanosecond resolution – Any ICMP, TCP, UDP header field – Layer 2, VLAN, MPLS, and other sub-IP information • Flow keys are not limited to specific information elements. • New IEs registered with IANA. • Enterprise-specific IEs for private extensions. October 15, 2007 NANOG 41 - Albuquerque 5

  6. Comparison to sFlow • sFlow is a packet sampling protocol – Intended for many of the same applications as NetFlow and IPFIX. – Use of packet sampling instead of flow assembly reduces state overhead on measurement device. – Analogous to PSAMP, which extends IPFIX for export of sampled packet data. • Both provide flexible export, but… – sFlow provides message types for flexibility, – IPFIX provides templates and information elements: – IPFIX allows definition of novel message types on the fly. October 15, 2007 NANOG 41 - Albuquerque 6

  7. Status • It’s taken longer than we’d thought, but we’re nearly done… • Core IPFIX protocol documents completed in 2006, (probably) to be published as RFCs in 2007. • Working group continuing to define extensions to and applications of the protocol. – Bidirectional flow export – Redundancy reduction for export efficiency – Flow storage and File-based interoperability – MIB and XML-based configuration for IPFIX devices – etc… • Implementations tracking the draft standard available now. October 15, 2007 NANOG 41 - Albuquerque 7

  8. Bidirectional Flow Export • Bidirectional flow (biflow) metering and analysis is applicable to several use cases: – data reduction – separation of “answered” traffic from unanswered – full reconstruction of TCP sessions • The IPFIX protocol has no direct support for single-record export of bidirectional flows (biflows). • This extension allows “reversal” of any element within the Information Model for biflow export. • To be published as an RFC this year. October 15, 2007 NANOG 41 - Albuquerque 8

  9. Reducing Redundancy • Technique for bandwidth-saving information export – Separates the export of flow records such that attributes common to several flow records are sent only once. – Links common flow properties to specific properties with a unique identifier. • To be published as an RFC this year. October 15, 2007 NANOG 41 - Albuquerque 9

  10. Flow Storage • Many analysis tools interoperate not via direct communication, but via file exchange. – exchange available via a variety of transport methods (HTTP, FTP, SSH+SCP, SMTP+MIME, etc., etc.) – files support a variety of useful operations (compression, encryption, etc.) – files are a natural unit of grouping related flow data (e.g. a single security incident or query result). • Existing de-facto standard for flow storage: NetFlow PDU files – Not extensible for data fields not in NetFlow. October 15, 2007 NANOG 41 - Albuquerque 10

  11. Flow Storage: IPFIX as basis • IPFIX defines a template-driven data representation and a rich, easily extensible information model, so : • Ideal basis for a flow storage format – Extensible and self-describing, unlike V5 PDU files – Adequate semantic flexibility for flow data without overhead of e.g. XML. – Additional applicability to IPFIX (or NetFlow V9) collection infrastructures. October 15, 2007 NANOG 41 - Albuquerque 11

  12. IPFIX Files • An IPFIX file is any serialized stream of IPFIX Messages. – Alternately, a “file transport” for IPFIX. • Provides a set of extensions: – File contents – Error detection and recovery – Extended type information for enterprise-specific information elements. • To be published as an RFC in 2008. October 15, 2007 NANOG 41 - Albuquerque 12

  13. IPFIX Implementations (1) • YAF (Yet Another Flowmeter) – takes packets from the wire or libpcap dumpfiles. – writes IPFIX Files or exports IPFIX Messages. – supports bidirectional flow export. • SiLK (System for Internet Level Knowledge) – large-scale flow storage and command-line analysis suite. – supports NetFlow V5 and IPFIX flow collection. – can analyze IPFIX Files directly, as well. • libfixbuf: an IPFIX library in C – Used by YAF and SiLK • Available from http://tools.netsa.cert.org/ October 15, 2007 NANOG 41 - Albuquerque 13

  14. IPFIX Implementations (2) • OpenIMP – provides metering processes, export/collection, and analysis tools. – specifically focused on active and passive quality of service measurement. – available from http://www.ip-measurement.org/openimp/ • libipfix: another IPFIX library in C – supports Reducing Redundancy extension – supports IPFIX File and mysql storage – used by OpenIMP – available from http://meteor.fokus.fraunhofer.de/libipfix/ October 15, 2007 NANOG 41 - Albuquerque 14

  15. IPFIX Implementations (3) • Versatile Monitoring Toolkit (VERMONT) – provides metering processes, export/collection, and monitoring tools. – implements IPFIX and related PSAMP (packet sampling) protocol. – available from http://vermont.berlios.de/ • ntop – web-based traffic measurement application – acts as IPFIX collecting process – available from http://www.ntop.org/ October 15, 2007 NANOG 41 - Albuquerque 15

  16. FIN • IPFIX is an emerging standard for flexible flow export, representation, and storage. – For those who want to follow the progress: – http://tools.ietf.org/wg/ipfix - WG tools page – http://www.ietf.org/html.charters/ipfix-charter.html • Implementations available now – IPFIX interoperability events in July ‘05, March ‘06, and November ‘06 so far. October 15, 2007 NANOG 41 - Albuquerque 16

  17. Questions? • ask now • or later: bht@cert.org elisa.boschi@hitachi-eu.com October 15, 2007 NANOG 41 - Albuquerque 17

Recommend

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

916 views • 57 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05 Atsushi Kobayashi, Benoit Claise, Gerhard Munz, Keisuke Ishibashi 1 History Submitted -04 version on October 2009. Received comments from

332 views • 8 slides
An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01 http://www.ietf.org/internet-drafts/draft-trammell-ipfix-file-01.txt Brian Trammell, Elisa Boschi, Lutz Mark, Tanja Zseby Tuesday, July 11, 2006 IETF 66 - Montral, Qubec, Canada The

318 views • 6 slides
IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004 <draft-ietf-ipfix-protocol-06.txt> Benoit Claise <bclaise@cisco.com> Stewart Bryant <stbryant@cisco.com> Mark Fullmer <maf@eng.oar.net> Ganesh

265 views • 13 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00 http://www.ietf.org/internet-drafts/draft-ietf-ipfix-biflow-00.txt Brian Trammell <bht@cert.org> Elisa Boschi <elisa.boschi@hitachi-eu.com> Thursday, November 9, 2006

140 views • 12 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby

Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby

Standardization Activities (IPFIX, PSAMP) Standardization Activities (IPFIX, PSAMP) Tanja Zseby IP Flow Information Export (IPFIX) IP Flow Information Export (IPFIX) Goal: Find or develop a protocol for exporting IP traffic flow information

398 views • 10 slides
Configuration Data Model for IPFIX and PSAMP draft-ietf-ipfix-configuration-model-04 Gerhard

Configuration Data Model for IPFIX and PSAMP draft-ietf-ipfix-configuration-model-04 Gerhard

Configuration Data Model for IPFIX and PSAMP draft-ietf-ipfix-configuration-model-04 Gerhard Mnz, Benoit Claise, Paul Aitken 76th IETF Meeting, Hiroshima, 2009 Changes in -04 Additional information in UML class diagrams:

175 views • 6 slides
Reporting Equivalent IPFIX Information Elements draft-aitken-ipfix-equivalent-ies-00 Paul Aitken

Reporting Equivalent IPFIX Information Elements draft-aitken-ipfix-equivalent-ies-00 Paul Aitken

Reporting Equivalent IPFIX Information Elements draft-aitken-ipfix-equivalent-ies-00 Paul Aitken 86th IETF Meeting, Orlando, 2013 Problem to be solved An Exporting Process is changed to export IANA standard Information Elements rather than

367 views • 5 slides
IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network

IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network

IPFIX/PSAMP: IPFIX/PSAMP: What Future Standards Can What Future Standards Can Offer to Network Security Offer to Network Security Tanja Zseby, Elisa Boschi, Thomas Hirsch, Lutz Mark zseby@fokus.fhg.de Measurement Requirements for Network

332 views • 19 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van Vliet, Aiko Pras Design and Analysis of Communication Systems University of Twente, The Netherlands NMRG Workshop on Netflow/IPFIX Usage in Network

592 views • 21 slides
Export of Structured Data in IPFIX IETF-77 March 23rd, 2010 IETF-77 March 23rd, 2010

Export of Structured Data in IPFIX IETF-77 March 23rd, 2010 IETF-77 March 23rd, 2010

Export of Structured Data in IPFIX IETF-77 March 23rd, 2010 IETF-77 March 23rd, 2010 <draft-ietf-ipfix-structured-data-01.txt> Gowri Dhandapani, Paul Aitken, Stan Yates, Benoit Claise 1 . New in this Version How to encode a

499 views • 11 slides
Applying IPFIX to Network Measurement and Management presented

Applying IPFIX to Network Measurement and Management presented

Applying IPFIX to Network Measurement and Management presented by Brian Trammell and Benoit Claise Sunday 28 July 2013 IETF 87 Berlin, Germany

1.03k views • 77 slides

More recommend