Advanced NetFlow For Service Providers

Transcription

Advanced NetFlow for Service Providers
Aamer Akhter (aa@cisco.com)
Benoit Claise (bclaise@cisco.com)

Agenda
- Introduction
- NetFlow Version 9
- Interesting Features on Traditional NetFlow
- Flexible NetFlow
- NetFlow for Security
- NetFlow for Application Visibility
- NetFlow Performance

NetFlow – What is it?
- Developed and patented at Cisco Systems in 1996
- NetFlow is a standard for acquiring IP operational data
- Provides network and security monitoring, network planning, traffic analysis, and IP accounting
- IETF's IPFIX (RFC 5101) is based on NetFlow v9 (with changes)
- Network World article – NetFlow Adoption on the 005/0314nsm1.html

Key Concept — *Flow Scalability
- Packet capture is like a wiretap; *Flow is like a phone bill
- This level of granularity allows *Flow to scale for very large amounts of traffic
- We can learn a lot from studying the phone bill: who's talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
- *Flow is a form of telemetry pushed from the routers/switches — each one can be a sensor

Key Concept — *Flow Follows the Topology
- Network traffic is often asymmetrical, even on small networks
- Probes typically require engineered symmetry
- With *Flow there is no need to engineer the network around the instrumentation: we can follow traffic through the network over its natural path
- We can see pps, bps, packet size, QoS markings, TCP flags, etc. for specific apps/services at each point in the network
- We can validate traffic engineering, policy enforcement, etc. at any point in the topology, as long as *Flow is enabled

Why *Flow? Network Operator Benefits
- Understand productivity and utilization of assets in the network, application and network usage, and the impact of network changes and services
- NetFlow answers the who, what, when, where, and how of network traffic flows
- Detect and classify security incidents with proven threat defence
- Improve network usage and application performance

Principal *Flow Uses

Service Provider        | Enterprise
------------------------|---------------------------------------------------------------------------
Peering arrangements    | Internet access monitoring (protocol distribution, where traffic is going/coming)
Network planning        | User monitoring
Traffic engineering     | Application monitoring
Accounting and billing  | Chargeback billing for departments
Security monitoring     | Security monitoring
Performance monitoring  | Performance monitoring

Examples of Use

Customer challenge | Description                   | Problem situation                                                                                                                          | NetFlow resolution
Security           | Detect SQL Slammer on day one | Detrimental incapacity of servers                                                                                                          | NetFlow day-zero anomaly detection; cost savings of 7k in labor costs
Traffic analysis   | Bandwidth hog                 | Full circuit: sluggish network performance, single user application monopolizing network                                                   | Quickly tracked problem and saved 300 hours, 34k in labor costs
Traffic analysis   | Capacity planning             | Circuit 100% utilized: more servers and bandwidth added, slow network performance, users still complained, rented RMON probes didn't work | Cost savings of 126k in probe costs
                   | Capacity planning             | Poor network performance – low bandwidth: "we need more bandwidth"                                                                         | Tracked point of slowdown, saved 36k per year in circuits

NetFlow—nfdump and nfsen
Source: http://nfsen.sourceforge.net

NetFlow—Stager
Source: UNINETT

NetFlow—Stager (Cont.)
Source: UNINETT

NetFlow—Stager (Cont.)
Source: UNINETT

Arbor Peakflow SP — Application Distribution

Example—SQL Slammer

*Flow and SNMP
- All the *Flow protocols are essentially push technologies:
  - Information is sent asynchronously from the measurement node
  - Post-processing (aggregation) might be done on the router/switch
  - Information is exported and usually immediately expired
  - The NMS does not decide on the rate of information
- SNMP is a pull technology:
  - The NMS needs to decide when and how often to poll the device
  - The device may not retain information when polled
  - The device does not decide on the rate of information
  - Correlated information may require multiple transactions

BGP Accounting
- BGP accounting provides a way of getting prefix traffic information
- BGP prefixes are colored in one of X colors; each color has counters (bytes/packets) associated with it
- When traffic from/to a prefix is received/sent, the counters are incremented
- Easy form of aggregation – usually limited to 8 buckets
- Information is organized only around buckets; no additional information is provided

sFlow
- Created by InMon (sells sFlow collectors)
- sFlow v2, v4 and v5 (v2 and v4 deprecated)
- sFlow sits somewhere in between NFv8 and NFv9/IPFIX:
  - Extendable set of fields, called structures (fixed templates)
  - Sampling (sampling is a required part of sFlow)
- Supported by (generally switch vendors) Alcatel, Extreme, Force10, HP, Hitachi (*)
- Incompatible with NetFlow v9/IPFIX, but some collectors support both NFv9 and sFlow
(*) Complete list at sFlow.org

J-Flow / cflow
- J-Flow and cflowd are essentially NetFlow; NetFlow collectors will support J-Flow/cflow output
- J-Flow and cflow are terms used by Juniper (v5, v8, v9)
- cflow is the term used by Alcatel (v5, v8, v9)
- Implementations do not support flexible templates

NetStream
- NetStream comes in three formats: v5, v8 and v9, essentially mirroring NetFlow v5, v8 and v9
- Generally easily supported by NetFlow collectors; however, differences exist between NetStream v9 and NFv9:
  - e.g. NetFlow represents interfaces using ifIndex (standard MIB); NetStream represents them using a proprietary interface MIB
  - The collector needs to be explicitly told that a record is NetStream
- NetStream is supported by 3COM and Huawei
- Implementations do not support flexible templates

NetFlow
- v5, v8 and v9 export formats exist
- The IETF standard (IPFIX) is based on v9
- NetFlow v9 is documented in RFC 3954 (informational); lack of regulation has led to minor (and corrected) collisions in field identifiers (nProbe)
- Enjoys wide collector support; NFv9 collectors generally need minor tweaks to support IPFIX
- Supported by Cisco, Alcatel, Juniper (as J-Flow/cflow), Packeteer (v5), 3COM/Huawei (sort of), Riverbed, Adtran, Enterasys, with wide open-source support
- Cisco implementations support flexible templates, providing flexible reports down to the field level

IETF: IP Flow Information Export WG (IPFIX)
- IPFIX protocol specifications:
  - Changes in terminology, but the same NetFlow Version 9 principles (the IPFIX version field says '10')
  - Improvements vs. NetFlow v9: SCTP-PR, security, variable-length information elements, IANA registration, etc.
  - Generic streaming protocol, not flow-centric anymore
  - Security: threats are confidentiality, integrity, authorization; solution is DTLS on SCTP-PR; anonymization draft
- IPFIX information model:
  - Most NetFlow v9 information element IDs are kept
  - Proprietary information element specification

IETF: IP Flow Information Export WG (IPFIX)
- RFC 3954: Cisco Systems NetFlow Services Export Version 9
- RFC 3917: Requirements for IP Flow Information Export (gathers all IPFIX requirements for the IPFIX evaluation process)
- RFC 3955: Evaluation of Candidate Protocols for IPFIX
- RFC 5101: Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information
- RFC 5102: Information Model for IP Flow Information Export
- RFC 5103: "Bidirectional Flow Export using IP Flow Information Export (IPFIX)"

IPFIX: Interesting Drafts
- Export of Application Information in IPFIX: draft-claise-export-application-info-in-ipfix
- Exporting MIB Variables using the IPFIX Protocol: draft-johnson-ipfix-mib-variable-export
- Export of Structured Data in IPFIX: draft-ietf-ipfix-structured-data
- IP Flow Anonymisation Support: draft-ietf-ipfix-anon
- Information Elements for Flow Performance Measurement: draft-akhter-ipfix-perfmon

IETF: Packet Sampling WG (PSAMP)
- PSAMP is an effort to specify a set of selection operations by which packets are sampled, and to describe protocols by which information on sampled packets is reported to applications
- Sampling and filtering techniques for IP packet selection: to be compliant with PSAMP, at least one of the mechanisms must be implemented; sampled NetFlow and NetFlow input filters are already implemented
- PSAMP protocol specifications: agreed to use IPFIX as the export protocol
- Information model for packet sampling export: an extension of the IPFIX information model

In the olden times, a flow was defined by seven unique keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)
(Diagram labels: Traffic; Enable NetFlow; Interface; NetFlow Export Packets; Traditional Export & Collector GUI; New SNMP MIB; SNMP Poller. 2004 Cisco Systems, Inc. All rights reserved.)

NetFlow Processing Order
1. Pre-processing: packet sampling, filtering
2. Features and services: IP multicast, MPLS, IPv6
3. Post-processing: aggregation schemes, non-key fields lookup
4. Export

NetFlow Cache Example
1. Create and update flows in the NetFlow cache, keyed by the key fields (example cache entry for source 10.0.23.2)
2. Expiration. A flow is expired from the cache when:
   - the inactive timer expires (15 sec is the default)
   - the active timer expires (30 min is the default)
   - the NetFlow cache is full (the oldest flows are expired)
   - a TCP RST or FIN flag is seen
3. Aggregation (e.g. the protocol-port aggregation scheme)
4. Export version: non-aggregated flows use export version 5 or 9; aggregated flows use export version 8 or 9
5. Transport protocol (UDP, SCTP)
Export packet: header + payload (flows)
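An added example (not from the slides): a small Python model of the cache mechanics above, keyed by the seven traditional key fields and applying the four expiry rules (inactive timer, active timer, cache full, TCP RST/FIN). The packet dicts, the `expiry_reasons` helper and the sample traffic are this example's own assumptions.

```python
from collections import OrderedDict

TCP, FIN, RST = 6, 0x01, 0x04  # IP protocol number and TCP flag bits used below

class FlowCache:
    def __init__(self, max_flows=1000, inactive=15, active=30 * 60):
        self.cache = OrderedDict()  # key -> record; insertion order doubles as age
        self.max_flows, self.inactive, self.active = max_flows, inactive, active
        self.exported = []          # expired records handed to the export process

    @staticmethod
    def key(pkt):  # the seven keys that defined a flow in traditional NetFlow
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                pkt["proto"], pkt["tos"], pkt["ifindex"])

    def _expire(self, key, reason):
        rec = self.cache.pop(key)
        rec["reason"] = reason
        self.exported.append(rec)

    def run_timers(self, now):  # inactive timer (idle flow) and active timer (long-lived flow)
        for key, rec in list(self.cache.items()):
            if now - rec["last"] >= self.inactive:
                self._expire(key, "inactive")
            elif now - rec["first"] >= self.active:
                self._expire(key, "active")

    def packet(self, pkt, now):
        self.run_timers(now)
        k = self.key(pkt)
        rec = self.cache.get(k)
        if rec is None:
            if len(self.cache) >= self.max_flows:  # cache full: the oldest flow is expired
                self._expire(next(iter(self.cache)), "full")
            rec = self.cache[k] = {"key": k, "first": now, "last": now, "pkts": 0, "bytes": 0}
        rec["last"], rec["pkts"], rec["bytes"] = now, rec["pkts"] + 1, rec["bytes"] + pkt["len"]
        if pkt["proto"] == TCP and pkt.get("flags", 0) & (FIN | RST):
            self._expire(k, "fin/rst")  # session torn down: export without waiting for timers

def sample_packets():
    """Constructed (packet, arrival time in seconds) pairs: several hosts to one web server."""
    def mk(src, sport, flags=0):
        return {"src": src, "dst": "10.0.0.5", "sport": sport, "dport": 80, "proto": TCP,
                "tos": 0, "ifindex": 1, "len": 60, "flags": flags}
    return [(mk("10.0.23.2", 1024), 0), (mk("10.0.23.2", 1024), 5), (mk("10.0.23.3", 2000), 6),
            (mk("10.0.23.2", 1024, FIN), 8), (mk("10.0.23.4", 3000), 10),
            (mk("10.0.23.5", 4000), 12), (mk("10.0.23.4", 3000), 40)]

def expiry_reasons(packets, **cache_args):
    """Replay packets through a cache; return (src, pkts, reason) for each exported flow."""
    fc = FlowCache(**cache_args)
    for pkt, t in packets:
        fc.packet(pkt, t)
    fc.run_timers(packets[-1][1] + 3600)  # final sweep so every remaining flow is exported
    return [(r["key"][0], r["pkts"], r["reason"]) for r in fc.exported]
```

Running the same packets with a tiny cache (`max_flows=2`) or a short active timer (`active=7`) shows the "full" and "active" expiry paths that the default timers never reach on such a short trace.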

Extensibility and Flexibility Requirements: Phased Approach
- Traditional NetFlow with the v5 or v8 NetFlow export: really needed something flexible and extensible
- Phase one: NetFlow Version 9 (exporting process). Advantages: extensibility; integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.); integrate new aggregations quicker
- Phase two: Flexible NetFlow (metering process). Advantages: cache and export content flexibility; user selection of flow keys; user definition of the records

NetFlow Open Source Tools

Product name    | Primary use              | Comment                                   | OS
----------------|--------------------------|-------------------------------------------|------------------------
Cflowd          | Traffic analysis         | No longer supported; v5, v8               | UNIX
Flow-tools      | Collector device         | v5, v8, v9 (only old fields)              | UNIX
Flowd           | Collector device         | v5, v7, and v9                            | BSD, Linux
FlowScan        | Reporting for Flow-tools | -                                         | UNIX
IPFlow          | Traffic analysis         | Supports v9, IPv4, IPv6, MPLS, SCTP, etc. | Linux, FreeBSD, Solaris
NetFlow Guide   | Reporting tools          |                                           |
NetFlow Monitor | Traffic analysis         | Supports v9                               | UNIX
Netmet          | Collector device         | v5, supports v9                           | Linux
NTOP            | Security monitoring      | v9                                        | UNIX
Stager          | Reporting for Flow-tools |                                           | UNIX
Nfdump/nfsen    | Traffic analysis         | v5, v7, v9                                | BSD, Linux
Different costs: implementation and customization

NetFlow v9

NetFlow Version 9 Export Packet
- Header
- Template FlowSet: template records (Template ID #1, Template ID #2), each giving the specific field types and lengths of Template 1 and Template 2
- Data FlowSets (FlowSet ID #1, FlowSet ID #1, ...): field values, laid out according to the template whose ID the FlowSet ID names

NetFlow Version 9 Export Packet: Options Template FlowSet
- Specifies the scope: cache, system, template, etc.
- Header; Options Template FlowSet containing an Options Template Record (Template ID #3: specific scope, field types and lengths); Data FlowSet with FlowSet ID #3 carrying Option Data Records (field values)
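An added example (not from the slides): building and decoding a NetFlow v9 export packet with one template FlowSet and one data FlowSet in Python. The field type numbers are RFC 3954 values; the template layout, the sample flows and the function names are this example's own assumptions, and options templates (FlowSet ID 1) are skipped rather than decoded.

```python
import struct
from ipaddress import IPv4Address
# RFC 3954 field type numbers used by the constructed template (assumed subset)
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
               4: "protocol", 2: "packets", 1: "bytes"}
ADDR_TYPES = (8, 12)  # IPv4 address fields, decoded to dotted quad
def build_v9_packet(template_id, fields, records, source_id=1):
    """Header + template FlowSet (ID 0) + one data FlowSet (ID = template_id)."""
    tpl = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        tpl += struct.pack("!HH", ftype, flen)
    template_flowset = struct.pack("!HH", 0, 4 + len(tpl)) + tpl
    data = b""
    for rec in records:
        for ftype, flen in fields:
            val = rec[FIELD_NAMES[ftype]]
            data += IPv4Address(val).packed if ftype in ADDR_TYPES else int(val).to_bytes(flen, "big")
    pad = (-len(data)) % 4  # FlowSets are padded to a 32-bit boundary
    data_flowset = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    # header: version 9, record count, sysUptime, unix secs, sequence number, source ID
    header = struct.pack("!HHIIII", 9, 1 + len(records), 1000, 1234567890, 1, source_id)
    return header + template_flowset + data_flowset

def parse_v9_packet(pkt, templates=None):
    """Decode one export packet. Templates are cached per (source ID, template ID),
    since a data FlowSet is only decodable once the matching template has been seen."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9: raise ValueError("not a NetFlow v9 packet")
    flows, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4: break  # malformed length: stop rather than loop forever
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet, possibly several template records
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                spec = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = spec
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:  # data FlowSet with a known template
            spec = templates[(source_id, fs_id)]
            rec_len, p = sum(flen for _, flen in spec), 0
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec, q = {}, p
                for ftype, flen in spec:
                    raw = body[q:q + flen]
                    rec[FIELD_NAMES.get(ftype, ftype)] = str(IPv4Address(raw)) if ftype in ADDR_TYPES else int.from_bytes(raw, "big")
                    q += flen
                flows.append(rec)
                p += rec_len
        off += fs_len  # options templates (ID 1) and data for unknown templates are skipped
    return flows
```

A collector that restarts loses its template cache and must silently drop data FlowSets until the exporter resends the template, which is the operational reason the slides stress reliable template delivery.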

Interesting Features on Traditional NetFlow

Multicast & NetFlow
- Multicast NetFlow ingress: sees the incoming mcast flow; fan-out is not represented, as there are multiple output interfaces; byte counts do not include replication
- Multicast NetFlow egress: sees outgoing multicast packets; fan-out is represented by multiple cache entries (one per output interface)
- New fields represent the size of the OIL (output interface list)
- Display the multicast data that fails the Reverse Path Forwarding (RPF) check
- No NetFlow export over multicast

IPv6 and NetFlow
- New NetFlow fields represent IPv6 header fields; needs NFv9 to export
- Lack of IPv6-capable NetFlow collectors (chicken-or-egg situation); currently need to export records about IPv6 via IPv4
- A flow is either IPv4 or IPv6! Separate metering and export for v4 vs. v6, otherwise export bandwidth is wasted

NetFlow Reliable Export with SCTP
- SCTP: stream control transport protocol (RFC 4960): reliable data transfer; congestion control and avoidance; multihoming support; one association supports multiple streams
- SCTP-PR: SCTP partially reliable (RFC 3578): three modes of reliability: reliable, partially reliable, unreliable
- Advantages: (Options) templates sent reliably
- Backup options: fail-over mode (open the backup connection when the primary fails); redundant mode (open the backup connection in advance and already send the templates)
Note: "An Introduction to SCTP", RFC 3286

NetFlow Reliable Export with SCTP (diagram labels: Security/Monitoring; SCTP Backup: Fail-Over; SCTP Backup: Redundant Mode; Destination Prefix Aggr.)

Flexible NetFlow

Typical NetFlow Deployment (diagram labels: NetFlow for Monitoring; NetFlow for Security; NetFlow for Core Traffic Matrix; Managed Services: Application Visibility; ISP: NetFlow for Peering; Interesting Features on Traditional NetFlow)

Flexible NetFlow: High-Level Concepts and Advantages
- The Flexible NetFlow feature allows user-configurable NetFlow record formats, selecting from a collection of fields: key, non-key, counter, timestamp
- Advantages:
  - Tailor a cache for specific applications not covered by the existing 21 NetFlow features in traditional NetFlow
  - Different NetFlow caches: per subinterface, per direction (ingress, egress), per sampler, per
  - Better scalability, since flow record customization for a particular application reduces the number of flows to monitor

Flexible NetFlow: Multiple Monitors with Unique Key Fields
Traffic: Packet 1 is metered by two flow monitors with different key fields.

Flow Monitor 1 (traffic analysis cache)
  Key fields: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0
  Non-key fields: Packets, Bytes, Timestamps, Next Hop Address
  Cache entry: Source IP 3.3.3.3 | Dest. IP 2.2.2.2 | 23 | 22078 | 6 | 0 | Input I/F E0 | Pkts 1100

Flow Monitor 2 (security analysis cache)
  Key fields: Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0
  Non-key fields: Packets, Timestamps
  Cache entry: Source IP 3.3.3.3 | Dest. IP 2.2.2.2 | Input I/F E0 | Flag 0 | Pkts 11000

Flexible NetFlow Model
- A single record per monitor
- Potentially multiple monitors per interface
- Potentially multiple exporters per monitor
(Diagram labels: Interface; Monitor "A", Monitor "B", Monitor "C"; Record "X", Record "Y", Record "Z"; Exporter "M", Exporter "N")

Flexible Flow Record: Key Fields

Flow: Sampler ID, Direction, Interface, Source VLAN, Destination VLAN, Source MAC address, Destination MAC address
IPv4: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Fragmentation Flags, Fragmentation Offset, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TOS, DSCP, Version
IPv6: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length

Flexible Flow Record: Key Fields (continued)

Routing: src or dest AS, Peer AS, Traffic Index, Forwarding Status, IGP Next Hop, BGP Next Hop, Input VRF Name (NEW)
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer (NEW), UDP Message Length, UDP Source Port, UDP Destination Port
TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG
Application: Application ID*
Multicast: Replication Factor*, RPF Check Drop*, Is-Multicast*
*: IPv4 flow only

Flexible Flow Record: Non-Key Fields

Counters: Bytes, Bytes Long, Bytes Square Sum, Bytes Square Sum Long, Packets, Packets Long
Timestamp: sysUpTime First Packet, sysUpTime Last Packet
IPv4: Total Length Minimum (*), Total Length Maximum (*), TTL Minimum, TTL Maximum
IPv4 and IPv6: Total Length Minimum (**), Total Length Maximum (**)
Plus any of the potential "key" fields: the value will be that of the first packet in the flow
(*) IPV4 TOTAL LEN MIN, IPV4 TOTAL LEN MAX
(**) IP LENGTH TOTAL MIN, IP LENGTH TOTAL MAX

Three Types of NetFlow Caches
- Normal cache (traditional NetFlow): more flexible active and inactive timers, one second minimum
- Immediate cache: the flow accounts for a single packet; desirable for real-time traffic monitoring, DDoS detection, logging; desirable when only very small flows are expected (e.g. sampling); caution: may result in a large amount of export data
- Permanent cache: to track a set of flows without expiring the flows from the cache; the entire cache is periodically exported (update timer); after the cache is full (size configurable), new flows will not be monitored; uses update counters rather than delta counters

NetFlow Deployment Scenarios
- NetFlow for Core Traffic Matrix: standard seven keys, source/destination AS, IP addresses (src/dest), BGP next hop, protocols, DSCP
- Security flow monitor: protocol, ports, IP addresses, TCP flags
- Managed service, application visibility (server flow monitor): IP addresses, application, DSCP
- ISP peering flow monitor: destination AS, source traffic index, BGP next hop, DSCP

NetFlow and Capacity Planning

The Core Traffic Matrix: Traffic Engineering and Capacity Planning
(Diagram labels: Paris POP, Rome POP, London POP, Munich POP; ISP-1, ISP-2; SLA; Source, Destination; Business Critical Traffic, Best Effort Traffic)

Entry point vs. exit point (Mb/s):
                    | Rome exit | Paris exit | London exit | Munich exit
Rome entry point    | NA (*)    | Mb/s       | Mb/s        | Mb/s
Paris entry point   | Mb/s      | NA (*)     | Mb/s        | Mb/s
London entry point  | Mb/s      | Mb/s       | NA (*)      | Mb/s
Munich entry point  | Mb/s      | Mb/s       | Mb/s        | NA (*)
(*) Potentially local exchange traffic

Core Capacity Planning: the Big Picture
1. The ability to offer SLAs is dependent upon ensuring that core network bandwidth is adequately provisioned
2. Adequate provisioning (without gross overprovisioning) is dependent upon accurate core capacity planning
3. Accurate core capacity planning is dependent upon understanding the core traffic matrix and flows, and mapping these to the underlying topology
4. A tool for what-if scenarios

BGP Next Hop TOS Aggregation: Typical Example
(Diagram labels: AS1 customers; AS2, AS3, AS4, AS5; PE routers around an MPLS core, or an IP core with BGP routes only; PoPs; Server Farm 1, Server Farm 2; customers)
- Internal traffic: PE to PE
- External traffic matrix: PE to BGP AS

NetFlow BGP Next Hop TOS Aggregation: Flow Keys
Key fields (uniquely identify the flow): Origin AS, Destination AS, Inbound Interface, Output Interface, ToS/DSCP (*), BGP Next Hop
Additional export fields: Flows, Packets, Bytes, First SysUptime, Last SysUptime
(*) Before any recoloring

Core Traffic Matrix with Flexible NetFlow
Key fields (uniquely identify the flow): Origin AS, Destination AS, Inbound Interface, Output Interface, ToS/DSCP (*), BGP Next Hop
Additional export fields: Flows, Packets, Bytes, First SysUptime, Last SysUptime
- Fewer flow records, less CPU impact
- Potentially choose a higher sampling rate for better accuracy
(*) Before any recoloring

NetFlow and Security Analysis

What Does a DoS Attack Look Like?
Router# show ip cache flow
(Output columns: SrcIf, SrcIPaddress, SrcP, SrcAS, DstIf, DstIPaddress, DstP, DstAS, Pr, Pkts, B/Pk. The listed flows share SrcAS aaa and DstAS bbb, and every one of them shows Pr 6, Pkts 1, B/Pk 40; the remaining values are garbled in the transcription.)
Typical DoS attacks have the
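An added example (not from the slides): a defender-side check in Python over `show ip cache flow` output for the pattern above, many single-packet TCP flows from many different sources converging on one destination. The sample output is constructed in the usual IOS column layout (Pr, SrcP and DstP printed in hex) with documentation addresses, and the thresholds are assumptions to be tuned per link.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip cache flow" output (IOS prints Pr, SrcP and DstP in hex).
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         203.0.113.69    Et0/1         198.51.100.5    06 0400 0050     1
Et0/0         203.0.113.222   Et0/1         198.51.100.5    06 04D2 0050     1
Et0/0         203.0.113.108   Et0/1         198.51.100.5    06 0401 0050     1
Et0/0         203.0.113.29    Et0/1         198.51.100.5    06 0402 0050     1
Et0/0         203.0.113.77    Et0/1         198.51.100.5    06 0403 0050     1
Et0/0         192.0.2.7       Et0/1         198.51.100.5    06 C1A4 0050    35
Et0/0         192.0.2.8       Et0/1         198.51.100.9    06 C1A5 01BB   120
Et0/0         192.0.2.9       Et0/1         198.51.100.9    11 0035 D431     2
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                     r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")

def parse_cache_flow(text):
    """Turn flow lines into dicts; header and summary lines do not match and are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = m.groups()
        flows.append({"src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
                      "proto": int(pr, 16), "sport": int(sp, 16), "dport": int(dp, 16),
                      "pkts": int(pkts)})
    return flows

def flag_flood_targets(flows, min_sources=4, min_share=0.5):
    """Destinations where single-packet TCP flows from many distinct sources dominate the
    cache entries. Thresholds are assumptions; tune them to the link's normal traffic."""
    per_dst = defaultdict(lambda: {"sources": set(), "single": 0, "total": 0})
    for f in flows:
        d = per_dst[f["dst"]]
        d["total"] += 1
        if f["proto"] == 6 and f["pkts"] == 1:  # one TCP packet per flow, as unanswered SYNs look
            d["single"] += 1
            d["sources"].add(f["src"])
    alerts = {}
    for dst, d in per_dst.items():
        share = d["single"] / d["total"]
        if len(d["sources"]) >= min_sources and share >= min_share:
            alerts[dst] = {"sources": len(d["sources"]), "single_packet_flows": d["single"],
                           "share": round(share, 2)}
    return alerts
```

On a collector the same logic runs over exported records rather than CLI text, and the immediate cache described earlier is the natural feed for it, since each single-packet flow is exported without waiting for a timer.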
