Implementing IPFIX - PowerPoint PPT Presentation

About This Presentation
Title:

Implementing IPFIX

Description:

http://www.ist-scampi.org/ Implementation Overview ... http://www.ist-scampi.org/ Vendor-Specific Extensions ... http://www.ist-scampi.org/ IPFIX Evaluation ... – PowerPoint PPT presentation

Number of Views:167
Avg rating:3.0/5.0
Slides: 8
Provided by: KevinM164
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: Implementing IPFIX


1
Implementing IPFIX
  • Luca Deri ltluca.deri_at_netikos.comgt
  • NETikos S.p.A.

2
Implementation Overview
  • This work evaluated the effort required to
    implement IPFIX starting from NetFlow v9 because
  • NetFlow is the leading protocol for flow-based
    measurements.
  • This is a reasonable scenario at least for the
    early days of IPFIX.
  • Implementing IPFIX basically means
  • Provide support for vendor-specific (I.e. non
    IETF) field types.
  • Add SCTP support.

3
Vendor-Specific Extensions
  • Vendor-specific fields are defined using a PEN
    (IANA enterprise number) and a numeric field.
  • As templates and flows are slightly different
    from IETF-defined fields this requires the
    implementation of additional logic inside the
    IPFIX applications.
  • Suggestion IETF should unify the template format
    using an unique format for both IETF and
    vendor-specific fields.

4
SCTP Support
  • It is a shift from connection-less to
    connection-oriented protocols.
  • Little coding is necessary for supporting the
    protocol per-se.
  • Reduce template traffic they are sent at the
    beginning or in case of reconnection.
  • Major code changes the probe supports multiple
    collectors it is necessary to resend the
    templates per-connection (i.e. only when its
    necessary).

5
SCTP Issues
  • Flows are (often) acknowledged (almost)
    immediately increasing significantly the network
    traffic. This amplifies problems in some
    situations (e.g. in case of DoS attacks).
  • SCTP is supported only on a few platforms and
    there are no plans to support it in Windows or
    network equipment. This could limit the usage of
    IPFIX at least in its early days.
  • Unclear how reliable/robust is SCTP and how it
    behaves in production environments (network
    attacks?).

6
IPFIX Evaluation
  • IPFIX Evaluation
  • Its basically a standard NetFlow (thats both
    good and bad).
  • Very little innovation after 10 years of
    flow-based measurement.
  • Major IPFIX limitations are
  • No dynamic templates static templates push
    people to define a super-template that contains
    everything even if only a few fields are used.
  • Ability to define flows but not flow headers.
  • Still based on the concept of flow-packet even
    with SCTP.
  • One-way protocol (probe-gtcollector) no support
    for configuration, monitoring, and error
    reporting (e.g. via SNMP like sFlow does).
  • Too tight to NetFlow will IPFIX be able to grow
    and evolve without Ciscos blessing?

7
IPFIX Feedback
  • Written Internet Draft about IPFIX implementation
    experience.
  • Implemented IPFIX support in both probe and
    collector (ntop).
  • Availability http//www.ntop.org/
Write a Comment
User Comments (0)
About PowerShow.com