
Background

Michael Bolli edited this page Oct 28, 2018 · 1 revision

History

Developed at Cisco in 1996, NetFlow answers the who, what, when, where, and how of network traffic, and it has become the industry's primary technology for network accounting and anomaly detection. In 2003, Cisco NetFlow Version 9 was chosen as the basis for a proposed IETF standard called IP Flow Information Export (IPFIX). IPFIX defines the format in which IP flow information is transferred from an exporter, such as a Cisco router, to a collector application that analyses the data. “You can think of NetFlow as a form of telemetry pushed from routers and Layer 3 switches, each one acting as a sensor” (Cisco Systems, 2004).

NetFlow

As per Wikipedia (NetFlow: Wikipedia, 2017), NetFlow is a feature introduced on Cisco routers that provides the ability to collect IP network traffic metadata as it enters or exits an interface (the observation point). By analysing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, the class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:

  • NetFlow exporter: aggregates packets into flows and exports flow records to one or more NetFlow collectors
  • NetFlow collector: receives, stores and pre-processes the flow data received from a flow exporter
  • Analysis application: analyses the stored flow data

Illustration 1: NetFlow Architecture (NetFlow: Wikipedia, 2017). Image by Amp 32, own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=21685577

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records to at least one NetFlow collector. The informational RFC 3954 (Cisco Systems NetFlow Services Export Version 9) defines 79 field types for NetFlow v9. NetFlow records are traditionally exported via the User Datagram Protocol (UDP) and collected with a NetFlow collector. The IP address of the NetFlow collector and the destination UDP port must be configured on the sending router; the standard UDP port is 2055. Modern implementations of NetFlow use the Stream Control Transmission Protocol (SCTP) to export packets and provide some protection against packet loss. TCP would not be suitable for NetFlow, because a strict ordering of packets would cause excessive buffering and delays.

IPFIX

As per Wikipedia (IP Flow Information Export: Wikipedia, 2017), Internet Protocol Flow Information Export (IPFIX) is an IETF protocol. It was created out of the need for a common, universal standard for exporting Internet Protocol flow information from routers, probes and other devices, which is used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing. The IPFIX standard defines how IP flow information is to be formatted and transferred from an exporter to a collector. Previously, many data network operators relied on Cisco Systems' proprietary NetFlow technology for traffic flow information export. Cisco NetFlow Version 9 was the basis for IPFIX. The basic specifications for IPFIX are documented in RFC 7011 through RFC 7015, and RFC 5103.

Similar to the NetFlow Protocol, IPFIX considers a flow to be any number of packets observed in a specific timeslot and sharing a number of properties, e.g. “same source, same destination, same protocol”. Using IPFIX, devices like routers can inform a central monitoring station about their view of a potentially larger network.

IPFIX defines the same 79 fields as the last version of NetFlow (v9), but extends the number of basic fields to 238. The exporter is also free to use user-defined data types, which makes the protocol freely extensible and lets it adapt to different scenarios, allowing anything to be exported.
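The NetFlow section above describes the v9 export packet (header, template FlowSets, data FlowSets, UDP port 2055) and this section describes IPFIX as the standardised successor with the same basic field numbers. The following parser, added here as an example and not code from the original page or from any project the page describes, decodes both formats from the wire: a version 9 packet with the 20-byte RFC 3954 header and template FlowSet ID 0, and a version 10 packet with the 16-byte RFC 7011 header and template set ID 2. It goes slightly beyond the text by also handling IPFIX enterprise-specific Information Elements. The field names (`in_bytes`, `src_addr`, ...) and the sample packets built by `build_sample_packet` are assumptions constructed for the example, not values from the page.

```python
import struct
from ipaddress import IPv4Address

# Field type numbers from RFC 3954 (NetFlow v9); IPFIX (RFC 7012) keeps the same
# numbers for these basic Information Elements. Names are this example's own.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def _decode_field(field_id, raw):
    if field_id in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))          # IPv4 address fields
    return int.from_bytes(raw, "big")         # everything else: big-endian int


def _parse_templates(body, version):
    """Decode the records of one template set (v9 FlowSet 0 / IPFIX set 2)."""
    templates, pos = {}, 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if template_id == 0:                  # zero padding at end of set
            break
        fields = []
        for _ in range(field_count):
            field_id, field_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if version == 10 and field_id & 0x8000:
                # IPFIX enterprise-specific element: 4-byte enterprise number follows
                pen = struct.unpack_from("!I", body, pos)[0]
                pos += 4
                field_id = (pen, field_id & 0x7FFF)
            fields.append((field_id, field_len))
        templates[template_id] = fields
    return templates


def _parse_data_records(body, template):
    """Decode fixed-length records (IPFIX variable-length fields are not handled)."""
    record_len = sum(length for _, length in template)
    records, pos = [], 0
    while record_len and pos + record_len <= len(body):
        record = {}
        for field_id, length in template:
            name = FIELD_NAMES.get(field_id, f"field_{field_id}")
            record[name] = _decode_field(field_id, body[pos:pos + length])
            pos += length
        records.append(record)
    return records


def parse_flow_export(data):
    """Parse one NetFlow v9 (version 9) or IPFIX (version 10) export packet.
    Data sets whose template has not been seen yet are skipped, as a collector must."""
    version = struct.unpack_from("!H", data, 0)[0]
    if version == 9:
        count, uptime, secs, seq, source_id = struct.unpack_from("!HIIII", data, 2)
        header = {"version": 9, "count": count, "sys_uptime_ms": uptime,
                  "unix_secs": secs, "sequence": seq, "source_id": source_id}
        offset, end, template_set_id = 20, len(data), 0
    elif version == 10:
        length, export_time, seq, domain = struct.unpack_from("!HIII", data, 2)
        header = {"version": 10, "length": length, "export_time": export_time,
                  "sequence": seq, "observation_domain_id": domain}
        offset, end, template_set_id = 16, length, 2
    else:
        raise ValueError(f"unsupported export version {version}")

    templates, records = {}, []
    while offset + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", data, offset)
        if set_len < 4:
            raise ValueError("malformed set length")
        body = data[offset + 4:offset + set_len]
        if set_id == template_set_id:
            templates.update(_parse_templates(body, version))
        elif set_id >= 256 and set_id in templates:
            records.extend(_parse_data_records(body, templates[set_id]))
        # options templates (v9 id 1 / IPFIX id 3) are ignored in this example
        offset += set_len
    return {"header": header, "templates": templates, "records": records}


# --- constructed sample export (not real traffic), used to exercise the parser ---
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.10", 51234, 443, 6, 18320, 21),
                ("10.0.0.7", "192.0.2.53", 40001, 53, 17, 75, 1)]


def build_sample_packet(version):
    """Build a v9 or IPFIX packet with one template (id 256) and two data records."""
    tmpl = struct.pack("!HH", 256, len(SAMPLE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", f, l) for f, l in SAMPLE_FIELDS)
    tmpl_set = struct.pack("!HH", 0 if version == 9 else 2, 4 + len(tmpl)) + tmpl
    recs = b"".join(IPv4Address(s).packed + IPv4Address(d).packed
                    + struct.pack("!HHBII", sp, dp, pr, nb, np)
                    for s, d, sp, dp, pr, nb, np in SAMPLE_FLOWS)
    recs += b"\x00" * (-len(recs) % 4)       # pad the set to a 4-byte boundary
    data_set = struct.pack("!HH", 256, 4 + len(recs)) + recs
    body = tmpl_set + data_set
    if version == 9:   # v9 count = template records + data records
        return struct.pack("!HHIIII", 9, 1 + len(SAMPLE_FLOWS), 123456, 1540000000, 1, 0) + body
    return struct.pack("!HHIII", 10, 16 + len(body), 1540000000, 1, 0) + body
```

Running `parse_flow_export(build_sample_packet(9))` and `parse_flow_export(build_sample_packet(10))` yields the same two decoded records, which illustrates the point made above that IPFIX reuses the NetFlow v9 field numbering. Because templates are sent in their own sets, a collector that receives a data set before the matching template has no way to decode it; the parser drops such sets rather than guessing, and a production collector would cache templates per exporter and source/observation domain ID.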

Flow analysis benefits

As per a Cisco white paper (Cisco Systems, 2007), here are some of the benefits of flow analysis. Even though the white paper refers to NetFlow, the benefits listed below also apply to IPFIX. An extended list is documented in the white paper.

  • Network monitoring: NetFlow data enables extensive, near-real-time network monitoring capabilities. Flow-based analysis techniques may be utilized to visualize traffic patterns associated with individual routers and switches as well as on a network-wide basis (providing aggregate traffic or application-based views) to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution.
  • User monitoring and profiling: NetFlow data enables network engineers to gain a detailed understanding of customer/user utilization of network and application resources. This information may then be utilized to efficiently plan and allocate access, backbone and application resources, as well as to detect and resolve potential security and policy violations.
  • Network planning: NetFlow can be used to capture data over a long period of time to track and anticipate network growth and plan upgrades that increase the number of routing devices, ports, or higher-bandwidth interfaces.
  • Security analysis: NetFlow identifies and classifies DDoS attacks, viruses and worms in real time. Changes in network behaviour indicate anomalies that are clearly visible in NetFlow data. The data is also a valuable forensic tool for understanding and replaying the history of security incidents.
  • Accounting/billing: NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP addresses, packet and byte counts, timestamps, type-of-service and application ports) for highly flexible and detailed resource utilization accounting. Service providers may utilize the information for billing based on time of day, bandwidth usage, application usage, quality of service, etc. Enterprise customers may utilize the information for departmental charge-back or cost allocation for resource utilization.
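The security-analysis and accounting points above rest on the fact that flow records carry just the five-tuple plus packet and byte counters, which is enough to notice behaviour that stands out. The following example, added here and not code from the original page or from any project the page describes, runs three simple analyses over a constructed batch of flow records: a source that touches an unusually large number of distinct destination ports, a destination hit by many distinct sources with tiny flows (the many-to-one pattern behind a flood), and a top-talkers ranking by bytes for the accounting view. The record field names, the thresholds and the sample records are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records in the shape a collector hands to an analysis
# application (not real traffic): two normal flows, one host probing 20 ports on
# a single target, and 40 distinct sources each sending one tiny flow to port 80.
SAMPLE_RECORDS = (
    [{"src_addr": "10.0.0.5", "dst_addr": "192.0.2.10", "dst_port": 443,
      "protocol": 6, "in_pkts": 21, "in_bytes": 18320},
     {"src_addr": "10.0.0.7", "dst_addr": "192.0.2.53", "dst_port": 53,
      "protocol": 17, "in_pkts": 1, "in_bytes": 75}]
    + [{"src_addr": "10.0.0.99", "dst_addr": "192.0.2.20", "dst_port": p,
        "protocol": 6, "in_pkts": 1, "in_bytes": 60} for p in range(20, 40)]
    + [{"src_addr": f"198.51.100.{i}", "dst_addr": "192.0.2.30", "dst_port": 80,
        "protocol": 6, "in_pkts": 1, "in_bytes": 40} for i in range(1, 41)]
)


def port_sweep_sources(records, min_ports=15):
    """Sources that contacted at least min_ports distinct (destination, port)
    pairs in the batch; returns {src_addr: distinct pair count}."""
    pairs = defaultdict(set)
    for r in records:
        pairs[r["src_addr"]].add((r["dst_addr"], r["dst_port"]))
    return {src: len(p) for src, p in pairs.items() if len(p) >= min_ports}


def flood_targets(records, min_sources=30, max_pkts_per_flow=2):
    """(destination, port) pairs receiving tiny flows from at least min_sources
    distinct sources; returns {(dst_addr, dst_port): distinct source count}."""
    sources = defaultdict(set)
    for r in records:
        if r["in_pkts"] <= max_pkts_per_flow:
            sources[(r["dst_addr"], r["dst_port"])].add(r["src_addr"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def top_talkers(records, n=3):
    """Bytes per source address, highest first: the accounting/charge-back view."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_addr"]] += r["in_bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("port sweeps:", port_sweep_sources(SAMPLE_RECORDS))
    print("flood targets:", flood_targets(SAMPLE_RECORDS))
    print("top talkers:", top_talkers(SAMPLE_RECORDS))
```

The thresholds are deliberately plain constants so the logic is easy to read; in practice they are tuned per network from a baseline, because a legitimate vulnerability scanner or a busy web server would trip the same counters. Note that flow data shows the pattern but not the payload, so a hit from these functions is a lead for investigation (ideally against packet captures or host logs) rather than a verdict.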