IP Flow Information Export

Internet Protocol Flow Information Export (IPFIX) is an IETF protocol, as well as the name of the IETF working group defining the protocol. It was created based on the need for a common, universal standard of export for Internet Protocol flow information from routers, probes and other devices that are used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing. The IPFIX standard defines how IP flow information is to be formatted and transferred from an exporter to a collector.[1] Previously many data network operators were relying on Cisco Systems' proprietary NetFlow technology for traffic flow information export.

The IPFIX standards requirements were outlined in the original RFC 3917. Cisco NetFlow Version 9 was the basis for IPFIX. The basic specifications for IPFIX are documented in RFC 7011 through RFC 7015, and RFC 5103.

Architecture

The following figure shows a typical architecture of information flow in an IPFIX architecture:

      Metering,             
      Exporter      IPFIX         Collector
         O--------------------------->O
         |
         | Observation Point
         v
---- IP Traffic --->

A Metering Process collects data packets at an Observation Point, optionally filters them and aggregates information about these packets. Using the IPFIX protocol, an Exporter then sends this information to a Collector. Exporters and Collectors are in a many-to-many relationship: One Exporter can send data to many Collectors and one Collector can receive data from many Exporters. [2]

Protocol

Similar to the NetFlow Protocol, IPFIX considers a flow to be any number of packets observed in a specific timeslot and sharing a number of properties, e.g. "same source, same destination, same protocol". Using IPFIX, devices like routers can inform a central monitoring station about their view of a potentially larger network.

IPFIX is a push protocol, i.e. each sender will periodically send IPFIX messages to configured receivers without any interaction by the receiver.

The actual makeup of data in IPFIX messages is to a great extent up to the sender. IPFIX introduces the makeup of these messages to the receiver with the help of special Templates. The sender is also free to use user-defined data types in its messages, so the protocol is freely extensible and can adapt to different scenarios.

IPFIX prefers the Stream Control Transmission Protocol as its transport layer protocol, but also allows the use of the Transmission Control Protocol or User Datagram Protocol.

Example

A simple information set sent via IPFIX might look like this:

Source         Destination    Packets
------------------------------------------
192.168.0.201  192.168.0.1    235
192.168.0.202  192.168.0.1    42

This information set would be sent in the following IPFIX message:

Bits 0..15 Bits 16..31
Version = 0x000a Message Length = 64 Bytes
Export Timestamp = 2005-12-31 23:59:60
Sequence Number = 0
Observation Domain ID = 12345678
Set ID = 2 (Template) Set Length = 20 Bytes
Template ID = 256 Number of Fields = 3
Typ = sourceIPv4Address Field Length = 4 Bytes
Typ = destinationIPv4Address Field Length = 4 Bytes
Typ = packetDeltaCount Field Length = 4 Bytes
Set ID = 256 (Data Set
using Template 256)
Set Length = 28 Bytes
Record 1, Field 1 = 192.168.0.201
Record 1, Field 2 = 192.168.0.1
Record 1, Field 3 = 235 Packets
Record 2, Field 1 = 192.168.0.202
Record 2, Field 2 = 192.168.0.1
Record 2, Field 3 = 42 Packets

As can be seen, the message contains the IPFIX header and two IPFIX Sets: One Template Set that introduces the build-up of the Data Set used, as well as one Data Set, which contains the actual data. Because the Template Set is buffered in Collectors it will not need to be transmitted in subsequent messages.

See also

References

  1. Hofstede, Rick; Celeda, Pavel; Trammell, Brian; Drago, Idilio; Sadre, Ramin; Sperotto, Anna; Pras, Aiko. "Flow Monitoring Explained: From Packet Capture to Data Analysis with NetFlow and IPFIX". IEEE Communications Surveys & Tutorials (IEEE Communications Society) 16 (4): 28. doi:10.1109/COMST.2014.2321898.
  2. IEEE communications magazine,http://ieeexplore.ieee.org.lcproxy.shu.ac.uk/stamp/stamp.jsp?tp=&arnumber=5741152

External links

This article is issued from Wikipedia - version of the Monday, April 18, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.