Flow-based Accounting: Applications and Standardisation

Similar documents
Traffic Flow Measurements within IP Networks: Requirements, Technologies and Standardization

Configuring NetFlow and NetFlow Data Export

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

RIPE75 - Network monitoring at scale. Louis Poinsignon

This chapter provides information to configure Cflowd.

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Experiences with IPFIX-based Traffic Measurement for IPv6 Networks. Nakjung Choi, Hyeongu Son*, Youngseok Lee* and Yanghee Choi

NetFlow and NetFlow Data Export.

Introduction to Netflow

Configuring NetFlow and NetFlow Data Export

Flexible Netflow Configuration Guide, Cisco IOS Release 15S

Network Security Monitoring with Flow Data

NetFlow Configuration Guide

DDoS Protection in Backbone Networks

Intelligent WAN NetFlow Monitoring Deployment Guide

NetFlow Configuration Guide, Cisco IOS Release 12.2SX

NetFlow Configuration Guide, Cisco IOS Release 15S

NetFlow Configuration Guide, Cisco IOS Release 15S

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Flexible NetFlow IPFIX Export Format

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

From NetFlow to IPFIX the evolution of IP flow information export

Flexible NetFlow IPv6 Unicast Flows

Network Management and Monitoring

Configuring Flexible NetFlow

Configuring Flexible NetFlow

Flexible NetFlow IPv6 Unicast Flows

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

NetFlow Multiple Export Destinations

DDoS Protection in Backbone Networks Deployed at Trenka Informatik AG (

IPv6 Sampled NetFlow feature was introduced. Destination-based Netflow Accounting feature was introduced.

Domain Based Metering

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

D31 - MOME Standardisation Plan and Recommendations

Flow-based Traffic Visibility

Configuring MPLS Egress NetFlow Accounting and Analysis

Flow Sampling for ASR1K

Netflow v9 for IPv6. Finding Feature Information. Prerequisites for Netflow v9 for IPv6. Information About Netflow v9 for IPv6

CHAPTER 3 GRID MONITORING AND RESOURCE SELECTION

Using NetFlow Sampling to Select the Network Traffic to Track

Raw Data Formatting: The RDR Formatter and NetFlow Exporting

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

MPLS In Operation NANOG 39 Toronto February

Flexible NetFlow - MPLS Support

Configuring IP SLAs ICMP Echo Operations

Configuring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced.

FlowIntegrator. Integrating Flow Technologies with Mainstream Event Management Systems. Sasha Velednitsky

NfSen and NFDUMP 16th TF-CSIRT Meeting Sept 15th 2005, Lisbon Peter Haag

Using NetFlow Sampling to Select the Network Traffic to Track

Configuring IP SLAs ICMP Echo Operations

Packet Sampling for Flow Accounting: Challenges and Limitations

Sampling Challenges. Tanja Zseby Competence Center Network Research Fraunhofer Institute FOKUS Berlin. COST TMA September 22, 2008

Cisco Day Hotel Mons Wednesday

Configuring Flexible NetFlow

MPLS VPN Multipath Support for Inter-AS VPNs

Differentiated Services

Differentiated Services

Advanced NetFlow Accounting

Flexible NetFlow - Top N Talkers Support

NetFlow Reliable Export With SCTP

SCRIPT: An Architecture for IPFIX Data Distribution

Interface Utilization vs. Flow Analysis

Implementing Coarse, Long- Term Traffic Capture

Configuring AVC to Monitor MACE Metrics

Cisco dan Hotel Crowne Plaza Beograd, Srbija.

Configuring NetFlow Statistics Collection

Monitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;

Illegitimate Source IP Addresses At Internet Exchange Points

Traffic and Performance Visibility for Cisco Live 2010, Barcelona

Configuring Data Export for Flexible NetFlow with Flow Exporters

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Monitoring Data CHAPTER

Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements

Cisco IOS Flexible NetFlow Command Reference

Configuring NetFlow Top Talkers using Cisco IOS CLI Commands or SNMP Commands

How the Internet sees you

Power of Slicing in Internet Flow Measurement. Ramana Rao Kompella Cristian Estan

Real-Time Applications. Delay-adaptive: applications that can adjust their playback point (delay or advance over time).

Implementing Management Plane Protection

Cisco ASR 9000 Series Aggregation Services Router Netflow Command Reference, Release 4.3.x

Stager. A Web Based Application for Presenting Network Statistics. Arne Øslebø

Network Configuration Example

ibgp Multipath Load Sharing

Raw Data Formatting: The RDR Formatter and NetFlow Exporting

Using Flexible NetFlow Flow Sampling

This chapter describes how to configure NetFlow Data Export (NDE).

Using Flexible NetFlow Flow Sampling

Network and SLA Monitoring Guide Release 7.3

Measurement: Techniques, Strategies, and Pitfalls. Nick Feamster CS 7260 February 7, 2007

Lesson 3. IPv4 and IPv6 Protocols. Chapter-4 L03: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

IBGP internals. BGP Advanced Topics. Agenda. BGP Continuity 1. L49 - BGP Advanced Topics. L49 - BGP Advanced Topics

Monitoring and Analysis

Flow export an visualization (Flowviz)

IBM Aurora Flow-Based Network Profiling System

Technology Overview. Overview CHAPTER

Cisco ASR 9000 Series Aggregation Services Router Netflow Configuration Guide, Release 5.2.x

Configuring Application Visibility and Control for Cisco Flexible Netflow

Transcription:

Flow-based Accounting: Applications and Standardisation SCAMPI Workshop May 3, 2004 Simon Leinen, SWITCH <simon@switch.ch>

Flow-based Accounting - Basic Idea Classify packets into flows (equivalence classes) Update per-flow account for each packet Export this accounting data when the flow ends Failing that, periodically

The Flow Concept Classical Flow = 5-Tuple Defined by ("Flow key") the combination of: source IP address destination IP address protocol (TCP, UDP, ICMP, GRE etc.) source port destination port for protocols that have port numbers (TCP, UDP, SCTP) Optionally: TOS (type of service)/dscp (Diffserv code point) input interface index

Metrics in per-flow Accounting Data # packets in flow # bytes in flow time first packet seen ("flow start") time last packet seen ("flow end") Route information for destination/source address destination interface next hop prefix length neighbour and/or origin AS Various inclusive-or of TCP flags during flow...

Implementations NeTraMet IETF standard LFAP Cabletron (Riverstone/Enterasys) NetFlow Cisco NetFlow switching (router acceleration) Cisco NetFlow accounting Sampled NetFlow Aggregated NetFlow Cisco NDE (TCAM-based) Juniper "cflow" other NetFlow implementations

Properties Good tradeoff between High level of accounting detail Modest resource consumption and simple implementation "Classic" NetFlow vulnerable to DoS Single 24-byte packet can generate 48 accounting bytes! Can be fixed by Sampling (Exporter-based) Aggregation

Common Applications Coarse-grained traffic analysis for traffic engineering for capacity planning for interconnection (peering) decisions Detection of anomalies security violations faults Usage-based charging Research on large-scale network/application behaviour

Example NetFlow Usage: SWITCH (I) (Swiss Education & Research Network) All external border (peering) routers send NetFlow non-sampled non-aggregated -> ~20000 flows/s during normal office hours ~800 kb/s accounting stream Representing 1-2 GB/s user traffic 5-10% packets not counted during peak hours due to contention for hardware NetFlow hash table mainly concerns small packets/flows Flow DoS/scans can cause high accounting loss But we can still switch 150 Mpps...

Example NetFlow Usage: SWITCH (II) Three consumers of accounting packet streams: Fluxoscope: system for per-site/as statistics used for billing heuristics for "application" breakdown DDoSVax: ETHZ research project records all flows for offline analysis (months, TBs) study spread of DDoS etc. SWITCH security group records full flows for forensics (days-weeks, 100s GBs) locate specific infected hosts

typical output Fluxoscope Coarse-grain aggregation for billing/planning

typical output DDoSVax Flow recording and offline analysis of anomalies

SWITCHcert Flow recording for forensics

IETF Standardisation I: RTFM Real-Time Flow Measurement, RFC2720-2724 flexible flow definitions SNMP-based access not widely implemented

IETF Standardisation II: IPFIX IP Flow Information export Working Group Established in September 2001 Workplan Specify requirements (done) Evaluate candidates (done) CRANE DIAMETER LFAP NetFlow v9 <<< selected Streaming IPDR Refine protocol, data model etc. (ongoing)

IPFIX/NetFlow v9 Overview Departure from previous NetFlow versions v1, v5, v6, v7: variants of 5-tuple flows v8: fixed set of aggregated flows NetFlow v9/ipfix is template-based Template FlowSets contain descriptions of Data FlowSets Data FlowSets contain actual accounting data Can accomodate variety of flow generalisations Cisco has implementations for IPv6, MPLS Support available in some NetFlow data processors Not widely used (or even tested) yet

Outlook "Classical" flow accounting impossible at high speed You HAVE to do sampling and/or aggregation The more you sample, the less you benefit from flow aggregation The more you aggregate, the more information you lose Sampling becomes an interesting alternative: Much simpler mechanism than NetFlow lower cost fewer bugs! Arbitrarily scalable Hard to cheat, given good random sampling

Prediction For high-speed routers, the mechanism of choice will be sampling (PSAMP) rather than flow export. NetFlow/IPFIX will still spread at the edges CPU-based routers Host stacks Mediation systems ("IP Detail Record")?

Thank you! Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback