[171603] in North American Network Operators' Group
Re: About NetFlow/IPFIX and DPI
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed May 7 10:45:34 2014
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Wed, 7 May 2014 14:44:58 +0000
In-Reply-To: <CAL9VMAx0oo+0sj1SioLt2xeRRtJG7kXgcH2EUd=gTEorSPaF5w@mail.gmail.com>
On May 7, 2014, at 8:11 PM, Antoine Meillet <antoine.meillet@gmail.com> wrote:
> Should those protocols be considered as tools to perform DPI ?
No - they're flow telemetry exported by routers and switches, and they provide layer-4 information.
It's possible with Cisco Flexible NetFlow and with PSAMP exported over IPFIX to get packet contents; however, few if any collection/analysis systems utilize either extended telemetry format, to date. I've never seen either implemented in a production network.
NetFlow and IPFIX are primarily used for security purposes such as DDoS detection/classification/traceback and botnet C&C identification; for traffic engineering analysis; capacity planning analysis; for troubleshooting; and for billing purposes. Flow telemetry is an essential tool that ISPs and larger enterprises utilize in order to get a view into their network traffic, because it scales for large networks - and it does so because it doesn't typically include packet payloads, just the layer-4 information. It's sort of like a near-time mobile phone bill for the network.
'DPI' generally (but not always) refers to devices which are placed inline and perform full multi-packet payload reassembly and inspection. The term has been used (and misused) so broadly as to become essentially meaningless.
NetFlow and IPFIX are merely telemetry formats used by network engineers for the purposes noted above.
This presentation talks about how NetFlow is used by network operators:
<https://app.box.com/s/mnshn99c13uekrggy99b>
Network neutrality is largely an issue of policy and of economics, not of technology, per se.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
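
Added example, not part of the message above or of any vendor's code: a decoder for the fixed-layout NetFlow v5 export record (v5 is chosen here as an assumption; the message speaks of NetFlow/IPFIX in general), showing that a flow record carries addresses, ports, protocol and counters but no payload, and how a collector can rank destinations from it for DDoS classification. The function names, the sample flows and the documentation-range addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte NetFlow v5 flow record

# Constructed sample flows: src, dst, packets, bytes, sport, dport, tcp_flags, proto
SAMPLE_ROWS = [
    ("198.51.100.7", "192.0.2.10", 9000, 4212000, 123, 40000, 0x00, 17),
    ("203.0.113.20", "192.0.2.10", 8000, 3744000, 123, 40001, 0x00, 17),
    ("198.51.100.9", "192.0.2.10", 7000, 3276000, 123, 40002, 0x00, 17),
    ("203.0.113.5", "192.0.2.25", 40, 52000, 51514, 443, 0x1B, 6),
]

def build_sample():
    """Pack SAMPLE_ROWS into one export datagram, as a router would send it."""
    body = b"".join(
        RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, bytes(4), 1, 2,
                    pk, oc, 1000, 2000, sp, dp, fl, pr, 0, 0, 0, 0, 0)
        for s, d, pk, oc, sp, dp, fl, pr in SAMPLE_ROWS)
    return HEADER.pack(5, len(SAMPLE_ROWS), 5000, 1399473898, 0, 1, 0, 0, 0) + body

def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[11], "proto": f[12]})
    return flows

def summarize(flows):
    """Per (dst, proto): total bytes, total packets, distinct sources; largest first."""
    agg = {}
    for f in flows:
        s = agg.setdefault((f["dst"], f["proto"]), [0, 0, set()])
        s[0] += f["bytes"]; s[1] += f["packets"]; s[2].add(f["src"])
    return sorted(((k, v[0], v[1], len(v[2])) for k, v in agg.items()),
                  key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for (dst, proto), octets, packets, sources in summarize(parse_v5(build_sample())):
        print(f"{dst} proto={proto} bytes={octets} packets={packets} sources={sources}")
```

Every field the decoder can return comes from the 48-byte record, so the per-flow cost to the collector is constant regardless of how much payload the flow carried.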