[171605] in North American Network Operators' Group


Re: About NetFlow/IPFIX and DPI

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed May 7 12:16:05 2014

X-Original-To: nanog@nanog.org
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Wed, 7 May 2014 16:15:44 +0000
In-Reply-To: <20140507154506.GA11696@moussaka.pmacct.net>
Errors-To: nanog-bounces@nanog.org


On May 7, 2014, at 10:45 PM, Paolo Lucente <pl+list@pmacct.net> wrote:

> This model is supported on the export side by Cisco with their NetFlow/NBAR integration and on the collection side by some collector.

As you'll note in reading that report, NBAR didn't seem to work very well for them; I haven't run across its use in any ISP network, on ISP-grade hardware (i.e., not a small software-based router like a 7200), or even in a large-scale enterprise environment.

Again, I haven't yet run across anyone actually using this on a production network.  It would be very interesting to hear from someone with first-hand experience with NBAR exported over Flexible NetFlow in a production environment.

Also, it's important to note that this sort of thing doesn't scale across networks of any real size/speed.  There's a great deal of potential utility in the security, troubleshooting, and traffic engineering arenas for on-demand triggered packet sampling of this nature, but so far, the control-plane hooks aren't really there to do this in a programmatic manner (one presumes that SDN of one flavor or another might provide these capabilities).  That was my biggest gripe about Flexible NetFlow when I was at Cisco, and one which I felt ensured the technology wouldn't make it into production networks - no organic control-plane interface.

So, perhaps now we can de-conflate flow telemetry and 'DPI', since the real-life export, collection, and analysis of anything other than layer-4 information via flow telemetry isn't at all commonplace (if it in fact exists at all) on production networks, at this juncture.

'DPI' generally alludes to boxes positioned at points of ingress/egress symmetry (either natural or purposely engineered) within a network.  Flow telemetry per se is not really within the rubric of 'DPI'.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
