[171606] in North American Network Operators' Group
Re: About NetFlow/IPFIX and DPI
daemon@ATHENA.MIT.EDU (Paolo Lucente)
Wed May 7 12:45:39 2014
Date: Wed, 7 May 2014 16:43:38 +0000
From: Paolo Lucente <pl+list@pmacct.net>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <5A3E2A55-8BAF-4A9F-A2A1-F755DAF1A1ED@arbor.net>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Reply-To: Paolo Lucente <pl+list@pmacct.net>

Please note NBAR/NetFlow integration wanted to be an example of
using NetFlow/IPFIX as a transport for DPI classification info
(where classification could be performed with any other in-line
technology than NBAR).

Whether NBAR works or does not as a classification technology is
out of scope for me here - and seems also out of the op request.

Inline:

On Wed, May 07, 2014 at 04:15:44PM +0000, Dobbins, Roland wrote:
> So, perhaps now we can de-conflate flow telemetry and 'DPI', since the real-life export, collection, and analysis of anything other than layer-4 information via flow telemetry isn't at all commonplace (if it in fact exists at all) on production networks, at this juncture.

I disagree if anybody conflates here. I don't. I see two disjoint
pieces: classification technology and transport of classification
info to a central location. IPFIX, for example, is general (and
standardized) enough to transport/encapsulate other info than just
flow info, this might include DPI classification or other stuff.

You can also read this as: if you have to travel some info, why
re-invent the wheel and not leverage a general-enough, standardized
transport protocol (that btw you can contribute at any point to
enhance if not satisfactory enough)?

And please it's nice to have different positions - no need to escalate.

Cheers,
Paolo
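
An added example, not part of the original message: a minimal Python exporter and collector showing how an IPFIX message can carry a DPI verdict next to ordinary flow fields, using the applicationId information element (IE 95, RFC 6759). The addresses, counters, template ID and the engine/selector values are constructed, and the parser assumes one template record per template set, one data record per data set, fixed-length fields and no enterprise-specific elements.

```python
import ipaddress
import struct

# IANA IPFIX information elements used here; applicationId (95) is from RFC 6759.
IES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 4: "protocolIdentifier",
       11: "destinationTransportPort", 1: "octetDeltaCount", 95: "applicationId"}
TEMPLATE_ID = 256  # constructed; template IDs start at 256
FIELDS = [(8, 4), (12, 4), (4, 1), (11, 2), (1, 8), (95, 4)]  # (IE id, length)

def ipfix_set(set_id, body):
    return struct.pack("!HH", set_id, 4 + len(body)) + body

def build_message(engine_id, selector_id):  # exporter side, constructed sample flow
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    rec = (bytes([192, 0, 2, 10, 198, 51, 100, 20])  # src 192.0.2.10, dst 198.51.100.20
           + struct.pack("!BHQ", 6, 443, 18250)      # TCP, port 443, 18250 octets
           + bytes([engine_id]) + selector_id.to_bytes(3, "big"))
    sets = ipfix_set(2, tmpl) + ipfix_set(TEMPLATE_ID, rec)
    return struct.pack("!HHIII", 10, 16 + len(sets), 1399481018, 0, 1) + sets

def decode_record(fields, body):
    rec, pos = {}, 0
    for ie, ln in fields:
        raw, pos = body[pos:pos + ln], pos + ln
        if ie == 95:  # 1-byte classification engine ID, then the selector ID
            val = (raw[0], int.from_bytes(raw[1:], "big"))
        elif ie in (8, 12):
            val = str(ipaddress.IPv4Address(raw))
        else:
            val = int.from_bytes(raw, "big")
        rec[IES.get(ie, f"ie{ie}")] = val
    return rec

def parse_message(msg):  # collector side: learn the template, then decode with it
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set
            tid, count = struct.unpack_from("!HH", body)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif set_id in templates:  # data set for a known template
            records.append(decode_record(templates[set_id], body))
        off += set_len
    return records
```

The collector needs no knowledge of which classifier produced the verdict: `parse_message(build_message(13, 453))` returns the flow keys plus `applicationId` as an (engine ID, selector ID) pair, where 13 is the PANA-L7 engine in RFC 6759 and 453 is a constructed selector.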