
IP net management could get easier

By , Network World
October 27, 2003 12:11 AM ET

Network World - A proposed standard under construction at the Internet Engineering Task Force promises to extract more traffic statistics from corporations' network gear, which proponents say will help them develop usage-based billing and more easily spot security breaches.

IP Flow Information Export (IPFIX), expected to be in final draft by early next year, defines a method for routers and switches to export traffic-flow data to management systems. If adopted, the export standard would be included in network gear from Cisco, Nortel, Riverstone Networks and others. IPFIX-compliant management products then would be able to collect and analyze the traffic-flow data and correlate it with other network and application performance metrics in a management console.

Proponents say IPFIX-compliant gear will capture, store and deliver all traffic-flow data that crosses corporate routers and switches. Commercial products and protocols such as SNMP today can extract part of the traffic-flow data stored on network gear, but IPFIX would automatically package the raw data and send it to a collection point for correlation. In many cases, traffic-flow data can be lost on network gear because routers and switches don't have the memory to save the data. After the data is exported, management software could dissect the data, which today is difficult to gather and maintain.

"IPFIX is the foundation technology by which the raw data is transmitted between the network gear and a collector for subsequent analysis," says Dave Plonka, co-chair of the IPFIX working group for the IETF. "Flow-based measurements are a sweet spot between mere aggregate counters and complete packet traces."

To export data, routers present network traffic flow based on seven fields: source IP address; destination IP address; source port; destination port; Layer 3 protocol type; type-of-service byte; and input logical interface. If all seven fields in two packets match, the packets belong to the same flow.
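The seven-field matching rule above can be shown as a small flow cache. This is an added example, not code from the IPFIX drafts or any vendor; the field names, sample packets and the port-count threshold are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# The seven key fields named in the article; the field names are this example's own.
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port protocol tos input_if")

# Constructed sample packets: the seven key fields followed by the packet size in bytes.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 1500),
    ("10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 900),  # all seven match: same flow
    ("10.0.0.5", "192.0.2.10", 40000, 443, 6, 8, 1, 600),  # ToS byte differs: new flow
    ("10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 2, 600),  # input interface differs: new flow
    ("10.0.0.9", "192.0.2.10", 40001, 22, 6, 0, 1, 60),
    ("10.0.0.9", "192.0.2.10", 40002, 23, 6, 0, 1, 60),
    ("10.0.0.9", "192.0.2.10", 40003, 25, 6, 0, 1, 60),
    ("10.0.0.9", "192.0.2.10", 40004, 80, 6, 0, 1, 60),
]

def aggregate_flows(packets):
    """Group packets into flows: identical seven fields means the same flow."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for *key_fields, size in packets:
        record = flows[FlowKey(*key_fields)]
        record["packets"] += 1
        record["bytes"] += size
    return dict(flows)

def sources_with_many_ports(flows, threshold):
    """Sources whose flows touch >= threshold distinct ports on a single destination."""
    ports = defaultdict(set)
    for key in flows:
        ports[(key.src_ip, key.dst_ip)].add(key.dst_port)
    return sorted({src for (src, _dst), seen in ports.items()
                   if len(seen) >= threshold})

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_PACKETS)
    for key, record in flows.items():
        print(key, record)
    print("many-port sources:", sources_with_many_ports(flows, threshold=4))
```

A collector working from exported flow records can run the second function without ever seeing packet payloads, which is the kind of analysis the article's proponents have in mind for spotting problem sources.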

IPFIX is expected to provide the format by which IP flow data can be transferred from the gear to a management collection point. Because IPFIX implementations will include templates, customers could define multiple templates for how various data should be exported. IPFIX-enabled devices then would package the data as defined and send it to IPFIX-compliant collection devices, either network management probes or a server loaded with network management software.

Mining the traffic flow and understanding more packet data could reveal details about how an application uses network devices, how routers respond to requests and which users make the most demands. That data could let network managers bill for IT services based on usage.

"Collecting raw packet data can reveal to network managers if there are different routes or links being used in ways they didn't realize or if there are better ways to route the traffic," says Paul Kohler, technical marketing engineer in the Internet Technologies Division at Cisco. He says IPFIX also could alert network managers to potential security breaches and help them fill any security holes. "It can go beyond just noticing if a link is down; it can identify flows that are the source of a problem."
