IPFIX fine-tunes traffic analysis

Soon it will be easier for IT managers to extract and view important traffic statistics stored in their routers so they can better manage their networks.

The Internet Engineering Task Force (IETF) is standardizing the format used for exporting router-based information about network traffic flows to data collection devices and network management systems. The proposed standard, IP Flow Information Export (IPFIX), will work across any vendor's routers and management applications that support the protocol.

In other words, IT departments will no longer have to match routers supporting proprietary export formats with applications that have been developed specifically to support those formats. The export format also is extensible, so network managers won't have to upgrade their router software or management tools as their traffic-monitoring requirements change.

Exporting network traffic information from a router and viewing the statistics on a per-flow basis gives network managers information they can use to make key decisions. Administrators who know how many packets and bytes are sent to and from certain IP addresses or across specific network interfaces can create usage-based departmental charge-back systems. They also can use the information to traffic-engineer their networks for optimum performance.

The IETF chose Cisco NetFlow Version 9 data-export format as the basis for IPFIX. IPFIX defines the format by which IP flow information can be transferred from an exporter (router or switch) to a collector. Applications that support IPFIX will understand and display statistics received from any router that also supports the standard.

Network managers will be free to add or change the fields (the specific parameters and protocols) against which they want to monitor their IP traffic flows. This is possible because IPFIX is a template-based format for data export, which makes it extensible. The use of templates means network administrators and vendors don't have to alter their software to support a new format every time a company wants to view traffic statistics based on different criteria. Changes that corporations might desire include adding network accounting of IPv6 and/or IP Multicast packets to existing IPv4 packet monitoring.

To export data, routers represent each network traffic flow based on seven key fields:

• Source IP address.
  
  

• Destination IP address.
  
  

• Source port.
  
  

• Destination port.
  
  

• Layer 3 protocol type.
  
  

• Type-of-service byte.
  
  

• Input logical interface.
  
  

If all seven key fields in two different packets match, both packets are designated as belonging to the same flow. Packets in that flow are compared against the same match criteria and counted. Today there also are additional non-key fields that can be tracked for network accounting purposes in many systems, such as the source IP mask, destination IP mask, source autonomous system, destination autonomous system, TCP flags, destination interface and IP next-hop.

If network operators want to account for packets based on additional fields, the template-based format inserts a new field following the export packet header in which new template records can be added. Each template has a unique ID number that will match a traffic-flow ID number to associate a given template to the appropriate data record. The template flow-set establishes the field types and lengths, while the ID number ties the fields to the specific data-flow export.