Senior Editor

IP net management could get easier

Oct 27, 2003

A proposed standard under construction at the Internet Engineering Task Force promises to extract more traffic statistics from corporations’ network gear, which proponents say will help them develop usage-based billing and more easily spot security breaches.

IP Flow Information Export (IPFIX), expected to be in final draft by early next year, defines a method for routers and switches to export traffic-flow data to management systems. If adopted, the export standard would be included in network gear from Cisco, Nortel, Riverstone Networks and others. IPFIX-compliant management products then would be able to collect and analyze the traffic-flow data and correlate it with other network and application performance metrics in a management console.

Proponents say IPFIX-compliant gear will capture, store and deliver all traffic-flow data that crosses corporate routers and switches. Commercial products and protocols such as SNMP today can extract part of the traffic-flow data stored on network gear, but IPFIX would automatically package the raw data and send it to a collection point for correlation. In many cases, traffic-flow data can be lost on network gear because routers and switches don’t have the memory to save the data. After the data is exported, management software could dissect the data, which today is difficult to gather and maintain.

“IPFIX is the foundation technology by which the raw data is transmitted between the network gear and a collector for subsequent analysis,” says Dave Plonka, co-chair of the IPFIX working group for the IETF. “Flow-based measurements are a sweet spot between mere aggregate counters and complete packet traces.”

To export data, routers present network traffic flow based on seven fields: source IP address; destination IP address; source port; destination port; Layer 3 protocol type; type-of-service byte; and input logical interface. If all seven fields in two packets match, the packets belong to the same flow.
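The seven-field rule above can be sketched as a small flow cache. This is an added example, not code from the article or from any vendor; the field names and the sample packets are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# The seven key fields listed in the article (names are assumptions made here).
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port protocol tos input_if")

# Constructed packets: the seven key fields followed by the packet size in bytes.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 0, 1, 600),
    ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 0, 1, 1500),  # same flow as above
    ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 0, 2, 1500),  # other input interface
    ("10.0.0.5", "192.0.2.10", 40001, 80, 6, 32, 1, 400),  # other ToS byte
    ("10.0.0.9", "192.0.2.53", 53000, 53, 17, 0, 1, 90),
    ("10.0.0.9", "192.0.2.53", 53000, 53, 17, 0, 1, 110),  # same UDP flow
]

def build_flow_cache(packets):
    """Group packets into flows: all seven fields must match to share a record."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for *key_fields, size in packets:
        record = cache[FlowKey(*key_fields)]
        record["packets"] += 1
        record["bytes"] += size
    return dict(cache)

def bytes_by_source(cache):
    """Roll flow records up per source address, as a usage report would."""
    totals = defaultdict(int)
    for key, record in cache.items():
        totals[key.src_ip] += record["bytes"]
    return dict(totals)

def top_flows(cache, n=3):
    """Return the n largest flows by byte count, largest first."""
    ranked = sorted(cache.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return ranked[:n]

if __name__ == "__main__":
    flows = build_flow_cache(PACKETS)
    for key, record in top_flows(flows):
        print(key, record)
    print(bytes_by_source(flows))
```

A packet that differs in only one field, such as the type-of-service byte or the input interface, opens a separate flow record even though the addresses and ports are identical.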

IPFIX is expected to provide the format by which IP flow data can be transferred from the gear to a management collection point. Because IPFIX implementations will include templates, customers could define multiple templates for how various data should be exported. IPFIX-enabled devices then would package the data as defined and send it to IPFIX-compliant collection devices, either network management probes or a server loaded with network management software.

Mining the traffic flow and understanding more packet data could reveal details about how an application uses network devices, how routers respond to requests and which users make the most demands. That data could let network managers bill for IT services based on usage.

“Collecting raw packet data can reveal to network managers if there are different routes or links being used in ways they didn’t realize or if there are better ways to route the traffic,” says Paul Kohler, technical marketing engineer in the Internet Technologies Division at Cisco. He says IPFIX also could alert network managers to potential security breaches and help them fill any security holes. “It can go beyond just noticing if a link is down; it can identify flows that are the source of a problem.”

Benoit Claise, a technical leader at Cisco, and Kohler are working with the IETF on the IPFIX specification, partly because its roots are in Cisco. IPFIX is based on Cisco’s NetFlow Version 9 data-export protocol. (Cisco customers usually use NetFlow Version 5.) NetFlow comes with Cisco gear and can be enabled or disabled.

Customers could turn NetFlow on to collect more specific data on traffic flows and track the busiest applications. The same network managers might choose to turn NetFlow off because the amount of data it sends across the network can bog a router down, consume bandwidth when it’s transmitted and get lost when the device runs out of storage capacity.

“NetFlow collects a lot of data, and lets you look deep into the packet, but you don’t know how long it will be before the network management software will ask for that data,” Kohler says. “NetFlow follows a push model, and sends the data out because without a lot of memory on a switch, you can just lose that intensive data.”

Yet NetFlow resides on Cisco gear, and the IETF wants to develop a standard for heterogeneous networks. As with SNMP and Realtime Traffic Flow Measurement (RTFM), the IETF wants the IPFIX working group to deliver a more-efficient way to export data to management systems.

Plonka, also a member of the Network Services group in the Division of Information Technology at the University of Wisconsin at Madison, says standards such as SNMP and RTFM can be used in such a way that would deliver the same results as IPFIX. For example, SNMP polls network devices and collects management data while RTFM measures traffic flows. Those working on IPFIX say it could provide one standard out of what now is cobbled together by enterprise network managers.

“[Our] long-term goal is to move from the present five standards toward just one,” says Nevil Brownlee, co-chair of the IPFIX working group for the IETF and an Internet researcher for the Cooperative Association for Internet Data Analysis at the University of California San Diego.