IP Flow Information Export
Encyclopedia
Internet Protocol Flow Information Export (IPFIX) is an IETF working group
. It was created from the need for a common, universal standard of export for Internet Protocol
flow information from routers, probes, and other devices that is used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing. The IPFIX standard will define how IP flow information is to be formatted and transferred from an exporter to a collector. Previously many data network operators were relying on the proprietary Cisco Systems
NetFlow
standard for traffic flow information export.
The IPFIX standards requirements were outlined in the original RFC 3917. The working group chose Cisco NetFlow
Version 9 as the basis for IPFIX. The working group submitted the IPFIX Protocol Specification to the IESG for approval in 2006.
Metering,
Exporter IPFIX Collector
O--------------------------->O
|
| Observation Point
v
---- IP Traffic --->
A Metering Process collects data packets at an Observation Point, optionally filters them and aggregates information about these packets. Using the IPFIX protocol, an Exporter then sends this information to a Collector. Exporters and Collectors are in a many-to-many
relationship: One Exporter can send data to many Collectors and one Collector can receive data from many Exporters.
IPFIX is a push protocol, i.e. each sender will periodically send IPFIX messages to configured receivers without any interaction by the receiver.
The actual makeup of data in IPFIX messages is to a great extent up to the sender. IPFIX introduces the makeup of these messages to the receiver with the help of special Templates. The sender is also free to use user-defined data types in its messages, so the protocol is freely extensible and can adapt to different scenarios.
IPFIX prefers the Stream Control Transmission Protocol
as its transport layer
protocol, but also allows the use of the Transmission Control Protocol
or User Datagram Protocol
.
Source Destination Packets
------------------------------------------
192.168.0.201 192.168.0.1 235
192.168.0.202 192.168.0.1 42
This information set would be sent in the following IPFIX message:
As can be seen, the message contains the IPFIX header and two IPFIX Sets: One Template Set that introduces the build-up of the Data Set used, as well as one Data Set, which contains the actual data. Because the Template Set is buffered in Collectors it will not need to be transmitted in subsequent messages.
Working group
A working group is an interdisciplinary collaboration of researchers working on new research activities that would be difficult to develop under traditional funding mechanisms . The lifespan of the WG can last anywhere between a few months and several years...
. It was created from the need for a common, universal standard of export for Internet Protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
flow information from routers, probes, and other devices that is used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing. The IPFIX standard will define how IP flow information is to be formatted and transferred from an exporter to a collector. Previously many data network operators were relying on the proprietary Cisco Systems
Cisco Systems
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 70,000 employees and annual revenue of US$...
NetFlow
Netflow
NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported by platforms other than Cisco IOS and NXOS such as Juniper routers, Enterasys Switches, vNetworking in version 5 of...
standard for traffic flow information export.
The IPFIX standards requirements were outlined in the original RFC 3917. The working group chose Cisco NetFlow
Netflow
NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported by platforms other than Cisco IOS and NXOS such as Juniper routers, Enterasys Switches, vNetworking in version 5 of...
Version 9 as the basis for IPFIX. The working group submitted the IPFIX Protocol Specification to the IESG for approval in 2006.
Architecture
The following figure shows a typical architecture of information flow in an IPFIX architecture:Metering,
Exporter IPFIX Collector
O--------------------------->O
|
| Observation Point
v
---- IP Traffic --->
A Metering Process collects data packets at an Observation Point, optionally filters them and aggregates information about these packets. Using the IPFIX protocol, an Exporter then sends this information to a Collector. Exporters and Collectors are in a many-to-many
Many-to-many
Many-to-many is a term that describes a communication paradigm and an associated media form. It is the third of three major Internet computing paradigms...
relationship: One Exporter can send data to many Collectors and one Collector can receive data from many Exporters.
Protocol
Similar to the NetFlow Protocol, IPFIX considers a flow to be any number of packets observed in a specific timeslot and sharing a number of properties, e.g. "same source, same destination, same protocol". Using IPFIX, devices like routers can inform a central monitoring station about their view of a potentially larger network.IPFIX is a push protocol, i.e. each sender will periodically send IPFIX messages to configured receivers without any interaction by the receiver.
The actual makeup of data in IPFIX messages is to a great extent up to the sender. IPFIX introduces the makeup of these messages to the receiver with the help of special Templates. The sender is also free to use user-defined data types in its messages, so the protocol is freely extensible and can adapt to different scenarios.
IPFIX prefers the Stream Control Transmission Protocol
Stream Control Transmission Protocol
In computer networking, the Stream Control Transmission Protocol is a Transport Layer protocol, serving in a similar role to the popular protocols Transmission Control Protocol and User Datagram Protocol...
as its transport layer
Transport layer
In computer networking, the transport layer or layer 4 provides end-to-end communication services for applications within a layered architecture of network components and protocols...
protocol, but also allows the use of the Transmission Control Protocol
Transmission Control Protocol
The Transmission Control Protocol is one of the core protocols of the Internet Protocol Suite. TCP is one of the two original components of the suite, complementing the Internet Protocol , and therefore the entire suite is commonly referred to as TCP/IP...
or User Datagram Protocol
User Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
.
Example
A simple information set sent via IPFIX might look like this:Source Destination Packets
------------------------------------------
192.168.0.201 192.168.0.1 235
192.168.0.202 192.168.0.1 42
This information set would be sent in the following IPFIX message:
| Bits 0..15 | Bits 16..31 |
|---|---|
| Version = 0x000a | Message Length = 64 Bytes |
| Export Timestamp = 2005-12-31 23:59:60 | |
| Sequence Number = 0 | |
| Observation Domain ID = 12345678 | |
| Set ID = 2 (Template) | Set Length = 20 Bytes |
| Template ID = 256 | Number of Fields = 3 |
| Typ = sourceIPv4Address | Field Length = 4 Bytes |
| Typ = destinationIPv4Address | Field Length = 4 Bytes |
| Typ = packetDeltaCount | Field Length = 4 Bytes |
| Set ID = 256 (Data Set using Template 256) |
Set Length = 28 Bytes |
| Record 1, Field 1 = 192.168.0.201 | |
| Record 1, Field 2 = 192.168.0.1 | |
| Record 1, Field 3 = 235 Packets | |
| Record 2, Field 1 = 192.168.0.202 | |
| Record 2, Field 2 = 192.168.0.1 | |
| Record 2, Field 3 = 42 Packets | |
As can be seen, the message contains the IPFIX header and two IPFIX Sets: One Template Set that introduces the build-up of the Data Set used, as well as one Data Set, which contains the actual data. Because the Template Set is buffered in Collectors it will not need to be transmitted in subsequent messages.
See also
- Network traffic measurementNetwork traffic measurementIn computer networks, network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management.- Tools :...
- RFC3954 - NetFlow Version 9
- RFC3955 - Candidate Protocols for IP Flow Information Export (IPFIX)
- RFC5101 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information (IPFIX)
- RFC5102 - Information Model for IP Flow Information Export
- RFC5103 - Bidirectional Flow Export Using IP Flow Information Export
- RFC5153 - IPFIX Implementation Guidelines
- RFC5470 - Architecture for IP Flow Information Export
- RFC5471 - Guidelines for IP Flow Information Export (IPFIX) Testing
- RFC5472 - IP Flow Information Export (IPFIX) Applicability
- RFC5473 - Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports