IETF IPFIX Aggregation: draft-dressler-ipfix-aggregation-00.txt (Minneapolis IETF)

Presentation transcript:

Slide 1 (title): IPFIX Aggregation, draft-dressler-ipfix-aggregation-00.txt

Slide 2: Motivation
- Reduction of monitoring data: bandwidth savings and performance savings at the collector
- Speed-up of NetFlow accounting: reduction of concurrent active streams in a monitor
- Concentrating multiple IPFIX streams: definition of concentrator functionality
- Transport of information about the aggregation rules: for improved processing of IPFIX data

Slide 3: Application Examples
- Accounting and charging: monitoring and accounting for charging applications requires saving information about each individual end system. Further information about each particular flow is not required, so aggregation rules are appropriate as long as the address of the end system is retained.
- Intrusion detection: if monitoring feeds further analysis such as intrusion detection (anomaly detection, rule-based intrusion detection, etc.), information about the protocols used at the transport layer and at the application layer is usually required. On the other hand, the analysis will typically work at the level of sub-networks instead of single hosts because of the amount of data to process. Information about the traffic between individual end systems is required once suspicious transmissions have already been detected.

Slide 4: Architecture (I)
[figure: two monitors, each a Metering Process (MP) with an Exporting Process (EP), send exported monitoring data (IPFIX Protocol) to an Aggregation Process (AP). Legend: EP = Exporting Process, AP = Aggregation Process, MP = Metering Process]

Slide 5: Architecture (II)
[figure: an Exporting Process (EP) sends exported monitoring data (IPFIX Protocol) to an Aggregation Process (AP), which in turn sends exported monitoring data (IPFIX Protocol) to a Collector Process (CP). Legend: EP = Exporting Process, AP = Aggregation Process, CP = Collector Process]

Slide 6: Aggregation Rules (I)
- Explicit rules: a triple consisting of
  - IPFIX type field, e.g. destination IP
  - Matching pattern, e.g. /16
  - Granularity modifier: keep field or discard field
- Implicit definition of
  - the minimal set of IPFIX fields required in each incoming record
  - the template for data export
- Special fields: special treatment of the following fields to keep their semantics
  - # packets, # bytes, # flows: aggregation by summation
  - Timestamps: aggregation by keeping min and max

Slide 7: Aggregation Rules (II)
- Application of aggregation rules leads to shared properties
- Example:
  - Match source port 80
  - Match destination IPs in /16, apply mask /24
  - Aggregate # packets
- This rule creates multiple meta flows with the same source port (80) and destination network (one in x.0/24)
- Can be transmitted in a standard IPFIX record
- We suggest a new template type: data template

Slide 8: Example
IP Flow Table (columns: Src Addr | Src Port | Dst Addr | Dst Port | # of Packets) [table rows not present in the transcript]
Metaflow Table (columns: Src Addr | Src Port | Dst Addr | Dst Port | # of Packets) [table rows not present in the transcript]
Aggregation Rules:
1. Dst Port = 80, keep Dst Addr
2. Dst Addr = [rule truncated in the transcript]

Slide 9: Data Export (I)
- New data type PrecedingRule: based on unsigned16
- If aggregation is done using a first-match algorithm, the order of the rules must be clear at the collector
- Implicit transmission of the rule set

Slide 10: Data Export (II)
- New data type PortRanges: based on unsigned16
- Allows aggregation of flows for multiple transport-protocol ports, e.g. 80,443 or 1:1023
- Definition:
  - unsigned16: start port
  - unsigned16: end port
- May appear multiple times to define disjoint port ranges
- May be cast down to one unsigned16
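Slides 6 to 10 together describe one mechanism: rules built from (IPFIX field, matching pattern, granularity modifier) triples, applied first-match, with counters summed, timestamps kept as min/max, the producing rule recorded as PrecedingRule, and port sets expressed as PortRanges. The following is an added worked example, not code from the draft or its authors: a small Python aggregator that implements those semantics over constructed flow records. The field names, the rule encoding ("keep", "discard", "mask/N"), the "1:1023" / "80,443" PortRanges spelling and the 192.0.0.0/16 prefix are assumptions chosen for this example; the /16 on slide 7 is not specified on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample IP flow records (not taken from the slides). Times are
# seconds; packets/bytes are the per-flow counters an IPFIX record would carry.
SAMPLE_FLOWS = [
    {"srcaddr": "10.1.1.5", "srcport": 40001, "dstaddr": "192.0.2.10",
     "dstport": 80, "packets": 10, "bytes": 5000, "start": 100, "end": 110},
    {"srcaddr": "10.1.1.6", "srcport": 40002, "dstaddr": "192.0.2.11",
     "dstport": 80, "packets": 4, "bytes": 2000, "start": 105, "end": 120},
    {"srcaddr": "10.1.1.5", "srcport": 40003, "dstaddr": "192.0.3.200",
     "dstport": 80, "packets": 7, "bytes": 3500, "start": 90, "end": 130},
    {"srcaddr": "10.1.1.9", "srcport": 40004, "dstaddr": "198.51.100.7",
     "dstport": 443, "packets": 3, "bytes": 900, "start": 200, "end": 210},
    {"srcaddr": "10.1.1.9", "srcport": 40005, "dstaddr": "198.51.100.8",
     "dstport": 22, "packets": 1, "bytes": 100, "start": 300, "end": 301},
    {"srcaddr": "10.1.1.9", "srcport": 40006, "dstaddr": "203.0.113.5",
     "dstport": 8080, "packets": 2, "bytes": 400, "start": 400, "end": 405},
]


@dataclass(frozen=True)
class Criterion:
    """One element of an explicit rule: (IPFIX field, matching pattern, granularity modifier)."""
    field: str              # flow record field the criterion applies to (assumed names)
    pattern: Optional[str]  # CIDR prefix for *addr, PortRanges spec for *port, None = match any
    modifier: str           # "keep", "discard", or "mask/N" (address fields only)


def parse_port_ranges(spec: str) -> list[tuple[int, int]]:
    """PortRanges spec: comma-separated single ports or lo:hi ranges, e.g. "80,443" or "1:1023"."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def criterion_matches(crit: Criterion, flow: dict) -> bool:
    if crit.pattern is None:
        return True
    value = flow[crit.field]
    if crit.field.endswith("addr"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(crit.pattern)
    return any(lo <= value <= hi for lo, hi in parse_port_ranges(crit.pattern))


def reduce_field(crit: Criterion, flow: dict):
    """Apply the granularity modifier; returns None when the field is discarded."""
    value = flow[crit.field]
    if crit.modifier == "keep":
        return value
    if crit.modifier == "discard":
        return None
    if crit.modifier.startswith("mask/"):
        prefix = int(crit.modifier[len("mask/"):])
        return str(ipaddress.ip_network(f"{value}/{prefix}", strict=False))
    raise ValueError(f"unknown modifier {crit.modifier!r}")


def aggregate(flows, rules):
    """First-match aggregation: the first rule whose criteria all match consumes the flow.

    Returns (metaflows, unmatched). Counters are summed, timestamps keep min/max, and
    every metaflow carries precedingRule (index of the rule that produced it) so the
    collector can reconstruct the rule ordering. Discarded port criteria are reported
    as a <field>Ranges list, the PortRanges idea of slide 10.
    """
    metaflows = {}
    unmatched = []
    for flow in flows:
        for rule_idx, rule in enumerate(rules):
            if all(criterion_matches(c, flow) for c in rule):
                break
        else:
            unmatched.append(flow)
            continue
        kept = {c.field: reduce_field(c, flow) for c in rule if c.modifier != "discard"}
        key = (rule_idx, tuple(sorted(kept.items())))
        mf = metaflows.get(key)
        if mf is None:
            mf = {"precedingRule": rule_idx, **kept, "packets": 0, "bytes": 0,
                  "flows": 0, "start": flow["start"], "end": flow["end"]}
            for c in rule:
                if c.modifier == "discard" and c.field.endswith("port") and c.pattern:
                    mf[c.field + "Ranges"] = parse_port_ranges(c.pattern)
            metaflows[key] = mf
        mf["packets"] += flow["packets"]
        mf["bytes"] += flow["bytes"]
        mf["flows"] += 1
        mf["start"] = min(mf["start"], flow["start"])
        mf["end"] = max(mf["end"], flow["end"])
    return list(metaflows.values()), unmatched


# Constructed rule set in the spirit of slide 7 (the /16 there is unspecified on the page).
EXAMPLE_RULES = [
    # rule 0: web traffic into 192.0.0.0/16, reported per destination /24
    [Criterion("dstport", "80", "keep"), Criterion("dstaddr", "192.0.0.0/16", "mask/24")],
    # rule 1: any other well-known port, ports collapsed into one PortRanges element and
    # the source kept at /24 granularity; port-80 flows never reach it (first match wins)
    [Criterion("dstport", "1:1023", "discard"), Criterion("srcaddr", None, "mask/24")],
]

if __name__ == "__main__":
    metaflows, unmatched = aggregate(SAMPLE_FLOWS, EXAMPLE_RULES)
    for mf in metaflows:
        print(mf)
    print(f"{len(unmatched)} flow(s) matched no rule")
```

The ordering point from slide 9 is visible in the output: rule 1 also matches destination port 80, so without precedingRule a collector could not tell whether a rule-1 metaflow excludes port-80 traffic. Flows matching no rule are returned separately rather than silently dropped, which is the choice a monitoring pipeline should make explicit.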

Slide 11: Data Export (III)
- New template type Data Template
- Allows transporting syntax information AND data
- Combination of Data Set and Template Set:

| Template ID  | Field Count  |
| Data Count   | Reserved     |
| Field 1 Type |
| ...          |
| Field N Type |
| Data 1 Type  |
| ...          |
| Data M Type  |
| Data 1 Value |
| ...          |
| Data M Value |
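To make the Data Template layout concrete, here is an added encoder/decoder pair in Python; it is an illustration written for this page, not the draft's own encoding. It assumes the four header words are 16 bits each, as in IPFIX template headers, and that each "Type" entry is an IPFIX field specifier, i.e. a 16-bit Information Element identifier followed by a 16-bit length, so that the decoder knows how many octets each Data value occupies. The element identifiers used (sourceTransportPort = 7, destinationIPv4Address = 12, packetDeltaCount = 2) are standard IPFIX ones; the template id 256, the 4-octet counter width and the sample values are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    element_id: int  # IPFIX Information Element identifier
    length: int      # octets the value occupies


@dataclass(frozen=True)
class DataTemplate:
    template_id: int
    fields: tuple    # FieldSpec per value carried in every data record (syntax only)
    data: tuple      # (FieldSpec, bytes) pairs: values shared by all records, sent once


HEADER = ">HHHH"   # Template ID | Field Count | Data Count | Reserved (assumed 16-bit each)
SPEC = ">HH"       # element id | length (IPFIX field specifier)


def encode_data_template(t: DataTemplate) -> bytes:
    out = struct.pack(HEADER, t.template_id, len(t.fields), len(t.data), 0)
    for f in t.fields:                       # Field 1..N Type
        out += struct.pack(SPEC, f.element_id, f.length)
    for spec, _ in t.data:                   # Data 1..M Type
        out += struct.pack(SPEC, spec.element_id, spec.length)
    for spec, value in t.data:               # Data 1..M Value
        if len(value) != spec.length:
            raise ValueError(f"value for IE {spec.element_id} must be {spec.length} octets")
        out += value
    return out


def decode_data_template(buf: bytes) -> DataTemplate:
    """Parse one Data Template; raises ValueError on truncated or over-long input."""
    if len(buf) < struct.calcsize(HEADER):
        raise ValueError("truncated data template header")
    template_id, field_count, data_count, _reserved = struct.unpack_from(HEADER, buf, 0)
    off = struct.calcsize(HEADER)
    need = (field_count + data_count) * struct.calcsize(SPEC)
    if len(buf) < off + need:
        raise ValueError("truncated field/data specifiers")
    fields, specs = [], []
    for target, count in ((fields, field_count), (specs, data_count)):
        for _ in range(count):
            eid, ln = struct.unpack_from(SPEC, buf, off)
            off += struct.calcsize(SPEC)
            target.append(FieldSpec(eid, ln))
    data = []
    for spec in specs:                       # lengths come from the specifiers just parsed
        value = buf[off:off + spec.length]
        if len(value) != spec.length:
            raise ValueError("truncated data value")
        off += spec.length
        data.append((spec, value))
    if off != len(buf):
        raise ValueError("trailing octets after data template")
    return DataTemplate(template_id, tuple(fields), tuple(data))


def is_well_formed(buf: bytes) -> bool:
    try:
        decode_data_template(buf)
        return True
    except (ValueError, struct.error):
        return False


def example_template() -> DataTemplate:
    # Constructed template in the spirit of slide 7: the shared source port 80 travels
    # once in the template; each record then carries only destination and packet count.
    return DataTemplate(
        template_id=256,                          # IPFIX template ids start at 256
        fields=(FieldSpec(12, 4),                 # destinationIPv4Address
                FieldSpec(2, 4)),                 # packetDeltaCount, 4-octet encoding
        data=((FieldSpec(7, 2), struct.pack(">H", 80)),),  # sourceTransportPort = 80
    )


if __name__ == "__main__":
    wire = encode_data_template(example_template())
    print(wire.hex(), len(wire), "octets")
    print(decode_data_template(wire))
```

The decoder checks every length before slicing, so a Data Template that advertises more specifiers or longer values than the set actually contains is rejected instead of yielding empty or misaligned values; a collector that accepts templates from the network needs exactly this kind of bound check, since templates drive how all later data records are parsed.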

Slide 12: Conclusions
- Reduction of monitoring data: bandwidth savings and performance savings at the collector
- Speed-up of NetFlow accounting: reduction of concurrent active streams in a monitor
- Concentrating multiple IPFIX streams: definition of concentrator functionality
- Transport of information about the aggregation rules: for improved processing of IPFIX data
- Thus, the scalability of IPFIX monitoring will be increased by enabling IPFIX aggregation / concentration.