NETFLOW FOR ACCOUNTING, ANALYSIS AND ATTACK

Academic year: 2021

(1)

NETFLOW FOR ACCOUNTING,

ANALYSIS AND ATTACK

Chu-Sing Yang

Department of Electrical Engineering National Cheng Kung University

(2)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(3)

Introduction –

Goals

Service providers must have access to in-depth information about their networks

A complete view of current use

Understand the behavior of their networks

Network Problem Determination and Analysis

Network security attack detection and prevention

Detailed network usage history reports

Analytical tools to analyze and predict usage trends

Plan for network deployment and expansion

(4)

Introduction –

Challenges

Capturing Characteristics

How to capture traffic characteristics from high-speed, high volume

networks (Mbps→Gbps→Tbps)?

Analysis

How to analyze and generate data needed quickly?

Evolving network applications

Streaming media (Windows Media, Real, Quicktime)

P2P traffic

Network Security Attacks

Log Generation & Storage

What kind of information to save to perform various/long-term

analysis?

(5)

[Figure: TANet tools taxonomy]

Tools Taxonomy

Data collection: RMON, Netflow, SNMP, PacketDump

Analysis tools: cflowd, Flow-tools, Flowscan, Panoptis, MINDS, RTFM

Uses: Traffic Engineering, User Monitoring, Billing…. DDOS, Virus, Worms……

(6)

Data Collection –

SNMP Data

Simple Network Management Protocol (SNMP)

Router CPU utilization, link utilization, link loss, …

Collected from every router/link every few minutes

Applications

Detecting overloaded links and sudden traffic shifts

Measuring link utilization

Advantage

Open standard, available for every router and switch

Disadvantage

Coarse granularity, both spatially and temporally

(7)

Data Collection –

Flow-Level Traces

Flow monitoring (e.g., Cisco Netflow)

Measurements at the level of sets of related packets

Set of packets that “belong together”

Source/destination IP addresses and port numbers

Same protocol, ToS bits, …

Same input/output interfaces at a router (if known)

Number of bytes and packets, start and finish times

Applications

Computing application mix and detecting DoS attacks

Measuring the traffic matrix for the network

Advantages

Medium-grain traffic view, supported on some routers

Disadvantages

Not uniformly supported across router products

(8)

Data Collection –

Packet-Level Traces

Packet monitoring

IP, TCP/UDP, and application-level headers

Collected by tapping individual links in the network

Applications

Fine-grain timing of the packets on the link

Fine-grain view of packet header fields

Advantages

Most detailed view possible at the IP level

Disadvantages

Expensive to have in more than a few locations

Challenging to collect on very high-speed links

(9)

Business Requirements

How do I efficiently track network and application

resource usage?

How do I know if my customers are adhering

to usage policy agreements?

How do I account and bill for resources being

utilized?

How do I effectively plan to allocate and deploy

resources most efficiently?

How do I track customers to enhance

(10)

Accounting—What For?

Network monitoring

Network planning

Security analysis

Application monitoring and profiling

User monitoring and profiling

Traffic engineering

Peering agreements

Usage-based billing

(11)

Accounting vs. Billing

Accounting Application

[Figure: accounting records listing source/destination address pairs (1.2.3.4 to 5.6.7.8 and 5.6.7.8 to 1.2.3.4); billing attributes them to a user (Steve) and an application (SAP)]

Billing

(12)

Accounting—Why?

Baselining, Performance

Network monitoring

Application monitoring

User monitoring

Trends, statistics

Deviation from normal

(13)

Accounting—Why?

Network Design

Capacity planning

Traffic engineering

Rome POP

Munich POP

Paris POP

London POP

ISP2

ISP3 Source

(14)

Accounting—Why?

Peering Agreements

(15)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(16)

NetFlow Origination

Developed by Darren Kerr and Barry Bruins at

Cisco Systems in 1996

US Patent 6,243,667

The value of information in the cache was a

secondary discovery

Initially designed as a switching path

NetFlow is now the primary network accounting

technology in the industry

Answers questions regarding IP traffic: who, what,

(17)

Principal NetFlow Benefits

Peering arrangements

Network planning

Traffic engineering

Accounting and billing

Security monitoring

Internet access monitoring (protocol distribution, where traffic is going/coming)

User monitoring

Application monitoring

Charge back billing for departments

(18)

NetFlow Enables

NetFlow statistics empower users with the ability to characterize their IP data flows

The who, what, where, when, and how much IP traffic

questions are answered

Usage-Based Billing

Traffic Analysis and Monitoring for Network Planning

Router Feature Acceleration

(19)

NetFlow’s Value

NetFlow enables IP traffic flow analysis without

probes

Offers a rich data set to be mined for network

management, traffic engineering, and value-added service offerings

(i.e. marketing data, personal NMS data)

Increasing margins on existing Cisco

infrastructure is possible and economical with NetFlow usage based billing

(20)

What Is a Flow?

Source IP address

Destination IP address

Source port

Destination port

Layer 3 protocol type

TOS byte (DSCP)

Input logical interface (ifIndex)

Exported Data

(21)

NetFlow Principles

Inbound traffic only

Unidirectional flow

Accounts for both transit traffic and traffic destined for the router

Works with Cisco Express Forwarding (CEF) or fast switching

Not a switching path

Supported on all interfaces and Cisco IOS software platforms

Returns the subinterface information in the flow records

(22)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(23)

NetFlow Components

• Data Switching • Data Export • Data Aggregation (IOS)

• Data Collection • Data Filtering • Data Aggregation • Data Storage • File System Management (FlowCollector)

• Data Presentation • NFC Control and Configuration (Data Analyzer)

Partner Applications: Accounting/Billing, Network Planning

RMON Probe

(24)

NetFlow Component: IOS

• Data Switching • Data Export • Data Aggregation

RMON Probe

(25)

A “Flow” is defined by Seven Characteristics:

Source/Destination IP address pair

Source/Destination application port pair

IP Protocol

Input Physical Interface Index

IP Type of Service (ToS) byte

Flows are unidirectional

NetFlow is enabled on a per input-interface basis

(26)

NetFlow Accelerates

NetFlow Policy Routing (NPR)

Router-based network data encryption

Access Control Lists (ACL)

RSVP

In the future

Network Address Translation (NAT)

Committed Access Rate (CAR)

Web Cache Control Protocol (WCCP)

Others

Availability of such acceleration will be announced on a

feature-by-feature basis

(27)

• Source IP Address

• Destination IP Address

• Next Hop Address

• Source AS Number

• Dest. AS Number

• Source Prefix Mask

• Dest. Prefix Mask

• Input Interface Port

• Output Interface Port

• Type of Service

• TCP Flags

• Protocol

• Packet Count

• Byte Count

• Start Timestamp

• End Timestamp

• Source TCP/UDP Port

• Destination TCP/UDP Port

Field groups in the figure: Usage, QoS, Time of Day, Application, Routing and Peering, Port Utilization, From/To

(28)

Router Based Aggregation

AS

Source Prefix

Dest. Prefix

Prefix Matrix

Protocol Type

(29)

NetFlow Components: FlowCollecter

• Data Switching • Data Export • Data Aggregation

RMON Probe

• Data Collection • Data Filtering • Data Aggregation • Data Storage • File System Management

(30)

NetFlow FlowCollector

Flow record reception

Data volume reduction

Filtering

Aggregation

Flexible thread language

Flat file, binary, and/or compressed file storage

File cleanup

Solaris and HP-UX

[Figure: NetFlow FlowCollector feeding Flow Consumer Applications]

(31)

FlowCollector Aggregation

Schemes

Over 20 aggregation schemes

From Call Detail Records for billing

To AS information for statistics

(32)

Highlighted New Features in

FlowCollector 3.0

Support for RBA export data

8 additional aggregation schemes

Improved disk space management

Configuration and Control API

Autonomous Message Notification

High availability process monitoring on

(33)

NetFlow Components: Data Analyzer

• Data Switching • Data Export • Data Aggregation (IOS)

• Data Presentation • NFC Control and Configuration (Data Analyzer)

Partner Applications: Accounting/Billing, Network Planning

RMON Probe

• Data Collection • Data Filtering • Data Aggregation • Data Storage • File System Management (FlowCollector)

(34)

Network Data Analyzer

Graphical display of NetFlow data

Consumes from NetFlow FlowCollector(s)

Time-based analysis & data sorting

Histograms, Bar Charts, Piecharts

Spreadsheet data export

NetFlow FlowCollectors

NetFlow FlowAnalyzer

(35)

Highlighted Features in Network Data Analyzer

Search operations

Address to Address transactions

Address to Subnet transactions

Subnet to Subnet transactions

Address “away from” Address/Subnet transactions

Multiple router, dataset selection or interface selection

DetailASMatrix aggregation & drilldown

DNS address and AS number to name translation

(36)

Highlighted Features in

Network Data Analyzer

NetFlow Collector Control

Traffic Matrix Statistics (TMS) Data

Collection Control and Analysis

View router-based aggregation schema

data

(37)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(38)

A “Flow” is defined by Seven Characteristics:

Source/Destination IP address pair

Source/Destination application port pair

IP Protocol

Input Physical Interface Index

IP Type of Service (ToS) byte

Flows are unidirectional

NetFlow is enabled on a per input-interface basis

(39)

Netflow Formats

Version 1: initial version, not commonly used

Version 5: superset of Version 1; added AS accounting and datagram sequencing; commonly used

Version 7: Cat5K NFFC only, not available in IOS

Version 8: router based aggregation; available in 12.0(3)T, 12.0(3)S

Version 9: configurable flow record templates

(40)

NetFlow Cache

[Figure: NetFlow cache entries are packed into an export datagram: a Header (• Version number • Sequence number • Record count) followed by Flow Records]

Cache Management & Data Export

Flow cache manager expires flows

No traffic/long life/TCP flags/cache full/etc.

Intelligent cache aging ensures cache entries are

always available

Distributed NetFlow Cache on VIPs

Router exports groups of expired flows every second

Export uses UDP datagrams with sequence numbers

(41)

Cache Management & Export

[Figure: Flow 1, Flow 2 and Flow 3 are entries in the NetFlow Cache; an entry leaves the cache when • Flow expired • Cache full • Timer expired, goes into the Export Buffer and is sent over UDP to the collector]

(42)

Flow Management

TCP connections which have been closed. That is, a FIN/RST has been received.

As the cache becomes full the cache is intelligently purged.

Long lived flows are expired and removed from the cache. Flows are expired after 30min, by default.

Flows which have been idle for a specified time are expired and removed from the cache. (This is configurable)

(43)

Data Export

When does NetFlow export data?

• Flow datagrams are exported once per second, OR

• When a complete UDP datagram of flows is available

Number of Flow Records per Export Packet, by Netflow Version:

Version 1: 24 flow records

Version 5: 30 flow records

Version 7: 27 flow records

Version 8: Variable

Version 9: Variable

(44)

NetFlow Versions

NetFlow version: Comments

1: Original

5: Standard and most common

7: Specific to Cisco C6500 and 7600 Series switches; similar to Version 5, but does not include AS, interface, TCP flag and ToS information

8: Choice of eleven aggregation schemes reduces resource usage

9: Flexible, extensible file export format to enable easier support of additional fields and technologies, e.g. MPLS, multicast, BGP next hop, and IPv6

(45)

Version 1

Version 1 is the initial NetFlow format supported on 11.1, 11.2, 11.3, 12.0

On by default

No reason to use v.1 unless supporting a legacy

(46)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(47)

Netflow - Not a Switching Path

In the past (before CEF), Netflow was a

switching mechanism. But we faced

complications and performance problems…

When CEF was written, the Netflow code was

rewritten to do only the accounting job. No switching anymore.

Netflow runs now on the top of CEF to store

accounting statistics. We still look into the FIB for adjacencies, encapsulation info, route, …

As a consequence the Netflow switching name

(48)

Netflow Acceleration

An API used by the other IOS features Needs 12.0(3)T

Reserve extra space in the Netflow cache for

state information from other features.

Apply the feature processing on the first packet versus every packet. Information from the first packet is used to build the cache entry, accessed by subsequent packets from the same flow

Access Control Lists is accelerated by default,

(49)

Netflow Acceleration

Depending on the train 12.0S, 12.0ST, 12.1 or

12.2, Netflow accelerates

IP accounting

RSVP

Crypto encrypt and decrypt

Policy Routing

WCCP inbound redirection

Cisco Applications and Services Architecture

(50)

NetFlow Accelerates

NetFlow Policy Routing (NPR)

Router-based network data encryption

Access Control Lists (ACL)

RSVP

In the future

Network Address Translation (NAT)

Committed Access Rate (CAR)

Web Cache Control Protocol (WCCP)

Others

Availability of such acceleration will be announced on a

feature-by-feature basis

(51)

Netflow Bypasses the Access-list

[Flowchart, laid out as a decision sequence]

First packet in flow?

Yes: go through the ACL (maybe deny packet)

    Pass the ACL? No: create a Netflow entry with output i/f null, discard the packet

    Pass the ACL? Yes: create a Netflow entry, forward the packet with CEF

No: lookup entry in netflow cache

    Output i/f is null? Yes: discard the packet, update the Netflow entry stats

    Output i/f is null? No: forward the packet with CEF, update the Netflow entry stats

(52)

Acceleration - Netflow Policy

Routing

The first packet will go through the route-map

and the access-list

A Netflow cache entry will be created with extra

information for policy routing (for example the next hop)

Subsequent packets of the same flow will bypass

the route-map access-list checks

Note that the acceleration doesn’t change the

(53)

Performance (Approximate

Number)

Enabling Netflow version 5 on a router increases the CPU utilization by 20 to 25 %

The Netflow export increases the CPU utilization by 5 %

Enabling Netflow version 8 increases the CPU utilization by 2 to 5 %, depending on the number of aggregations enabled

With a multiple of 6 % for multiple aggregations

Netflow is done in hardware on the cat6000

(54)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(55)

Where to Collect the Traffic:

Edge vs. Core

Communication pattern

Flow duplication

CPU impact

Data compression

Data reduction (filter)

Data aggregation

Edge

(56)

Where to Deploy Netflow?

On the “edges” of the network

All routers because Netflow accounts incoming

traffic only

For billing, on the aggregation routers because

some 12000 Line Cards only support sampled Netflow

For accounting, capacity planning, on the

aggregation routers or the 12000 router. Sampled netflow could be sufficient

(57)

Where to Deploy Netflow?

For BGP information, on the BGP peering

routers

Can monitor one link, egress and ingress, but

should be on a MPLS PE-CE link.

Basic principles:

Don’t account your exported data

Avoid a flow duplication design. Netflow Collector

doesn’t do flow de-duplication. Done by partner tools


(58)

[Figure: Core Network with NetFlow enabled on the edge routers; traffic enters on NetFlow-enabled interfaces, UDP export goes to a Collector (Solaris, HP-UX, or Linux), which feeds an Application / GUI station and the NMS via SNMP MIB]

Creating Export Packets

UDP Export Packets

Approximately 1500 bytes

Typically contain 20-50 flow records

Sent more frequently if traffic increases on NetFlow-enabled interfaces

(59)

Flow Export Format

Version 5 Is Used in This Example

Legend: Blue – key field, Black – standard field, Red – lookup

Key fields (the seven flow characteristics): • Source IP address • Destination IP address • Input ifIndex • Type of service • Protocol • Source TCP/UDP port • Destination TCP/UDP port

Standard fields: • Output ifIndex • Packet count • Byte count • TCP flags • Start sysUpTime • End sysUpTime

Lookup fields (Routing and Peering): • Next Hop address • Source AS number • Dest. AS number • Source prefix mask • Dest. prefix mask

Field groups in the figure: Usage, QoS, Time of Day, Application, Port Utilization, From/To, Routing and Peering

(60)

NetFlow Cache Example

1. Create and update flows in NetFlow cache

SrcIf   SrcIPadd      DstIf   DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0   173.100.21.2  Fa0/0   10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0   173.100.3.2   Fa0/0   10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0   173.100.20.2  Fa0/0   10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0   173.100.6.2   Fa0/0   10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

2. Expiration

• Inactive timer expired (15 sec is default)

• Active timer expired (30 min (1800 sec) is default)

• NetFlow cache is full (oldest flows are expired)

• RST or FIN TCP flag

Expired flow (active timer reached 1800 sec):

Fa1/0   173.100.21.2  Fa0/0   10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation, e.g. Protocol-Port Aggregation Scheme becomes

Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528

4. Export version

Aggregated Flows: Export Version 8 or 9

Non-Aggregated Flows: Export Version 5 or 9

5. Transport protocol

Export Packet: Header followed by Payload (Flows)

(61)

NetFlow Processing Order

[Figure: stages labelled Pre-Processing, Processing, and Features and Services]

• Packet Sampling

• Filtering

• IP

• Multicast

• MPLS

• IPv6

• Aggregation schemes

• Non-key fields lookup

• Export

(62)

Active/Inactive Timers

Inactive time = The flow expires once no packets are seen

for this time duration

Active time = If packets continue to be received on this flow

beyond this active time setting then the flow will expire and be exported while a new flow is created

Default values on software-based routers, 12000 and 10000:

Inactive timer: 15 seconds (minimum 1 second)

Active timer: 30 minutes (minimum 1 minute)

Default values on a C6500/7600:

Aging time: 256 seconds

Fast aging time: disabled (flows that only switch a few packets and

are never used again)

Long aging time: 1920 seconds (used to prevent counter

wraparound and inaccurate stats)

Recommendation: Change normal aging time to 32 seconds and fast

(63)

Flow Timers and Expiration

Time

• SysUptime - Current time in milliseconds since router booted

• UTC - Coordinated Universal Time can be synchronized to NTP (Network Time Protocol)

[Figure: timeline from Router Boots (sysUpTime timer begins) through 1st Flow Start, 1st Flow End, 1st Flow Expires, 2nd Flow Start, 2nd Flow End, 2nd Flow Expires and 3rd Flow Start, each stamped with sysUpTime; each flow expires after 15 seconds Inactive; expired flows leave in a UDP Export Packet containing 30-50 flows (sysUpTime & UTC)]

1st & 3rd Flows – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 128

2nd Flow – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 192
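The cache behaviour of slides 42 and 62, replayed on the three-flow scenario of slide 63, as an added Python example that is not code from the slides or from Cisco: a flow cache keyed on the seven characteristics of slide 25 that expires entries on the inactive timer, the active timer, a TCP FIN/RST, and a full cache. Timestamps, packet sizes and the interface index (assumed to be 1) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven flow characteristics from slide 25: src/dst IP, src/dst port,
# IP protocol, input interface index, ToS byte. Flows are unidirectional.
FlowKey = Tuple[str, str, int, int, int, int, int]

TCP_FIN = 0x01
TCP_RST = 0x04


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float   # seconds, sysUpTime-style
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of the TCP flags seen on the flow


@dataclass
class ExportedFlow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int
    octets: int
    reason: str         # why the cache manager expired it


class FlowCache:
    """Unidirectional flow cache with the expiry rules of slides 42 and 62:
    inactive timer (default 15 s), active timer (default 30 min),
    TCP FIN/RST, and oldest-first purge when the cache is full."""

    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0, max_entries=4096):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.max_entries = max_entries
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[ExportedFlow] = []   # stands in for the UDP export buffer

    def _expire(self, key: FlowKey, reason: str) -> None:
        e = self.entries.pop(key)
        self.exported.append(ExportedFlow(key, e.first_seen, e.last_seen,
                                          e.packets, e.octets, reason))

    def age(self, now: float) -> None:
        """Cache-manager pass: expire idle flows, then long-lived ones."""
        for key, e in list(self.entries.items()):
            if now - e.last_seen >= self.inactive_timeout:
                self._expire(key, "inactive")
            elif now - e.first_seen >= self.active_timeout:
                self._expire(key, "active")   # a new entry starts on the next packet

    def packet(self, now, src, dst, sport, dport, proto, in_if, tos, length, tcp_flags=0):
        """Account one packet; returns the flow key it was charged to."""
        self.age(now)
        key: FlowKey = (src, dst, sport, dport, proto, in_if, tos)
        e = self.entries.get(key)
        if e is None:
            if len(self.entries) >= self.max_entries:
                # Cache full: the least recently updated flow is exported first
                oldest = min(self.entries, key=lambda k: self.entries[k].last_seen)
                self._expire(oldest, "cache-full")
            e = FlowEntry(key, now, now)
            self.entries[key] = e
        e.last_seen = now
        e.packets += 1
        e.octets += length
        e.tcp_flags |= tcp_flags
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "fin-rst")     # closed TCP connection leaves at once
        return key


def slide63_scenario() -> FlowCache:
    """Constructed replay of slide 63: two flows that differ only in ToS are
    separate entries; after 15 s without packets the first expires, and a
    later packet with the same key starts a third flow."""
    c = FlowCache()
    same = dict(src="10.1.1.1", dst="20.2.2.2", sport=15, dport=15, proto=6, in_if=1)
    for t in (0.0, 1.0, 2.0):          # 1st flow, ToS 128
        c.packet(t, tos=128, length=100, **same)
    for t in (5.0, 6.0):               # 2nd flow, ToS 192: a different key
        c.packet(t, tos=192, length=60, **same)
    c.packet(30.0, tos=128, length=100, **same)   # both idle >15 s: expired; 3rd flow created
    return c
```

After `slide63_scenario()` the export buffer holds the first two flows (3 and 2 packets, both expired as inactive) and the cache holds only the third, which shares its key with the first; this is why a collector must merge records by key and time rather than assume one record per conversation.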

(64)

Netflow and Security

There is no authentication mechanism between

the routers and the collector

The collector is only interpreting received UDP

packets, without any checks

Make sure your Data Communication Network is

secure, including the collector machine

Potential problem: someone sending wrong accounting information to the collector using a router’s stolen IP address
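The Version 5 export datagram of slide 59 and the collector-side weakness of slide 64, as an added Python example that is not from the slides or from any Cisco product: a strict v5 parser plus a collector that compensates for the missing authentication with an exporter allow-list, header length and count checks, and per-exporter flow_sequence tracking, so that lost or injected records show up as a visible gap. The sample flow values are constructed from the slide-60 cache example; the exporter addresses 192.0.2.1 and 198.51.100.9 are documentation-range placeholders.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Tuple

# NetFlow v5 wire layout: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30   # slide 43: 30 flow records per v5 export packet

V5Header = NamedTuple("V5Header", [("version", int), ("count", int), ("sys_uptime", int),
                                   ("unix_secs", int), ("unix_nsecs", int), ("flow_sequence", int),
                                   ("engine_type", int), ("engine_id", int), ("sampling_interval", int)])

V5Record = NamedTuple("V5Record", [("srcaddr", str), ("dstaddr", str), ("nexthop", str),
                                   ("input_if", int), ("output_if", int), ("packets", int),
                                   ("octets", int), ("first", int), ("last", int), ("srcport", int),
                                   ("dstport", int), ("tcp_flags", int), ("protocol", int), ("tos", int),
                                   ("src_as", int), ("dst_as", int), ("src_mask", int), ("dst_mask", int)])


def parse_v5(payload: bytes) -> Tuple[V5Header, List[V5Record]]:
    """Parse one export datagram, refusing anything that does not match the
    header's own claims (version, record count, total length)."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short header")
    hdr = V5Header(*V5_HEADER.unpack_from(payload, 0))
    if hdr.version != 5:
        raise ValueError(f"unsupported version {hdr.version}")
    if not 1 <= hdr.count <= V5_MAX_RECORDS:
        raise ValueError(f"bad record count {hdr.count}")
    if len(payload) != V5_HEADER.size + hdr.count * V5_RECORD.size:
        raise ValueError("length does not match record count")
    records = []
    for i in range(hdr.count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append(V5Record(str(ipaddress.IPv4Address(f[0])), str(ipaddress.IPv4Address(f[1])),
                                str(ipaddress.IPv4Address(f[2])), f[3], f[4], f[5], f[6], f[7], f[8],
                                f[9], f[10], f[12], f[13], f[14], f[15], f[16], f[17], f[18]))
    return hdr, records


class Collector:
    """Collector-side compensations for what slide 64 says the protocol lacks:
    accept exports only from known exporter addresses, drop malformed
    datagrams, and track each exporter's flow_sequence so that lost or
    injected records show up as a gap."""

    def __init__(self, allowed_exporters):
        self.allowed = set(allowed_exporters)
        self.next_seq: Dict[str, int] = {}
        self.flows: List[V5Record] = []
        self.alerts: List[str] = []

    def receive(self, src_ip: str, payload: bytes) -> bool:
        if src_ip not in self.allowed:
            self.alerts.append(f"drop: export from unknown source {src_ip}")
            return False
        try:
            hdr, records = parse_v5(payload)
        except ValueError as exc:
            self.alerts.append(f"drop: malformed export from {src_ip}: {exc}")
            return False
        expected = self.next_seq.get(src_ip)
        if expected is not None and hdr.flow_sequence != expected:
            self.alerts.append(f"sequence gap from {src_ip}: expected {expected}, got {hdr.flow_sequence}")
        # v5 flow_sequence counts flows exported so far, so the next packet starts at seq + count
        self.next_seq[src_ip] = hdr.flow_sequence + hdr.count
        self.flows.extend(records)
        return True


def build_v5_packet(flow_sequence: int, flows: List[dict], sys_uptime=1_000_000, unix_secs=1_700_000_000) -> bytes:
    """Constructed exporter stand-in used to produce test datagrams."""
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r["src"]).packed, ipaddress.IPv4Address(r["dst"]).packed,
        ipaddress.IPv4Address(r["nexthop"]).packed, r["in_if"], r["out_if"], r["pkts"], r["octets"],
        r["first"], r["last"], r["sport"], r["dport"], 0, r["flags"], r["proto"], r["tos"],
        r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0) for r in flows)
    return V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0) + body


# Constructed from the first row of the slide-60 cache example (hex values there).
SAMPLE_FLOW = {"src": "173.100.21.2", "dst": "10.0.227.12", "nexthop": "10.0.23.2",
               "in_if": 2, "out_if": 1, "pkts": 11000, "octets": 11000 * 1528,
               "first": 900_000, "last": 1_000_000, "sport": 0x00A2, "dport": 0x00A2,
               "flags": 0x10, "proto": 0x11, "tos": 0x80, "src_as": 5, "dst_as": 15,
               "src_mask": 24, "dst_mask": 24}


def demo() -> Collector:
    """Exporter addresses are documentation-range placeholders."""
    c = Collector(allowed_exporters={"192.0.2.1"})
    c.receive("192.0.2.1", build_v5_packet(0, [SAMPLE_FLOW, SAMPLE_FLOW]))   # seq 0, 2 flows
    c.receive("192.0.2.1", build_v5_packet(2, [SAMPLE_FLOW]))                # seq 2: continuous
    c.receive("198.51.100.9", build_v5_packet(3, [SAMPLE_FLOW]))             # not an allowed exporter
    c.receive("192.0.2.1", build_v5_packet(7, [SAMPLE_FLOW]))                # gap: expected seq 3
    c.receive("192.0.2.1", b"\x00\x05\x00\x01" + bytes(10))                  # truncated datagram
    return c
```

The allow-list only filters on the UDP source address, which slide 64 notes can be spoofed; the sequence check is what gives a defender a signal when records appear from a forged source, since the forger cannot know the exporter's current counter. Sending export traffic over a dedicated, access-controlled management network (slide 66) remains the primary control.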

(65)

How Many Netflow Collectors?

In theory, one NFC per POP or Aggregation Router (7x00 router)

For VPNSC (MPLS VPN environment), we advise one NFC per PE

Basic principles:

Check your Sun capabilities

NFC sizer calculator. Reduce the number of routers per NFC if needed.

(66)

Deployment Tricks

Enable the ifIndex persistence if accounting per

interface

Look at the router cpu (<60%) and memory before

enabling Netflow

Check the export link bandwidth

Use a dedicated export lan

If you export too much traffic:

go for the aggregations, don’t export version 5

go for sampled if on a GSR

increase the aggregations timers

(67)

What to Collect:

Level of Collection Details

Link statistics or traffic details:

SA, DA

Application details (port numbers)

QoS

Time stamps

Routing and peering

Header or payload

Layer 2 or Layer 3 information

Data export: push or pull model

Collection interval and history

(68)

What to Collect:

The Two Extremes...

[Figure: the two extremes, SNMP on one side and NetFlow on the other, laid over the field groups Usage, QoS, Time of Day, Application, Port Utilization, From/To and Routing and Peering]

NetFlow fields shown:

• Source IP address

• Destination IP address

• Input ifIndex

• Output ifIndex

• Type of service

• TCP flags

• Protocol

• Packet count

• Byte count

• Source TCP/UDP port

• Destination TCP/UDP port

• Start sysUpTime

• End sysUpTime

• Next hop address

• Source AS number

• Dest. AS number

• Source prefix mask

• Dest. prefix mask

(69)

What to Collect:

Full Collection vs. Sampling

Processing every packet might not scale up to

very high-speed interfaces

Amount of collected data might be huge

It might take longer to process the data than to

generate it

Network Management traffic might fully utilize

the available bandwidth

Packet sampling can help to overcome those

(70)

What to Collect:

1 in “n” Sampling

Sampling Interval: 1 in 5 Packets. Missed Flows: 2 out of 5 (35%)

Sampling Interval: 1 in 2 Packets. Missed Flows: 1 out of 5 (15 %)

(71)

What to Collect:

Sampling Best Practices

Sampling for monitoring is fine

Continuously sampling might be OK even

for billing purposes

Carefully determine the sampling rate

Sampling algorithms:

1 in n (deterministic, random, hash-based)

Filter, expressions

Time based

Trajectory sampling
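The 1-in-n sampling variants listed above and the missed-flow effect of slide 70, as an added Python example that is not from the slides: deterministic, random and hash-based 1-in-n samplers run over a constructed packet stream, the probability that a k-packet flow is missed entirely, and the n-times scale-up a collector applies to sampled counts. The stream and its flow sizes are constructed.

```python
import hashlib
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed packet stream of (src, dst, length). Flow A is long-lived, flow B
# has three packets, flow C is a single packet: the kind 1-in-n sampling misses.
Packet = Tuple[str, str, int]
STREAM: List[Packet] = ([("10.0.0.1", "10.0.1.1", 1000)] * 100
                        + [("10.0.0.2", "10.0.1.1", 60)] * 3
                        + [("10.0.0.3", "10.0.1.1", 40)])


def sample_deterministic(packets: Iterable[Packet], n: int) -> List[Packet]:
    """Take every n-th packet, starting with the first."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def sample_random(packets: Iterable[Packet], n: int, seed: int = 0) -> List[Packet]:
    """Each packet is taken independently with probability 1/n."""
    rng = random.Random(seed)
    return [p for p in packets if rng.randrange(n) == 0]


def sample_hash(packets: Iterable[Packet], n: int) -> List[Packet]:
    """Hash-based: the decision depends on the flow key, so a selected flow is
    kept whole and an unselected one is dropped whole."""
    out = []
    for src, dst, length in packets:
        h = int.from_bytes(hashlib.sha256(f"{src}>{dst}".encode()).digest()[:8], "big")
        if h % n == 0:
            out.append((src, dst, length))
    return out


def missed_flow_probability(packets_in_flow: int, n: int) -> float:
    """Chance that a flow of k packets leaves no sample under random 1-in-n."""
    return (1 - 1 / n) ** packets_in_flow


def estimate_flows(sampled: Iterable[Packet], n: int) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Scale sampled counts back up: each sampled packet stands for n packets
    and n times its bytes. Returns {flow: (estimated packets, estimated bytes)}."""
    est = defaultdict(lambda: [0, 0])
    for src, dst, length in sampled:
        est[(src, dst)][0] += n
        est[(src, dst)][1] += n * length
    return {k: (v[0], v[1]) for k, v in est.items()}


def true_flows(packets: Iterable[Packet]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Ground truth for comparison: {flow: (packets, bytes)} over the full stream."""
    tot = defaultdict(lambda: [0, 0])
    for src, dst, length in packets:
        tot[(src, dst)][0] += 1
        tot[(src, dst)][1] += length
    return {k: (v[0], v[1]) for k, v in tot.items()}
```

With 1-in-5 deterministic sampling the 100-packet flow is estimated exactly, the 3-packet flow is over-estimated (one sample scaled to 5), and the single-packet flow vanishes, which is why the slides call sampling fine for monitoring but something to weigh carefully for billing.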

(72)

IP Accounting/Billing

Many Different Flavors!

Flat-rate billing doesn’t always scale

Competitive pricing models can be created

with usage-based billing

Usage-based billing considerations

Time of day

Application

QoS/CoS

Transit or peer

Within my network or off

Distance-based

Bandwidth usage

Data transferred

Traffic class (i.e. going through a secure tunnel,

(73)

[Figure: billing hierarchy; Users (IP Address, Name, etc.; User 1 to User 7) are grouped into Departments (Dept. 1 to Dept. 5), which are grouped into Customers (Co. 1 to Co. 7)]

Reporting can be offered at any level

Customers can self-manage all sub-levels

Orange and blue can be sold at a premium

(74)

Which Aggregations to use on a Router?

Field                    AS   Protocol-Port   Source-Prefix   Destination-Prefix   Prefix
Source Prefix            -    -               X               -                    X
Source Prefix Mask       -    -               X               -                    X
Destination Prefix       -    -               -               X                    X
Destination Prefix Mask  -    -               -               X                    X
Source App Port          -    X               -               -                    -
Destination App Port     -    X               -               -                    -
Input Interface          X    -               X               -                    X
Output Interface         X    -               -               X                    X
IP Protocol              -    X               -               -                    -
Source AS                X    -               X               -                    X
Destination AS           X    -               -               X                    X
First Timestamp          X    X               X               X                    X
Last Timestamp           X    X               X               X                    X
# of Flows               X    X               X               X                    X
# of Packets             X    X               X               X                    X

(75)

Which Aggregation to use on a Router?

Field                    AS-TOS   Protocol-Port-TOS   Source-Prefix-TOS   Destination-Prefix-TOS   Prefix-TOS   Prefix-Port
Source Prefix            -        -                   X                   -                        X            X
Source Prefix Mask       -        -                   X                   -                        X            X
Destination Prefix       -        -                   -                   X                        X            X
Destination Prefix Mask  -        -                   -                   X                        X            X
Source App Port          -        X                   -                   -                        -            X
Destination App Port     -        X                   -                   -                        -            X
Input Interface          X        X                   X                   -                        X            X
Output Interface         X        X                   -                   X                        X            X
IP Protocol              -        X                   -                   -                        -            X
Source AS                X        -                   X                   -                        X            -
Destination AS           X        -                   -                   X                        X            -
TOS                      X        X                   X                   X                        X            X
First Timestamp          X        X                   X                   X                        X            X
Last Timestamp           X        X                   X                   X                        X            X
# of Flows               X        X                   X                   X                        X            X
# of Packets             X        X                   X                   X                        X            X
# of Bytes               X        X                   X                   X                        X            X

Network Data Analyzer

Graphical display of NetFlow data

Consumes from NetFlow FlowCollector(s)

Time-based analysis and data sorting

Configure routers and FlowCollectors

Histograms, bar charts, and pie charts

Spreadsheet data export

[Figure: NetFlow FlowCollectors feeding the NetFlow FlowAnalyzer]

(77)

Open API’s Enable Third Parties

to Leverage NetFlow

Cflowd - ANS, BBN and CAIDA: traffic accounting port, AS, network and pure flow matrices

NeTraMet/NetFlowMet - by Nevil Brownlee: IETF’s Realtime Traffic Flow Measurement (RTFM)

smurfind - Walter Prue USC/ISI

(78)

End-to-end Coverage

[Figure: report types (Trend Reports, Service Level Reports, Health Reports, Exceptions Reports) drawing on Response Time/Availability Stats. from SAA Agents, Element & L2/L3/Access Stats. (Router & LAN Stats., Access Stats. from RMON Probes and the Ping MIB) and Traffic Flow Stats. / WAN Stats. from the NetFlow Collector]

(79)

Concord and NetFlow

[Figure: a NetFlow enabled Router and a NetFlow enabled L3 Switch export to a NetFlow Collector; a Concord Workstation produces reports such as "Report for Thu 1/15/98"]

Reports

• Link, LAN, router utilization

• Application mix

• Communicating pairs

Benefits

• Within Cisco IOS, lower cost of entry than RMON/RMON2 probes

• Leverages large installed base of Cisco routers and switches

(80)

Cisco NetFlow support

[Figure: routers export NetFlow to InfoVista NetFlow Agents; the agents' data feed the InfoVista Server and the InfoVista Web Access Server, which serve InfoVista Clients]

Analyze traffic flows by source and destination autonomous system, average packet size and used protocols

Gather high volume NetFlow data

Combine it with other

(81)

Cisco NetFlow support

End-User Benefits:

A Service Provider can optimize its existing connections with other autonomous systems, plan new connections, and proactively identify problem areas.

An Enterprise can use this information to identify network use patterns and to plan the evolution of its network infrastructure.

[Figure: charts of Destination Autonomous System and Source Autonomous Systems, packet distribution by source AS, with automatic resolution of Autonomous System name]

(82)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(83)

Description

RADIUS and TACACS+ accounting allows data to be sent at the start and end of services, indicating the amount of resources such as time, packets, bytes, etc. used during the session

AAA is used for login purposes in general

Dial-in

Telnet and ssh

(84)

RADIUS and TACACS+ Comparison

RADIUS (Remote Authentication Dial In User Service)

Standards-based client-server protocol (IETF)

UDP-based (fast)

Recommended for high performance

Only password field encrypted

Shared key, never sent in clear over the network

User authentication to network access/services

TACACS+ (Terminal Access Controller Access Control System)

Rich feature set: allows command authorization and accounting

Cisco proprietary (but supported by other vendors)

TCP-based (reliable)

Full packets are encrypted

Shared key, never sent in clear over the network

User authentication to

(85)

AAA: Principles

Incoming and outgoing packets/bytes of an incoming call (no dial out accounting)

Each call can generate start and stop records

Each call reports 2 logs:

Accounting request start with start time

Accounting request stop with stop time and full accounting

AAA Accounting is an improved logging system, but AAA is not used primarily for accounting

Adequate for billing because we have the username

Supported on all switching paths

(86)

RADIUS Interaction (User, NAS, RADIUS Server)

1. User dials the NAS

2. Pre-Auth: NAS sends Access Request to the RADIUS Server; server replies Access Accept; NAS accepts the call

3. Call connects

4. User Auth: NAS sends Access Request; server replies Access Accept; NAS accepts the user

5. User Acctg: NAS sends Accounting Request (START); server replies Accounting Ack

6. User connects

7. Call disconnects: NAS sends Accounting Request (STOP); server replies Accounting Ack

(87)

RADIUS Accounting Attributes, RFC2866

40 Acct-Status-Type

41 Acct-Delay-Time

42 Acct-Input-Octets

43 Acct-Output-Octets

44 Acct-Session-Id

45 Acct-Authentic

46 Acct-Session-Time

47 Acct-Input-Packets

48 Acct-Output-Packets

49 Acct-Terminate-Cause

50 Acct-Multi-Session-Id

51 Acct-Link-Count
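The accounting exchange of slides 85 to 87, as an added Python example that is not from the slides: building RADIUS Accounting-Request START and STOP records that carry the RFC 2866 attributes above, computing the Request Authenticator that binds each record to the shared secret without ever sending the secret, and verifying that authenticator on the server side before the counters are trusted. The user name, session id, counters and secret are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple, Union

ACCOUNTING_REQUEST = 4
USER_NAME = 1
# Accounting attributes from slide 87 (RFC 2866)
ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 41, 42, 43
ACCT_SESSION_ID, ACCT_AUTHENTIC, ACCT_SESSION_TIME = 44, 45, 46
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS, ACCT_TERMINATE_CAUSE = 47, 48, 49
STATUS_START, STATUS_STOP = 1, 2
STRING_ATTRS = {USER_NAME, ACCT_SESSION_ID}   # the other attributes used here are 32-bit integers

SECRET = b"constructed-shared-secret"   # constructed; a deployment uses its own per-NAS secret


def encode_attrs(attrs: List[Tuple[int, Union[int, str]]]) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets."""
    out = b""
    for typ, val in attrs:
        data = val.encode() if isinstance(val, str) else struct.pack("!I", val)
        out += struct.pack("!BB", typ, 2 + len(data)) + data
    return out


def build_accounting_request(ident: int, secret: bytes, attrs) -> bytes:
    """RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    so the secret authenticates the record without being transmitted."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the authenticator before trusting the counters."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet: bytes) -> Dict[int, Union[int, str]]:
    """Walk the attribute list, rejecting lengths that run past the packet."""
    attrs: Dict[int, Union[int, str]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        typ, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("bad attribute length")
        data = packet[pos + 2:pos + ln]
        attrs[typ] = data.decode() if typ in STRING_ATTRS else struct.unpack("!I", data)[0]
        pos += ln
    return attrs


def session_records(secret: bytes = SECRET) -> Tuple[bytes, bytes]:
    """Constructed START and STOP records for one dial-in session of the user
    'steve' (the example user of slide 11); values are made up."""
    start = build_accounting_request(1, secret, [
        (USER_NAME, "steve"), (ACCT_STATUS_TYPE, STATUS_START),
        (ACCT_SESSION_ID, "0000A1B2"), (ACCT_AUTHENTIC, 1), (ACCT_DELAY_TIME, 0)])
    stop = build_accounting_request(2, secret, [
        (USER_NAME, "steve"), (ACCT_STATUS_TYPE, STATUS_STOP),
        (ACCT_SESSION_ID, "0000A1B2"), (ACCT_SESSION_TIME, 3600),
        (ACCT_INPUT_OCTETS, 1_234_567), (ACCT_OUTPUT_OCTETS, 98_765),
        (ACCT_INPUT_PACKETS, 2000), (ACCT_OUTPUT_PACKETS, 900),
        (ACCT_TERMINATE_CAUSE, 1)])
    return start, stop
```

A record built with a different secret, or altered after it was built, fails `verify_accounting_request`, which is the check a billing back end should apply before a STOP record's octet counters reach an invoice; the same authenticator construction is also why the comparison slide can say the shared key is never sent in clear.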

(88)

AAA Possible Applications

[Figure: AAA marked against six of the categories Network Planning, Application Monitoring, Security Analysis, User Monitoring, Peering Agreement, Traffic Engineering, Network Monitoring, Usage-Based Billing and Destination Sensitive Billing]

(89)

Outline

Introduction

Netflow Overview

Netflow Architecture

Netflow Formats

Netflow Feature Acceleration

Netflow Deployment

AAA

(90)

Network Traffic Measurement and Analysis (網路流量量測與分析)

System design for Flow Capture and Flow Analyzer

Distributed, load-balancing architecture for scalability

Traffic Analysis & Data Reduction

Presentation & Reporting

[Figure: Network Device sends raw packets to the Flow Generator; Flow information goes to the Flow Capturer and on to the Flow Analyzer (Scalability), which derives Network Characteristics; analyzed data goes to the Presenter Web Site and the User Interface (Web browser)]

(91)

Ongoing Work

Support for various applications

Streaming services

Other P2P services

Distributed, load-balancing architecture for

scalability

parallel or distributed architecture

subdivide monitoring system into several functional components

efficient load sharing between sites

Considerations for small storage requirements

Significant aggregation based on the ingress point

Local reduction of the data should be effective

(92)

Combine SNMP & RMON

Utilize SNMP polling policies to gather key statistics on backbone/core routers and on MIB objects not related to flow-by-flow measurements

Interface errors

memory and CPU utilization

Utilize RMON capabilities for detailed drilldown

Application tracking

Interface error analysis

Packet capture for problem diagnosis and resolution

Maximize network monitoring, management, and

(93)
