IPFIX-Based Measurement and Monitoring Platform


Network management related activities such as traffic engineering and classification, monitoring, accounting and profiling, or intrusion detection and prevention, are based on the analysis of the measured network and traffic information.

What is IPFIX?


IPFIX is the official IETF internet standard for the export of information about IP flows. It is a widely recognised and accepted protocol. It can provide a full representation of all individual connections that travel through an observation point (e.g. switch, router, firewall, etc.).

What is an IP Flow?


IP flow or flow-level information refers to a set of packets sharing a common key that pass an observation point during a certain period of time. This flow key is usually defined by a five-tuple. The most commonly used flow key for flow creation is composed of the source and destination IP addresses, source and destination ports, and protocol identifier. If an observed packet differs from the other packets in at least one property, it belongs to another flow.

Main Components of the Platform


The general architecture of an IPFIX-based measurement and monitoring platform is as follows:

Traffic information is carried in flow records. The export of flow records is a push-based mechanism, where the data are transmitted from the IPFIX exporter(s) to the IPFIX collector(s) over TCP, UDP or SCTP. The essential components of any IPFIX-based measurement platform are the exporter(s) and collector(s).

Exporter


The architecture of the exporter is as follows:

The exporter is a device which hosts one or more exporting processes. Each exporter sends flow records to one or more collectors. The flow records are generated by one or more metering processes. The metering process consists of a set of functions including packet capture, timestamping, packet selection (sampling and filtering), classification and maintaining (creating) flow records in the flow cache.

One layer higher is the exporting process. It provides an interface between the metering process(es) and the collecting process(es), i.e. it sends (exports) the flow records obtained from the metering process(es) to one or more collectors. It also contains a flow selection block (sampling or filtering) that can provide additional data reduction.

Collector


The collector is a device which hosts a collecting process. The collecting process receives flow records from one or more exporting processes. The main goal of the collector is to extract the measured properties and features of the flows from the flow records. For efficiency, this information is stored and carried in Information Elements.

Template and Data Records

The IPFIX protocol defines how the flow records are exported from the exporter(s) to the collector(s). In practice, they are transmitted in two "containers": templates and data. Flow records are carried in data records, and the structure of these data records is defined by the templates. This separation follows from the fact that the traffic information depends on the purpose of the measurement and the network structure.
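The following added example (not part of the original page) shows how a collector uses a template to decode data records, and how it refuses sets whose lengths or template references do not check out, since this input arrives from the network. It follows the RFC 7011 message layout; the function names, the template ID 256 and the sample message are constructed for illustration, and only fixed-length, IANA-registered fields are handled.

```python
import struct
from ipaddress import IPv4Address

IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 4: "protocolIdentifier",
            7: "sourceTransportPort", 11: "destinationTransportPort"}  # IANA IPFIX IE IDs

def parse_templates(body, templates):
    pos = 0
    while len(body) - pos >= 4:                 # under 4 trailing bytes is padding
        tid, count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * count
        if tid < 256 or count == 0 or end > len(body):
            raise ValueError("malformed or unsupported template record")
        fields = [struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
        if any(ie & 0x8000 or ln in (0, 0xFFFF) for ie, ln in fields):
            raise ValueError("enterprise or variable-length field not handled")
        templates[tid], pos = fields, end

def parse_data(body, fields):
    rec_len, flows = sum(ln for _, ln in fields), []
    for pos in range(0, len(body) - rec_len + 1, rec_len):  # shorter tail is padding
        flows.append({})
        for ie, ln in fields:
            raw, pos = body[pos:pos + ln], pos + ln
            val = str(IPv4Address(raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
            flows[-1][IE_NAMES.get(ie, "ie%d" % ie)] = val
    return flows

def parse_message(msg, templates):  # templates: template ID -> [(ie_id, length), ...]
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("bad header, version or message length")
    flows, off = [], 16
    while off < len(msg):
        hdr = msg[off:off + 4]
        if len(hdr) < 4 or not 4 <= int.from_bytes(hdr[2:], "big") <= len(msg) - off:
            raise ValueError("set header truncated or set length out of bounds")
        set_id, set_len = struct.unpack("!HH", hdr)
        if set_id == 2:                          # Template Set
            parse_templates(msg[off + 4:off + set_len], templates)
        elif set_id >= 256:                      # Data Set: set ID names its template
            if set_id not in templates:
                raise ValueError("data set %d has no known template" % set_id)
            flows += parse_data(msg[off + 4:off + set_len], templates[set_id])
        off += set_len
    return flows

SAMPLE = (struct.pack("!HHIII", 10, 64, 0, 0, 1)  # constructed sample: message header
          + struct.pack("!HHHH10H", 2, 28, 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1)  # Template Set
          + struct.pack("!HH4B4BHHB3x", 256, 20, 192, 0, 2, 10, 198, 51, 100, 7, 49152, 443, 6))
```

The templates dictionary is kept by the caller between messages, because an exporter sends a template once and then refers to it by ID in later data sets.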

Analyser

IPFIX specifies flow measurement only up to the collector. What happens to the data next is up to the developers/administrators.

In general, the information extracted from the data records can be stored in a database and/or directly sent to one or more external evaluating entities. Given the basic functionality of this external entity (i.e. analysis), we refer to this component as the analysing application or simply analyser.

The analyser provides further processing and analysis of the information about flows. More comprehensive analysers also provide a GUI for both the visualisation of the information obtained from the database/collector and the management of the architecture's lower components (i.e. exporter and collector). It is worth mentioning that the analyser itself is not a part of the IPFIX specification.

Workflow

In summary, measuring and analysing the network traffic using the IPFIX protocol can be split into the following steps:

  1. The information obtained from the captured packets is, after timestamping, sampling, classification, etc., encapsulated into IPFIX messages and sent from the exporter(s) to the collector(s).

  2. In the collector, after parsing the obtained template/data records, the obtained flow-level data are stored in a database and/or sent directly to the analyser.

  3. The analysis of flow-level information is performed in the analyser. The data obtained can be used in a number of ways. For example, the extracted flow features can be used to produce plots and graphs about the network condition.