Ethernet Flow Monitoring with IPFIX
Rick Hofstede, Idilio Drago, Anna Sperotto, Aiko Pras
University of Twente, The Netherlands
r.j.hofstede@student.utwente.nl, {i.drago, a.sperotto, a.pras}@utwente.nl
This work has been supported by SURFnet’s ‘GigaPort 3’ project for Next-Generation Networks.
1. What is Flow Monitoring?
Flow monitoring offers an aggregated view of network activity.
NetFlow v5: fixed data structures, IPv4.
NetFlow v9: templates, IPv4 + IPv6.
Flexible NetFlow/IPFIX: allows user selection of flow keys and records.
Future: use flow monitoring in Carrier Ethernet networks?
2. IPFIX at the Ethernet Layer
Network operators are considering deployments of Carrier Ethernet networks.
Monitoring at the Ethernet layer provides an overview of active layer 2+ protocols.
Our goal: evaluate the use of IPFIX for Next-Generation Ethernet (NGE) monitoring.
3. Probing Equipment
INVEA-Tech FlowMon Probes support IP flow export using NetFlow v5/v9/IPFIX. A special Ethernet plugin was developed for exporting Ethernet flows.
Exported fields: start time, end time, source MAC address, destination MAC address, EtherType, sVLAN, cVLAN, sPriority, cPriority, header length, payload length, packets, octets.
Two FlowMon Probes have been installed in our University's campus network.
4. Case 1: Misconfiguration
DECnet Phase IV traffic was found in our network. It was used in previous years for router configuration, but it was not disabled until now.
[Figure: Flow records for DEC MOP (per min.), 0-45, over time (March 28, 2011), 0:00-12:00]
5. Case 2: Security
A misbehaving host generated a large amount of ARP traffic, which can cause serious damage to the health of the network.
Normal ARP traffic on campus network:
[Figure: ARP octets (per min.), 0-4M, over time (March 28, 2011), 0:00-22:00]
Erroneous ARP traffic on campus network:
[Figure: ARP octets (per min.), 0-55M, over time (April 4, 2011), 0:00-22:00]
6. Case 3: Profiling
Although most IPv4 campus traffic is generated during working hours, IPv6 flows behave differently:
[Figure: Flow records for IPv6 (per min.), 0-20k, over time (March 28, 2011), 0:00-22:00]
[Figure: Octets for IPv6 (per min.), 0-3.5G, over time (March 28, 2011), 0:00-22:00]
Many small flows are generated by IPv6, especially during evenings. What will be the effect on probing equipment when more hosts make use of IPv6?
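As an added example (not the poster's own code), the following Python sketch shows how Case 1 and Case 2 can be checked against exported Ethernet flow records: EtherTypes outside an operator's allow-list are reported with the source MACs that emitted them, and per-minute ARP octet volume is compared against a baseline to spot a misbehaving host. The EthFlow record layout, the spike factor and the sample records are assumptions; the EtherType values are the IEEE-registered ones.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EthFlow:
    """One exported Ethernet flow record (subset of the plugin's fields)."""
    start: int        # start time, seconds since the epoch
    end: int
    src_mac: str
    dst_mac: str
    ethertype: int
    svlan: int
    cvlan: int
    packets: int
    octets: int


def per_minute(flows, ethertype, metric="records"):
    """Bin the flows of one EtherType by the minute of their start time.
    metric is "records" (count of flow records), "packets" or "octets"."""
    bins = defaultdict(int)
    for f in flows:
        if f.ethertype == ethertype:
            bins[f.start // 60 * 60] += 1 if metric == "records" else getattr(f, metric)
    return dict(bins)


def unexpected_ethertypes(flows, allowed):
    """Case 1: EtherTypes not on the allow-list, with the source MACs that sent
    them (DEC MOP is 0x6001/0x6002, DECnet Phase IV is 0x6003)."""
    seen = defaultdict(set)
    for f in flows:
        if f.ethertype not in allowed:
            seen[f.ethertype].add(f.src_mac)
    return {et: sorted(macs) for et, macs in seen.items()}


def arp_spikes(flows, baseline_octets, factor=10):
    """Case 2: minutes whose ARP (0x0806) octet volume exceeds factor x baseline."""
    series = per_minute(flows, 0x0806, "octets")
    return sorted(m for m, o in series.items() if o > factor * baseline_octets)


# Constructed sample records; timestamps and MAC addresses are placeholders.
T0 = 1301299200  # 2011-03-28 08:00:00 UTC
SAMPLE = [
    EthFlow(T0 + 5, T0 + 6, "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 0x0806, 0, 0, 3, 180),
    EthFlow(T0 + 30, T0 + 40, "02:00:00:00:00:02", "02:00:00:00:00:03", 0x0800, 10, 0, 50, 60000),
    EthFlow(T0 + 70, T0 + 71, "02:00:00:00:00:04", "02:00:00:00:00:05", 0x6001, 0, 0, 1, 60),
    EthFlow(T0 + 125, T0 + 180, "02:00:00:00:00:09", "ff:ff:ff:ff:ff:ff", 0x0806, 0, 0, 40000, 2400000),
]
```

A real deployment would feed the collector's decoded IPFIX records into `EthFlow` and derive `baseline_octets` from a quiet reference day such as the "normal ARP traffic" plot.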
Ethernet flow monitoring provides new insights into active traffic types in a network.
Besides profiling network activity, it can support network managers in detecting misconfigurations and security issues. Other use cases will be investigated as future work.