IPFIX Overview
Full visibility into network usage and performance provides actionable information for data security, network troubleshooting, and adapting to ever-changing business demands.
Packet capture and analysis is the optimal choice for many network performance and security applications, and it is critical for complete network visibility. For small businesses, however, it may not be cost-effective. This is where metadata-based tools can be used to quickly visualize network behavior and correlate issues to specific applications or data sources. Rather than always relying on full packet capture, protocols like NetFlow and IPFIX can generate valuable metadata for less-intensive network monitoring. This metadata is similar to a mobile phone bill: it lists your calls and texts with their source, destination and volume rather than showing the actual content of the conversations. With this information, you can gain insights at a lower cost to your network management plan.
The IPFIX (IP Flow Information Export) protocol was standardized by the Internet Engineering Task Force (IETF) in 2013 to be a multi-vendor universal metadata protocol for exporting IP flow information from network devices, such as switches, routers, firewalls to network monitoring and analysis applications or “collector” systems. The IETF IPFIX standard defines how flow information is exported, formatted and transferred from the IPFIX “agent” devices to collector systems for further segmentation, analysis and logging.
Based on NetFlow Version 9, IPFIX uses similar procedures for exporting a “flow” to a collector. Exporters and collectors operate in a many-to-many relationship: an exporter can transmit flow information to multiple collectors, and each collector can receive information from any number of exporter devices.
Flow data as used by IPFIX consists of all IP data traffic that belongs to the same “connection” or “conversation” between two devices on a particular protocol. Flow information is periodically pushed to the collector devices without any request from the receiver, and it can be customized to include a range of pre-defined or user-defined information elements. This flexibility is one of the protocol’s strong suits, as vendors can create custom templates carrying exactly the information they wish to collect and analyze.
Why IPFIX
IPFIX and NetFlow are comparable. However, IPFIX is increasingly used by end-users and supported by networking and security vendors keen to adopt a more pervasive and flexible protocol.
In terms of compatibility, IPFIX supports the same base set of seventy-nine field types as NetFlow v9. However, IPFIX goes beyond this to support a total of two hundred thirty-eight field types, providing a larger scope for monitoring any type of flow data required. As a further enhancement over NetFlow, IPFIX also allows variable-length fields, meaning that a field's length is not fixed in advance. Variable-length fields make it easier to transmit information whose size varies frequently, such as URLs (which differ from site to site), messages, and HTTP hosts.
IPFIX transport has to fulfil certain reliability and security requirements. Therefore the Stream Control Transmission Protocol (SCTP) has been chosen as the preferred transport protocol for IPFIX in all fully compliant implementations, while TCP and UDP can be used as optional protocols for backward compatibility. The preference for SCTP is significant because it is congestion-aware and reduces bandwidth use in case of congestion, so that the monitoring traffic itself does not degrade the performance of the monitored network.
IPFIX allows networking hardware vendors to specify a Vendor ID under which they define their own proprietary information elements to be exported. This enables almost any data that would otherwise have required Syslog or SNMP to be exported directly over IPFIX for further analysis and monitoring.
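The template, variable-length field and Vendor ID (enterprise-specific element) mechanisms described above, shown in an added Python example that is not from this article or any IPFIX product: it reads a constructed IPFIX message in the RFC 7011 layout containing one template and two flow records. The addresses, byte counts and host names are made up, and enterprise number 32473 is the one reserved for documentation (RFC 5612).

```python
import socket
import struct

def parse_templates(body):   # Template Set body -> {template_id: [(ie, enterprise, length)]}
    templates, pos = {}, 0
    while pos + 4 <= len(body) and body[pos:pos + 2] != b"\0\0":   # zero bytes are set padding
        tid, count = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            pen = struct.unpack("!I", body[pos:pos + 4])[0] if ie & 0x8000 else None  # enterprise bit
            pos, ie = pos + (4 if pen is not None else 0), ie & 0x7FFF
            fields.append((ie, pen, flen))
        templates[tid] = fields
    return templates

def parse_data(body, fields):   # Data Set body -> [{(ie, enterprise): raw network-order bytes}]
    min_len = sum(1 if l == 0xFFFF else l for _, _, l in fields)   # 0xFFFF = variable length
    records, pos = [], 0
    while len(body) - pos >= min_len:   # a shorter tail is set padding
        rec = {}
        for ie, pen, flen in fields:
            if flen == 0xFFFF:   # 1-byte length prefix; 255 means a 2-byte length follows
                flen, pos = (body[pos], pos + 1) if body[pos] < 255 else (struct.unpack("!H", body[pos + 1:pos + 3])[0], pos + 3)
            rec[(ie, pen)] = body[pos:pos + flen]; pos += flen
        records.append(rec)
    return records

def parse_message(buf):   # one IPFIX message -> its data records (templates learned in-message)
    version, length = struct.unpack("!HH", buf[:4])   # header: version, length, export time, sequence, domain ID
    if version != 10 or length != len(buf): raise ValueError("not a well-formed IPFIX message")
    templates, records, pos = {}, [], 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", buf[pos:pos + 4])
        body = buf[pos + 4:pos + set_len]
        if set_id == 2:        # Template Set (Options Template Set, ID 3, is skipped here)
            templates.update(parse_templates(body))
        elif set_id >= 256:    # Data Set; its ID names the template that describes it
            records += parse_data(body, templates[set_id])
        pos += set_len
    return records

def build_sample():   # constructed message: template 256 + two flow records (values are made up)
    # fields: sourceIPv4Address(8), destinationIPv4Address(12), octetDeltaCount(1), and a variable-length vendor IE 1 under documentation PEN 32473
    tmpl = struct.pack("!HHHHHHHHHHI", 256, 4, 8, 4, 12, 4, 1, 8, 0x8000 | 1, 0xFFFF, 32473)
    host1, host2 = b"example.com", b"a" * 300   # second host needs the extended (255 + 2-byte) length form
    data = (socket.inet_aton("10.0.0.5") + socket.inet_aton("192.0.2.10") + struct.pack("!Q", 4321) + bytes([len(host1)]) + host1
            + socket.inet_aton("10.0.0.6") + socket.inet_aton("192.0.2.20") + struct.pack("!Q", 98765) + b"\xff" + struct.pack("!H", 300) + host2)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets   # version 10, export time 0, seq 0, domain ID 1
```

Raw values are returned as bytes because decoding depends on each information element's abstract data type; the dictionary key pairs the element ID with its enterprise number, which is what keeps octetDeltaCount (IE 1) apart from the vendor's own IE 1.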
Finally, as an open IETF standard, IPFIX benefits from the collective engineering efforts of thousands of individuals in the Internet community, as well as from support within products offered by dozens of companies in the networking marketplace.