Internet Protocol Flow Information Export
| application | IPFIX | ||||
| transport | UDP | TCP | SCTP | ||
| Internet | IP ( IPv4 , IPv6 ) | ||||
| Network access | Ethernet |
Token bus |
Token ring |
FDDI | ... |
The Internet Protocol Flow Information Export (IPFIX) is a further development of the Netflow protocol from Cisco Systems . It is being developed by the IETF to standardize the exchange of network monitoring information.
A flow is the term used to describe packets in a data stream that have common properties such as "same source, same destination and same protocol". Using IPFIX, for example, a router can now send information about its view of the current network load to a central monitoring station, which can react appropriately to this information.
IPFIX is a pure push protocol , which means the sending station sends IPFIX data packets at regular intervals.
The composition of IPFIX data packets is largely up to the sender, since he uses so-called templates to make the structure of the packets known in IPFIX before sending flow information . The data types used in data packets can also be freely expanded.
IPFIX is preferred as the SCTP transport protocol , but the alternative use of TCP or UDP is also provided.
architecture
The architecture of an IPFIX information flow typically looks like this:
Metering,
Exporter IPFIX Collector
O--------------------------->O
|
| Observation Point
v
---- IP Traffic --->
A metering process collects data packets at the observation point , pre-filters them if necessary and aggregates information about these packets. This information is then sent from the exporter to the collector . There is a many-to-many relationship between exporter and collector , i.e. an exporter can deliver to several collectors and a collector can obtain information from several exporters.
example
A simple data record sent using IPFIX could look like this, for example:
| source | target | Packages |
|---|---|---|
| 192.168.0.201 | 192.168.0.1 | 235 |
| 192.168.0.202 | 192.168.0.1 | 42 |
The IPFIX message used here could be structured as follows, for example:
| Bits 0..15 | Bits 16..31 |
|---|---|
| Version = 0x000a | Message length = 72 bytes |
| Export time = 2005-12-31 23:59:60 | |
| consecutive number = 0 | |
| Source system ID = 12345678 | |
| Set ID = 2 (template) | Set length = 20 bytes |
| Template ID = 256 | Number of fields = 3 |
| Type = sourceIPv4Address | Field length = 4 bytes |
| Type = destinationIPv4Address | Field length = 4 bytes |
| Type = packetDeltaCount | Field length = 8 bytes |
| Set ID = 256 (data set according to template 256) |
Set length = 28 bytes |
| Sentence 1, field 1 = 192.168.0.201 | |
| Set 1, field 2 = 192.168.0.1 | |
| Sentence 1, field 3 = 235 packages | |
| Sentence 2, field 1 = 192.168.0.202 | |
| Set 2, field 2 = 192.168.0.1 | |
| Sentence 2, field 3 = 42 packages | |
After the mandatory header, it contains two IPFIX sets: a template set that makes the structure of the data set used known and a data set that transfers the actual user data. The template set is buffered in the receiver and does not have to be transferred in the future.
Web links
- Ipfix Status Pages. tools.ietf.org
- Request for Comments: 5101. tools.ietf.org