NETFLOW FOR ACCOUNTING, ANALYSIS AND ATTACK

Chu-Sing Yang
Department of Electrical Engineering
National Cheng Kung University
Outline
Introduction
Netflow Overview
Netflow Architecture
Netflow Formats
Netflow Feature Acceleration
Netflow Deployment
AAA
Conclusion and Future Work
Introduction – Goals
Service providers must have access to in-depth information
about their networks
A complete view of current use
Understand the behavior of their networks
Network problem determination and analysis
Network security attack detection and prevention
Detailed network usage history reports
Analytical tools to analyze and predict usage trends
Plan for network deployment and expansion
Etc.: usage-based billing, SLA monitoring, …
Introduction – Challenges
Capturing Characteristics
  How to capture traffic characteristics from high-speed, high volume
  networks (Mbps→Gbps→Tbps)?

Analysis
  How to analyze and generate data needed quickly?
  Evolving network applications
     Streaming media (Windows Media, Real, Quicktime)
     P2P traffic
  Network Security Attacks

Log Generation & Storage
  What kind of information to save to perform various/long-term
  analysis?
  How to minimize storage requirements?
Tools Taxonomy
(Figure: taxonomy of measurement tools over an example topology; the diagram itself is not reproduced.)
Data collection: RTFM, RMON, Netflow, SNMP, PacketDump
Analysis tools: cflowd, Flow-tools, Flowscan, Panoptis, MINDS
Uses: Traffic Engineering, User Monitoring, Billing…; DDoS, Virus, Worms…
Data Collection – SNMP Data
Simple Network Management Protocol (SNMP)
  Router CPU utilization, link utilization, link loss, …
  Collected from every router/link every few minutes
Applications
  Detecting overloaded links and sudden traffic shifts
  Measuring link utilization
Advantage
  Open standard, available for every router and switch
Disadvantage
  Coarse granularity, both spatially and temporally
  Version consistency
Data Collection – Flow-Level Traces
 Flow monitoring (e.g., Cisco Netflow)
   Measurements at the level of sets of related packets
   Set of packets that “belong together”
      Source/destination IP addresses and port numbers
      Same protocol, ToS bits, …
      Same input/output interfaces at a router (if known)
      Number of bytes and packets, start and finish times
 Applications
   Computing application mix and detecting DoS attacks
   Measuring the traffic matrix for the network
 Advantages
   Medium-grain traffic view, supported on some routers
 Disadvantages
   Not uniformly supported across router products
   Large data volume, and may slow down some routers
Data Collection – Packet-Level Traces
    Packet monitoring
      IP, TCP/UDP, and application-level headers
      Collected by tapping individual links in the network
    Applications
      Fine-grain timing of the packets on the link
      Fine-grain view of packet header fields
    Advantages
      Most detailed view possible at the IP level
    Disadvantages
      Expensive to have in more than a few locations
      Challenging to collect on very high-speed links
      Extremely high volume of measurement data
    Business Requirements
How do I efficiently track network and application
resource usage?
How do I know if my customers are adhering
to usage policy agreements?
How do I account and bill for resources being
utilized?
How do I effectively plan to allocate and deploy
resources most efficiently?
How do I track customers to enhance
marketing customer service opportunities?
     Accounting—What For?
Network monitoring
Network planning
Security analysis
Application monitoring and profiling
User monitoring and profiling
Traffic engineering
Peering agreements
Usage-based billing
Destination sensitive billing
Accounting vs. Billing
(Figure: host 1.2.3.4, used by Steve, exchanging traffic with host 5.6.7.8, the SAP server.)
Accounting application records addresses:
  Src Add    Dest Add
  1.2.3.4    5.6.7.8
  5.6.7.8    1.2.3.4
  1.2.3.4    5.6.7.8
  5.6.7.8    1.2.3.4
Billing application maps them to users and resources:
  User       Resource
  Steve      SAP
  Accounting—Why?
Baselining, Performance
Network monitoring
Application monitoring
User monitoring
Trends, statistics
Deviation from normal
History
Accounting—Why? Network Design
Capacity planning
Traffic engineering
(Figure: ISP backbone with Rome, Paris, Munich and London POPs carrying traffic from a source toward a destination reachable through ISP2 or ISP3.)
Accounting—Why? Peering Agreements
(Figure: ISP peering topology, not reproduced.)
      NetFlow Origination
Developed by Darren Kerr and Barry Bruins at
Cisco Systems in 1996
    US Patent 6,243,667
The value of information in the cache was a
secondary discovery
    Initially designed as a switching path
NetFlow is now the primary network accounting
technology in the industry
Answers questions regarding IP traffic: who, what,
where, when, and how
Principal NetFlow Benefits
Service Provider:
  Peering arrangements
  Network planning
  Traffic engineering
  Accounting and billing
  Security monitoring
Enterprise:
  Internet access monitoring (protocol distribution, where traffic is going/coming)
  User monitoring
  Application monitoring
  Charge back billing for departments
  Security monitoring
NetFlow Enables
Traffic analysis and monitoring for network planning
Usage-based billing
Router feature acceleration
NetFlow statistics empower users with the ability to characterize their IP data flows
The who, what, where, when, and how much IP traffic questions are answered
NetFlow’s Value
NetFlow enables IP traffic flow analysis without probes
Offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (i.e. marketing data, personal NMS data)
Increasing margins on existing Cisco infrastructure is possible and economical with NetFlow usage-based billing
What Is a Flow?
Defined by Seven Unique Keys:
  Source IP address
  Destination IP address
  Source port
  Destination port
  Layer 3 protocol type
  TOS byte (DSCP)
  Input logical interface (ifIndex)
(Figure: flow cache and exported data, not reproduced.)
              NetFlow Principles
Inbound traffic only
Unidirectional flow
Accounts for both transit traffic and traffic destined for the router
Works with Cisco Express Forwarding (CEF) or fast switching
    Not a switching path

Supported on all interfaces and Cisco IOS software platforms
Returns the subinterface information in the flow records
C6500/7600 enables NetFlow on all interfaces by default
NetFlow Components
(Figure: IOS routers and RMON probes export to the Netflow FlowCollector, which feeds the Netflow Data Analyzer and partner applications for network planning and accounting/billing.)
IOS: data switching, data export, data aggregation
Netflow FlowCollector: data collection, data filtering, data aggregation, data storage, file system management
Netflow Data Analyzer: data presentation, NFC control and configuration; partner applications
NetFlow Component: IOS
(Figure: IOS router and RMON probe as the export sources.)
• Data Switching
• Data Export
• Data Aggregation
 NetFlow Cache Tracks Flows
A “Flow” is defined by Seven Characteristics:
   Source/Destination IP address pair
   Source/Destination application port pair
   IP Protocol
   Input Physical Interface Index
   IP Type of Service (ToS) byte

Flows are unidirectional
NetFlow is enabled on a per input-interface basis
NetFlow Feature Acceleration
NetFlow Accelerates
   NetFlow Policy Routing (NPR)
   Router-based network data encryption
   Access Control Lists (ACL)
   RSVP
In the future
   Network Address Translation (NAT)
   Committed Access Rate (CAR)
   Web Cache Control Protocol (WCCP)
   Others
Availability of such acceleration will be announced on a
feature-by-feature basis
NetFlow Data Record
Usage: packet count, byte count
Time of day: start timestamp, end timestamp
Port utilization: input interface port, output interface port
QoS: type of service, TCP flags, protocol
From/To: source IP address, destination IP address
Application: source TCP/UDP port, destination TCP/UDP port
Routing and peering: next hop address, source AS number, dest. AS number, source prefix mask, dest. prefix mask
Router Based Aggregation
(Figure: aggregation schemes available on the router: AS, Prefix Matrix, Dest. Prefix, Source Prefix, Protocol Type.)
NetFlow Components: FlowCollector
(Figure: IOS and RMON probe exporting to the Netflow FlowCollector.)
IOS: data switching, data export, data aggregation
Netflow FlowCollector: data collection, data filtering, data aggregation, data storage, file system management
NetFlow FlowCollector
(Figure: NetFlow FlowCollector receiving flow records and serving flow consumer applications.)
Flow record reception
Data volume reduction
  Filtering
  Aggregation
Flexible thread language
Flat file, binary, and/or compressed file storage
File cleanup
Solaris and HP-UX
FlowCollector Aggregation Schemes
Over 20 aggregation schemes
From Call Detail Records for billing
To AS information for statistics
Many combinations in-between
Highlighted New Features in FlowCollector 3.0
Support for RBA export data
8 additional aggregation schemes
Improved disk space management
Configuration and Control API
Autonomous Message Notification
High availability process monitoring on
hosting workstation
NetFlow Components: Data Analyzer
(Figure: the same component diagram, highlighting the Netflow Data Analyzer.)
Netflow Data Analyzer: data presentation, NFC control and configuration; partner applications for network planning and accounting/billing
Network Data Analyzer
(Figure: NetFlow FlowAnalyzer consuming data from NetFlow FlowCollectors.)
Graphical display of NetFlow data
Consumes from NetFlow FlowCollector(s)
Time-based analysis & data sorting
Histograms, bar charts, pie charts
Spreadsheet data export
Highlighted Features in Network Data Analyzer
Search operations
   Address to Address transactions
   Address to Subnet transactions
   Subnet to Subnet transactions
   Address “away from” Address/Subnet transactions
Multiple router, dataset selection or interface selection
DetailASMatrix aggregation & drilldown
DNS address and AS number to name translation
Highlighted Features in Network Data Analyzer
NetFlow Collector Control
Traffic Matrix Statistics (TMS) data collection control and analysis
View router-based aggregation schema data
Router control for NetFlow and TMS
Netflow Formats
Version 1: initial version; not commonly used
Version 5: superset of Version 1; added AS accounting; datagram sequencing; commonly used
Version 7: Cat5K NFFC only; not available in IOS
Version 8: router based aggregation; available in 12.0(3)T, 12.0(3)S
Version 9: configurable flow record templates
Versions 2, 3, 4 and 6 were experimental
Cache Management & Data Export
(Figure: the NetFlow cache emits export datagrams consisting of a header (sequence number, record count, version number) followed by flow records.)
Flow cache manager expires flows
  No traffic/long life/TCP flags/cache full/etc.
Intelligent cache aging ensures cache entries are always available
Distributed NetFlow Cache on VIPs
Router exports groups of expired flows every second
Export uses UDP datagrams with sequence numbers
Cache Management & Export
(Figure: flow entries (Flow 1, Flow 2, Flow 3, …) leave the NetFlow cache when a flow expires, the cache is full, or a timer expires; they are placed in the export buffer and sent by UDP to the collector.)
Flow Management
Rules for expiring NetFlow cache entries:
Flows which have been idle for a specified time are expired and removed from the cache. (This is configurable.)
Long lived flows are expired and removed from the cache. Flows are expired after 30 min by default.
As the cache becomes full the cache is intelligently purged.
TCP connections which have been closed, that is, a FIN/RST has been received.
Data Export
When does NetFlow export data?
• Flow datagrams are exported once per second, OR
• When a complete UDP datagram of flows is available

Netflow Version | Number of Flow Records per Export Packet
Version 1       | 24 flow records
Version 5       | 30 flow records
Version 7       | 27 flow records
Version 8       | Variable
Version 9       | Variable
NetFlow Versions
Version | Comments
1       | Original
5       | Standard and most common
7       | Specific to Cisco C6500 and 7600 Series switches; similar to Version 5, but does not include AS, interface, TCP flag and ToS information
8       | Choice of eleven aggregation schemes; reduces resource usage
9       | Flexible, extensible file export format to enable easier support of additional fields and technologies, e.g. MPLS, multicast, BGP next hop, and IPv6
               Version 1
Version 1 is the initial NetFlow format
supported on 11.1, 11.2, 11.3, 12.0
On by default
No reason to use v.1 unless supporting a legacy
collection system.
Netflow - Not a Switching Path
In the past (before CEF), Netflow was a switching mechanism. But we faced complications and performance problems…
When CEF was written, the Netflow code was rewritten to do only the accounting job. No switching anymore.
Netflow now runs on top of CEF to store accounting statistics. We still look into the FIB for adjacencies, encapsulation info, route, …
As a consequence the Netflow switching name was changed to Netflow services
Netflow Acceleration
An API used by the other IOS features
Needs 12.0(3)T
Reserves extra space in the Netflow cache for state information from other features.
Applies the feature processing on the first packet instead of on every packet. Information from the first packet is used to build the cache entry, which is then accessed by subsequent packets from the same flow
Access Control Lists are accelerated by default, nothing to configure
Netflow Acceleration
Depending on the train (12.0S, 12.0ST, 12.1 or 12.2), Netflow accelerates
  IP accounting
  RSVP
  Crypto encrypt and decrypt
  Policy Routing
  WCCP inbound redirection
  Cisco Applications and Services Architecture
Future: CAR, NAT, etc.
Netflow Bypasses the Access-list
(Flowchart: ACL acceleration.)
First packet in flow?
  Yes: does the packet pass the ACL?
    Yes: create a Netflow entry and forward the packet with CEF
    No: create a Netflow entry with output i/f null and discard the packet
  No: look up the entry in the Netflow cache. Is the output i/f null?
    Yes: update the Netflow entry stats, go through the ACL, maybe deny the packet
    No: update the Netflow entry stats and forward the packet with CEF
Acceleration - Netflow Policy Routing
The first packet will go through the route-map
and the access-list
A Netflow cache entry will be created with extra
information for policy routing (for example the
next hop)
Subsequent packets of the same flow will bypass
the route-map access-list checks
Note that the acceleration doesn’t change the
switching path!
Performance (Approximate Numbers)
Enabling Netflow version 5 on a router increases the CPU utilization by 20 to 25%
The Netflow export increases the CPU utilization by 5%
Enabling Netflow version 8 increases the CPU utilization by 2 to 5%, depending on the number of aggregations enabled
With a multiple of 6% for multiple aggregations
Netflow is done in hardware on the cat6000 supervisor
Where to Collect the Traffic: Edge vs. Core
(Figure: edge routers versus core routers as collection points.)
Considerations:
  Communication pattern      Data compression
  Flow duplication           Data reduction (filter)
  CPU impact                 Data aggregation
 Where to Deploy Netflow?

On the “edges” of the network
All routers because Netflow accounts incoming
traffic only
For billing, on the aggregation routers because
some 12000 Line Cards only support sampled
Netflow
For accounting, capacity planning, on the
aggregation routers or the 12000 router.
Sampled netflow could be sufficient
Where to Deploy Netflow?
For BGP information, on the BGP peering routers
Can monitor one link, egress and ingress, but should be on a MPLS PE-CE link.
Basic principles:
  Don’t account your exported data
  Avoid a flow duplication design. Netflow Collector doesn’t do flow de-duplication. Done by partner tools
(Figure: traffic passing two routers that both export, not reproduced.)
Creating Export Packets
(Figure: traffic enters a NetFlow-enabled PE router at the edge of the core network; UDP export packets go to the collector (Solaris, HP-UX, or Linux), which feeds the application GUI; the NMS station reads the router's SNMP MIB.)
UDP Export Packets
  Approximately 1500 bytes
  Typically contain 20-50 flow records
  Sent more frequently if traffic increases on NetFlow-enabled interfaces
Flow Export Format (Version 5 is used in this example)
Usage: packet count, byte count
Time of day: start sysUpTime, end sysUpTime
Port utilization: input ifIndex (key field), output ifIndex
QoS: type of service (key field), TCP flags, protocol (key field)
From/To: source IP address (key field), destination IP address (key field)
Application: source TCP/UDP port (key field), destination TCP/UDP port (key field)
Routing and peering (lookup fields): next hop address, source AS number, dest. AS number, source prefix mask, dest. prefix mask
Legend of the original slide: blue – key field; black – standard field; red – lookup
NetFlow Cache Example
1. Create and update flows in NetFlow cache
SrcIf | SrcIPadd     | DstIf | DstIPadd    | Protocol | TOS | Flgs | Pkts  | SrcPort | SrcMsk | SrcAS | DstPort | DstMsk | DstAS | NextHop   | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 11000 | 00A2    | /24    | 5     | 00A2    | /24    | 15    | 10.0.23.2 | 1528      | 1745   | 4
Fa1/0 | 173.100.3.2  | Fa0/0 | 10.0.227.12 | 6        | 40  | 0    | 2491  | 15      | /26    | 196   | 15      | /24    | 15    | 10.0.23.2 | 740       | 41.5   | 1
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 10000 | 00A1    | /24    | 180   | 00A1    | /24    | 15    | 10.0.23.2 | 1428      | 1145.5 | 3
Fa1/0 | 173.100.6.2  | Fa0/0 | 10.0.227.12 | 6        | 40  | 0    | 2210  | 19      | /30    | 180   | 19      | /24    | 15    | 10.0.23.2 | 1040      | 24.5   | 14
2. Expiration
  • Inactive timer expired (15 sec is default)
  • Active timer expired (30 min (1800 sec) is default)
  • NetFlow cache is full (oldest flows are expired)
  • RST or FIN TCP flag
Expired flow (active timer reached 1800 sec):
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11       | 80  | 10   | 11000 | 00A2    | /24    | 5     | 00A2    | /24    | 15    | 10.0.23.2 | 1528      | 1800   | 4
3. Aggregation
  No: Non-Aggregated Flows—Export Version 5 or 9
  Yes: Aggregated Flows—Export Version 8 or 9; e.g. the Protocol-Port aggregation scheme reduces the record to
    Protocol | Pkts  | SrcPort | DstPort | Bytes/Pkt
    11       | 11000 | 00A2    | 00A2    | 1528
4. Export version (as chosen above)
5. Transport protocol: the export packet (header + payload of flows) is sent over UDP
NetFlow Processing Order
Pre-Processing: packet sampling, filtering
Features and Services: IP, multicast, MPLS, IPv6
Post-Processing: aggregation schemes, non-key fields lookup, export
          Active/Inactive Timers
Inactive time = The flow expires once no packets are seen
for this time duration
Active time = If packets continue to be received on this flow
beyond this active time setting then the flow will expire and
be exported while a new flow is created
Default values on software-based routers, 12000 and 10000:
   Inactive timer: 15 seconds (minimum 1 second)
   Active timer: 30 minutes (minimum 1 minute)
Default values on a C6500/7600:
   Aging time: 256 seconds
   Fast aging time: disabled (flows that only switch a few packets and
  are never used again)
   Long aging time: 1920 seconds (used to prevent counter
  wraparound and inaccurate stats)
   Recommendation: Change normal aging time to 32 seconds and fast
  aging time to 32 seconds and 32 packets
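As an added example (not part of the deck), the following Python simulates the cache behaviour described on the Flow Management and Active/Inactive Timers slides: entries are keyed on the seven key fields and expired by the inactive timer, the active timer, a full cache, or a TCP FIN/RST. The addresses, the tiny cache size and the packet timings in the demo are constructed.

```python
"""NetFlow cache simulation (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven key fields the deck lists: src IP, dst IP, src port, dst port,
# layer 3 protocol, ToS byte and input ifIndex.
FlowKey = Tuple[str, str, int, int, int, int, int]

TCP_FIN = 0x01
TCP_RST = 0x04


@dataclass
class FlowEntry:
    key: FlowKey
    first: int          # sysUpTime (ms) of the first packet in the flow
    last: int           # sysUpTime (ms) of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # cumulative OR of TCP flags seen on the flow


class NetFlowCache:
    """One unidirectional entry per 7-tuple, expired by the four rules on the
    slides: inactive timer, active timer, cache full, TCP FIN/RST."""

    def __init__(self, inactive_ms: int = 15_000, active_ms: int = 1_800_000,
                 max_entries: int = 65_536) -> None:
        self.inactive_ms = inactive_ms      # default 15 s
        self.active_ms = active_ms          # default 30 min
        self.max_entries = max_entries
        self.cache: Dict[FlowKey, FlowEntry] = {}
        # Expired entries waiting for export, tagged with the expiry reason.
        self.export_queue: List[Tuple[str, FlowEntry]] = []

    def _expire(self, entry: FlowEntry, reason: str) -> None:
        del self.cache[entry.key]
        self.export_queue.append((reason, entry))

    def age(self, now: int) -> None:
        """Apply the timer rules to every cached entry at sysUpTime `now`."""
        for entry in list(self.cache.values()):
            if now - entry.last >= self.inactive_ms:
                self._expire(entry, "inactive")
            elif now - entry.first >= self.active_ms:
                # Long-lived flow: export it; the next packet starts a new flow.
                self._expire(entry, "active")

    def packet(self, now: int, src: str, dst: str, sport: int, dport: int,
               proto: int, tos: int, ifindex: int, length: int,
               tcp_flags: int = 0) -> FlowEntry:
        """Account one inbound packet and return the entry it was added to."""
        self.age(now)
        key: FlowKey = (src, dst, sport, dport, proto, tos, ifindex)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_entries:
                # Cache full: purge the entry that has been idle the longest.
                oldest = min(self.cache.values(), key=lambda e: e.last)
                self._expire(oldest, "cache full")
            entry = FlowEntry(key, first=now, last=now)
            self.cache[key] = entry
        entry.last = now
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            # Closed TCP connection: expire at once, this packet included.
            self._expire(entry, "fin/rst")
        return entry

    def reasons(self) -> List[str]:
        """Expiry reasons in export order."""
        return [reason for reason, _ in self.export_queue]


def demo() -> NetFlowCache:
    """Constructed traffic (addresses made up) that triggers each rule once."""
    c = NetFlowCache(max_entries=2)
    # TCP session on ifIndex 1: SYN, two data packets, FIN -> fin/rst.
    for t, flags in ((0, 0x02), (100, 0x18), (200, 0x18), (300, 0x11)):
        c.packet(t, "10.1.1.1", "20.2.2.2", 40000, 80, 6, 0, 1, 1200, flags)
    # UDP flow that goes quiet -> inactive timer fires 15 s after its packet.
    c.packet(1_000, "10.1.1.2", "20.2.2.2", 53, 53, 17, 0, 1, 90)
    # Two more UDP keys: the second one finds the cache full.
    c.packet(1_500, "10.1.1.3", "20.2.2.2", 5000, 5000, 17, 0, 1, 500)
    c.packet(2_000, "10.1.1.4", "20.2.2.2", 5001, 5001, 17, 0, 1, 500)
    # Keep the last flow alive every 10 s for 31 min -> active timer fires.
    for t in range(12_000, 1_860_000, 10_000):
        c.packet(t, "10.1.1.4", "20.2.2.2", 5001, 5001, 17, 0, 1, 500)
    return c


if __name__ == "__main__":
    for reason, e in demo().export_queue:
        print(f"{reason:10s} {e.key[0]} -> {e.key[1]} pkts={e.packets} octets={e.octets}")
```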
Flow Timers and Expiration
1st & 3rd Flows – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 128
2nd Flow – Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 192
(Timeline figure: the router boots and the sysUpTime timer begins. Each flow has a start and an end, both in sysUpTime; 15 seconds of inactivity after its last packet the flow expires and is placed in a UDP export packet containing 30-50 flows, stamped with sysUpTime & UTC. The 3rd flow, which has the same key as the 1st, starts as a new flow only after the 1st has expired.)
• SysUptime - current time in milliseconds since the router booted
• UTC - Coordinated Universal Time, can be synchronized to NTP (Network Time Protocol)
Netflow and Security
There is no authentication mechanism between the routers and the collector
The collector is only interpreting received UDP packets, without any checks
Make sure your Data Communication Network is secure, including the collector machine
Potential problem: someone sending wrong accounting information to the collector from a stolen router IP address
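Added example, not part of the deck: a Python encoder for NetFlow version 5 datagrams (24-byte header with version, record count and sequence number; 48-byte records; 30 records per packet, as the Data Export slide states) and a collector that adds the checks the slide above says are missing: an exporter allowlist, strict version/length validation and per-exporter sequence-gap detection. The exporter addresses 192.0.2.1 and 203.0.113.9 are constructed; the record values are taken from the deck's cache example row.

```python
"""Build and validate NetFlow v5 export datagrams (added example, not from the deck)."""
import socket
import struct
from typing import Dict, List, Tuple

# v5 header (24 bytes): version, count, sysUpTime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2.
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30   # 24 + 30 * 48 = 1464 bytes: the "approximately 1500 byte" datagram


def build_v5(records: List[dict], flow_sequence: int,
             sys_uptime: int = 0, unix_secs: int = 0) -> bytes:
    """Exporter side: encode up to 30 record dicts into one v5 datagram."""
    if not 0 < len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    out = bytearray(V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                                   flow_sequence, 0, 0, 0))
    for r in records:
        out += V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("in_if", 0), r.get("out_if", 0), r["pkts"], r["octets"],
            r.get("first", 0), r.get("last", 0), r["sport"], r["dport"], 0,
            r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
            r.get("src_as", 0), r.get("dst_as", 0),
            r.get("src_mask", 0), r.get("dst_mask", 0), 0)
    return bytes(out)


class Collector:
    """Collector side with the checks the deck says NetFlow itself lacks: an
    exporter allowlist, strict version/length validation, and per-exporter
    sequence continuity (a gap means lost datagrams, or records that did not
    come from the router the source address claims)."""

    def __init__(self, exporters: List[str]) -> None:
        self.exporters = set(exporters)
        self.next_seq: Dict[Tuple[str, int], int] = {}  # (exporter, engine_id)
        self.flows: List[dict] = []
        self.alerts: List[str] = []

    def receive(self, src_ip: str, datagram: bytes) -> int:
        """Process one UDP payload; return the number of records accepted."""
        if src_ip not in self.exporters:
            self.alerts.append(f"dropped datagram from unknown exporter {src_ip}")
            return 0
        if len(datagram) < V5_HEADER.size:
            self.alerts.append(f"{src_ip}: truncated header")
            return 0
        version, count, _uptime, _secs, _nsecs, seq, _etype, engine_id, _si = \
            V5_HEADER.unpack_from(datagram)
        if (version != 5 or not 0 < count <= V5_MAX_RECORDS
                or len(datagram) != V5_HEADER.size + count * V5_RECORD.size):
            self.alerts.append(f"{src_ip}: malformed datagram "
                               f"(version {version}, count {count}, {len(datagram)} bytes)")
            return 0
        key = (src_ip, engine_id)
        expected = self.next_seq.get(key)
        if expected is not None and seq != expected:
            self.alerts.append(f"{src_ip}: flow_sequence {seq}, expected {expected} "
                               f"({seq - expected} flows lost or injected)")
        self.next_seq[key] = seq + count   # v5 sequence counts flows, not packets
        for i in range(count):
            f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
            self.flows.append({
                "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                "nexthop": socket.inet_ntoa(f[2]), "pkts": f[5], "octets": f[6],
                "sport": f[9], "dport": f[10], "tcp_flags": f[12],
                "proto": f[13], "tos": f[14],
            })
        return count


def demo() -> Collector:
    """Constructed exchange: one legitimate exporter, a lost datagram, a datagram
    from a source that is not an exporter, and a truncated datagram. Record values
    follow the deck's cache example (173.100.21.2 -> 10.0.227.12, 11000 packets of
    1528 bytes)."""
    rec = {"src": "173.100.21.2", "dst": "10.0.227.12", "nexthop": "10.0.23.2",
           "sport": 0xA2, "dport": 0xA2, "proto": 17, "tos": 0x80,
           "pkts": 11000, "octets": 11000 * 1528}
    c = Collector(exporters=["192.0.2.1"])            # constructed exporter address
    c.receive("192.0.2.1", build_v5([rec] * 30, flow_sequence=0))   # flows 0..29
    # The datagram carrying flows 30..59 never arrives; the next one does.
    c.receive("192.0.2.1", build_v5([rec] * 2, flow_sequence=60))
    c.receive("203.0.113.9", build_v5([rec], flow_sequence=0))      # not allowlisted
    c.receive("192.0.2.1", build_v5([rec], flow_sequence=62)[:-1])  # truncated
    return c
```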
How Many Netflow Collectors?
In theory, one NFC per POP or aggregation router (7x00 router)
For VPNSC (MPLS VPN environment), we advise one NFC per PE
Basic principles:
  Check your Sun capabilities
  NFC sizer calculator. Reduce the number of routers per NFC if needed.
  Rule of thumb: 10 routers per NFC
         Deployment Tricks
Enable the ifIndex persistence if accounting per
interface
Look at the router cpu (<60%) and memory before
enabling Netflow
Check the export link bandwidth
Use a dedicated export LAN
If you export too much traffic:
    go for the aggregations, don’t export version 5
    go for sampled if on a GSR
    increase the aggregations timers
Access-lists still account the traffic
What to Collect: Level of Collection Details
   Link statistics or traffic details:
       SA, DA
       Application details (port numbers)
       QoS
       Time stamps
       Routing and peering

   Header or payload
   Layer 2 or Layer 3 information
   Data export: push or pull model
   Collection interval and history
   Consider the generated data volume
What to Collect: The Two Extremes...
(Figure: SNMP at one extreme, the full NetFlow record at the other.)
SNMP: link utilization and similar per-router/per-link counters (see Data Collection – SNMP Data)
NetFlow: usage (packet count, byte count); time of day (start sysUpTime, end sysUpTime); port utilization (input ifIndex, output ifIndex); QoS (type of service, TCP flags, protocol); from/to (source IP address, destination IP address); application (source TCP/UDP port, destination TCP/UDP port); routing and peering (next hop address, source AS number, dest. AS number, source prefix mask, dest. prefix mask)
      What to Collect:
Full Collection vs. Sampling
Processing every packet might not scale up to
very high-speed interfaces
Amount of collected data might be huge
It might take longer to process the data than to
generate it
Network Management traffic might fully utilize
the available bandwidth
Packet sampling can help to overcome those
issues
 What to Collect:
1 in "n" Sampling
Figure: the same packet stream sampled at two rates
   Sampling interval: 1 in 2 packets; missed flows: 1 out of 5 (15%)
   Sampling interval: 1 in 5 packets; missed flows: 2 out of 5 (35%)
   What to Collect:
Sampling Best Practices
Sampling for monitoring is fine
Continuously sampling might be OK even
for billing purposes
Carefully determine the sampling rate
Sampling algorithms:
   1 in n (deterministic, random, hash-based)
   Filter, expressions
   Time based
   Trajectory sampling

Sampling White Paper: work in progress
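The two sampling slides above make a claim that is easy to check by simulation: 1-in-n sampling picks packets, so short flows are missed while sampled packet and byte counts have to be multiplied by n to estimate the real totals, whereas the hash-based variant in the algorithm list keeps or drops whole flows. The script below is an added example, not code from the slides or from Cisco; the packet trace and flow keys are constructed for it.

```python
"""Packet sampling on a constructed trace (added example, not from the slides).

Compares deterministic and random 1-in-n sampling, which pick packets, with
hash-based sampling, which picks whole flows, and shows why sampled byte
counts must be scaled by n and why short flows go missing.
"""
import hashlib
import random

# Constructed packet trace: (flow_key, packets, bytes per packet). Flow keys
# are hypothetical 5-tuples; one bulk transfer, two medium flows and two
# single-packet flows.
FLOW_SPEC = [("10.0.0.1:40000>192.0.2.10:80/tcp", 1000, 1400),
             ("10.0.0.2:40001>192.0.2.10:80/tcp", 30, 600),
             ("10.0.0.3:53000>192.0.2.53:53/udp", 8, 90),
             ("10.0.0.4:40002>192.0.2.25:25/tcp", 1, 78),
             ("10.0.0.5:40003>192.0.2.22:22/tcp", 1, 60)]


def build_trace(seed=1):
    """Interleave the flows' packets the way a shared link would."""
    trace = [(key, size) for key, npkts, size in FLOW_SPEC for _ in range(npkts)]
    random.Random(seed).shuffle(trace)
    return trace


def deterministic_1_in_n(trace, n):
    """Every n-th packet: cheap on a router, but periodic traffic can alias."""
    return [pkt for i, pkt in enumerate(trace) if i % n == 0]


def random_1_in_n(trace, n, seed=7):
    """Each packet independently with probability 1/n."""
    rng = random.Random(seed)
    return [pkt for pkt in trace if rng.randrange(n) == 0]


def hash_1_in_n(trace, n):
    """Flow-consistent: a flow is kept whole or dropped whole, decided by a
    hash of its key (the 'hash-based' algorithm in the list above)."""
    def keep(key):
        digest = hashlib.sha256(key.encode()).digest()[:8]
        return int.from_bytes(digest, "big") % n == 0
    return [pkt for pkt in trace if keep(pkt[0])]


def flow_table(packets):
    """Flow key -> [packets, bytes], as a NetFlow cache would build it."""
    table = {}
    for key, size in packets:
        entry = table.setdefault(key, [0, 0])
        entry[0] += 1
        entry[1] += size
    return table


def evaluate(trace, sampled, n):
    """Flows missed and the error of the n-scaled byte estimate."""
    full, seen = flow_table(trace), flow_table(sampled)
    true_bytes = sum(b for _, b in full.values())
    est_bytes = n * sum(b for _, b in seen.values())
    return {"flows_total": len(full),
            "flows_missed": sum(1 for k in full if k not in seen),
            "true_bytes": true_bytes,
            "estimated_bytes": est_bytes,
            "byte_error_pct": round(100.0 * (est_bytes - true_bytes) / true_bytes, 1)}


if __name__ == "__main__":
    trace = build_trace()
    for n in (2, 5, 100):
        for name, fn in (("deterministic", deterministic_1_in_n),
                         ("random", random_1_in_n), ("hash", hash_1_in_n)):
            print(f"1 in {n:3d} {name:13s}", evaluate(trace, fn(trace, n), n))
```

Run it and compare the rows: the bulk flow dominates the byte estimate, so the scaled total stays close to the truth at every rate, while the single-packet flows disappear as n grows; hash-based sampling never reports a partial flow, which is what a per-flow security analysis needs, at the cost of a coarser total.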
     IP Accounting/Billing
    Many Different Flavors!
Flat-rate billing doesn't always scale
   Competitive pricing models can be created with usage-based billing
Usage-based billing considerations:
    Time of day
    Application
    QoS/CoS
    Transit or peer
    Within my network or off
    Distance-based
    Bandwidth usage
    Data transferred
    Traffic class (i.e. going through a secure tunnel, high-speed link,
    or special arrangement)
Figure: user definition hierarchy
       Users (IP address, name, etc.):  User 1 ... User 7
       Departments:                     Dept. 1 ... Dept. 5
       Customers:                       Co. 1 ... Co. 7
       Reporting can be offered at any level
         Customers can self-manage all sub-levels
         The levels shown in orange and blue can be sold at a premium
Which Aggregations to use on a Router?
(x = field present in the aggregated record)

Field                     AS   Protocol-Port   Source-Prefix   Destination-Prefix   Prefix
Source Prefix             -         -                x                 -              x
Source Prefix Mask        -         -                x                 -              x
Destination Prefix        -         -                -                 x              x
Destination Prefix Mask   -         -                -                 x              x
Source App Port           -         x                -                 -              -
Destination App Port      -         x                -                 -              -
Input Interface           x         -                x                 -              x
Output Interface          x         -                -                 x              x
IP Protocol               -         x                -                 -              -
Source AS                 x         -                x                 -              x
Destination AS            x         -                -                 x              x
First Timestamp           x         x                x                 x              x
Last Timestamp            x         x                x                 x              x
# of Flows                x         x                x                 x              x
# of Packets              x         x                x                 x              x
# of Bytes                x         x                x                 x              x
Which Aggregation to use on a Router? (TOS variants)
(x = field present in the aggregated record)

Field                     AS-TOS   Protocol-Port-TOS   Source-Prefix-TOS   Destination-Prefix-TOS   Prefix-TOS   Prefix-Port
Source Prefix               -             -                   x                     -                  x            x
Source Prefix Mask          -             -                   x                     -                  x            x
Destination Prefix          -             -                   -                     x                  x            x
Destination Prefix Mask     -             -                   -                     x                  x            x
Source App Port             -             x                   -                     -                  -            x
Destination App Port        -             x                   -                     -                  -            x
Input Interface             x             x                   x                     -                  x            x
Output Interface            x             x                   -                     x                  x            x
IP Protocol                 -             x                   -                     -                  -            x
Source AS                   x             -                   x                     -                  x            -
Destination AS              x             -                   -                     x                  x            -
TOS                         x             x                   x                     x                  x            x
First Timestamp             x             x                   x                     x                  x            x
Last Timestamp              x             x                   x                     x                  x            x
# of Flows                  x             x                   x                     x                  x            x
# of Packets                x             x                   x                     x                  x            x
# of Bytes                  x             x                   x                     x                  x            x
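To make the two aggregation tables concrete, the script below is an added example (not Cisco code and not part of the slides). It serializes a handful of constructed flow records into a NetFlow version 5 export datagram with the 24-byte header and 48-byte records, parses it back with the length checks a collector should apply before trusting the record count, and then reduces the records with the key each router aggregation scheme uses (the non-TOS table; the TOS variants simply add the TOS byte to the key). All addresses, AS numbers and interface indexes are made up.

```python
"""NetFlow v5 export parsing and router-style aggregation (added example;
not Cisco's own code). The flow records below are constructed."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def rec(src, dst, sport, dport, proto, pkts, octets, src_as, dst_as,
        in_if, out_if, first, last, src_mask=24, dst_mask=24):
    """One flow record with the fields a router fills in before export."""
    return dict(src=socket.inet_aton(src), dst=socket.inet_aton(dst),
                nexthop=socket.inet_aton("0.0.0.0"), in_if=in_if, out_if=out_if,
                pkts=pkts, octets=octets, first=first, last=last, sport=sport,
                dport=dport, pad1=0, tcp_flags=0x18 if proto == 6 else 0,
                proto=proto, tos=0, src_as=src_as, dst_as=dst_as,
                src_mask=src_mask, dst_mask=dst_mask, pad2=0)


def build_v5(records, sysuptime=3_600_000, unix_secs=1_000_000_000, seq=0):
    """Serialize up to 30 records into one v5 export datagram."""
    if not 0 < len(records) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    head = V5_HEADER.pack(5, len(records), sysuptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(*(r[f] for f in FIELDS)) for r in records)
    return head + body


def parse_v5(datagram):
    """Parse a v5 datagram, validating the length before trusting the count."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a v5 export (version {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    return [dict(zip(FIELDS, V5_RECORD.unpack_from(
                datagram, V5_HEADER.size + i * V5_RECORD.size)))
            for i in range(count)]


def prefix(addr, masklen):
    """Apply the routing-table mask the router reported for this address."""
    mask = (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF
    net = int.from_bytes(addr, "big") & mask
    return f"{socket.inet_ntoa(net.to_bytes(4, 'big'))}/{masklen}"


# Aggregation keys, one per scheme, taken from the table above.
SCHEMES = {
    "as": lambda r: (r["src_as"], r["dst_as"], r["in_if"], r["out_if"]),
    "protocol-port": lambda r: (r["proto"], r["sport"], r["dport"]),
    "source-prefix": lambda r: (prefix(r["src"], r["src_mask"]), r["src_as"], r["in_if"]),
    "destination-prefix": lambda r: (prefix(r["dst"], r["dst_mask"]), r["dst_as"], r["out_if"]),
    "prefix": lambda r: (prefix(r["src"], r["src_mask"]), prefix(r["dst"], r["dst_mask"]),
                         r["src_as"], r["dst_as"], r["in_if"], r["out_if"]),
}


def aggregate(records, scheme):
    """Collapse flow records into per-key totals with first/last timestamps."""
    key_of, out = SCHEMES[scheme], {}
    for r in records:
        a = out.setdefault(key_of(r), {"flows": 0, "pkts": 0, "octets": 0,
                                       "first": r["first"], "last": r["last"]})
        a["flows"] += 1
        a["pkts"] += r["pkts"]
        a["octets"] += r["octets"]
        a["first"], a["last"] = min(a["first"], r["first"]), max(a["last"], r["last"])
    return out


SAMPLE = [  # constructed flows, not captured traffic
    rec("10.1.1.5",   "192.0.2.10", 40000, 80,  6,  10, 5000,  65001, 65002, 1, 2, 1000, 2000),
    rec("10.1.1.9",   "192.0.2.10", 40001, 80,  6,  20, 15000, 65001, 65002, 1, 2, 1500, 2500),
    rec("10.1.2.7",   "192.0.2.53", 53001, 53,  17, 2,  200,   65001, 65003, 1, 3, 1200, 1200),
    rec("172.16.0.4", "192.0.2.10", 40002, 443, 6,  5,  3000,  65004, 65002, 4, 2, 1800, 1900),
]

if __name__ == "__main__":
    flows = parse_v5(build_v5(SAMPLE))
    for scheme in SCHEMES:
        buckets = aggregate(flows, scheme)
        print(f"{scheme:19s} {len(flows)} flows -> {len(buckets)} aggregated records")
        for k, v in buckets.items():
            print("   ", k, v)
```

The output shows the trade-off behind "go for the aggregations": destination-prefix collapses the four flows into two records and AS into three, while protocol-port keeps all four because every client uses a different source port. The length check in parse_v5 matters on the collector: the count field is attacker-controlled in an unauthenticated UDP export, so it must be reconciled with the datagram length rather than used to index into the buffer.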
          Network Data Analyzer
Figure: NetFlow FlowCollectors feed the NetFlow FlowAnalyzer
   Graphical display of NetFlow data
   Consumes from NetFlow FlowCollector(s)
   Time-based analysis and data sorting
   Configure routers and FlowCollectors
   Histograms, bar charts, and pie charts
   Spreadsheet data export
Open APIs Enable Third Parties
     to Leverage NetFlow
Cflowd - ANS, BBN and CAIDA
   Traffic accounting: port, AS, network and pure flow matrices
NeTraMet/NetFlowMet - by Nevil Brownlee
   IETF's Realtime Traffic Flow Measurement (RTFM)
smurfind - Walter Prue, USC/ISI
   Real-time DoS attack warnings
             End-to-end Coverage
Figure: health reports, service level reports, trend reports and exception
reports (example: report for Thu 1/15/98; baseline of 6 weeks, 02/04/98 to
03/17/98, created 05/15/98 12:00:16), drawn from four kinds of data source:
   Router & WAN stats, LAN stats, Access stats  ->  element and L2/L3/access statistics
   NetFlow Collector                            ->  traffic flow statistics
   RMON probes                                  ->  traffic flow statistics
   SAA agent, Ping, MIB                         ->  response time / availability statistics
                                 Concord and NetFlow
Figure: NetFlow-enabled routers and L3 switches export to a NetFlow Collector,
which feeds the Concord workstation (reports such as "Report for Thu 1/15/98").
Reports:
   Link, LAN, router utilization
   Application mix
   Communicating pairs
Benefits:
   Within Cisco IOS, lower cost of entry than RMON/RMON2 probes
   Leverages the large installed base of Cisco routers and switches
         Cisco NetFlow support
Figure: InfoVista NetFlow Agents gather high-volume NetFlow data from the
routers; the InfoVista Server combines it with other InfoVista data and
serves it to InfoVista Clients and the InfoVista Web Access Server.
Analyze traffic flows by source and destination autonomous system, average
packet size and used protocols
           Cisco NetFlow support
End-User Benefits:
   A Service Provider can optimize its existing connections with other
   autonomous systems, plan new connections, and proactively identify
   problem areas.
   An Enterprise can use this information to identify network use patterns
   and to plan the evolution of its network infrastructure.
Figure: packet distribution by source AS, broken down per destination AS,
with automatic resolution of autonomous system names.
              Outline
Introduction
Netflow Overview
Netflow Architecture
Netflow Formats
Netflow Feature Acceleration
Netflow Deployment
AAA
Conclusion and Future Work
            Description
RADIUS and TACACS+ accounting allow data to be sent at the start and end of
a service, indicating the amount of resources (time, packets, bytes, etc.)
used during the session
AAA is used for login purposes in general:
   Dial-in
   Telnet and SSH
   PPP
     RADIUS and TACACS+
         Comparison
RADIUS (Remote Authentication Dial In User Service):
   Standards-based client-server protocol (IETF)
   UDP-based (fast); recommended for high performance
   Only the password field is encrypted
   Shared key, never sent in clear over the network
   User authentication to network access/services
TACACS+ (Terminal Access Controller Access-Control System Plus):
   Rich feature set: allows command authorization and accounting
   Cisco proprietary (but supported by other vendors)
   TCP-based (reliable)
   Full packet body is encrypted (only the header is in clear)
   Shared key, never sent in clear over the network
   User authentication to network devices
           AAA: Principles
Incoming and outgoing packets/bytes of an incoming call (no dial-out
accounting)
Each call can generate start and stop records
Each call reports 2 logs:
   Accounting request START with start time
   Accounting request STOP with stop time and full accounting
AAA accounting is an improved logging system, but AAA is not used primarily
for accounting
Adequate for billing because we have the username
Supported on all switching paths
          RADIUS Interaction
Figure: message sequence between the NAS and the RADIUS server
NAS event            Message (NAS -> server / server -> NAS)
User dials NAS       -> Pre-Auth Access Request
Accept call          <- Pre-Auth Access Accept
Call connects        -> Access Request (user authentication)
Accept user          <- Access Accept
User connects        -> Accounting Request (START)
                     <- Accounting Ack (Accounting-Response)
Call disconnects     -> Accounting Request (STOP)
                     <- Accounting Ack (Accounting-Response)
RADIUS Accounting Attributes, RFC 2866
  40   Acct-Status-Type     46   Acct-Session-Time
  41   Acct-Delay-Time      47   Acct-Input-Packets
  42   Acct-Input-Octets    48   Acct-Output-Packets
  43   Acct-Output-Octets   49   Acct-Terminate-Cause
  44   Acct-Session-Id      50   Acct-Multi-Session-Id
  45   Acct-Authentic       51   Acct-Link-Count
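The accounting half of the interaction diagram, with the attributes from the table, as an added example that is not part of the original slides: a NAS builds Accounting-Request START and STOP packets, the server checks the RFC 2866 Request Authenticator before accepting them (the only integrity protection RADIUS accounting has; the attributes themselves travel in clear), answers with an Accounting-Response, and turns the STOP record into the per-user usage line that makes AAA "adequate for billing". The shared secret, user name and session values are constructed for the example.

```python
"""RADIUS accounting exchange (added example; not part of the original
slides). Shared secret, user and session values are made up."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 1, 40, 41
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 42, 43, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
START, STOP = 1, 2
INTEGER_ATTRS = {ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_INPUT_OCTETS,
                 ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE}


def encode_attrs(attrs):
    """Type-Length-Value encoding; integer attributes are 32-bit big-endian."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if t in INTEGER_ATTRS else (v.encode() if isinstance(v, str) else v)
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Inverse of encode_attrs, with the bounds checks a server must apply."""
    attrs, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        t, v = data[i], data[i + 2:i + length]
        if t in INTEGER_ATTRS:
            if len(v) != 4:
                raise ValueError("integer attribute must be 4 octets")
            v = struct.unpack("!I", v)[0]
        attrs.append((t, v))
        i += length
    return attrs


def acct_request(ident, attrs, secret):
    """Accounting-Request. RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def verify_request(pkt, secret):
    """(ident, request_auth, attrs), or None unless this is an
    Accounting-Request authenticated with our shared secret."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    auth, body = pkt[4:20], pkt[20:]
    expect = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    return (ident, auth, decode_attrs(body)) if hmac.compare_digest(auth, expect) else None


def acct_response(ident, request_auth, secret, attrs=()):
    """Accounting-Response (the 'Accounting Ack' of the diagram). Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    body = encode_attrs(list(attrs))
    hdr = struct.pack("!BBH", ACCT_RESPONSE, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body


def verify_response(pkt, request_auth, secret):
    """NAS-side check that the ack came from a server holding the secret."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    expect = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return code == ACCT_RESPONSE and length == len(pkt) and hmac.compare_digest(pkt[4:20], expect)


class AccountingServer:
    """Pairs START and STOP records by Acct-Session-Id into usage records."""
    def __init__(self, secret):
        self.secret, self.open, self.closed = secret, {}, {}

    def handle(self, pkt):
        parsed = verify_request(pkt, self.secret)
        if parsed is None:          # forged or corrupted: silently discard
            return None
        ident, req_auth, attrs = parsed
        a = dict(attrs)
        if ACCT_SESSION_ID not in a or ACCT_STATUS_TYPE not in a:
            return None
        sid = a[ACCT_SESSION_ID].decode()
        if a[ACCT_STATUS_TYPE] == START and USER_NAME in a:
            self.open[sid] = a[USER_NAME].decode()
        elif a[ACCT_STATUS_TYPE] == STOP and sid in self.open:
            self.closed[sid] = {"user": self.open.pop(sid),
                                "seconds": a.get(ACCT_SESSION_TIME, 0),
                                "octets_in": a.get(ACCT_INPUT_OCTETS, 0),
                                "octets_out": a.get(ACCT_OUTPUT_OCTETS, 0)}
        return acct_response(ident, req_auth, self.secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"   # constructed; not a real deployment value
    srv = AccountingServer(secret)
    start = acct_request(1, [(USER_NAME, "alice"), (ACCT_STATUS_TYPE, START),
                             (ACCT_SESSION_ID, "0001A2B3")], secret)
    print("START acked:", verify_response(srv.handle(start), start[4:20], secret))
    stop = acct_request(2, [(USER_NAME, "alice"), (ACCT_STATUS_TYPE, STOP),
                            (ACCT_SESSION_ID, "0001A2B3"), (ACCT_SESSION_TIME, 600),
                            (ACCT_INPUT_OCTETS, 12345), (ACCT_OUTPUT_OCTETS, 67890),
                            (ACCT_TERMINATE_CAUSE, 1)], secret)
    print("STOP acked: ", verify_response(srv.handle(stop), stop[4:20], secret))
    print("billable:   ", srv.closed)
```

Two points the slides' "only the password field is encrypted" line implies for accounting: the octet and session-time counters are readable by anyone on the path, and the MD5 authenticator keyed by a shared secret is all that stops a host on the network from injecting or replaying STOP records, so the secret's strength and the server's source-address filtering carry the billing integrity.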
AAA Possible Applications
(X = AAA accounting is a suitable data source)
  Network Monitoring              -
  Network Planning                -
  Security Analysis               X
  Application Monitoring          -
  User Monitoring                 X
  Traffic Engineering             -
  Peering Agreement               -
  Usage-Based Billing             X
  Destination Sensitive Billing   -
             Outline
Introduction
Netflow Overview
Netflow Architecture
Netflow Formats
Netflow Feature Acceleration
Netflow Deployment
AAA
Conclusion and Future Work
                        Network Traffic Measurement and Analysis
Figure: processing pipeline
   Network Device -> Flow Generator -> Flow Capturer -> Flow Analyzer -> Data Store -> Presenter (web site) -> User Interface (web browser)
   data at each stage: raw packets -> flow information -> network characteristics -> analyzed data
              System design for Flow Capture
              Flow Analyzer
              Distributed, load-balancing architecture for scalability
              Traffic Analysis & Data Reduction
              Presentation & Reporting
Ongoing Work
 Support for various applications
   Streaming services
   Other P2P services
 Distributed, load-balancing architecture for scalability
   parallel or distributed architecture
   subdivide the monitoring system into several functional components
   efficient load sharing between sites
 Considerations for small storage requirements
   Significant aggregation based on the ingress point
   Local reduction of the data should be effective
     Combine SNMP & RMON
Utilize SNMP polling policies to gather key statistics on backbone/core
routers and on MIB objects not related to flow-by-flow measurements
  Interface errors
  Memory and CPU utilization
Utilize RMON capabilities for detailed drilldown
  Application tracking
  Interface error analysis
  Packet capture for problem diagnosis and resolution
Maximize network monitoring, management, and planning