Monitoring Flows on IPv4/v6 Networks

Luca Deri

TNC 2004 - June 2004


Passive Traffic Monitoring

• Passive network traffic monitoring is based on packet sniffing.
• Passive network traffic monitoring is necessary for many activities including (but not limited to):
  – Traffic Accounting (Network Usage and Capacity Planning)
  – Billing (Cisco NetFlow)
  – Security (Intrusion Detection)


What is Cisco NetFlow?

• Cisco NetFlow is an open standard for network flow measurement. A network flow is a set of packets with the same protocol, source/destination IP/port.
• NetFlow (with Radius and RMON) is the most important protocol for traffic accounting.
• NetFlow is based on a client/server architecture: the server (probe), usually implemented in a network device, sends flows encoded in NetFlow format to a client (collector) running on a host PC.
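The flow definition above (same protocol, source/destination IP/port) is the key a probe aggregates packets on. The following Python is an added illustration, not nProbe or ntop code: it buckets a constructed packet list into unidirectional flows, treats IPv4 and IPv6 addresses alike, and expires flows after an assumed idle timeout the way a probe hands finished flows to its collector.

```python
"""Added example (not nProbe code): aggregate sniffed packets into flows.

A flow is keyed on (protocol, source IP, source port, destination IP,
destination port), the tuple the slide gives.  Parsing addresses with
ipaddress makes the same code work for IPv4 and IPv6.  Flows idle for
longer than an assumed idle timeout are expired (exported) the way a
probe would hand them to a collector.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt):
    """Unidirectional NetFlow-style key: the reply direction is a separate flow."""
    return (pkt["proto"],
            ipaddress.ip_address(pkt["src"]), pkt["sport"],
            ipaddress.ip_address(pkt["dst"]), pkt["dport"])


def aggregate(packets, idle_timeout=30.0):
    """Return (exported, active): flows expired by the idle timeout and
    flows still open when the packet list ends.  The timeout value is an assumption."""
    active = {}
    exported = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        now = pkt["ts"]
        # Expire idle flows before accounting the new packet.
        for key in [k for k, f in active.items() if now - f.last_seen > idle_timeout]:
            exported.append((key, active.pop(key)))
        key = flow_key(pkt)
        flow = active.get(key)
        if flow is None:
            flow = active[key] = Flow(first_seen=now, last_seen=now)
        flow.packets += 1
        flow.bytes += pkt["len"]
        flow.last_seen = now
    return exported, active


# Constructed sample capture: a TCP/IPv4 flow, a UDP/IPv6 flow and,
# 45 seconds later, a new TCP flow whose arrival expires the first two.
SAMPLE_PACKETS = [
    {"ts": 0.0, "proto": 6, "src": "10.0.0.1", "sport": 40000,
     "dst": "10.0.0.2", "dport": 80, "len": 60},
    {"ts": 0.1, "proto": 6, "src": "10.0.0.1", "sport": 40000,
     "dst": "10.0.0.2", "dport": 80, "len": 1500},
    {"ts": 0.2, "proto": 17, "src": "2001:db8::1", "sport": 5000,
     "dst": "2001:db8::2", "dport": 53, "len": 80},
    {"ts": 45.0, "proto": 6, "src": "10.0.0.1", "sport": 40001,
     "dst": "10.0.0.2", "dport": 80, "len": 60},
]


if __name__ == "__main__":
    exported, active = aggregate(SAMPLE_PACKETS)
    for key, flow in exported:
        print("expired", key, flow)
    for key, flow in active.items():
        print("active ", key, flow)
```

Because the key is directional, a TCP connection shows up as two flows (request and reply); a collector that wants per-connection figures pairs them afterwards.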

NetFlow: State of the Art

• The latest NetFlow version is v9.
• Ability to specify flow format (template)
  – Template FlowSets contain descriptions of Data FlowSets
  – Data FlowSets contain actual accounting data
• Ability to define new templates/fields (not in the current Cisco implementation)
• Supported in latest IOS versions (including MPLS and IPv6)
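The Template FlowSet / Data FlowSet split above is what a v9 collector has to manage: a Data FlowSet is opaque until the template with the same ID has arrived from the same exporter. The Python below is an added example, not ntop's collector: it builds two constructed v9 packets (one whose data arrives before its template, one with template and data together) and parses them, counting the data it had to drop. Field type numbers are the RFC 3954 ones.

```python
"""Added example (not ntop/nProbe code): a minimal NetFlow v9 collector.

It shows the Template FlowSet / Data FlowSet split the slide describes:
a Data FlowSet can only be decoded once the Template FlowSet that
describes it has arrived from the same exporter (source ID).  Field
type numbers follow RFC 3954; the packet bytes are constructed here.
"""
import socket
import struct

# RFC 3954 field types used by the constructed template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source id


class V9Collector:
    def __init__(self):
        # Templates are scoped per exporter: (source_id, template_id) -> [(type, length)]
        self.templates = {}

    def parse(self, data):
        """Return (records, skipped): decoded flow records and the number of
        Data FlowSets dropped because their template is not (yet) known."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(data)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, skipped, offset = [], 0, HEADER.size
        while offset + 4 <= len(data):
            fs_id, fs_len = struct.unpack_from("!HH", data, offset)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = data[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:  # Data FlowSet: the id is the template id
                template = self.templates.get((source_id, fs_id))
                if template is None:
                    skipped += 1
                else:
                    records.extend(self._decode(template, body))
            # id 1 (options template) and 2..255 (reserved) are ignored here
            offset += fs_len
        return records, skipped

    def _learn_templates(self, source_id, body):
        offset = 0
        while offset + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, offset)
            offset += 4
            fields = [struct.unpack_from("!HH", body, offset + 4 * i) for i in range(field_count)]
            offset += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    @staticmethod
    def _decode(template, body):
        record_len = sum(length for _, length in template)
        offset = 0
        while offset + record_len <= len(body):  # trailing bytes are padding
            record = {}
            for ftype, length in template:
                chunk = body[offset:offset + length]
                if ftype in (8, 12) and length == 4:
                    record[FIELD_NAMES[ftype]] = socket.inet_ntoa(chunk)
                else:
                    record[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = int.from_bytes(chunk, "big")
                offset += length
            yield record


# --- constructed exporter side, used only to build the sample packets ---
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def encode_record(src, dst, sport, dport, proto, pkts, nbytes):
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes))


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4  # FlowSets are padded to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\0" * pad


def build_sample_packets():
    """Two constructed packets: a Data FlowSet sent before its template,
    then the Template FlowSet followed by the same Data FlowSet."""
    records = [encode_record("10.0.0.1", "10.0.0.2", 40000, 80, 6, 2, 1560),
               encode_record("10.0.0.2", "10.0.0.1", 80, 40000, 6, 1, 60)]
    data_fs = data_flowset(256, records)
    data_only = HEADER.pack(9, 2, 1000, 1086000000, 1, 1) + data_fs
    with_template = HEADER.pack(9, 3, 2000, 1086000001, 2, 1) + template_flowset(256, SAMPLE_FIELDS) + data_fs
    return data_only, with_template
```

The `skipped` counter is the practical cost of templates: over UDP a collector restarted between template refreshes silently loses every data record until the exporter resends its templates, which is the problem the nFlow slides later cite.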

IPFIX in a Nutshell

• Goal: find or develop a basic common IP traffic flow measurement technology to be available on (almost) all future routers.
• Strongly based on NetFlow v9.
• Ability to define new flow fields using a standard format (OID).
• Transport based on SCTP (Stream Control Transmission Protocol), optional UDP/TCP support.
• Current status: draft protocol specification.
• Bottom line: IPFIX = NetFlow v9 over SCTP.


Flow Monitoring: Requirements

• Custom Flow Definition (à la NetFlow v9)
• (Really) Open Flow Specification
• Ability to provide (initial) payload access (useful for protocol decoding and lawful interception)
• Flow Compression (saves space dramatically)
• Non-repudiation of Flows (via MD5 digest)
• MPLS/VLAN/IPv6 Information in Flows

Flow Monitoring: Optional Features

• Application/Network Performance (use flows also for performance measurement).
• Support for connection-oriented/connectionless transport.
• Flow Encryption (a secure channel such as SSH/SSL should provide this).
• Ability to access hardware addresses (e.g. MAC addresses) in flows.

A New Flow Protocol: nFlow

• Open Specification
• Free Probe/Collector Available
• Based on NetFlow v9
• Security (non-repudiation via MD5 signature)
• Flow compression (gzip)
• MPLS/VLAN/IPv6 information
• Payload and fragment information
• Application/network performance
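Two of the nFlow features listed above, gzip compression and an MD5-based flow signature, are also the "Flow Compression" and "Non Repudiation" requirements from the earlier slide. The Python below is an added example of how an export carrying both looks on the wire; it is not nFlow's actual format. It assumes a shared secret configured on probe and collector and computes HMAC-MD5 over the compressed payload: a bare MD5 with no secret would only catch accidental corruption, since anyone who alters the flows can recompute it. The flow records and the secret are constructed.

```python
"""Added example (not nFlow code): a gzip-compressed flow export that
carries an MD5-based signature, the two nFlow features listed above.

The signature is an HMAC-MD5 over the compressed payload with a shared
secret assumed to be configured on probe and collector; a bare MD5 with
no secret would only detect accidental corruption, since anyone could
recompute it.  Flow records and the secret are constructed here.
"""
import gzip
import hashlib
import hmac
import json
import struct

TAG_LEN = hashlib.md5().digest_size  # 16 bytes


def pack_export(flows, secret):
    """Probe side: serialize, gzip, then append the keyed MD5 tag."""
    payload = json.dumps(flows, sort_keys=True, separators=(",", ":")).encode()
    compressed = gzip.compress(payload)
    tag = hmac.new(secret, compressed, hashlib.md5).digest()
    return struct.pack("!I", len(compressed)) + compressed + tag


def verify_export(blob, secret):
    """Collector side: True only if the tag matches the compressed payload."""
    if len(blob) < 4 + TAG_LEN:
        return False
    (clen,) = struct.unpack("!I", blob[:4])
    compressed = blob[4:4 + clen]
    tag = blob[4 + clen:4 + clen + TAG_LEN]
    if len(compressed) != clen or len(tag) != TAG_LEN:
        return False
    expected = hmac.new(secret, compressed, hashlib.md5).digest()
    return hmac.compare_digest(tag, expected)


def unpack_export(blob, secret):
    """Collector side: refuse unsigned or tampered exports before decompressing."""
    if not verify_export(blob, secret):
        raise ValueError("flow export failed MD5 signature check")
    (clen,) = struct.unpack("!I", blob[:4])
    return json.loads(gzip.decompress(blob[4:4 + clen]))


def compression_ratio(flows):
    """Compressed size divided by raw serialized size for the given flows."""
    payload = json.dumps(flows, sort_keys=True, separators=(",", ":")).encode()
    return len(gzip.compress(payload)) / len(payload)


def tamper(blob, index=10):
    """Flip one byte inside the compressed payload to simulate modification in transit."""
    edited = bytearray(blob)
    edited[index] ^= 0xFF
    return bytes(edited)


# Constructed sample: 100 similar flow records, the repetitive case where gzip pays off.
SAMPLE_FLOWS = [
    {"src": "10.0.0.%d" % (i % 20), "dst": "192.0.2.%d" % (i % 5),
     "sport": 40000 + i, "dport": 80, "proto": 6, "pkts": i + 1, "bytes": (i + 1) * 60}
    for i in range(100)
]
SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    blob = pack_export(SAMPLE_FLOWS, SECRET)
    print("ratio %.2f, verified %s, tampered %s" % (
        compression_ratio(SAMPLE_FLOWS), verify_export(blob, SECRET),
        verify_export(tamper(blob), SECRET)))
```

Verifying before decompressing matters in a collector: gzip input that has not been authenticated is the first thing an attacker controls, so the tag check is the cheap gate in front of the expensive and historically bug-prone decoder.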

nFlow: Benefits

• No flow templates: they make life hard for both the collector (which must keep track of templates) and the probe (which must send them periodically, an issue especially with connection-oriented transports).
• Flow traffic is significantly reduced (at least 50%) with respect to standard NetFlow (hence more flows per packet) with almost no performance loss.
• Ability to perform payload analysis.
• Passive network/application performance detection.


nFlow: Some Flow-based Apps

• Flow-based IDS (home-grown NetFlow-based Snort released this spring).
• Applications for measuring network and application latency available at no cost with no additional effort (no need to have active tools).
• Flow-based detection of protocols using high (> 1024) TCP/UDP ports by inspecting initial payload bytes (à la Cisco NBAR).
• “Safer” billing by means of flow signature (nobody can ask you to pay for traffic you didn’t make).
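The third application above, recognising protocols on high ports from the first payload bytes a flow carries, is what the "(initial) payload access" requirement buys a collector. The Python below is an added example, not nProbe's classifier: it matches the well-known opening bytes of a few protocols and reports flows to ports above 1024 whose payload identifies a protocol, the kind of hit an analyst wants listed. The flow records are constructed.

```python
"""Added example (not nProbe code): classify flows to high ports from
their first payload bytes, as the slide describes.  The signatures are
the well-known opening bytes of each protocol; the flows are constructed.
A hit on a non-standard port is reported for the analyst, nothing is blocked."""

# Opening bytes each protocol puts on the wire; the list order is the match order.
SIGNATURES = [
    ("http", [b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1."]),
    ("ssh", [b"SSH-"]),
    ("smtp", [b"220 ", b"EHLO ", b"HELO "]),
    ("bittorrent", [b"\x13BitTorrent protocol"]),
]


def classify_payload(payload):
    """Return a protocol name from the initial payload bytes, or None if unknown."""
    # TLS record header: content type 0x16 (handshake), version 3.0 to 3.3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return "tls"
    for name, prefixes in SIGNATURES:
        if any(payload.startswith(p) for p in prefixes):
            return name
    return None


def flag_high_port_flows(flows, threshold=1024):
    """Flows whose destination port is above the threshold and whose first
    payload bytes identify a protocol; returns (flow, protocol) pairs."""
    hits = []
    for flow in flows:
        if flow["dport"] <= threshold:
            continue
        proto = classify_payload(flow["payload"])
        if proto is not None:
            hits.append((flow, proto))
    return hits


# Constructed flows: each carries only the initial payload bytes the probe kept.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 8443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00"},
    {"src": "10.0.0.6", "dst": "192.0.2.11", "dport": 2222, "payload": b"SSH-2.0-OpenSSH_3.8\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.12", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.8", "dst": "192.0.2.13", "dport": 6881, "payload": b"\x13BitTorrent protocol"},
    {"src": "10.0.0.9", "dst": "192.0.2.14", "dport": 5555, "payload": b"\x00\x00\x00\x01"},
]

if __name__ == "__main__":
    for flow, proto in flag_high_port_flows(SAMPLE_FLOWS):
        print("%s -> %s:%d looks like %s" % (flow["src"], flow["dst"], flow["dport"], proto))
```

Only the first packet of a flow is needed, so a probe can keep a few dozen payload bytes per flow rather than whole packets; the flow to port 80 is skipped by the port threshold, and the flow with no recognisable opening is left unclassified rather than guessed.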

nProbe+PF_RING: Overview

[Figure: PF_RING architecture. Labels: Application A … Application Z, Outgoing Packets, mmap(), Userspace, Kernel, Read Index, Socket (ring), Write Index, PF_RING, Custom Packet Poller, Network Adapter. Userspace applications read packets from a memory-mapped (mmap()) ring socket via the read index; in the kernel, PF_RING's custom packet poller fills the ring from the network adapter via the write index.]

nProbe+PF_RING: Performance

Captured Packets and nProbe Flow Generation (packet/sec)

Packet Size (Bytes)   Linux 2.4.23 with NAPI, RT_IRQ and Ring (Pkt Capture)   Linux 2.4.23 with NAPI, RT_IRQ and Ring (nProbe)
64                    550’789 [~202 Mbit]                                      376’453 [~144 Mbit]
512                   213’548 [~850 Mbit]                                      213’548 [~850 Mbit]
1500                  81’616 [~970 Mbit]                                       81’616 [~970 Mbit]

Testbed:
• Sender: Dual 1.8 GHz Athlon, Intel GE 32-bit Ethernet card
• Collector: Pentium 4 1.7 GHz, Intel GE 32-bit Ethernet card
• Traffic Generator: stream.c (DoS)

nFlow: Current Status

• Available in both the nProbe probe (home-grown open-source probe) and ntop (collector)
• Used in some research projects for comparing it to NetFlow.
• Home page: http://www.ntop.org/nFlow/
• PF_RING: http://sf.net/projects/ntop/