Technical Brief: Network Data Collection on TNSR using IPFIX

Introduction

Network data collection and analysis are critical for customers to manage and maintain their networks. Flow-based metrics can help with application response issues, usage-based accounting, traffic profiling, traffic engineering, attack/intrusion detection, QoS monitoring, compliance, and more.

Capturing all traffic is an option, but this can be impractical and costly in large networks. This can also cause compliance issues. Collecting flow metadata can still provide valuable insight without the performance burden or cost.

Netgate TNSR software leverages VPP (Vector Packet Processing) to offer a high-performance and efficient IPFIX service that customers can use to analyze general traffic flows. Additionally, customers can use IPFIX to log NAT translations. This allows the collector to observe the pre-NAT and post-NAT connection properties, such as IP addresses and ports. This is useful for security and auditing as it associates real IP addresses with their NAT translations.

Internet Protocol Flow Information Export (IPFIX) RFC 7011 is an IETF protocol designed to provide uniformity in representing flow information and communicating the data from network elements to collection points.

This paper focuses on the IPFIX exporter, which creates information about the flows and sends it to a collector. There are free and commercially available IPFIX collectors. We will not delve into details about the collectors, except how they relate to an IPFIX exporter.

IPFIX terminology

IP Flow

As defined in RFC 3917, a flow is a set of IP packets passing an Observation Point in the network during a specific time interval. All packets belonging to a particular flow have a set of common properties. TNSR uses the typical 5-Tuple flow keys (source IP address, source port, destination IP address, destination port, protocol). Packets with identical flow keys are considered part of a flow. Since the source and destination are the same in a flow, each flow represents data in one direction. A typical conversation will include multiple flows.

Observation Point

The Observation Point monitors IP packets for flows. Observation points are typically interfaces or line cards. Netgate TNSR appliance supports one Observation Point per appliance.

Observation Domain

An Observation Domain is the set of Observation Points in an IPFIX instance. Netgate TNSR supports one Observation Domain per appliance. The Observation Domain IDs are part of the IPFIX message header and allow the collector to identify IPFIX exporters.

Metering Process

The Metering Process generates Flow Records. It consists of a set of functions that include packet header capturing, timestamping, sampling, classifying, and maintaining Flow Records.

Flow Records

Created by the Metering Process, Flow Records consist of metadata about a specific flow. Netgate TNSR appliances provide a rich set of data in the Flow Records.

Template Sets

Template sets define the structure of the information sent in the IPFIX message by specifying the Type Length Values of the data set fields to follow. Template set formats are defined in RFC 7012 Information Model for IP Flow Export. As mentioned, Netgate TNSR appliances provide a rich data set through included appliance templates.

Data Sets

Data Sets are similar data records grouped in an IPFIX Message. A preceding Template Set defines data record formats. This enhances flexibility, allowing the collector to process flow records with different data models that are not all strictly predefined.

IPFIX Message

IPFIX Messages contain IPFIX records and are sent to an IPFIX collector by the exporter. Netgate TNSR encapsulates IPFIX Messages in UDP.

Exporter Process

The Exporter Process sends IPFIX Messages to the collector. TNSR supports one collector per exporter.

Collector Process

The IPFIX collector receives IPFIX messages from one or more IPFIX exporters.

TNSR IPFIX Flow Example

In the example below

GS1

An IPFIX Observation Point has been configured on the Netgate TNSR Appliance. The Observation Point contains two data plane interfaces, LAN and WAN, and is configured to inspect ingress and egress packets.

GS2

Ingress and egress packets are observed.

GS3

The TNSR IPFIX Selection Process configuration determines whether we want IPFIX inspection on IPV4, IPV6, or both.

GS4

IP packet headers are sent to the Metering Process.

GS5

The IPFIX Metering Process captures the packet headers, adds a timestamp (TNSR uses nanosecond flow start and end timing), and creates Flow Records.

GS6

The Metering Process sends the Flow Records to the IPFIX Exporter Process.

GS7

The exporter adds record flows to cache.

GS8

The exporter crafts the IPFIX message using Template Sets and corresponding Data Sets. Netgate TNSR encapsulates the IPFIX message in a UDP datagram and sends it to the exporter-configured IP address and UDP port.

Figure: TNSR IPFIX Flow

image2

TNSR IPFIX Configuration

1. Configure Netgate TNSR IPFIX Observation Point.

tnsr(config)# ipfix observation-point tnsr tnsr(config-ipfix-obs-pt)# direction both
tnsr(config-ipfix-obs-pt)# interface WAN
tnsr(config-ipfix-obs-pt)# exit

2. Configure Netgate TNSR IPFIX Selection Process

tnsr(config)# ipfix selection-process tnsr
tnsr(config-ipfix-sel-proc)# selector both
tnsr(config-ipfix-sel-proc)# exit

3. Configure Netgate TNSR IPFIX Exporter Process

tnsr(config)# ipfix exporter tnsr
tnsr(config-ipfix-exporter)# collector x.x.x.x port x
tnsr(config-ipfix-exporter)# source x.x.x.x
tnsr(config-ipfix-exporter)# template-interval 20
tnsr(config-ipfix-exporter)# checksum true
tnsr(config-ipfix-exporter)# pmtu 1400
tnsr(config-ipfix-exporter)# exit

Template interval specifies the number of seconds after which TNSR will resend template data to the collector. IPFIX does not send the template with every data record to save on bandwidth consumption. Sending the template periodically allows the data format to change as needed and ensures the collector receives the template data correctly.

The pmtu sets an upper bound on the size of IPFIX packets between TNSR and the IPFIX collector. The range is between 68-1450 bytes.

Checksum (true/false) controls whether or not TNSR will calculate UDP checksums for IPFIX flow data.

 

4. Configure Netgate TNSR IPFIX cache (optional)

The cache behavior for IPFIX flows can also be fine-tuned. Collectors may prefer to receive flows more or less often, or template changes may need to occur more frequently.

5. Configure Netgate TNSR IPFIX to log NAT translations. (Optional)

tnsr(config)# nat ipfix logging enable
tnsr(config)# nat ipfix logging domain <domain-id>
tnsr(config)# nat ipfix logging src-port <src-port>

Summary

Flow-based metrics are crucial in resolving application response issues, usage-based accounting, traffic profiling, traffic engineering, attack/intrusion detection, QoS monitoring, and more.

Netgate TNSR software leverages VPP to offer a high-performance and efficient IPFIX service that customers can use to analyze general traffic flows and NAT translations. Netgate TNSR provides a rich data set, ease of use, and low overhead.

To learn more about TNSR IPFIX Exporter, go to our documentation page. For additional information or questions, contact Netgate at +1(512) 646-4100 or sales@netgate.com.