Professional Documents
Culture Documents
Bidirectional Flow Measurement IPFIX and Security
Bidirectional Flow Measurement IPFIX and Security
net/publication/245587221
CITATIONS READS
4 572
2 authors, including:
Brian Trammell
ETH Zurich
53 PUBLICATIONS 1,428 CITATIONS
SEE PROFILE
All content following this page was uploaded by Brian Trammell on 25 March 2014.
2
packet header fields and other characteristics (cf., the IP- mation Element”. This reverse PEN serves as a “reverse
FIX definition of “IP Traffic Flow” [5]). direction flag”in the template; each information element
There are compelling reasons to export biflows as sin- number within this PEN space is assigned to the reverse
gle entities within IPFIX. The usefulness of bidirectional counterpart of the corresponding IANA-assigned public
association in flow data has already been established; in information element number.
addition, exporting biflows as single entities can result in
improved export efficiency by eliminating duplicate flow
5 Conclusions and Future Work
key data from the IPFIX message stream.
Biflow export with the IPFIX protocol, as proposed in IPFIX defines a message format, information model, and
the draft, will use a single flow record to represent each wire protocol for the collection of network flow data. All
biflow. Single-record export does introduce some addi- of the Internet-Drafts defining the protocol are near the
tional semantic considerations. When handling uniflows, end of the standards process and should be completed by
the semantics of “source” and “destination” information the end of 2006. IPFIX implementations will begin to
elements are clearly defined by the semantics of the un- supplant the various NetFlow versions in use to become
derlying packet header data. When grouping a biflow the standard for flow export over the coming years; the
into a single data record, the definitions of “source” and security-oriented flow analysis community can leverage
“destination” become less clear. this new standard to provide a basis for interoperable im-
We resolve this difficulty by defining the source and plementations of the entire flow collection and analysis
destination addresses of the flow as the source and desti- process, and to facilitate the sharing of data among tool
nation addresses of the packet initiating the flow, respec- chains and across administrative domain boundaries.
tively. The biflow is then defined to have two directions. As biflow measurement is beneficial for many com-
The “forward” direction contains packets sent from the mon flow analysis tasks, and the IPFIX protocol as it
flow source to the flow destination, and the “reverse” di- stood in 2005 had no native support for representing bi-
rection contains packets sent the other way. Each biflow flows, the authors undertook an effort to add biflow ex-
then has two sets of non-key fields, one for each of these port to the protocol, in order to facilitate biflow collec-
directions. tion all the way back down the collection stack to the
Choosing direction by biflow initiator can be roughly flow metering process. This effort has been successful;
approximated by a metering process by simply assum- it is expected the addition of biflow export support to IP-
ing the first packet seen in a given biflow is the packet FIX will be published as an Informational RFC in early
initiating the flow. Some metering technologies may im- 2007 [9]. This will represent an approximately eighteen-
prove upon this method using some knowledge of the month lifecycle from conception at FloCon 2005, at the
transport or application protocols (e.g., TCP flags, DNS suggestion of the assembled workshop, to completion.
question/answer counts) to better approximate the flow- This provides an excellent example of how the IETF
initiating packet. standards community and various protocol user commu-
Creating a “reverse” information element counterpart nities – in this case, the security-oriented flow analysis
to each presently defined “forward” information element community represented at FloCon – can interact and co-
will cover most or all of the information model, since operate in order to further the application of standards
only certain identifiers and metering and export process and the goals of the communities in question. Standards
properties (cf. the IPFIX Information Model [14]) are are good for this community: by adopting a common
not subject to reversal. Single-record biflow export will interchange format, flow meters and collectors can in-
require a great number of new reverse information el- teroperate, easing the deployment of flow measurement
ements. The IPFIX Information Model has more than both within and across organizational boundaries. Like-
adequate number space for official information element wise, this community has been good for the standards
expansion. However, the additional reverse information process: without the effort described here, one fewer po-
elements are not so much a discrete list of new infor- tential user community would be well-served by the IP-
mation elements as a new dimension in the information FIX standard. The authors look forward to being part of
model. the continued relationship between these two communi-
This new reverse information element number space ties.
can be created by leveraging the vendor-specific infor- As such, the authors are also involved in another
mation element feature of the IPFIX protocol. This fea- enhancement to IPFIX that we hope will benefit the
ture allows an entity other than IANA to define informa- security-oriented flow analysis community. The IP-
tion elements by scoping them to an IANA-assigned Pri- FIX protocol, as noted, is designed for the export of
vate Enterprise Number (PEN) [8]. This draft proposes flow information from metering processes, through any
defining a special PEN to signify “IPFIX Reverse Infor- number of optional intermediate processes, toward a fi-
3
nal collecting process for storage, reporting and analy- [8] I NTERNET A SSIGNED N UMBERS AUTHORITY. IANA Pri-
sis. This one-way data flow, required by IPFIX’s na- vate Enterprise Number registry. http://www.iana.org/
assignments/enterprise-numbers.
ture as a unidirectional message-stream oriented proto-
col, is well suited for the initial collection of flow data. [9] I NTERNET E NGINEERING TASK F ORCE. IP Flow Informa-
tion Export (ipfix) Charter. http://www.ietf.org/html.
It would not seem to apply as readily to the generally charters/ipfix-charter.html, June 2006. Last Vis-
more fluid, document-oriented workflows used by anal- ited: 29 June 2006.
ysis tool suites such as the NCSA visualization tools [1] [10] KOMPELLA , R. R., S INGH , S., AND VARGHESE , G. On Scal-
or the SiLK suite [7, 11]. able Attack Detection in the Network. In Proceedings of the
However, as also noted, at the core of the IPFIX pro- Internet Measurement Conference 2004 (Taormina, Sicily, Italy,
October 2004), Association for Computing Machinery, pp. 187 –
tocol lies a simple, efficient, flexible message format on 200.
which a common document format could easily be based.
[11] M C N UTT, J. R: A Proposed Analysis and Visualization Environ-
Such a document storage format could unify the infor- ment for Network Security Data. In FloCon 2005: Proceedings
mation model and data representation used by the vari- (Pittsburgh, Pennsylvania, USA, September 2005), CERT Net-
ety of analysis tool chains from metering and collection work Situational Awareness Group.
through storage and final analysis. To that end, the au- [12] PAXSON , V. Bro: A System for Detecting Network Intruders in
thors are presently working on a new Internet-Draft [17] Real-Time. Computer Networks 31, 23 – 24 (December 1999),
2435 – 2463.
to define the requirements for and the technical details of
[13] Q O S IENT, LLC. argus: network Audit Record Generation and
this format.
Utilization System. http://www.qosient.com/argus/,
2004. Last Visited: 9 May 2006.
[14] Q UITTEK , J., B RYANT, S., C LAISE , B., AND M EYER , J. In-
6 Acknowledgments formation Model for IP Flow Information Export, June 2006.
INTERNET-DRAFT draft-ietf-ipfix-info-12 (work in progress).
Special thanks to the attendees of FloCon for bringing [15] ROESCH , M. Snort: Lightweight Intrusion Detection for Net-
the biflow issue to the attention of the IETF IPFIX work- works. In Proceedings of LISA ’99: 13th Systems Administra-
ing group, and to the members of the IETF IPFIX work- tion Conference (Seattle, Washington, USA, November 1999),
ing group for attending to it. Thanks also to Lutz Mark, USENIX Organization, pp. 229 – 238.
Juergen Quittek, Andrew Johnson, Paul Aitken, Benoit [16] T RAMMELL , B., AND B OSCHI , E. Bidirectional Flow Export
using IPFIX, June 2006. INTERNET-DRAFT draft-trammell-
Claise, and Carsten Schmoll for their contributions and
ipfix-biflow-02 (work in progress).
comments to the biflow export draft itself.
[17] T RAMMELL , B., B OSCHI , E., M ARK , L., AND Z SEBY, T. An
IPFIX-based File Format, June 2006. INTERNET-DRAFT draft-
References trammell-ipfix-file-01 (work in progress).
[18] WATSON , D., S MART, M., M ALAN , G. R., AND JAHANIAN ,
[1] B EARAVOLU , R., L AKKARAJU , K., AND Y URCIK , W. NVi- F. Protocol Scrubbing: Network Security Through Transparent
sionIP: An Animated State Analysis Tool for Visualizing Net- Flow Modification. IEEE/ACM Transactions on Networking 12,
Flows. In FloCon 2005: Proceedings (Pittsburgh, Pennsylvania, 2 (April 2004), 261 – 273.
USA, September 2005), CERT Network Situational Awareness
Group.
[2] B RADNER , S. The Internet Standards Process – Revision 3. RFC Notes
2026 (Best Current Practice), Oct. 1996. Updated by RFCs 3667,
1 The Internet Standards Process, which defines the IETF-specific
3668, 3932, 3979, 3978.
terminology that appears in this section and this document in general,
[3] B ROWNLEE , N., M ILLS , C., AND RUTH , G. Traffic Flow Mea- is described in RFC 2026 [2]
surement: Architecture. RFC 2722 (Informational), Oct. 1999.
[4] C ISCO S YSTEMS. Cisco IOS Netflow. http:
//www.cisco.com/en/US/products/ps6601/
products ios protocol group home.html, 2006.
Last Visited: 28 June 2006.
[5] C LAISE , B. IPFIX Protocol Specification, June 2006.
INTERNET-DRAFT draft-ietf-ipfix-proto-22 (work in progress).
[6] F ULLMER , M., AND ROMIG , S. The OSU Flow-tools Package
and Cisco Netflow Logs. In Proceedings of the 14th Systems Ad-
ministration Conference (LISA 2000) (New Orleans, Louisiana,
USA, December 2000), USENIX Organization, pp. 291 – 303.
[7] G ATES , C., C OLLINS , M., D UGGAN , M., KOMPANEK , A.,
AND T HOMAS , M. More NetFlow Tools: For Performance and
Security. In Proceedings of the 18th Large Installation Systems
Administration Conference (LISA 2004) (Atlanta, Georgia, USA,
November 2004), USENIX Organization, pp. 121–132.