About NetFlow/IPFIX and DPI

Dobbins, Roland rdobbins at arbor.net
Wed May 7 14:44:58 UTC 2014


On May 7, 2014, at 8:11 PM, Antoine Meillet <antoine.meillet at gmail.com> wrote:

> Should those protocols be considered as tools to perform DPI ?

No - they're flow telemetry exported by routers and switches, and they provide layer-4 information.

It's possible with Cisco Flexible NetFlow and with PSAMP exported over IPFIX to get packet contents; however, few if any collection/analysis systems utilize either extended telemetry format, to date.  I've never seen either implemented in a production network.

NetFlow and IPFIX are primarily used for security purposes such as DDoS detection/classification/traceback and botnet C&C identification; for traffic engineering analysis; capacity planning analysis; for troubleshooting; and for billing purposes.  Flow telemetry is an essential tool that ISPs and larger enterprises utilize in order to get a view into their network traffic, because it scales for large networks - and it does so because it doesn't typically include packet payloads, just the layer-4 information.  It's sort of like a near-time mobile phone bill for the network.

'DPI' generally (but not always) refers to devices which are placed inline and perform full multi-packet payload reassembly and inspection.  The term has been used (and misused) so broadly as to becoming essentially meaningless.

NetFlow and IPFIX are merely telemetry formats used by network engineers for the purposes noted above.  

This presentation talks about how NetFlow is used by network operators:

<https://app.box.com/s/mnshn99c13uekrggy99b>

Network neutrality is largely an issue of policy and of economics, not of technology, per se.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton



More information about the NANOG mailing list