Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project

Transcription

1 Cisco Research SCRIPT and the Big Picture Ralf Wolter, Cisco Systems 1 Agenda Building Blocks for the SCRIPT Project Cisco Research Center (CRC) NetFlow: the story and the challenge IETF Cisco AXP SCRIPT - Motivation Q&A 2

2 Cisco Research Center 3 Cisco & Research at Universities External Research and Talent Cisco Cisco Motivation Push Cisco into new business areas Influence Access to the best talent Give back to the community Deliver combo of: - Short term results for BUs - Long term results for Cisco Researcher Motivation Calibration to real world Leverage Recognition 4

3 Cisco Research Center A 21st Century Strategy Include external research in our virtual team Build relationships with professors and students Connect BUs and researchers Our Tools: Gift research awards Contract awards In-kind donations: equipment & services Cisco champions and reviewers Internal lectures + symposia Conference sponsorships Graduate internships + full time hires 5 Results Example Successes CRS-1 Architecture: Washington U. St. Louis Jon Turner & Guru Parulkar GSR Architecture, NetFPGA: Stanford Nick McKeown Bloom Filters & Deep Packet Inspection, NetSift in Hawkeye (DCBU & IOS Software): UCSD George Varghese, Sumeet Singh AFD (Approximate Fair Dropping) in Cat 3k, 7600, NEXUS 7000, ISR (SPTG; ISBU; DCBU): Stanford Balaji Prabakar & Rong Pan (now at Cisco) Service Node, Improving Traffic Locality in BitTorrent via Biased Neighbor Selection: Stanford Bindal et. al. IP SLA, Traffic and Performance Measurement using Active Probing Techniques (Benoit Claise, Ernie Mikulic): Fraunhofer Institute (FOKUS) Tanja Zseby Packet classification for encrypted flows (CPOL ), Location based services (CPOL ), GSBU: Harvard Mitzenmacher LASOR (Label Switched Optical Router) Project, DARPA funded (Gary Epps, HERBU): UCSB Dan Blumenthal 6

4 Accuracy Impact Random Packet NetFlow Sampling Packet Sampling for Flow Accounting: Challenges and Limitations, Tanja Zseby, Thomas Hirsch, Benoit Claise, PAM 2008 Square sum of bytes available in flexible NetFlow #Packets N f Estimation Accuracy (PLT_NZIX1, S24D00, Cisco, f=5% Mean Packet Size μ f Packet Size Standard Deviation σ f 7 NetFlow the Story and the Challenge 8

5 NetFlow Origination Developed by Darren Kerr and Barry Bruins at Cisco Systems in 1996 US Patent 6,243,667 The value of information in the cache was a secondary discovery Initially designed as a switching path Answers questions regarding IP traffic: who, what, where, when, and how A looooooong journey from a stealth feature to the IETF Standard for Accounting Technology 9 Version 5 Flow Format Flow Key vs. Non-Key Field From/to Usage Time of Day Packet count Byte count Start sysuptime End sysuptime Source IP address Destination IP address Source TCP/UDP port Destination TCP/UDP port Port Utilization QoS Input ifindex Output ifindex Type of service TCP flags Protocol Next hop address Source AS number Dest. AS number Source prefix mask Dest. Prefix mask Application Routing and Peering 10

6 NetFlow Version 9 Export Packet Template 1 Template 2 H E A D E R Template FlowSet Template Record Template ID #1 (Specific Field Types and Lengths) Template Record Template ID #2 (Specific Field Types and Lengths) Data FlowSet FlowSet ID #1 Data Record (Field Values) Data Record (Field Values) Data FlowSet ID #1 FlowSet ID #2 Data Record (Field Values) 11 Flexible NetFlow Model Interface Monitor A Monitor B Monitor C Record X Exporter M Exporter M Exporter N Exporter N Record Z Record Y A single record per monitor Potentially multiple monitors per interface Potentially multiple exporters per monitor 12

7 Flexible Flow Record: Key Fields Flow IPv4 IPv6 Sampler ID Direction Interface Input Output Layer 2 Source VLAN Destination VLAN IP (Source or Prefix (Source or Mask (Source or Minimum-Mask (Source or Protocol Fragmentation Flags Payload Size Packet Section (Header) Packet Section (Payload) TTL Options bitmap Version IP (Source or Prefix (Source or Mask (Source or Minimum-Mask (Source or Protocol Traffic Class Payload Size Packet Section (Header) Packet Section (Payload) DSCP Extension Headers Hop-Limit Source MAC address Destination MAC address Fragmentation Offset Identification Header Length Total Length Precedence DSCP TOS Flow Label Option Header Header Length Payload Length Length Next-header Version 13 Network Based Application Recognition NetFlow + NBAR Link Layer Header IP Header Interface ToS Protocol Source IP Address NetFlow NetFlow Monitors data in Layers 2 thru 4 Determines applications by port Utilizes a seven-tuple for flow TCP/UDP Header Destination IP Address Source Port Destination Port Flow information who, what, when, where NBAR Examines data from Layers 3 thru 7 Data Packet Deep Packet (Payload) Inspection NBAR Utilizes Layers 3 and 4 plus packet inspection for classification Stateful inspection of dynamic-port traffic Packet and byte counts 14

8 IETF IP Flow Information Export WG (IPFIX) 15 IETF: IP Flow Information Export WG (IPFIX) IPFIX is an effort to: Define the notion of a "standard IP flow" Devise data encoding for IP flows Consider the notion of IP flow information export based upon packet sampling Identify and address any security privacy concerns affecting flow data Specify the transport mapping for carrying IP flow information (IETF approved congestion-aware transport protocol) IPFIX web sites Charter: All IPFIX related drafts: Internal alias: ipfix@cisco.com 16

9 IETF: IP Flow Information Export WG (IPFIX) RFC3954 Cisco Systems NetFlow Services Export Version 9 RFC3917 Requirements for IP Flow Information Export Gathers all IPFIX requirements for the IPFIX evaluation process RFC3955 Evaluation of Candidate Protocols for IPFIX RFC5101 Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information RFC5102 Information Model for IP Flow Information Export RFC5103 Bidirectional Flow Export using IP Flow Information Export (IPFIX) 17 IPFIX History BOF at IETF51 draft-gsadasiv-ipfix-proposal Several candidates discussion: CRANE, LFAP, Diameter, sflow RFC3917: IPFIX Requirements RFC3954: NetFlow V9 RFC3955: Evaluation of the IPFIX Candidates Transport discussion: UDP vs TCP vs SCTP RFC5101: IPFIX Protocol RFC5102: IPFIX Information Model RFC5103: Biflow RFC5153: Implementation Guidelines

10 IPFIX History (Part 2) RFC5470: IPFIX Architecture RFC5471: IPFIX Guidelines for IPFIX testing RFC5472: IPFIX Applicability RFC5473: Reducing Redundancy more to come RFC5610: Exporting IPFIX type for IE PSAMP MIB moved to the IPFIX WG Cisco s Application extension Platform (AXP) 20

11 Branch Recorder Payment Gateway Health Care Router Fax-over-IP Router Green Router Device Mgmt. Router 2008 Cisco Systems, Inc. All rights reserved. 21 Cisco Public AXP High-Level Architecture Cisco ISR Router Cisco ISR IOS IOS Interface IOS Interface API API IOS Scripts, Workflow Processes, External Systems AXP Module AXP Module Plug-In Plug-In Plug-In Plug-In Application Middleware Management Agent System (AXP OS) (IOS) Extensible IOS-likeNetwork CLI Cisco Linux OS API Plug-In Management Console Open Schema Alerts 24x7 Network/Security Operations Center 2008 Cisco Systems, Inc. All rights reserved. Management Server Database Cisco Public Reports & Analysis 22

12 AXP Technical Overview Cisco ISR Router AXP Module Cisco IOS Configuration Monitoring Event Triggers Control Plane Data Plane IOS Interface (C/C++) App Perl/Python Virtualized OS Extensible IOS-like CLI Cisco Linux OS Java Application OSGI Java Virtualized OS Logging/Debugging facilities AUX GE-1 GE-2 23 SCRIPT Problem Statement 24

13 NetFlow Performance Challenge Moving Bottleneck Consumes a lot of CPU - Packet sampling - Metering process in hardware Collisions in the cache - Improved the hash function - Increased the cache size Consumes much bandwidth - Flexible flow record per interface, per direction - Export cache type per collector - Flow sampling CPU impact, bandwidth impact, and accuracy impact 25 Typical NetFlow Deployment NetFlow for Monitoring NetFlow for Security NetFlow for Core Traffic Matrix NetFlow for Peering ISP 26

14 SCRIPT Problem Statement Bottleneck: the collection infrastructure 27 Future 28

15 Questions? 29 30