NETFLOW FOR ACCOUNTING, ANALYSIS AND ATTACK Chu-Sing Yang Department of Electrical Engineering National Cheng Kung University
Outline Introduction Netflow Overview Netflow Architecture Netflow Formats Netflow Feature Acceleration Netflow Deployment AAA Conclusion and Future Work
Introduction: Goals. Service providers must have access to in-depth information about their networks: a complete view of current use, and an understanding of how their networks behave. This supports network problem determination and analysis; network security attack detection and prevention; detailed network usage history reports; analytical tools to analyze and predict usage trends; planning for network deployment and expansion; usage-based billing; SLA monitoring; and more.
Introduction: Challenges. Capturing characteristics: how to capture traffic characteristics from high-speed, high-volume networks (Mbps, Gbps, Tbps)? Analysis: how to analyze and generate the needed data quickly? Evolving network applications: streaming media (Windows Media, Real, QuickTime), P2P traffic, network security attacks. Log generation and storage: what information to save to support varied and long-term analysis, and how to minimize storage requirements?
Tools Taxonomy (figure). Data collection: RTFM, RMON, NetFlow, SNMP, packet dump. Analysis tools: cflowd, flow-tools, FlowScan, Panoptis, MINDS. Uses: traffic engineering, user monitoring, billing; detection of DDoS, viruses and worms.
Data Collection: SNMP Data. Simple Network Management Protocol (SNMP): router CPU utilization, link utilization, link loss, etc., collected from every router/link every few minutes. Applications: detecting overloaded links and sudden traffic shifts; measuring link utilization. Advantage: open standard, available for every router and switch. Disadvantages: coarse granularity, both spatially and temporally; version consistency.
Data Collection: Flow-Level Traces. Flow monitoring (e.g., Cisco NetFlow) measures at the level of sets of related packets: packets that belong together share source/destination IP addresses and port numbers, the same protocol and ToS bits, and the same input/output interfaces at a router (if known); the record carries the number of bytes and packets and the start and finish times. Applications: computing the application mix and detecting DoS attacks; measuring the traffic matrix for the network. Advantages: medium-grain traffic view, supported on some routers. Disadvantages: not uniformly supported across router products; large data volume, and may slow down some routers.
Data Collection: Packet-Level Traces. Packet monitoring captures IP, TCP/UDP, and application-level headers, collected by tapping individual links in the network. Applications: fine-grain timing of the packets on the link; fine-grain view of packet header fields. Advantage: the most detailed view possible at the IP level. Disadvantages: expensive to have in more than a few locations; challenging to collect on very high-speed links; extremely high volume of measurement data.
Business Requirements How do I efficiently track network and application resource usage? How do I know if my customers are adhering to usage policy agreements? How do I account and bill for resources being utilized? How do I effectively plan to allocate and deploy resources most efficiently? How do I track customers to enhance marketing customer service opportunities?
Accounting What For? Network monitoring Network planning Security analysis Application monitoring and profiling User monitoring and profiling Traffic engineering Peering agreements Usage-based billing Destination sensitive billing
Accounting vs. Billing (figure). The accounting application records address pairs (source 1.2.3.4, destination 5.6.7.8, and the reverse direction); the billing application maps those addresses to a user (Steve at 1.2.3.4) and a resource (SAP at 5.6.7.8).
Accounting Why? Baselining, Performance Network monitoring Application monitoring User monitoring Trends, statistics Deviation from normal History
Accounting: Why? Network design, capacity planning and traffic engineering (figure: a source at the Rome POP, destinations at the Munich and London POPs, with paths via the Paris POP, ISP2 and ISP3).
Accounting: Why? Peering agreements (figure: ISP peering).
NetFlow Origination Developed by Darren Kerr and Barry Bruins at Cisco Systems in 1996 US Patent 6,243,667 The value of information in the cache was a secondary discovery Initially designed as a switching path NetFlow is now the primary network accounting technology in the industry Answers questions regarding IP traffic: who, what, where, when, and how
Principle NetFlow Benefits Service Provider Peering arrangements Network planning Traffic engineering Accounting and billing Security monitoring Enterprise Internet access monitoring (protocol distribution, where traffic is going/coming) User monitoring Application monitoring Charge back billing for departments Security monitoring
NetFlow Enables Traffic Analysis and Monitoring for Network Planning Usage-Based Billing Router Feature Acceleration NetFlow statistics empowers users with the ability to characterize their IP data flows The who, what, where, when, and how much IP traffic questions are answered
NetFlow's Value. NetFlow enables IP traffic flow analysis without probes. It offers a rich data set to be mined for network management, traffic engineering, and value-added service offerings (e.g. marketing data, personal NMS data). Increasing margins on existing Cisco infrastructure is possible and economical with NetFlow usage-based billing.
What Is a Flow? Defined by seven unique keys: source IP address, destination IP address, source port, destination port, layer 3 protocol type, ToS byte (DSCP), and input logical interface (ifIndex). (Figure: the seven keys, with the remaining fields shown as exported data.)
NetFlow Principles Inbound traffic only Unidirectional flow Accounts for both transit traffic and traffic destined for the router Works with Cisco Express Forwarding (CEF) or fast switching Not a switching path Supported on all interfaces and Cisco IOS software platforms Returns the subinterface information in the flow records C6500/7600 enables NetFlow on all interfaces by default
NetFlow Components (diagram). IOS NetFlow (data switching, data export, data aggregation) exports to the FlowCollector (data collection, data filtering, data aggregation, data storage, file system management), which feeds the NetFlow Data Analyzer (data presentation, NFC control and configuration) and partner applications for network planning and accounting/billing. An RMON probe is shown as an alternative data source.
NetFlow Component: IOS (diagram: the IOS part of the component chain, alongside an RMON probe, covering data switching, data export and data aggregation).
NetFlow Cache Tracks Flows A Flow is defined by Seven Characteristics: Source/Destination IP address pair Source/Destination application port pair IP Protocol Input Physical Interface Index IP Type of Service (ToS) byte Flows are unidirectional NetFlow is enabled on a per input-interface basis
NetFlow Feature Acceleration NetFlow Accelerates NetFlow Policy Routing (NPR) Router-based network data encryption Access Control Lists (ACL) RSVP In the future Network Address Translation (NAT) Committed Access Rate (CAR) Web Cache Control Protocol (WCCP) Others Availability of such acceleration will be announced on a feature-by-feature basis
NetFlow Data Record (figure of the record fields, grouped).
- Usage: packet count, byte count.
- From/To: source IP address, destination IP address.
- Time of day: start timestamp, end timestamp.
- Application: source TCP/UDP port, destination TCP/UDP port.
- Port utilization: input interface port, output interface port.
- QoS: type of service, TCP flags, protocol.
- Routing and peering: next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask.
Router-Based Aggregation (figure): aggregation schemes AS, prefix matrix, protocol type, source prefix and destination prefix.
NetFlow Components: FlowCollector (diagram: IOS NetFlow, with data switching, data export and data aggregation, exports to the FlowCollector, which performs data collection, data filtering, data aggregation, data storage and file system management; an RMON probe is an alternative source).
NetFlow FlowCollector Flow record reception Data volume reduction Filtering Aggregation Flexible thread language Flat file, binary, and/or compressed file storage File cleanup Solaris and HP-UX NetFlow FlowCollector Flow Consumer Applications
FlowCollector Aggregation Schemes Over 20 aggregation schemes From Call Detail Records for billing To AS information for statistics Many combinations in-between
Highlighted New Features in FlowCollector 3.0 Support for RBA export data 8 additional aggregation schemes Improved disk space management Configuration and Control API Autonomous Message Notification High availability process monitoring on hosting workstation
NetFlow Components: Data Analyzer (the same component diagram as above, highlighting the NetFlow Data Analyzer: data presentation, NFC control and configuration, feeding partner applications for network planning and accounting/billing).
Network Data Analyzer NetFlow FlowCollectors NetFlow FlowAnalyzer Graphical display of NetFlow data Consumes from NetFlow FlowCollector(s) Time-based analysis & data sorting Histograms, Bar Charts, Piecharts Spreadsheet data export
Highlighted Features in Network Data Analyzer Search operations Address to Address transactions Address to Subnet transactions Subnet to Subnet transactions Address away from Address/Subnet transactions Multiple router, dataset selection or interface selection DetailASMatrix aggregation & drilldown DNS address and AS number to name translation
Highlighted Features in Network Data Analyzer NetFlow Collector Control Traffic Matrix Statistics (TMS) Data Collection Control and Analysis View router-based aggregation schema data Router control for NetFlow and TMS
NetFlow Formats.
- Version 1: initial version; not commonly used.
- Version 5: superset of version 1; added AS accounting and datagram sequencing; commonly used.
- Version 7: Cat5K NFFC only; not available in IOS.
- Version 8: router-based aggregation; available in 12.0(3)T, 12.0(3)S.
- Version 9: configurable flow record templates.
- Versions 2, 3, 4 and 6 were experimental.
Cache Management & Data Export (figure: expired flow records leave the NetFlow cache and are packed behind a header carrying the version number, sequence number and record count).
- The flow cache manager expires flows: no traffic, long life, TCP flags, cache full, etc.
- Intelligent cache aging ensures cache entries are always available.
- Distributed NetFlow cache on VIPs.
- The router exports groups of expired flows every second.
- Export uses UDP datagrams with sequence numbers.
Cache Management & Export (figure): flow entries (Flow 1, Flow 2, Flow 3, ...) leave the NetFlow cache when the flow expires, the cache is full or a timer expires; expired entries are placed in the export buffer and sent over UDP to the collector.
Flow Management: rules for expiring NetFlow cache entries.
- Flows which have been idle for a specified time are expired and removed from the cache (this is configurable).
- Long-lived flows are expired and removed from the cache; by default, flows are expired after 30 min.
- As the cache becomes full, the cache is intelligently purged.
- TCP connections which have been closed, that is, a FIN or RST has been received.
Data Export. When does NetFlow export data? Flow datagrams are exported once per second, or when a complete UDP datagram of flows is available. Number of flow records per export packet: version 1, 24 flow records; version 5, 30 flow records; version 7, 27 flow records; versions 8 and 9, variable.
NetFlow Versions.
- 1: original.
- 5: standard and most common.
- 7: specific to Cisco C6500 and 7600 series switches; similar to version 5, but does not include AS, interface, TCP flag and ToS information.
- 8: choice of eleven aggregation schemes; reduces resource usage.
- 9: flexible, extensible file export format to enable easier support of additional fields and technologies, e.g. MPLS, multicast, BGP next hop, and IPv6.
Version 1. Version 1 is the initial NetFlow format, supported on 11.1, 11.2, 11.3 and 12.0, and on by default. There is no reason to use v1 unless supporting a legacy collection system.
NetFlow: Not a Switching Path. In the past (before CEF), NetFlow was a switching mechanism, but we faced complications and performance problems. When CEF was written, the NetFlow code was rewritten to do only the accounting job; it no longer switches. NetFlow now runs on top of CEF to store accounting statistics; we still look into the FIB for adjacencies, encapsulation information, route, etc. As a consequence, the name "NetFlow switching" was changed to "NetFlow services".
NetFlow Acceleration. An API used by other IOS features; needs 12.0(3)T. Extra space is reserved in the NetFlow cache for state information from other features, so the feature processing is applied to the first packet instead of every packet: information from the first packet is used to build the cache entry, which is then accessed by subsequent packets of the same flow. Access control lists are accelerated by default; nothing to configure.
NetFlow Acceleration. Depending on the train (12.0S, 12.0ST, 12.1 or 12.2), NetFlow accelerates: IP accounting, RSVP, crypto encrypt and decrypt, policy routing, WCCP inbound redirection, Cisco Applications and Services Architecture. Future: CAR, NAT, etc.
NetFlow Bypasses the Access List (flowchart).
- First packet in the flow? Yes: ACL acceleration. Does the packet pass the ACL? Yes: create a NetFlow entry and forward the packet with CEF. No: create a NetFlow entry with a null output interface and discard the packet.
- First packet in the flow? No: look up the entry in the NetFlow cache and update its statistics. Is the output interface null? Yes: the packet goes through the ACL and may be denied. No: forward the packet with CEF.
Acceleration: NetFlow Policy Routing. The first packet goes through the route map and the access list, and a NetFlow cache entry is created with extra information for policy routing (for example the next hop). Subsequent packets of the same flow bypass the route map and access list checks. Note that the acceleration doesn't change the switching path!
Performance (approximate numbers). Enabling NetFlow version 5 on a router increases CPU utilization by 20 to 25%. NetFlow export increases CPU utilization by 5%. Enabling NetFlow version 8 increases CPU utilization by 2 to 5%, depending on the number of aggregations enabled, with a multiple of 6% for multiple aggregations. NetFlow is done in hardware on the Cat6000 supervisor.
Where to Collect the Traffic: Edge vs. Core. Criteria to compare for edge and core collection: communication pattern, flow duplication, CPU impact, data compression, data reduction (filtering), data aggregation.
Where to Deploy NetFlow? On the edges of the network: on all routers, because NetFlow accounts for incoming traffic only. For billing: on the aggregation routers, because some 12000 line cards only support sampled NetFlow. For accounting and capacity planning: on the aggregation routers or the 12000 router; sampled NetFlow could be sufficient.
Where to Deploy NetFlow? For BGP information: on the BGP peering routers. You can monitor one link, egress and ingress, but it should be on an MPLS PE-CE link. Basic principles: don't account for your own exported data; avoid a flow-duplication design, since the NetFlow Collector doesn't do flow de-duplication (that is done by partner tools).
Creating Export Packets (figure: traffic enters a PE router at the edge of the core network where NetFlow is enabled; the router is polled via the SNMP MIB and sends UDP export packets to a collector running on Solaris, HP-UX or Linux, from which an application GUI or NMS station reads the data). UDP export packets are approximately 1500 bytes, typically contain 20-50 flow records, and are sent more frequently as traffic increases on NetFlow-enabled interfaces.
Flow Export Format (version 5 is used in this example; in the original figure, key fields are blue, standard fields black and looked-up fields red).
- Usage: packet count, byte count.
- From/To: source IP address, destination IP address.
- Time of day: start sysuptime, end sysuptime.
- Application: source TCP/UDP port, destination TCP/UDP port.
- Port utilization: input ifIndex, output ifIndex.
- QoS: type of service, TCP flags, protocol.
- Routing and peering: next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask.
NetFlow Cache Example.
1. Create and update flows in the NetFlow cache:
SrcIf | SrcIPadd | DstIf | DstIPadd | Protocol | TOS | Flgs | Pkts | SrcPort | SrcMsk | SrcAS | DstPort | DstMsk | DstAS | NextHop | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 11000 | 00A2 | /24 | 5 | 00A2 | /24 | 15 | 10.0.23.2 | 1528 | 1745 | 4
Fa1/0 | 173.100.3.2 | Fa0/0 | 10.0.227.12 | 6 | 40 | 0 | 2491 | 15 | /26 | 196 | 15 | /24 | 15 | 10.0.23.2 | 740 | 41.5 | 1
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 10000 | 00A1 | /24 | 180 | 00A1 | /24 | 15 | 10.0.23.2 | 1428 | 1145.5 | 3
Fa1/0 | 173.100.6.2 | Fa0/0 | 10.0.227.12 | 6 | 40 | 0 | 2210 | 19 | /30 | 180 | 19 | /24 | 15 | 10.0.23.2 | 1040 | 24.5 | 14
2. Expiration: inactive timer expired (15 sec is default); active timer expired (30 min, i.e. 1800 sec, is default); NetFlow cache is full (oldest flows are expired); RST or FIN TCP flag. The expired entry:
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 11000 | 00A2 | /24 | 5 | 00A2 | /24 | 15 | 10.0.23.2 | 1528 | 1800 | 4
3. Aggregation? No: non-aggregated flows. Yes, e.g. the protocol-port aggregation scheme: the entry becomes Protocol 11, Pkts 11000, SrcPort 00A2, DstPort 00A2, Bytes/Pkt 1528 (aggregated flows).
4. Export version: non-aggregated flows use export version 5 or 9; aggregated flows use export version 8 or 9.
5. Transport protocol: the export packet consists of a header and a payload (flows).
NetFlow Processing Order (figure). Pre-processing: packet sampling, filtering. Features and services: IP multicast, MPLS, IPv6. Post-processing: aggregation schemes, non-key field lookup, export.
Active/Inactive Timers.
- Inactive time: the flow expires once no packets are seen for this duration.
- Active time: if packets continue to be received on a flow beyond this setting, the flow expires and is exported while a new flow is created.
- Default values on software-based routers, the 12000 and the 10000: inactive timer 15 seconds (minimum 1 second); active timer 30 minutes (minimum 1 minute).
- Default values on a C6500/7600: aging time 256 seconds; fast aging time disabled (for flows that only switch a few packets and are never used again); long aging time 1920 seconds (used to prevent counter wraparound and inaccurate statistics).
- Recommendation: change the normal aging time to 32 seconds and the fast aging time to 32 seconds and 32 packets.
Flow Timers and Expiration (timeline figure).
- 1st and 3rd flows: Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 128.
- 2nd flow: Src 10.1.1.1, Dst 20.2.2.2, Prot 6, Src & Dst port 15, InIF FE0/0, ToS 192 (identical keys except the ToS byte, so a separate flow).
- The router boots and the sysuptime timer begins. Each flow has a start and an end (sysuptime); 15 seconds of inactivity after its last packet, the flow expires (sysuptime) and is placed in a UDP export packet containing 30-50 flows (sysuptime and UTC). Packets with the same keys as the 1st flow arriving after it has expired start the 3rd flow.
- SysUptime: current time in milliseconds since the router booted. UTC: Coordinated Universal Time, can be synchronized to NTP (Network Time Protocol).
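The cache behaviour the last few slides describe (flows keyed by the seven NetFlow key fields, the inactive and active timers, FIN/RST expiry and purging when the cache is full), as an added Python example. It is not part of the original deck and not Cisco IOS code; the FlowCache class, the timer defaults (15 s inactive, 1800 s active, as on the slides) and the packet trace in demo() are my own constructions.

```python
"""Unidirectional flow cache keyed by the seven NetFlow key fields, with the
expiration rules from the slides: inactive timer, active timer, TCP FIN/RST,
and a full cache. Added example, not IOS code; the trace is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP_FIN, TCP_RST = 0x01, 0x04

# (src IP, dst IP, src port, dst port, protocol, ToS byte, input ifIndex)
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    first: float          # sysuptime (s) of the first packet
    last: float           # sysuptime (s) of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of every TCP flag seen in the flow


class FlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0, max_entries=65536):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.max_entries = max_entries
        self.entries: Dict[FlowKey, FlowEntry] = {}
        # Expired entries in export order, tagged with the rule that aged them out.
        self.expired: List[Tuple[str, FlowEntry]] = []

    def _expire(self, key: FlowKey, reason: str) -> None:
        self.expired.append((reason, self.entries.pop(key)))

    def packet(self, now, src, dst, sport, dport, proto, tos, in_if, length, tcp_flags=0):
        """Account one packet seen at sysuptime `now` on input interface `in_if`."""
        key = (src, dst, sport, dport, proto, tos, in_if)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                # Cache full: push out the entry that has been idle the longest.
                oldest = min(self.entries.values(), key=lambda e: e.last)
                self._expire(oldest.key, "cache full")
            entry = self.entries[key] = FlowEntry(key, first=now, last=now)
        entry.last = now
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        if proto == 6 and tcp_flags & (TCP_FIN | TCP_RST):
            self._expire(key, "fin/rst")          # connection closed: export right away
        elif now - entry.first >= self.active_timeout:
            self._expire(key, "active timer")     # long-lived flow: export; next packet opens a new entry

    def age(self, now: float) -> None:
        """Periodic cache-manager pass: expire entries that have gone quiet."""
        idle = [k for k, e in self.entries.items() if now - e.last >= self.inactive_timeout]
        for key in idle:
            self._expire(key, "inactive timer")


def demo() -> List[Tuple[str, int, int, int]]:
    """Constructed trace that triggers every rule; returns (reason, packets, octets, tcp_flags)."""
    cache = FlowCache(max_entries=2)              # tiny cache so the "cache full" rule fires
    A = ("10.1.1.1", "20.2.2.2", 40000, 53, 17, 0, 1)
    B = ("10.1.1.1", "20.2.2.2", 40001, 80, 6, 0, 1)
    C = ("10.1.1.1", "20.2.2.2", 40000, 53, 17, 192, 1)   # same 5-tuple as A, different ToS
    D = ("10.1.1.2", "20.2.2.2", 40002, 443, 6, 0, 1)
    E = ("10.1.1.3", "20.2.2.2", 40003, 443, 6, 0, 1)
    cache.packet(0.0, *A, 80)
    cache.packet(1.0, *A, 80)
    cache.packet(2.0, *B, 60, tcp_flags=0x02)     # SYN
    cache.packet(3.0, *B, 1500, tcp_flags=0x18)   # PSH/ACK
    cache.packet(4.0, *B, 60, tcp_flags=0x11)     # FIN/ACK: exported immediately
    cache.packet(5.0, *C, 80)
    cache.age(17.0)                               # A idle for 16 s: inactive timer
    cache.packet(18.0, *D, 100)
    cache.packet(19.0, *E, 100)                   # cache full: C (idle longest) is pushed out
    cache.packet(1818.0, *D, 100)                 # 1800 s after D began: active timer
    return [(r, e.packets, e.octets, e.tcp_flags) for r, e in cache.expired]


if __name__ == "__main__":
    for reason, packets, octets, flags in demo():
        print(f"{reason:15s} packets={packets} octets={octets} flags={flags:#04x}")
```

The flow C shows why the ToS byte is a key field: packets identical to flow A except for ToS land in a separate entry, exactly as the 2nd flow on the timeline slide does.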
NetFlow and Security. There is no authentication mechanism between the routers and the collector: the collector only interprets the UDP packets it receives, without any checks. Make sure your data communication network is secure, including the collector machine. Potential problem: someone sending wrong accounting information to the collector from a spoofed router IP address.
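The version 5 export datagram from the format slides (header with version, record count and sequence number; about 1500 bytes; 30 records), together with the two checks a collector can still apply to unauthenticated UDP export: accept only known exporter addresses, and follow each exporter's sequence counter so that lost datagrams, replays and records injected from a spoofed address stand out. This is an added Python example, not the original deck's material and not Cisco's FlowCollector; the exporter address 192.0.2.1, the sender 198.51.100.9 and the flows in demo() are constructed. The field layout follows the published v5 format (24-byte header, 48-byte records).

```python
"""NetFlow version 5 export (24-byte header plus up to 30 48-byte records,
so 24 + 30 * 48 = 1464 bytes) and collector-side checks: exporter allowlist
plus flow_sequence tracking, where flow_sequence is the cumulative number
of flows exported before this datagram. Added example; addresses constructed."""
import socket
import struct
from collections import namedtuple
from typing import Dict, List, Tuple

# version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport,
# pad, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30

FlowRecord = namedtuple("FlowRecord", "src dst nexthop input_if output_if packets octets first last "
                        "sport dport tcp_flags proto tos src_as dst_as src_mask dst_mask",
                        defaults=("0.0.0.0",) + (0,) * 15)

def pack_record(f: FlowRecord) -> bytes:
    return V5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), socket.inet_aton(f.nexthop), *f[3:])

def unpack_record(raw: bytes) -> FlowRecord:
    v = V5_RECORD.unpack(raw)
    return FlowRecord(socket.inet_ntoa(v[0]), socket.inet_ntoa(v[1]), socket.inet_ntoa(v[2]), *v[3:])

def build_export(flows: List[FlowRecord], sysuptime: int, unix_secs: int,
                 flow_sequence: int, engine_id: int = 0, sampling: int = 0) -> bytes:
    """Router side: one UDP payload. flow_sequence = flows exported before this datagram."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("version 5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(flows), sysuptime, unix_secs, 0,
                            flow_sequence & 0xFFFFFFFF, 0, engine_id, sampling)
    return header + b"".join(pack_record(f) for f in flows)

def parse_export(datagram: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Collector side: length-checked decode; raises ValueError on anything inconsistent."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, sysuptime, unix_secs, _, seq, _, engine_id, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = [unpack_record(datagram[V5_HEADER.size + i * V5_RECORD.size:][:V5_RECORD.size])
               for i in range(count)]
    return {"count": count, "sysuptime": sysuptime, "unix_secs": unix_secs, "flow_sequence": seq,
            "engine_id": engine_id, "sampling": sampling}, records

class Collector:
    def __init__(self, allowed_exporters: List[str]):
        self.allowed = set(allowed_exporters)
        self.expected: Dict[Tuple[str, int], int] = {}   # (exporter, engine_id) -> next flow_sequence
        self.flows: List[FlowRecord] = []
        self.alerts: List[str] = []

    def receive(self, src_ip: str, datagram: bytes) -> int:
        """Ingest one datagram; returns the number of records accepted."""
        if src_ip not in self.allowed:
            self.alerts.append(f"dropped export from unknown exporter {src_ip}")
            return 0
        try:
            hdr, records = parse_export(datagram)
        except ValueError as err:
            self.alerts.append(f"malformed export from {src_ip}: {err}")
            return 0
        key, seq = (src_ip, hdr["engine_id"]), hdr["flow_sequence"]
        expected = self.expected.get(key)
        if expected is not None and seq < expected:
            # Old counter value: a replayed datagram, or a second device using this address.
            self.alerts.append(f"{src_ip}: sequence went backwards ({seq} < {expected}), records ignored")
            return 0
        if expected is not None and seq > expected:
            self.alerts.append(f"{src_ip}: {seq - expected} flows missing (export datagrams lost)")
        self.expected[key] = (seq + hdr["count"]) & 0xFFFFFFFF
        self.flows.extend(records)
        return len(records)

def demo() -> Tuple[Tuple[int, ...], List[str]]:
    """Constructed exchange: two good datagrams, a gap, an unknown sender and a replay."""
    exporter = "192.0.2.1"
    collector = Collector(allowed_exporters=[exporter])
    a = FlowRecord("10.0.0.1", "10.0.0.2", sport=40000, dport=80, proto=6, packets=10, octets=5000)
    b = FlowRecord("10.0.0.3", "10.0.0.2", sport=53, dport=53, proto=17, packets=1, octets=80)
    p1 = build_export([a, b], 1000, 1_600_000_000, flow_sequence=0)
    p2 = build_export([a], 2000, 1_600_000_001, flow_sequence=2)
    p3 = build_export([b], 3000, 1_600_000_002, flow_sequence=10)   # 7 flows never arrived
    results = (collector.receive(exporter, p1), collector.receive(exporter, p2),
               collector.receive(exporter, p3),
               collector.receive("198.51.100.9", p2),   # not a known exporter
               collector.receive(exporter, p2))         # replay of an old datagram
    return results, collector.alerts
```

The sequence check is a consistency check, not authentication: a sender who can spoof the exporter's address and guess the counter is not detected by it, which is why the slide's advice to isolate the export path (a dedicated export LAN, as recommended later) still applies.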
How Many NetFlow Collectors? In theory, one NFC per POP or aggregation router (7x00 router). For VPNSC (MPLS VPN environment), we advise one NFC per PE. Basic principles: check your Sun capabilities with the NFC sizer calculator; reduce the number of routers per NFC if needed. Rule of thumb: 10 routers per NFC.
Deployment Tricks. Enable ifIndex persistence if accounting per interface. Look at the router CPU (<60%) and memory before enabling NetFlow. Check the export link bandwidth. Use a dedicated export LAN. If you export too much traffic: go for the aggregations and don't export version 5; go for sampled NetFlow if on a GSR; increase the aggregation timers. Access lists still account for the traffic.
What to Collect: Level of Collection Details Link statistics or traffic details: SA, DA Application details (port numbers) QoS Time stamps Routing and peering Header or payload Layer 2 or Layer 3 information Data export: push or pull model Collection interval and history Consider the generated data volume
What to Collect: The Two Extremes (figure: SNMP at one end, NetFlow at the other). The NetFlow fields, grouped: usage (packet count, byte count); time of day (start sysuptime, end sysuptime); port utilization (input ifIndex, output ifIndex); QoS (type of service, TCP flags, protocol); from/to (source IP address, destination IP address); application (source TCP/UDP port, destination TCP/UDP port); routing and peering (next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask).
What to Collect: Full Collection vs. Sampling Processing every packet might not scale up to very high-speed interfaces Amount of collected data might be huge It might take longer to process the data than to generate it Network Management traffic might fully utilize the available bandwidth Packet sampling can help to overcome those issues
What to Collect: 1-in-n Sampling (figure). Sampling interval 1 in 2 packets: missed flows 1 out of 5 (15 %). Sampling interval 1 in 5 packets: missed flows 2 out of 5 (35%).
What to Collect: Sampling Best Practices Sampling for monitoring is fine Continuously sampling might be OK even for billing purposes Carefully determine the sampling rate Sampling algorithms: 1 in n (deterministic, random, hash-based) Filter, expressions Time based Trajectory sampling Sampling White Paper: work in progress
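The effect of 1-in-n packet sampling that the two preceding slides describe, as an added Python example that is not from the deck: it interleaves a constructed traffic mix into one packet stream, samples it deterministically (every n-th packet) and randomly (each packet kept with probability 1/n), reports which flows are never seen at all, and scales the surviving counts by n the way a collector must. The flow names and sizes in FLOWS are my own; the sampling algorithms are the "1 in n (deterministic, random)" variants named on the slide.

```python
"""Effect of 1-in-n packet sampling on flow visibility: short flows can be
missed entirely, and sampled packet counts must be scaled by n. Added
example (not from the slides); the flow sizes are constructed."""
import random
from typing import Dict, List


def interleave(flows: Dict[str, int]) -> List[str]:
    """Round-robin the per-flow packet counts into one packet stream of flow ids."""
    stream, remaining = [], dict(flows)
    while remaining:
        for fid in list(remaining):
            stream.append(fid)
            remaining[fid] -= 1
            if remaining[fid] == 0:
                del remaining[fid]
    return stream


def sample_deterministic(stream: List[str], n: int) -> List[str]:
    """Keep every n-th packet; phase-locks with periodic traffic patterns."""
    return [fid for i, fid in enumerate(stream) if i % n == 0]


def sample_random(stream: List[str], n: int, seed: int = 0) -> List[str]:
    """Keep each packet independently with probability 1/n; no phase effects."""
    rng = random.Random(seed)
    return [fid for fid in stream if rng.randrange(n) == 0]


def sampling_report(flows: Dict[str, int], n: int, sampler=sample_deterministic) -> dict:
    """Which flows vanish at rate 1-in-n, and the n-scaled packet estimates for the rest."""
    seen: Dict[str, int] = {}
    for fid in sampler(interleave(flows), n):
        seen[fid] = seen.get(fid, 0) + 1
    missed = [fid for fid in flows if fid not in seen]
    return {"missed": missed,
            "missed_fraction": len(missed) / len(flows),
            "estimated_packets": {fid: cnt * n for fid, cnt in seen.items()}}


# Constructed traffic mix: one bulk transfer and several short flows (20 packets in total).
FLOWS = {"bulk": 12, "dns": 1, "probe": 2, "web": 4, "ping": 1}

if __name__ == "__main__":
    for n in (2, 5):
        print(f"1 in {n}, deterministic:", sampling_report(FLOWS, n))
        print(f"1 in {n}, random:       ", sampling_report(FLOWS, n, sample_random))
```

With this mix, deterministic 1-in-2 sampling misses the 4-packet "web" flow entirely because all of its packets happen to fall on odd positions in the stream, while the bulk transfer is over-estimated (14 packets instead of 12): the accounting consequence behind the slide's advice to choose the sampling rate carefully and to prefer sampling for monitoring over billing.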
IP Accounting/Billing: Many Different Flavors! Flat-rate billing doesn't always scale; competitive pricing models can be created with usage-based billing. Usage-based billing considerations: time of day; application; QoS/CoS; transit or peer; within my network or off; distance-based; bandwidth usage; data transferred; traffic class (e.g. going through a secure tunnel, high-speed link, or special arrangement).
User Definition (figure: a hierarchy of users identified by IP address, name, etc. (User 1 to User 7), grouped into departments (Dept. 1 to Dept. 5), grouped into customers (Co. 1 to Co. 7)). Reporting can be offered at any level; customers can self-manage all sub-levels; the orange and blue levels in the figure can be sold at a premium.
Which Aggregations to Use on a Router? (table of schemes and their fields) Schemes: AS, Protocol-Port, Source-Prefix, Destination-Prefix, Prefix. Fields used across the schemes: source prefix, source prefix mask, destination prefix, destination prefix mask, source application port, destination application port, input interface, output interface, IP protocol, source AS, destination AS, first timestamp, last timestamp, number of flows, number of packets, number of bytes.
Which Aggregation to Use on a Router? (continued) ToS variants of the schemes: AS-TOS, Protocol-Port-TOS, Source-Prefix-TOS, Destination-Prefix-TOS, Prefix-TOS, Prefix-Port. Fields: the same as above plus the TOS byte, i.e. source prefix, source prefix mask, destination prefix, destination prefix mask, source application port, destination application port, input interface, output interface, IP protocol, source AS, destination AS, TOS, first timestamp, last timestamp, number of flows, number of packets, number of bytes.
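Router-based aggregation as the two slides above and the cache-example slide describe it, as an added Python example that is not part of the deck: expired flow records are folded into one record per key for the AS, Protocol-Port, Source-Prefix, Destination-Prefix and Prefix schemes, optionally extended with the ToS byte, and the reduction in export records is measured. The key fields I use per scheme are the ones I know from the version 8 record formats (Prefix-Port is not implemented here); the three sample flows are constructed, modelled on the cache table earlier in the deck (protocol 0x11 is UDP, port 0x00A2).

```python
"""Version 8 style aggregation of expired flow records into the AS,
Protocol-Port, Source-Prefix, Destination-Prefix and Prefix schemes, with
or without the ToS byte. Added example, not IOS code; sample flows are
constructed and modelled on the slide's cache table."""
import ipaddress
from typing import Callable, Dict, List


def prefix(addr: str, mask_len: int) -> str:
    """Network part of addr under a /mask_len mask, e.g. 173.100.3.2/26 -> 173.100.3.0."""
    return str(ipaddress.ip_network(f"{addr}/{mask_len}", strict=False).network_address)


# Key fields of each scheme; the counters (flows, packets, bytes, first, last) are folded below.
SCHEMES: Dict[str, Callable[[dict], tuple]] = {
    "as": lambda f: (f["src_as"], f["dst_as"], f["input_if"], f["output_if"]),
    "protocol-port": lambda f: (f["proto"], f["sport"], f["dport"]),
    "source-prefix": lambda f: (prefix(f["src"], f["src_mask"]), f["src_mask"], f["src_as"], f["input_if"]),
    "destination-prefix": lambda f: (prefix(f["dst"], f["dst_mask"]), f["dst_mask"], f["dst_as"], f["output_if"]),
    "prefix": lambda f: (prefix(f["src"], f["src_mask"]), f["src_mask"], prefix(f["dst"], f["dst_mask"]),
                         f["dst_mask"], f["src_as"], f["dst_as"], f["input_if"], f["output_if"]),
}


def aggregate(flows: List[dict], scheme: str, with_tos: bool = False) -> Dict[tuple, dict]:
    """Fold flow records into one aggregated record per key; with_tos gives the '-TOS' variant."""
    key_of = SCHEMES[scheme]
    out: Dict[tuple, dict] = {}
    for f in flows:
        key = key_of(f) + ((f["tos"],) if with_tos else ())
        rec = out.setdefault(key, {"flows": 0, "packets": 0, "bytes": 0, "first": f["first"], "last": f["last"]})
        rec["flows"] += 1
        rec["packets"] += f["packets"]
        rec["bytes"] += f["octets"]
        rec["first"] = min(rec["first"], f["first"])
        rec["last"] = max(rec["last"], f["last"])
    return out


def reduction(flows: List[dict], scheme: str, with_tos: bool = False) -> float:
    """Export records before divided by after aggregation: the resource saving the scheme buys."""
    return len(flows) / len(aggregate(flows, scheme, with_tos))


def flow(src, src_mask, src_as, dst, dst_mask, dst_as, proto, sport, dport, tos, packets, bpp, first, last) -> dict:
    """Build one expired flow record (octets = packets * bytes-per-packet, as the slide shows Bytes/Pkt)."""
    return {"src": src, "src_mask": src_mask, "src_as": src_as, "dst": dst, "dst_mask": dst_mask,
            "dst_as": dst_as, "proto": proto, "sport": sport, "dport": dport, "tos": tos,
            "packets": packets, "octets": packets * bpp, "first": first, "last": last,
            "input_if": 1, "output_if": 2}


# Constructed expired flows modelled on the slide's cache example.
SAMPLE_FLOWS = [
    flow("173.100.21.2", 24, 5,   "10.0.227.12", 24, 15, 17, 0xA2, 0xA2, 0x80, 11000, 1528, 0,   1745),
    flow("173.100.3.2",  26, 196, "10.0.227.12", 24, 15, 6,  15,   15,   0x40, 2491,  740,  100, 141),
    flow("173.100.20.2", 24, 180, "10.0.227.12", 24, 15, 17, 0xA2, 0xA2, 0x80, 10000, 1428, 50,  1195),
]

if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme:19s} records={len(aggregate(SAMPLE_FLOWS, scheme))} reduction={reduction(SAMPLE_FLOWS, scheme):.1f}x")
        for key, rec in aggregate(SAMPLE_FLOWS, scheme).items():
            print("   ", key, rec)
```

Note what the fold throws away: under Protocol-Port the two UDP flows to port 0xA2 from different source addresses and different source ASes become a single record, so a scheme must be chosen for what the downstream report needs (the AS scheme keeps the peering information, the Destination-Prefix scheme here collapses all three flows into one).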
Network Data Analyzer (figure: NetFlow FlowCollectors feeding the NetFlow FlowAnalyzer). Graphical display of NetFlow data; consumes from NetFlow FlowCollector(s); time-based analysis and data sorting; configures routers and FlowCollectors; histograms, bar charts, and pie charts; spreadsheet data export.
Open APIs Enable Third Parties to Leverage NetFlow. cflowd (ANS, BBN and CAIDA): traffic accounting by port, AS and network, and pure flow matrices. NeTraMet/NetFlowMet (by Nevil Brownlee): IETF's Realtime Traffic Flow Measurement (RTFM). smurfind (Walter Prue, USC/ISI): real-time DoS attack warnings.
End-to-end Coverage (figure of report types: health reports, service level reports, trend reports and exceptions reports, with sample report headers such as "Report for Thu 1/15/98", a baseline of "6 weeks (02/04/98 to 03/17/98)" and "Created: 05/15/98 12:00:16"). Data sources: router and LAN statistics, WAN statistics and access statistics (element and L2/L3/access stats); the NetFlow Collector (traffic flow stats); RMON probes; the SAA agent and Ping MIB (response time and availability stats).
Concord and NetFlow (figure: a Concord workstation producing daily reports, e.g. "Report for Thu 1/15/98", from a NetFlow Collector fed by NetFlow-enabled routers and L3 switches). Benefits: within Cisco IOS, a lower cost of entry than RMON/RMON2 probes; leverages the large installed base of Cisco routers and switches. Reports: router link, LAN and router utilization; application mix; communicating pairs.
Cisco NetFlow support (InfoVista; figure: routers feed InfoVista NetFlow Agents, which feed the InfoVista Server, whose data is accessed from InfoVista Clients and the InfoVista Web Access Server). Gather high-volume NetFlow data; combine it with other InfoVista data; analyze traffic flows by source and destination autonomous system, average packet size and protocols used.
Cisco NetFlow support End-User Benefits: A Service Provider can optimize its existing connections with other autonomous systems, plan new connections, and proactively identify problem areas. An Enterprise can use this information to identify network use patterns and to plan the evolution of its network infrastructure. Destination Autonomous System Source Autonomous Systems Packet distribution by source AS Automatic resolution of Autonomous System name
Description. RADIUS and TACACS+ accounting allow data to be sent at the start and end of services, indicating the amount of resources (time, packets, bytes, etc.) used during the session. AAA is used for login purposes in general: dial-in, Telnet and SSH, PPP.
RADIUS and TACACS+ Comparison.
- RADIUS (Remote Authentication Dial In User Service): standards-based client-server protocol (IETF); UDP-based (fast), recommended for high performance; only the password field is encrypted; shared key, never sent in clear over the network; user authentication to network access/services.
- TACACS+ (Terminal Access Controller Access Control System): rich feature set, allows command authorization and accounting; Cisco proprietary (but supported by other vendors); TCP-based (reliable); full packets are encrypted; shared key, never sent in clear over the network; user authentication to network devices.
AAA: Principles. Incoming and outgoing packets/bytes of an incoming call (no dial-out accounting). Each call can generate start and stop records, so each call reports two logs: an accounting request START with the start time, and an accounting request STOP with the stop time and the full accounting. AAA accounting is an improved logging system, but AAA is not used primarily for accounting. Adequate for billing because we have the username. Supported on all switching paths.
RADIUS Interaction (sequence between the user, the NAS and the RADIUS server).
1. The user dials in; the NAS accepts the call.
2. Pre-authentication: the NAS sends a Pre-Auth Access-Request, the server returns a Pre-Auth Access-Accept, and the call connects.
3. User authentication: the NAS sends an Access-Request, the server returns an Access-Accept, and the user is accepted and connects.
4. User accounting: the NAS sends an Accounting-Request (START), the server returns an Accounting-Ack.
5. The call disconnects: the NAS sends an Accounting-Request (STOP), the server returns an Accounting-Ack.
RADIUS Accounting Attributes (RFC 2866): 40 Acct-Status-Type, 41 Acct-Delay-Time, 42 Acct-Input-Octets, 43 Acct-Output-Octets, 44 Acct-Session-Id, 45 Acct-Authentic, 46 Acct-Session-Time, 47 Acct-Input-Packets, 48 Acct-Output-Packets, 49 Acct-Terminate-Cause, 50 Acct-Multi-Session-Id, 51 Acct-Link-Count.
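The accounting half of the RADIUS exchange on the preceding slides (Accounting-Request START and STOP carrying the RFC 2866 attributes, answered by an Accounting-Response), as an added Python example that is not from the deck and not a product implementation. It shows the point the comparison slide makes about the shared key never being sent over the network: the NAS proves knowledge of the secret through the 16-byte Request Authenticator, MD5 over the packet with the secret appended, and the server recomputes that value before it trusts a record. The secret, the user "steve", the NAS address 192.0.2.10, the session id and the octet counters are all constructed.

```python
"""RADIUS accounting (RFC 2866) with Request/Response Authenticator checks:
Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets +
Attributes + shared secret). Added example; all values are constructed."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
START, STOP = 1, 2
Attribute = Tuple[int, bytes]


def attr(kind: int, value) -> bytes:
    """Type-Length-Value encoding: integers as 4-byte big-endian, strings as UTF-8, bytes as-is."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attributes(body: bytes) -> List[Attribute]:
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        kind, length = body[i], body[i + 1]
        out.append((kind, body[i + 2:i + length]))
        i += length
    return out


def build_accounting_request(identifier: int, attributes: List[bytes], secret: bytes) -> bytes:
    """NAS side: header, Request Authenticator, attributes. The secret itself stays off the wire."""
    body = b"".join(attributes)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet: bytes, secret: bytes) -> Optional[Tuple[int, List[Attribute]]]:
    """Server side: None unless the authenticator proves knowledge of the shared secret."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    try:
        return identifier, parse_attributes(packet[20:])
    except ValueError:
        return None


def build_accounting_response(identifier: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + secret)."""
    head = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20)
    return head + hashlib.md5(head + request_authenticator + secret).digest()


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: the response must be bound to our request and to the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return len(response) >= 20 and hmac.compare_digest(response[4:20], expected)


class AccountingServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions: Dict[str, dict] = {}   # Acct-Session-Id -> accounting record

    def handle(self, packet: bytes) -> Optional[bytes]:
        """Returns the Accounting-Response, or None (silently discarded) for a bad authenticator."""
        parsed = verify_accounting_request(packet, self.secret)
        if parsed is None:
            return None
        identifier, attributes = parsed
        fields = dict(attributes)
        if ACCT_SESSION_ID not in fields or ACCT_STATUS_TYPE not in fields:
            return None
        integer = lambda kind: struct.unpack("!I", fields[kind])[0] if kind in fields else None
        record = self.sessions.setdefault(fields[ACCT_SESSION_ID].decode(), {})
        if integer(ACCT_STATUS_TYPE) == START:
            record["user"] = fields.get(USER_NAME, b"").decode()
            record["nas"] = socket.inet_ntoa(fields[NAS_IP_ADDRESS]) if NAS_IP_ADDRESS in fields else None
        elif integer(ACCT_STATUS_TYPE) == STOP:
            record.update(session_time=integer(ACCT_SESSION_TIME), input_octets=integer(ACCT_INPUT_OCTETS),
                          output_octets=integer(ACCT_OUTPUT_OCTETS))
        return build_accounting_response(identifier, packet[4:20], self.secret)


def demo() -> Tuple[Dict[str, dict], List[bool]]:
    """Constructed session: START, a forged STOP built with the wrong secret, then the real STOP."""
    secret = b"constructed-shared-secret"        # configured on both NAS and server, never transmitted
    server = AccountingServer(secret)
    common = [attr(USER_NAME, "steve"), attr(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
              attr(ACCT_SESSION_ID, "00000A1B")]
    start = build_accounting_request(1, common + [attr(ACCT_STATUS_TYPE, START)], secret)
    forged = build_accounting_request(2, common + [attr(ACCT_STATUS_TYPE, STOP),
                                                   attr(ACCT_SESSION_TIME, 1)], b"wrong-secret")
    stop = build_accounting_request(3, common + [attr(ACCT_STATUS_TYPE, STOP), attr(ACCT_SESSION_TIME, 600),
                                                 attr(ACCT_INPUT_OCTETS, 123456), attr(ACCT_OUTPUT_OCTETS, 7890)],
                                    secret)
    accepted = [server.handle(p) is not None for p in (start, forged, stop)]
    return server.sessions, accepted
```

The forged STOP is discarded without a response, as RFC 2866 requires for a bad authenticator, so the session's counters come only from the genuine STOP; the octet and time counters are exactly the attributes (42, 43, 46) the slide lists, which is what makes the record usable for billing once the username is attached.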
AAA Possible Applications (matrix). AAA is marked as applicable to: security analysis, user monitoring, usage-based billing. Not marked: network monitoring, network planning, application monitoring, traffic engineering, peering agreements, destination-sensitive billing.
Network Traffic Measurement and Analysis (system diagram): network devices supply raw packets to a flow generator; a flow capturer stores the flow information in a data store; a flow analyzer derives network characteristics from it; a presenter publishes the analyzed data on a web site, viewed through a web browser user interface. System design for the flow capturer and flow analyzer: a distributed, load-balancing architecture for scalability; traffic analysis and data reduction; presentation and reporting.
Ongoing Work. Support for various applications: streaming services, other P2P services. A distributed, load-balancing architecture for scalability: a parallel or distributed architecture that subdivides the monitoring system into several functional components, with efficient load sharing between sites. Considerations for small storage requirements: significant aggregation based on the ingress point; local reduction of the data should be effective.
Combine SNMP & RMON Utilize SNMP polling policies to gather key statistics on backbone/core routers and on MIB objects not related to flow-by-flow measurements Interface errors memory and CPU utilization Utilize RMON capabilities for detailed drilldown Application tracking Interface error analysis Packet capture for problem diagnosis and resolution Maximize network monitoring, management, and planning