At Plixer, it has been a very optimistic year for the future of NetFlow and IPFIX. More and more companies are recognizing the value of exporting flow information, and this is of course good for the industry, because NetFlow and IPFIX export data in a structured format. This makes correlating the data much faster and makes it easier for flow reporting tools to query. This is not true of information exported using a format like Syslog.
If a vendor exporting flows today was wise enough to recognize that IPFIX (i.e. not NetFlow) was the future of flow technology, they are now in a better position to export pretty much anything they want in a flow record.
Unlike IPFIX, NetFlow does not allow for variable length strings.
Because they went with IPFIX over NetFlow, these vendors do not have to worry about trumping each other's IDs, as IPFIX allows vendors to reuse the same ID as long as it is preceded by an IANA-assigned PEN (Private Enterprise Number). That's probably getting a bit too deep so I'll back up a bit.
Exporting 'anything' with NetFlow outside of what Cisco defines is not wise, because NetFlow technology is owned by Cisco and trying to reserve IDs for proprietary information is risky business. Why? Because it could get trumped by Cisco. I've seen it happen.
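The PEN scoping and variable-length strings described above, shown as an added example that is not from the original post or any vendor's code: a minimal parser for IPFIX template field specifiers and variable-length values as laid out in RFC 7011. The sample template and the PEN values 64496 and 64497 are constructed placeholders, not real vendor assignments.

```python
import struct

VARIABLE_LENGTH = 0xFFFF  # RFC 7011: template field length 65535 = variable length


def parse_field_specifiers(buf, count):
    """Parse `count` IPFIX template field specifiers (RFC 7011, section 3.2).

    Returns (pen, element_id, length) tuples; pen is None for IANA elements,
    length is None for variable-length elements.
    """
    fields, offset = [], 0
    for _ in range(count):
        if offset + 4 > len(buf):
            raise ValueError("truncated field specifier")
        raw_id, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        pen = None
        if raw_id & 0x8000:  # enterprise bit set: a 32-bit PEN follows
            if offset + 4 > len(buf):
                raise ValueError("enterprise bit set but PEN is missing")
            (pen,) = struct.unpack_from("!I", buf, offset)
            offset += 4
        fields.append((pen, raw_id & 0x7FFF,
                       None if length == VARIABLE_LENGTH else length))
    return fields


def read_variable_length(buf, offset=0):
    """Decode one variable-length value from a data record (RFC 7011, section 7)."""
    if offset >= len(buf):
        raise ValueError("missing length prefix")
    length = buf[offset]
    offset += 1
    if length == 255:  # long form: 255 followed by a 16-bit length
        if offset + 2 > len(buf):
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack_from("!H", buf, offset)
        offset += 2
    if offset + length > len(buf):
        raise ValueError("value runs past end of record")
    return buf[offset:offset + length], offset + length


# Constructed sample: one IANA element plus two vendor elements sharing ID 100.
SAMPLE_TEMPLATE = (
    struct.pack("!HH", 8, 4)                              # IANA sourceIPv4Address
    + struct.pack("!HHI", 0x8000 | 100, 0xFFFF, 64496)    # vendor A, ID 100, string
    + struct.pack("!HHI", 0x8000 | 100, 2, 64497)         # vendor B, ID 100, 2 bytes
)
```

Both vendor fields carry element ID 100, yet a collector keys them on the (PEN, ID) pair, so neither can override the other or an IANA-registered element.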
Did you know that Cisco is one of the largest advocates and developers of IPFIX, which provides all of the benefits of NetFlow? And they do this to the benefit of the entire Internet community. How nice is that! And, seeing how Plixer is largely dependent on NetFlow and IPFIX technology, I thought I would take this opportunity to give kudos to the vendors who are really leading the pack in terms of innovative flow exports. Although we are a few years away from an explosion in IPFIX support, the groundwork is in place.
I've worked with over two dozen NetFlow and IPFIX exporting companies and in doing so, I've recognized trends in the common mistakes being made. It has also become clear to me who the vendors are that carefully planned out their IPFIX export and the appropriate relationships between the flow associated meta and option data before they started programming.
However, even though they are only beginning to make the transition to IPFIX, Cisco is still leading the pack in terms of stretching the boundaries on what can be exported as a flow.
Performance Routing: Metrics on when available bandwidth is out of policy for end user traffic (i.e. passive) and synthetic traffic (i.e. active).
NBAR2: Deep packet inspection to discover applications which might be sharing the same ports (e.g. TCP port 80).
Smart Logging Telemetry: Packets that violate ACLs are captured and transferred in NetFlow Datagrams.
NetFlow-Lite: Packet samples are transferred in NetFlow or IPFIX datagrams.
Option templates on exporter statistics and interface names.
Several other projects that are under NDA.
Although Cisco leads the industry in terms of flow innovation, this is not to say that they always lead the industry with the most innovative details exported as elements. For example, for VoIP traffic, both the SonicWALL and the nProbe export caller ID! How many customers want to know the telephone number dialed? Cisco has yet to export this information; however, Cisco has plans to do so.
Although Cisco is the leader, flow innovation is coming from manufacturers all over the world.
And just this week, I received a NetFlow packet capture from a company in Asia called ZTE.
In summary, thank you Cisco and other flow supporting companies for your innovations. Please continue to reach out to Plixer for ideas on training and as a possible business partner. We all need to work together to ensure that this technology continues on a bright path.