Within the context of computer networks, a flow is defined as a unidirectional sequence of packets between two network endpoints, one of which acts as the source and the other as the destination. Historically, the seven key fields that have been used to uniquely identify an IPv4 flow are:
- Source IP Address
- Destination IP Address
- Layer 3 Protocol Type
- Source Port Number
- Destination Port Number
- Type of Service (ToS)
- Input Logical Interface
Netflow is a feature designed to provide visibility into how network resources are being used. The flow data obtained by means of Netflow may be applied to domains such as capacity planning, network application monitoring, accounting and security analysis.
Although Netflow was originally defined for IPv4, it is also available for IPv6 and, as such, it becomes an interesting resource for gaining more visibility into the traffic flowing through your v6 network.
Figure 1 revisits, as a quick reference, the base IPv6 header. It is included here to make it easier to relate the Netflow fields analyzed later to the header fields they are derived from.
Flexible Netflow is an evolution that allows us to select the fields that make up the flow record, meaning that we are no longer limited to a fixed set of predefined fields. The set of fields selected provides a particular perspective on a given group of packets crossing the L3 device. For instance, certain fields may be useful for capacity planning, while a distinct combination could be more meaningful for security tasks such as spotting Denial of Service (DoS) attempts.
A sample configuration of Flexible Netflow for IPv6 is summarized in Figure 2 to facilitate the understanding of the basic concepts:
- We define the fields that comprise the flow record. The match statements identify the key fields, whereas collect statements determine the non-key fields. (It is a good exercise to compare the IPv6 base header fields with those shown in Figure 2.)
- Key fields define the flow identity: if two packets differ in any one of the key fields, they are not part of the same flow. Non-key fields are simply collected (or accumulated, in the case of counters) for the flow they belong to.
- The flow exporter defines how flow data is exported (destination IP address, destination UDP port and source interface). Notice that, in this example, v6 flow information is still exported over IPv4.
- The flow monitor ties together the flow record and the flow exporter, and is later bound to an interface (in either the ingress or egress direction).
- Figure 2 also exemplifies a possible view of the flow monitor cache.
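The following Cisco IOS configuration is an added example that walks through the four steps above (record, exporter, monitor, interface binding) for IPv6; it is not the configuration from Figure 2 and the names (FNF-IPV6-RECORD, FNF-IPV6-EXPORTER, FNF-IPV6-MONITOR), the collector address 192.0.2.10, the UDP port 2055 and the interface names are assumptions chosen for illustration. The key fields (match) map directly onto the IPv6 base header plus the transport ports and input interface, while the non-key fields (collect) are the counters and timestamps needed to size a flow.

```cisco
! Step 1: flow record. "match" = key fields (flow identity), "collect" = non-key fields.
flow record FNF-IPV6-RECORD
 description IPv6 key fields taken from the base header + L4 ports
 match ipv6 source address
 match ipv6 destination address
 match ipv6 protocol
 match ipv6 traffic-class
 match ipv6 flow-label
 match transport source-port
 match transport destination-port
 match interface input
 collect ipv6 hop-limit
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2: flow exporter. The collector address is an assumed IPv4 host,
! i.e. v6 flow records are carried inside IPv4/UDP to the collector.
flow exporter FNF-IPV6-EXPORTER
 description export IPv6 flow data over IPv4 to the collector
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Step 3: flow monitor ties the record and the exporter together.
! The active timeout controls how often long-lived flows are exported.
flow monitor FNF-IPV6-MONITOR
 description IPv6 monitor bound to the ingress of the uplink
 record FNF-IPV6-RECORD
 exporter FNF-IPV6-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: bind the monitor to an interface in the ingress direction.
interface GigabitEthernet0/1
 description uplink (assumed)
 ipv6 address 2001:db8:1::1/64
 ipv6 flow monitor FNF-IPV6-MONITOR input
!
! Verification: the first command prints the flow monitor cache (the view
! exemplified in Figure 2), the second shows exporter statistics.
! show flow monitor FNF-IPV6-MONITOR cache
! show flow exporter FNF-IPV6-EXPORTER statistics
```

Two practical checks follow from the key/non-key distinction. First, every field listed under match multiplies the number of cache entries: with the flow label and traffic class as key fields, a source that varies them per packet (deliberately or because of a misbehaving stack) will fragment what is logically one conversation into many flows, so drop those two to match only when you need them. Second, the exporter sends the cache over plain UDP, so the collector's network must be trusted (or the management plane kept separate), since there is no integrity protection on the exported records.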
** Related Posts:
- IPv6 Series: https://alexandremspmoraes.wordpress.com/tag/ipv6/