IPFIX Export at IXPs
Insights into Your IXP
Thomas King, CTO, DE-CIX
Swinog #37
www.de-cix.net
Motivation
- Insights into traffic statistics
- Beyond customer's rate limit / access port capacity
- No load on customer's router
- No router configuration needed
[Figure label: DE-CIX FRA]
IPFIX Protocol
- RFC 7011 [1]
- Templates
- 491 data fields defined [2]
- Dead and alive timeout
[1] https://tools.ietf.org/html/rfc7011
[2] http://www.iana.org/assignments/ipfix/ipfix.xhtml
Architecture
- Packet sampling rate 1:10k
- Dead timeout: 15 s, alive timeout: 60 s
Front-End [3]
- Customers choose from their MAC addresses
- Enter any target IP
- Select start/stop
[3] https://portal-beta.de-cix.net/statistics/ipfix-export
Implementation Challenges
- Incoming: one large IPFIX stream
- Outgoing: N filtered IPFIX streams to M target IP addresses
- Need for new IPFIX stream creation
[Diagram labels: IPFIX; Filter 1, Filter N-1, Filter N; /dev/null; Filtered IPFIX; Encrypter 1, Encrypter M; Encrypted IPFIX; Public Internet]
Design Space
- 1 Vermont [4] instance
- Config contains filters for every MAC address
- Output redirected to encrypter on demand
[4] https://github.com/tumi8/vermont/
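The per-MAC filtering step from the Implementation Challenges and Design Space slides, as an added example (not from the talk and not Vermont's code): a minimal RFC 7011 parser that keeps only the records carrying one customer MAC and re-frames them as a new stream with its own message length and data-record sequence number. `MacFilter` and `sample` are hypothetical names; it assumes fixed-length fields, 6-octet MAC fields, and drops options templates and sets with unknown templates.

```python
import struct
SRC_MAC, DST_MAC = 56, 80      # IANA IEs sourceMacAddress, destinationMacAddress
HDR = struct.Struct("!HHIII")  # version, length, export time, sequence, domain id

class MacFilter:               # hypothetical per-customer filter, not Vermont code
    def __init__(self, mac):
        self.mac, self.templates, self.seq = mac, {}, 0

    def learn(self, body, pos=0):  # template set -> record length, MAC offsets
        while pos + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, pos)
            pos, rec_len, offsets = pos + 4, 0, []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", body, pos)
                pos += 8 if ie & 0x8000 else 4  # skip enterprise number if set
                if ie in (SRC_MAC, DST_MAC):
                    offsets.append(rec_len)
                rec_len += flen                 # assumes fixed-length fields only
            self.templates[tid] = (rec_len, offsets)

    def process(self, msg):
        version, length, when, _, domain = HDR.unpack_from(msg)
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        out, kept, pos = b"", 0, HDR.size
        while pos + 4 <= length:
            set_id, set_len = struct.unpack_from("!HH", msg, pos)
            if set_len < 4 or pos + set_len > length:
                raise ValueError("bad set length")
            body = msg[pos + 4:pos + set_len]
            if set_id == 2:    # template set: learn it, forward it unchanged
                self.learn(body)
                out += msg[pos:pos + set_len]
            elif self.templates.get(set_id, (0,))[0]:  # data set, known template
                n, offs = self.templates[set_id]
                recs = [body[i:i + n] for i in range(0, len(body) - n + 1, n)]
                hits = [r for r in recs if any(r[o:o + 6] == self.mac for o in offs)]
                if hits:       # re-frame the surviving records as a new set
                    out += struct.pack("!HH", set_id, 4 + n * len(hits)) + b"".join(hits)
                    kept += len(hits)
            pos += set_len
        first, self.seq = self.seq, (self.seq + kept) & 0xFFFFFFFF  # own counter
        return HDR.pack(10, HDR.size + len(out), when, first, domain) + out if out else None

def sample():                  # constructed input: template 256 and three records
    a, b, c = (bytes.fromhex("02000000000" + d) for d in "123")
    recs = b"".join(struct.pack("!6s6sI", *f) for f in ((a, b, 100), (b, c, 200), (c, a, 300)))
    sets = struct.pack("!12H", 2, 20, 256, 3, SRC_MAC, 6, DST_MAC, 6, 1, 4, 256, 52) + recs
    return HDR.pack(10, HDR.size + len(sets), 1700000000, 41, 1) + sets, a
```

A record whose template has no MAC field, or whose template was never seen, is dropped rather than forwarded, so a filter never leaks another member's flows to the target IP.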
Back-End
- Dumping + filtering: Vermont
- No interruption upon request
- Approx. 1 minute delay
Receiving Data
- Open-source decrypter [5]
- Pmacct [6]
- FastNetMon [7]
[5] https://github.com/de-cix/udp-dtls-wrapper/
[6] http://www.pmacct.net/
[7] https://fastnetmon.com/
02.12.2021, The secret of the Internet
https://youtu.be/HS-PkYJhT0A
Planned Enhancements
- Configure transport port
- Overview of running exports
- Export via IPv6
- Support other DE-CIX locations (e.g. MUC, NYC)
- Webinar [8] – We already have that! ☺
[8] https://www.de-cix.net/de/about-de-cix/academy
Summary
- Self-managed IPFIX collection
- Sensitive data encrypted
- Analysis with own tools
- Free beta service
Thank you for your attention!
Any questions?