[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

sFlow vs netFlow/IPFIX

Subject: sFlow vs netFlow/IPFIX
From: rdobbins at arbor.net (Roland Dobbins)
Date: Mon, 29 Feb 2016 15:38:10 +0700
In-reply-to: <CALgsdbeH-m0SAWDqeogYVwkxgfVHwKUi9QEuLjjFdMeieG3Cmw@mail.gmail.com>
References: <[email protected]> <[email protected]> <CAPkb-7ApSOtGJg_E+LECSA83qVmVEeG82cbrfX_5M22KPGr57Q@mail.gmail.com> <[email protected]> <[email protected]> <CALgsdbfkth3YXg6xzUoOhRzkobgGie5i0f4uq-f2cjFFSF8dWg@mail.gmail.com> <[email protected]> <CALgsdbeLo-pmoU6h9tCckyKdjMiVS=fdwuD=GMgLe8-84088QQ@mail.gmail.com> <[email protected]> <CALgsdbeH-m0SAWDqeogYVwkxgfVHwKUi9QEuLjjFdMeieG3Cmw@mail.gmail.com>

On 29 Feb 2016, at 15:12, Pavel Odintsov wrote:

> Looks like you haven't so much field experience with sflow. I could
> help and offer some real field experience below.

I've already recounted my real-world operational experience with 
NetFlow.

> I have my own netflow collector implementation for netflow v5, netflow 
> v9 and IPFIX (just check my repository

Coding something and using something operationally are two different 
things.  I'm not a coder, but I've used NetFlow operationally since 
1998, primarily on Cisco platforms (some Junipers, but I don't know a 
lot about Juniper boxes).

> So you know about Mirkotik implementation of netflow (they have
> minimum possible active and inactive timeout - 60 seconds) ?

Yes.  That does not equate to a 60s delay in 
detection/classifying/tracing back a SYN-flood, or anything else.

> Or what about old Cisco routers which support only 180 seconds as 
> active timeouts?

I think you're referring to the *default* value for the active flow 
timer, which can of course be altered.

> Could they offer affordable time for telemetry delivery?

Yes, because there has never been any such router, and also because 
cache size and other tunable parameters, as well as FIFOing out of flows 
when the cache is full, guarantees that very few flows of the type seen 
in DDoS traffic hang around in the cache for any appreciable length of 
time.

> Because not all netflow implementations are OK. And definitely some 
> netflow implementations are broken.

You can search the archives on this list and see my previous detailed 
explanation of NetFlow caveats on Cisco 6500/7600 with EARL6 and EARL7 
ASICs.

Your statements about it taking an inordinately long time to 
detect/classify/traceback SYN-floods and other types of DDoS attacks 
utilizing NetFlow implementations (with the exceptions of crippled 
implementations like the aforementioned EARL6/EARL7 and pre-Sup7 Cisco 
4500) are simply untrue.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

Follow-Ups:
- sFlow vs netFlow/IPFIX
  - From: pavel.odintsov at gmail.com (Pavel Odintsov)

References:
- sFlow vs netFlow/IPFIX
  - From: todd.crane at n5tech.com (Todd Crane)
- sFlow vs netFlow/IPFIX
  - From: nick at foobar.org (Nick Hilliard)
- sFlow vs netFlow/IPFIX
  - From: baldur.norddahl at gmail.com (Baldur Norddahl)
- sFlow vs netFlow/IPFIX
  - From: rdobbins at arbor.net (Roland Dobbins)
- sFlow vs netFlow/IPFIX
  - From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- sFlow vs netFlow/IPFIX
  - From: pavel.odintsov at gmail.com (Pavel Odintsov)
- sFlow vs netFlow/IPFIX
  - From: rdobbins at arbor.net (Roland Dobbins)
- sFlow vs netFlow/IPFIX
  - From: pavel.odintsov at gmail.com (Pavel Odintsov)
- sFlow vs netFlow/IPFIX
  - From: rdobbins at arbor.net (Roland Dobbins)
- sFlow vs netFlow/IPFIX
  - From: pavel.odintsov at gmail.com (Pavel Odintsov)

Prev by Date: sFlow vs netFlow/IPFIX
Next by Date: sFlow vs netFlow/IPFIX
Previous by thread: sFlow vs netFlow/IPFIX
Next by thread: sFlow vs netFlow/IPFIX
Index(es):
- Date
- Thread