Building a Better NetFlow
Network operators need to determine the composition of the traffic mix
on links when looking for dominant applications or users, or when estimating
traffic matrices. Cisco's NetFlow has evolved into a solution that
satisfies this need by reporting flow records that summarize a sample of
the traffic traversing the link. But sampled NetFlow has shortcomings
that hinder the collection and analysis of traffic data.
We propose Adaptive NetFlow, deployable through an update to router
software, which addresses many shortcomings of NetFlow by dynamically
adapting the sampling rate to achieve robustness without sacrificing
accuracy. To enable counting of non-TCP flows, we propose an optional
Flow Counting Extension that requires augmenting existing hardware at
routers. Both our proposed solutions readily provide descriptions of the
traffic of progressively smaller sizes. Transmitting these at
progressively higher levels of reliability allows graceful degradation
of the accuracy of traffic reports in response to network congestion on
the reporting path.
Bio:
David Moore is a popular speaker and researcher with expertise in
Internet measurement and network security. He is a principal
investigator and the technical director of the Cooperative Association
for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center
at UCSD and also a computer science PhD candidate at the University of
California, San Diego.
His work with others on tracking denial-of-service attacks and Internet
worm spread has appeared in Information Security Magazine, IEEE Security
& Privacy Magazine and Scientific American and, of course, Slashdot.
His presentations include invited talks at Usenix LISA, Usenix Security,
NANOG (North American Operators Group), and others.