I got this google alert the other day and it caught my attention because it talked about configuring IPFIX and the link went to a pdf on Juniper XGS 5000 IPFIX Support. Apparently the Juniper Networks Security Network Protection XGS 5000, a next generation IPS now supports IPFIX but really, it’s NetFlow. I got sort of excited because I love finding out about new gear that supports NetFlow or IPFIX. I clicked on the link and in the first paragraph I read:
“Juniper Networks Security Network Protection XGS 5000, a next generation IPS, is an example of a device that sends flow traffic in IPFIX flow format.” YEE HA! I want to get me some. I kept reading and and saw this “IPFIX provides more flow information and deeper insight than NetFlow v9.” Which isn’t exactly true. Although IPFIX is a bit more open to the Internet community than NetFlow and IPFIX allows for variable length strings among other things, NetFlow is still very much used to send information that provides incredibly deep insight. Never the less, I kept reading thinking I was going to run into something on JFlow Network Traffic Analysis. What I found was even more interesting:
- “The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE).” Really? Maybe at Juniper but, not in the industry.
- “IPFIX uses User Datagram Protocol (UDP) to deliver NDEs.” Use IPFIX to deliver NetFlow? What is going on here?
- “Ensure the IPFIX template from the IPFIX source includes the following fields:” And then most if not all NetFlow (i.e. not IPFIX) fields are listed:
- IN_BYTES or OUT_BYTES
- IN_PKTS or OUT_PKTS
- TCP_FLAGS (TCP flows only)
MESSAGE TO JUNIPER: NetFlow and IPFIX are very similar however, they are different technologies. As different as an orange is to a tangerine. The terms cannot be used interchangeably because they really are different technologies. END MESSAGE
My hunch is that what Juniper is exporting is NetFlow and not IPFIX. If they would send us a packet capture, we will look at this byte as we did for the wrongly claimed Nortel IPFIX Support. Where we pointed out that Nortel really wasn’t supporting IPFIX despite their marketing claims.
Notice above it says 00 09 (Version v9). According to the RFC, it should be 00 0a, if it was truly IPFIX.
<<< — begin paste from the RFC— >>>
RFC 5101 IPFIX Protocol Specification January 2008
Message Header Field Descriptions:
Version of Flow Record format exported in this message. The value of this field is 0x000a for the current version, incrementing by one the version used in the NetFlow services export version 9 [RFC3954].
<<< — end paste — >>>
We love working with new NetFlow and IPFIX hardware but, vendors need to read up before calling something IPFIX Vs. calling it NetFlow. Here is a great post on What is IPFIX. I hope it helps. Despite the issues I found, I would like to finish this blog by saying: nice work Juniper, it is good to see you getting on the IPFIX and NetFlow bandwagon!
NOTE: Any vendor interested in exporting IPFIX should reach out to us for complementary consulting.
For a free 30 day trial of Scrutinizer, Download Now!Tags: Juniper XGS IPFIX, NetFlow, Network Traffic Analysis