I have a question for you marketing folks out there. Why are so many companies renaming their implementation of NetFlow or IPFIX? Here are some examples:

  • NetStream is 3Com’s rename of NetFlow
  • JFlow is Juniper’s rename of NetFlow
  • AppFlow is the Citrix’s rename of IPFIX
  • Nortel called it IPFIX when really it was NetFlow

Why not just call it what it is (i.e. NetFlow or IPFIX)? Why do these industry leaders have to rename it? Many of the same companies above support SNMP, why didn’t they rename that? They export syslogs, why didn’t they rename that? I think it is causing confusion in the industry.  Here are some vendors that didn’t change their implementations:

  • SonicWALL supports IPFIX and they just call it IPFIX. They didn’t call it ‘SonicFlow(TM)’
  • Enterasys supports NetFlow, they didn’t rename it ‘EnteraFlow(TM)’
  • nBox supports NetFlow and IPFIX, they didn’t rename it ‘nBoxFlow(TM)’
  • Plixer Mailinizer exports IPFIX, they didn’t rename it ‘PlixFix(TM)’
  • I can list a few others, but I’m sure you get the point. If the intention is to help marketing, I don’t think it will work or help the industry. It’s sort of like of copying a technology and then saying “what we have is unique and better,” but in this case it really isn’t.

Why Not Re-Name sFlow?
We don’t see any of the vendors that support sFlow renaming it. How come?  To be fair, sFlow really isn’t as open as IPFIX. This is because sFlow is done in hardware via a proprietary chip and IPFIX and NetFlow may or may not be done in hardware.  It is still a great technology yet no one renames it.

 

It Isn’t Different, It’s Just Done Well
We are very familiar with all of the exports from these companies and there is nothing enhanced about their exports beyond the way that IPFIX was intended to be implemented. SonicWALL IPFIX exports URLs, VPN details, Latency, Packet Loss, CallerID, Virus details, Intrusions, Usernames, etc., etc. Yes, it is enhanced beyond traditional NetFlow v5 or even how most vendors implement IPFIX; however, it is still IPFIX and nothing more. And rightfully, SonicWALL calls it IPFIX.

To say that the SonicWALL, nBox and Citrix implementations of IPFIX are “very impressive” is something that I would whole heartedly agree with. Good job guys!

NetFlow and IPFIX Have Roots in SNMP
In the world of SNMP there is MIB II and the Enterprise MIB. Standards based SNMP values are under 1.3.6.1.2.1. Think of this as the basic export available in NetFlow v5. On the other hand, the Enterprise enhanced values are under the Enterprise MIB 1.3.6.1.4.1.. This would include all the cool stuff that the SonicWALL, nBox and Citrix are exporting related to Latency, URLs, Packet Loss, etc. IPFIX works the same way. In fact, you use the same IANA registered private enterprise number in IPFIX for vendor specific elements that was used in SNMP.

Why This Re-Name Strategy Causes Confusion
I think calling it something else is causing confusion.  In the end, the sales and support people at these companies consistently say, “it’s really just NetFlow,” when speaking with customers – and they do it for obvious reasons. They want customers to know that it is a standards-based solution. Check this out: The 3Com SR6600 Router NetFlow timers are incorrect and we don’t see an occurrence of Netstream anywhere on the page.

I’m sure Nortel’s mislabeling of NetFlow to IPFIX didn’t help their sales. Also, the Nortel IPFIX position that IPFIX is “an improvement on the NetFlow v9 protocol” simply is not true. NetFlow is alive and well and pretty much the same as IPFIX. I’m told that someday Cisco may switch to IPFIX and I doubt they will rename it. Imagine, they own NetFlow(TM) and will be moving away from it to take on what everyone else is using: IPFIX.

Juniper is now supporting IPFIX and to the best of my knowledge they just call it IPFIX (i.e. not JFlow).  I think calling it what it really is makes the most sense.

What do you think?

Jake Bergeron author pic

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply