nanog mailing list archives

Re: About NetFlow/IPFIX and DPI


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 7 May 2014 14:44:58 +0000


On May 7, 2014, at 8:11 PM, Antoine Meillet <antoine.meillet () gmail com> wrote:

> Should those protocols be considered as tools to perform DPI ?

No - they're flow telemetry exported by routers and switches, and they provide layer-4 information.

It's possible with Cisco Flexible NetFlow and with PSAMP exported over IPFIX to get packet contents; however, few if 
any collection/analysis systems utilize either extended telemetry format, to date.  I've never seen either implemented 
in a production network.

NetFlow and IPFIX are primarily used for security purposes such as DDoS detection/classification/traceback and botnet 
C&C identification; for traffic engineering analysis; capacity planning analysis; for troubleshooting; and for billing 
purposes.  Flow telemetry is an essential tool that ISPs and larger enterprises utilize in order to get a view into 
their network traffic, because it scales for large networks - and it does so because it doesn't typically include 
packet payloads, just the layer-4 information.  It's sort of like a near-time mobile phone bill for the network.

'DPI' generally (but not always) refers to devices which are placed inline and perform full multi-packet payload 
reassembly and inspection.  The term has been used (and misused) so broadly as to become essentially meaningless.

NetFlow and IPFIX are merely telemetry formats used by network engineers for the purposes noted above.  

This presentation talks about how NetFlow is used by network operators:

<https://app.box.com/s/mnshn99c13uekrggy99b>

Network neutrality is largely an issue of policy and of economics, not of technology, per se.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

