What is IPFIX? IPFIX, which stands for IP Flow Information Export, is a term that most network admins and engineers may not be familiar with, but if you couple it with the term Netflow, which is commonly used when you reference analyzing network data, things will start to make more sense.
IPFIX is very similar to Netflow, in the sense that it allows network engineers and administrators to collect flow information from switches, routers and any other network devices that support the protocol, and to analyze the traffic flow information being sent by processing it through a Network/Netflow Analyzer.
Most commercial netflow analyzers have started integrating compatibility to collect and analyze IPFIX flow traffic as well as Netflow traffic.
History of The Protocol
The IPFIX protocol was created to be a common, universal protocol for exporting IP flow information from network devices, including switches, routers, firewalls and the like, to a Collector or Network Management System.
It is a standard created by the IETF that defines how flow information is exported, formatted and transferred from the agent to a collector/analyzer for further segmentation, analysis and logging.
Derived from Netflow Version 9, it uses many of the same procedures for exporting a “flow” to a Collector. Exporters and Collectors operate in a many-to-many relationship, meaning that an Exporter (or network device) can send to multiple Collectors and multiple Collectors can collect information from any number of Exporters/devices.
A flow consists of all traffic that belongs to the same communication context, which basically means all IP data packets that belong to the same “connection”.
Flow information is pushed to the collectors without the collectors needing to request it, and can be customized to include any number of pre-defined or user-defined information/data types. This flexibility is one of the protocol's strong suits, as vendors can create custom templates with the custom information they wish to collect and analyze.
What's the Difference Between IPFIX and Netflow?
So if IPFIX is similar to Cisco’s Netflow, then what are the major differences between Netflow and IPFIX? Let's highlight some of the major differences between the two:
- First off, IPFIX can carry information that would normally be sent via Syslog or SNMP directly in the IPFIX packet, thus eliminating the need for these additional services to collect data from each network device. This essentially allows hardware vendors to specify a Vendor ID and put any proprietary information into a flow and export it out to the collector/analyzer for further dissecting and monitoring.
- IPFIX also allows “variable”-length fields, which means that a field does not have to conform to a fixed length. Netflow does not allow this type of variable-length field. Variable-length fields let you save information such as URLs (which differ from site to site), messages, HTTP hosts, and more.
- Netflow v9 now supports Flexible Netflow which is almost equal to IPFIX.
IPFIX Port Number is: 4739
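To make the two differences above concrete, here is an added example (not code from this article or from any vendor) of a collector-side decoder, following the RFC 7011 wire format, that learns a template containing a vendor-specific, variable-length field and then decodes a record against it. The sample message is constructed; enterprise number 32473 is the one reserved for documentation, and element ID 1 under it is a hypothetical vendor field.

```python
import struct

VARLEN = 0xFFFF  # template field length that marks a variable-length field
SAMPLE = bytes.fromhex(  # constructed message; 0x7ed9 = 32473 (documentation PEN)
    "000a0043" "00000000" "00000000" "00000001"                     # header, 67 bytes
    "00020018" "01000003" "00080004" "000b0002" "8001ffff00007ed9"  # template 256
    "0100001b" "c000020a" "01bb" "10") + b"intranet.example"        # one data record

def parse_templates(body, templates, off=0):
    while off + 4 <= len(body):                 # a shorter tail is padding
        tid, count = struct.unpack_from("!HH", body, off)
        if tid < 256:
            raise ValueError("reserved template id")
        templates[tid], off = [], off + 4
        for _ in range(count):
            ie, length = struct.unpack_from("!HH", body, off)  # top bit = vendor field
            pen = struct.unpack_from("!I", body, off + 4)[0] if ie & 0x8000 else None
            templates[tid].append((pen, ie & 0x7FFF, length))
            off += 4 if pen is None else 8

def parse_record(body, off, fields):
    rec = {}
    for pen, ie, length in fields:
        if length == VARLEN:                    # real length travels in the record
            (length,), off = struct.unpack_from("!B", body, off), off + 1
            if length == 255:                   # 255 escapes to a 16-bit length
                (length,), off = struct.unpack_from("!H", body, off), off + 2
        if off + length > len(body):            # never trust an exporter's length
            raise ValueError("field overruns its set")
        rec[(pen, ie)], off = body[off:off + length], off + length
    return rec, off

def parse_message(msg, templates):
    if struct.unpack_from("!HH", msg) != (10, len(msg)):  # version 10, exact length
        raise ValueError("not a well-formed IPFIX message")
    records, off, total = [], 16, len(msg)
    while off + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > total:
            raise ValueError("bad set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                         # Template Set
            parse_templates(body, templates)
        fields, pos = templates.get(set_id, []), 0
        floor = max(1, sum(1 if n == VARLEN else n for _, _, n in fields))
        while fields and len(body) - pos >= floor:  # shorter remainder is padding
            rec, pos = parse_record(body, pos, fields)
            records.append(rec)
    return records
```

Malformed input raises `ValueError` or `struct.error` instead of reading past a set. A real collector keeps one template table per exporter and observation domain, since template IDs are only unique within that scope.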
Vendors who Support IPFIX
Soon after the IPFIX standard came to fruition, many network device and software vendors jumped on the bandwagon to support the protocol, which has Netflow-like capabilities.
Here's a list of some of the vendors that now support the protocol and manufacture IPFIX-capable hardware and software.
- Barracuda Networks
- Blue Coat
- Cisco Systems
- Extreme Networks
- F5 Networks
- Juniper Networks
- Open vSwitch
- Saisei Networks
This is a quick overview of “What is IPFIX” and what differences there are between it and Netflow.
If you get a chance, download one of these Netflow Analyzers that Support IPFIX to get a better understanding of how the protocol/standard is used and how it differs from Netflow and sFlow.
How do I implement IPFIX in my network?
To implement IPFIX in your network, you need to configure the network devices, such as routers and switches, to export network flow data using IPFIX, and set up a flow collector to receive and process the network flow data.
What is the difference between IPFIX and NetFlow?
IPFIX is an open standard for exporting network flow data, while NetFlow is a proprietary flow export protocol developed by Cisco Systems. IPFIX provides a more comprehensive and standardized approach to network flow data export, while NetFlow provides a more limited set of flow data export capabilities.
How do I analyze network flow data exported using IPFIX?
To analyze network flow data exported using IPFIX, you need to use a network management or security tool, such as a flow collector, that is capable of processing and analyzing IPFIX-exported flow data.
What are the security implications of IPFIX?
The security implications of IPFIX depend on how the IPFIX-exported flow data is processed and used. If the flow data is not properly secured, it can be used to gain unauthorized access to network resources or to perform other security attacks.
How does IPFIX support IPv6?
IPFIX supports IPv6 by providing flow data export capabilities for IPv6 flows, in addition to IPv4 flows.
How does IPFIX support custom flow types?
IPFIX supports custom flow types by providing the ability to define and export custom flow data fields, enabling organizations to export flow data that is specific to their network requirements.