At DE-CIX Frankfurt, the DE-CIX IPFIX Export enables customers to receive IPFIX data of flow activity on their physical access. With the help of IPFIX data, more detailed insights into traffic characteristics can be obtained.
IPFIX Export has some advantages compared to the DE-CIX Service Insights System service. While the Service Insights System shows you a visualization of the traffic exchanged between two peering partners on the DE-CIX platform, the IPFIX Export data is machine-readable, offering you multiple possibilities to process it. You can, for example, process the data in your own programs, do your own analysis, save the data, or build your own graphs. The exported data is encrypted according to the DTLS 1.2 standard.
Currently, the service is available as a beta version and only in Frankfurt.
What is IPFIX
IPFIX is a IP flow information export standard (RFC 7011). It is a packet sampling technology and based on the sampled packets, traffic insights can be determined.
Data source and filtering process
IPFIX is a IP flow information export standard (RFC 7011). The flow information Export is randomly sampled (1 out of 10,000 packets) accross the entire DE-CIX Frankfurt peering platform. We filter your MAC address to extract only your subset of IPFIX data, i.e. traffic from and to your physical access (all configured VPLS on this port). Both incoming and outgoing traffic of the selected MAC address is filtered and exported. IP addresses are neither processed nor stored, but exported via an encrypted DTLS data stream.
Collecting the IFPIX data
When requesting an IPFIX Export, our back-end verifies whether there is already an export running for the IPv4 address provided. If there is no export running at that moment, a new "Encrypter" is instantiated and sends DLTS 1.2 conform Hello Messages to the provided IPv4 address of the IPFIX collector – the “Decrypter”.
On the IPFIX collector side, a suitable DTLS 1.2 decrypter must run in order to handle DTLS handshaking and data decryption. DE-CIX makes available a DTLS decrypter, both as source code (to be compiled) and as binary to be directly executed. The standalone binary version is pre-compiled for x86 Ubuntu Linux, 64bit. Both versions can be downloaded from our repository. More details can be found in the README.md file at the same repository location. The DTLS 1.2. decrypter provided by DE-CIX sends decrypted IPFIX data to the loopback IP address of the IPFIX collector on port 2055.
The decrypter expects one argument, namely the IP address of the interface it should bind to for listening for incoming data. This is the same IPv4 address that has been configured in the web interface of the IPFIX Export, i.e. the target IPv4 address of the IPFIX collector.
You can shut down the decrypter at any time. If a decrypter needs to be restarted, it might take a couple of seconds before the DTLS handshaking is reestablished and the IPFIX Export changes the used encryption key. We recommend to stop all running exports to a given IPv4 address, restart the decrypter and then restart the IPFIX data export.
Using the web interface
The web interface for starting or stopping an export is available under "Accesses & Services" (DE-CIX portal navigation bar):
Choose the Service to start IPFIX Export process. Click "edit" (bottom right of Service-box)
A new window will open. Choose "Blackholing and Statistics"
To start the IPFIX Export enter the IPv4 address of the IPFIX collector where the IPFIX flow data should be exported to. Click "Enable"
By clicking "Enable" the IPFIX Export process starts. Currently there is no feedback implemented to show that the Export process started. The Export can be stopped by entering the IPv4 address and clicking "Disable"
Please do not forget to disable the Export when it is no longer needed
It is possible to submit start requests sequentially if you wish to receive IPFIX data from multiple of your services.
Please don’t forget to stop your exports if you do not need them anymore. All initiated exports need to be stopped manually. The order is not relevant.
Exemplary usage process
Open "Accesses & Services" (DE-CIX portal navigation bar)
Choose a Service and click "edit"
Open "Blackholing and Statistics", enter the IPv4 address where you want to receive the IPFIX data (e.g., 1.33.74.2)
Click "Enable"
Download the standalone DTLS decrypter from the repository
Execute the decrypter and provide it with the IP address of the interface it should bind to
Capture the decrypted IPFIX in PCAP files using tcpdump -i lo udp port 2055 -G 60 -w my_ipfix_%F-%T-%Z.pcap
Do not forget to switch off the IPFIX export if it is not needed any longer, by repeating steps 1-4, but clicking "Disable" instead of "Enable"
If you have any questions about the IPFIX Export, please do not hesitate to contact us at [email protected].