One of the reasons to analyze flow data is to make purchase\peering decisions. The sFlow standard seems to only include source and destination AS, though I know some route platforms have extensions to provide additional data.
- How common is it to have the additional extensions to include that data for analysis?
- I have seen flow tools that show the entire AS path. Are they just cherry picking which platforms they showcase for the best marketing, or are they enriching the data they receive from “lesser” platforms from an outside source?
For that purpose, knowing what ASes your data goes to is useful. It’s even more useful to find an upstream network that includes a bunch of those.
Full AS-path information isn’t typically included in flow telemetry records. One typically receives origin-AS and destination-AS from exporting devices, along with BGP next-hop information.
Tools which provide the detailed type of information you’re describing typically provide combinatorial analysis of both flow telemetry received from edge routers and either live or offline BGP routing information.
[Full disclosure: I work for a vendor of such tools.]
* nanog@ics-il.net (Mike Hammett) [Tue 04 Apr 2023, 15:06 CEST]:
1) How common is it to have the additional extensions to include that data for analysis?
pmacct is a commonly used tool to enrich flow data with such information.
-- Niels.
Export of destination AS-Path is supported in the sFlow extended_gateway structure.
/* Extended Gateway Data */
/* opaque = flow_data; enterprise = 0; format = 1003 */
struct extended_gateway {
next_hop nexthop; /* Address of the border router that should
be used for the destination network */
unsigned int as; /* Autonomous system number of router */
unsigned int src_as; /* Autonomous system number of source */
unsigned int src_peer_as; /* Autonomous system number of source peer */
as_path_type dst_as_path<>; /* Autonomous system path to the destination */
unsigned int communities<>; /* Communities associated with this route */
unsigned int localpref; /* LocalPref associated with this route */
}
Arista EOS supports aspath if you enable sflow extension bgp. Cisco also claims to support the feature on IOS XR platforms.
In addition to BGP, there are a number of MPLS, tunnel encap/decap etc. sFlow extended structures.
Also optical interface metrics, dropped packet notifications, and more:
[https://sflow.org/developers/specifications.php](https://sflow.org/developers/specifications.php)
Export of destination AS-Path is supported in the sFlow extended_gateway structure.
As a consumer of sFlow, [as well as NetFlow, IPFIX, etc.] I haven’t run into the use of this option in production, FWIW.
In addition to BGP, there are a number of MPLS, tunnel encap/decap etc. sFlow extended structures.
Some of these options are encountered fairly frequently; others, not so much. As you note, they have different applications.
Also optical interface metrics, dropped packet notifications, and more:
Dropped traffic is pretty much universally supported and utilized, in my experience. Other options, again, not very often.
Some flow telemetry implementations support packet export, to one degree or another; and, of course, there’s PSAMP, which utilizes IPFIX as its transport. AFAIK, these aren’t observed very often in production, to date.
Hi,
Extreme also supports it, and we use it for conducting statistics against dst_as/dst_peer_as to perform "traffic engineering" specifically for the transit paths. dst_as_path can also identify possible future peering situations or undesirable paths.
BR
Jörg