
Netflow and IPv6

Author
Jeffrey Forman

Now that I'm handing out IPv6 addresses to various VLANs on my network, I needed a way to see what percentage of my traffic was actually using IPv6. Enter pf, pflow, and ntop. pf is used by my router/firewall to process packets and to mark their states for pflow export. pflow(4) is a pseudo-device on the router/firewall that exports the accounting data for those states, as NetFlow or IPFIX records over UDP, to a remote collector. nprobe is the collector, and ntopng is the visualization application for digging into the traffic statistics. Below is the configuration to hook it all up.

pf.conf snippet:

set state-defaults pflow

set state-defaults applies the listed state options to every rule that creates state, so the pflow option does not have to be repeated on each rule with an explicit keep state. Since pass rules keep state by default, and my ruleset is deny-by-default with explicit pass rules for the traffic I allow, every flow that is let through is accounted on the pflow interface (blocked traffic creates no state and so never shows up in the flow data). By default, the pflow interface is pflow0.

# cat /etc/hostname.pflow0

flowsrc 10.10.2.1 flowdst 10.10.2.201:2055

The pflow0 interface is configured with the source address the exporter sends from (flowsrc) and the collector address and UDP port it sends to (flowdst). The flow data goes out as plain UDP datagrams, so the flowdst port must be the port the collector listens on. Note that pflow defaults to NetFlow version 5, which carries only IPv4 flows; to get IPv6 flows exported at all, hostname.pflow0 also needs pflowproto 10 (IPFIX). Enter nprobe, a NetFlow/IPFIX probe that receives the flow records and forwards them to ntopng. The only command-line flag to nprobe which took some research was the v9/IPFIX template (-T). The default template is pretty conservative and, by default, does not include the IPv6 address fields, so IPv6 flows never make it through to ntopng. The nprobe options (one per line; if you pass them on a single shell command line, quote the -T value, since it contains spaces):

nprobe

--zmq tcp://*:5556
--collector-port 3001
--collector none
--interface none
--flow-version 10
-T=%IP_PROTOCOL_VERSION %IPV4_SRC_ADDR %IPV6_SRC_ADDR %IPV4_DST_ADDR %IPV6_DST_ADDR %IPV4_NEXT_HOP %IPV6_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV6_SRC_MASK %IPV4_DST_MASK %IPV6_DST_MASK
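To make concrete what that template carries, here is an added example of mine (not code from the post, from pflow, or from ntop/nprobe): a minimal IPFIX (flow version 10) decoder in Python that learns a template record, decodes the data records that follow it, and computes the share of bytes carried over IPv6, which is the figure the post is after. The field IDs are the IANA information element numbers behind the names in the -T line above (ipVersion = 60, sourceIPv4Address = 8, destinationIPv4Address = 12, sourceIPv6Address = 27, destinationIPv6Address = 28, octetDeltaCount = 1). The sample message and its three flows are constructed inline, not captured from the author's network, and use documentation prefixes rather than the post's 2001:beef:b00c::/48. Variable-length fields and options templates are not handled.

```python
import struct
from ipaddress import ip_address

# IANA IPFIX information element IDs for the fields used in the nprobe
# template on this page (names in comments are nprobe's -T names).
OCTET_DELTA_COUNT = 1      # %IN_BYTES
SRC_IPV4 = 8               # %IPV4_SRC_ADDR
DST_IPV4 = 12              # %IPV4_DST_ADDR
SRC_IPV6 = 27              # %IPV6_SRC_ADDR
DST_IPV6 = 28              # %IPV6_DST_ADDR
IP_VERSION = 60            # %IP_PROTOCOL_VERSION
ADDRESS_FIELDS = {SRC_IPV4, DST_IPV4, SRC_IPV6, DST_IPV6}

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2        # RFC 7011: set id 2 = template set, >= 256 = data set
SAMPLE_TEMPLATE_ID = 256   # template id chosen for the constructed sample


def parse_ipfix(message: bytes, templates: dict) -> list:
    """Decode one IPFIX message. Learned templates are kept in `templates`
    (template id -> list of (ie_id, length)) across calls; data records come
    back as dicts keyed by IE id. A data set whose template has not been seen
    yet is skipped, which is what a freshly started collector sees until the
    exporter resends its templates."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", message[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX (version {version})")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", message[offset:offset + 4])
        if set_len < 4:
            raise ValueError("malformed set length")
        body = message[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_template_set(body, templates)
        elif set_id >= 256:
            records.extend(_parse_data_set(body, templates.get(set_id)))
        offset += set_len
    return records


def _parse_template_set(body: bytes, templates: dict) -> None:
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        fields = []
        for _ in range(field_count):
            ie_id, field_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ie_id & 0x8000:         # enterprise-specific IE: skip its 4-byte PEN
                ie_id &= 0x7FFF
                pos += 4
            fields.append((ie_id, field_len))
        templates[template_id] = fields


def _parse_data_set(body: bytes, fields) -> list:
    if fields is None:                 # template not learned yet: nothing to decode
        return []
    record_len = sum(flen for _, flen in fields)
    records, pos = [], 0
    while pos + record_len <= len(body):
        rec = {}
        for ie_id, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            # ip_address() accepts 4- or 16-byte packed addresses directly
            rec[ie_id] = str(ip_address(raw)) if ie_id in ADDRESS_FIELDS else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def ipv6_share(records) -> float:
    """Percentage of bytes carried over IPv6. An IPv4 record exported with a
    template that includes IPv6 fields carries them zero-filled (::)."""
    total = v6 = 0
    for rec in records:
        octets = rec.get(OCTET_DELTA_COUNT, 0)
        total += octets
        if rec.get(IP_VERSION) == 6 or rec.get(SRC_IPV6, "::") != "::":
            v6 += octets
    return 100.0 * v6 / total if total else 0.0


def build_sample_message(include_template: bool = True) -> bytes:
    """Constructed IPFIX message: one template with both address families and
    three flows (two IPv4, one IPv6). Not captured from any real exporter."""
    fields = [(IP_VERSION, 1), (SRC_IPV4, 4), (DST_IPV4, 4),
              (SRC_IPV6, 16), (DST_IPV6, 16), (OCTET_DELTA_COUNT, 4)]
    template = struct.pack("!HH", SAMPLE_TEMPLATE_ID, len(fields))
    template += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    sets = b""
    if include_template:
        sets += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template

    def record(src: str, dst: str, octets: int) -> bytes:
        a, b = ip_address(src), ip_address(dst)
        v4 = (a.packed, b.packed) if a.version == 4 else (bytes(4), bytes(4))
        v6 = (a.packed, b.packed) if a.version == 6 else (bytes(16), bytes(16))
        return bytes([a.version]) + v4[0] + v4[1] + v6[0] + v6[1] + struct.pack("!I", octets)

    data = (record("10.10.2.50", "198.51.100.7", 7000)
            + record("10.10.2.51", "198.51.100.9", 1000)
            + record("2001:db8:b00c::10", "2001:db8:1::53", 2000))
    sets += struct.pack("!HH", SAMPLE_TEMPLATE_ID, 4 + len(data)) + data
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), 1536278400, 0, 1)
    return header + sets


def demo() -> tuple:
    """Data arriving before its template decodes to nothing; once the template
    has been seen, all three flows decode and IPv6 accounts for 20% of bytes."""
    templates = {}
    early = parse_ipfix(build_sample_message(include_template=False), templates)
    recs = parse_ipfix(build_sample_message(), templates)
    return len(early), len(recs), ipv6_share(recs)


if __name__ == "__main__":
    print(demo())  # (0, 3, 20.0)
```

The decoder keys records on the IPv6 fields being present in the template, which is the whole reason the default nprobe template did not work here: a template without %IPV6_SRC_ADDR and friends has nowhere to put an IPv6 flow, so the collector never sees one, and the share would silently read 0%.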

The final piece is ntopng, for the actual visualization. Its config file can get pretty long, but in my case I only needed to specify a few options. --interface points ntopng at nprobe's ZMQ endpoint rather than at a network interface; nprobe binds that endpoint on all interfaces (tcp://*:5556) with no authentication, so since ntopng connects from 127.0.0.1, binding nprobe to tcp://127.0.0.1:5556 instead keeps the flow feed off the network. --local-networks was important to me because it lets ntopng break the traffic graphs down into local and remote traffic, and it needs both the IPv4 and the IPv6 prefixes, since the whole point of this was to see how much of my local IPv6 traffic was actually reaching remote IPv6 services.

/etc/ntopng.conf

--community --interface="tcp://127.0.0.1:5556" --local-networks="10.10.0.0/16,2001:beef:b00c::/48" --dns-mode=1

As of September 2018, roughly 17% of my traffic is traversing the wire using IPv6.

Sources: