Please note NBAR/NetFlow integration wanted to be an example of using NetFlow/IPFIX as a transport for DPI classification info (where classification could be performed with any other in-line technology than NBAR). Whether NBAR works or does not as a classification technology is out of scope for me here - and seems also out of the op request.

Inline:

On Wed, May 07, 2014 at 04:15:44PM +0000, Dobbins, Roland wrote:
> So, perhaps now we can de-conflate flow telemetry and 'DPI', since the real-life export, collection, and analysis of anything other than layer-4 information via flow telemetry isn't at all commonplace (if it in fact exists at all) on production networks, at this juncture.

I disagree if anybody conflates here. I don't. I see two disjoint pieces: classification technology and transport of classification info to a central location. IPFIX, for example, is general (and standardized) enough to transport/encapsulate other info than just flow info, this might include DPI classification or other stuff.

You can also read this as: if you have to travel some info, why reinvent the wheel and not leverage a general-enough, standardized transport protocol (that btw you can contribute at any point to enhance if not satisfactory enough)?

And please it's nice to have different positions - no need to escalate.

Cheers,
Paolo
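
Added example, not part of the original message or of any exporter's code: a minimal IPFIX (RFC 7011) encoder and template-driven decoder showing a classification result travelling next to layer-4 fields in the `applicationId` element (IE 95, RFC 6759). The addresses, the classification engine ID and the selector ID are constructed sample values, and the parser assumes one template record per set and no enterprise-specific elements.

```python
import ipaddress
import struct

# IANA IPFIX information element IDs; applicationId (95) comes from RFC 6759.
IE = {8: "sourceIPv4Address", 12: "destinationIPv4Address",
      11: "destinationTransportPort", 4: "protocolIdentifier", 95: "applicationId"}
TEMPLATE_ID = 256                                     # lowest ID usable for data sets
FIELDS = [(8, 4), (12, 4), (11, 2), (4, 1), (95, 4)]  # (IE id, length in octets)
# Constructed records: src, dst, dst port, protocol, engine ID, selector ID.
SAMPLE = [("192.0.2.10", "198.51.100.20", 443, 6, 13, 453),
          ("192.0.2.11", "198.51.100.21", 53, 17, 13, 74)]

def build_message(records, export_time=0, seq=0, domain=1):
    """Encode one IPFIX message: a Template Set followed by a Data Set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in FIELDS)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl  # Set ID 2 = templates
    data = b""
    for src, dst, port, proto, engine, selector in records:
        data += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        data += struct.pack("!HB", port, proto)
        # applicationId = 1-octet classification engine ID + selector ID
        data += bytes([engine]) + selector.to_bytes(3, "big")
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = tmpl_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body

def parse_message(msg):
    """Decode records using only the template carried in the message itself."""
    version, length, _, _, _ = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, out, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:
            tid, n = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(n)]
        elif set_id in templates:  # data set described by a known template
            size = sum(ln for _, ln in templates[set_id])
            for start in range(0, len(body) - size + 1, size):
                rec, p = {}, start
                for ie, ln in templates[set_id]:
                    rec[IE.get(ie, ie)] = body[p:p + ln]
                    p += ln
                out.append(rec)
        off += set_len
    return out
```

The decoder never hard-codes the record layout: it learns from the template that field 95 is present, which is what lets a collector accept classification data from any in-line classifier without a new transport.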