Flows vs. Sessions

by Sorell Slaymaker

Most network engineers think flows are the same as sessions, but they are not. Sessions are different from flows in six subtle, but important ways. Next generation networks are being driven to be session oriented due to the limitations of flow based networking.

Sessions have the following characteristics that flows do not:

  1. End-to-end – Flows go between two points on a network and do not cross NAT boundaries. As soon as a flow traverses a firewall, it is in a new routing domain with different QoS policies. As mobile, cloud, and IoT continue to grow, users, applications, and devices are more often than not, on different networks. In order to provide end-to-end network security and maintain Quality of Experience (QoE), the network routing, QoS, and security must be maintained end-to-end. Another driver of maintaining end-to-end control is the migration of IPv4 to IPv6 to NDN (Named Data Networking), which is another form of a NAT boundary.
  2. Stateful – IP routing is stateless and routes each packet based on the IP address and port. A stateless connection is one in which no information is retained by either sender or receiver. TCP is used to manage state and is managed by the end servers. Firewalls are stateful and keep track of TCP/UDP sessions. The firewall tracks the attributes of the session such as sequence numbers and keeps this information in dynamic state tables. Load balancers and WAN Optimizers are added to networks to manage the state of a session to solve the problem of stateless routers.
  3. Dynamic – IP routing creates a fixed path between two networks. While routes can change based on network outages, being able to dynamically route a flow over multiple paths is not possible in a stateless network. Flows are packet based whereas sessions are services/application based. In a flow, all packets that are alike, are treated the same. For instance, if there are six concurrent cloud based video streams, the router will treat all the UDP packets the same once the flow is established. Session based networking allows each session to be dynamically treated different such as priority and bandwidth shaping.
  4. Bi-directional – Asymmetrical routing is when the transmit path is different than the receive path. Asymmetric routing will cause problems when Network Address Translation (NAT) is used in the routed path. For example, in firewalls, state information is built when the packets flow from a higher security domain to a lower security domain. If the return path passes through another firewall, the packet will not be allowed to traverse the firewall from the lower to higher security domain because the firewall in the return path will not have the state information. Directionality also is important for security and which direction may initiate a session.
  5. Multiple sessions can be in a single flow allowing for more granular control of applications. For instance, in a WebRTC based video conference, voice, video, and data are separate sessions within a single WebRTC encrypted flow. Because it is seen as just one flow, the traditional router cannot prioritize voice above video and data. Users do not mind too much if their video and data is running slow, but if voice gets interrupted, the conference call stops.
  6. Deterministic – Flows follow the path that is in the current routing table and maybe the shortest logical path, but not the highest performing path (latency, jitter, dropped packets) and/or lowest cost. Whereas session can be programmed to follow a specific route. The PSTN was designed where routes between nodes are pre-programmed in order to ensure the optimal path based on cost, quality, and utilization for each session. Sessions also have an exact start (first packet) and end (last packet) which is critical for application performance monitoring and security controls.

As applications traverse many disparate networks and video consumes more of a network’s capacity, cloud providers and enterprise will need to add dynamic session management, end-to-end, to ensure network security and QoE of the application. Not all sessions and applications are equal, and networks can only do so much with traditional flow controls of ACLs, QoS and CAC.