During the LACNIC 44 meeting held in El Salvador, we presented the study titled “Telemetry Applied to Security Automation in IPv6 Networks,” the result of a collaboration between Universidad Católica de Salta (Argentina) and Universidade Estadual de Campinas (UNICAMP, Brasil).
The study provided practical evidence of how the use of modern telemetry protocols and programmable interfaces can transform the way we operate and protect IPv6 networks, combining visibility, automation, and security. As the number of devices, IoT sensors, and data flows have increased, network visibility and control have become essential.
For many years, network administrators relied on traditional technologies such as SNMP and CLI, which we became accustomed to using. However, these methods lack scalability, depend on unstructured formats, and offer limited real-time visibility, making it difficult to react quickly to security incidents or operational failures.
(Free access, no subscription required)
To address these limitations, the study introduced the concept of Network Telemetry, a new paradigm that replaces reactive data collection with a proactive and continuous model, integrating automation, security, and operational intelligence.
From Classic Monitoring to Smart Telemetry
Traditionally, network administrators used a polling model, periodically querying each device, usually via SNMP, to collect status information. This process not only generates operational overhead but also provides a fragmented and delayed view of network status.
In contrast, modern telemetry eliminates the need to poll devices and instead continuously transmits their performance metrics, CPU usage, traffic, or security events in structured, real-time data streams.
To address these limitations, the study introduced the concept of Network Telemetry, a new paradigm that replaces reactive data collection with a proactive and continuous model, integrating automation, security, and operational intelligence.
From Classic Monitoring to Smart Telemetry
Traditionally, network administrators used a polling model, periodically querying each device, usually via SNMP, to collect status information. This process not only generates operational overhead but also provides a fragmented and delayed view of network status.
In contrast, modern telemetry eliminates the need to poll devices and instead continuously transmits their performance metrics, CPU usage, traffic, or security events in structured, real-time data streams.
This shift is supported by next-generation protocols, such as:
NETCONF and RESTCONF, based on YANG models, which allow for standardized configuration and querying;
gNMI (gRPC Network Management Interface), designed for continuous and efficient streaming;
JSON-RPC, used for remote procedure calls in JSON format, ideal for integration with automation and security systems.
The combined use of these technologies forms what RFC 9232 defines as the Network Telemetry Framework, a set of processes and protocols that provide full visibility across the different network planes (data, control, and management).
Published by the IETF, RFC 9232 – Framework for Network Telemetry defines the architecture and fundamental principles of modern telemetry. It proposes implementation across all operational network planes, as outlined below:
Data plane telemetry: monitors traffic, packet statistics, losses, latencies, and flows.
Control plane telemetry: monitors routing and neighbor discovery protocols such as ICMPv6 ND, OSPFv3, and BGP.
Management plane telemetry: collects configuration metrics, logs, ACLs, policies, and security states.
The main goal of the framework is to enable visibility, automation, and smart event correlation, making it possible to detect anomalies, optimize performance, verify policy compliance, and—most importantly—automate incident responses in real time.
AI Applied to Network Automation
One of the distinctive aspects of this project is the use of Artificial Intelligence to support the research and development cycle. Python and Scapy scripts were automatically generated through prompt engineering, along with gNMI and JSON-RPC API configurations, integrated into an automated process control environment.
This methodology included three main phases:
Definition and Design: identification of the problem and modeling of the solution architecture.
Assisted Implementation: human-machine collaboration in the creation of scripts, commands, and component integration.
Validation and Control: security, performance, and robustness testing.
It should be noted that throughout the research, AI functioned strictly as a technical assistant. It did not replace the researcher, but instead increased efficiency and reduced task implementation times.
Case Study: IPv6 Telemetry and Security
The testing and simulation lab was developed on the Nokia SR Linux Streaming Telemetry Lab platform in a virtualized topology. Nodes were integrated with gNMIc (a gRPC-based client for collecting and subscribing to metrics) and visualized in Elasticsearch, Prometheus, and Grafana, an architecture that enabled real-time measurement of network behavior and dynamic response to events. Using this modern telemetry framework, we were able to address some of our research needs and overcome several challenges, such as:
Automatic discovery of hosts in IPv6 networks.
Detection of unknown or unauthorized devices.
Real-time mitigation of ICMPv6 Neighbor Discovery-based attacks through dynamic ACL enforcement.
Subscription to traffic and performance metrics on interfaces, ACLs, and CPU via gNMI streaming.
The following is part of an example of an automatically generated binding between a MAC address and IPv6:
Sends valid bindings via JSON-RPC to Elasticsearch for serialization and indexing, where they become a data source for visualization in Grafana.
Applies dynamic policies via JSON-RPC/YANG to accept or block ICMPv6 traffic according to predefined rules:
set acl acl-filter {iface} type ipv6 entry 10 match ipv6 next-header icmp6 source-ip prefix {ipv6_link_local}/128
set acl acl-filter {iface} type ipv6 entry 10 action accept
set acl acl-filter {iface} type ipv6 entry 11 match ipv6 next-header icmp6 source-ip prefix {ipv6_global}/128
set acl acl-filter {iface} type ipv6 entry 11 action accept
These metrics are collected via gNMI stream-mode sampling every five seconds and exported in Prometheus format, allowing instant visualization in Grafana.
Findings
The study demonstrated that modern telemetry based on gNMI and JSON-RPC not only monitors, but also integrates security, automation, and operational analytics into a single data stream. As a result, it is consolidating its role as a strategic element for IPv6 network reliability and security, enabling academic institutions, ISPs, and companies to advance toward the operation of smart, resilient, and autonomous networks.
Finally, the tests revealed significant improvements:
Early threat detection: streaming-based telemetry identifies traffic changes and anomalies almost instantly.
Mitigation automation: ACLs are dynamically applied, reducing human intervention and shortening response times.
True interoperability: the use of open YANG models (OpenConfig) eliminates vendor lock-in and simplifies integration.
