
RE: next step



I also agree with Cristian that it is not clear from the proposed charter
whether PSAMP will include the export of packet headers. Could this be
clarified?

There are a number of advantages in making the packet headers available. For
example, a common way to characterize and document an attack is using
tcpdump. This would be possible if packet headers are available. If only
certain extracted fields are available, these fields may not include enough
information to fully characterize and document an attack.

In addition, if packet headers are made available, any analysis is possible.
New uses of traffic data are supported much more easily by upgrading a data
collection/analysis process rather than revising the code (and standard) at
the measurement point.

Sonia Panchen
InMon Corp

> -----Original Message-----
> From: owner-psamp@ops.ietf.org [mailto:owner-psamp@ops.ietf.org]On
> Behalf Of Cristian Estan
> Sent: Tuesday, April 09, 2002 10:16 AM
> To: Nick Duffield
> Cc: psamp@ops.ietf.org; Bert Wijnen; Randy Bush
> Subject: Re: next step
>
>
> Hi Nick,
>
> Sorry for the delay in answering, but I was caught up with other stuff.
> This might not be the right time to address some of the issues I raise
> below, but if so, just let me know.
>
> First of all what is the time scale? By when do we need to finish this
> charter? What about the other documents?
>
> Now feedback on the charter:
>
> 1. Filtering is not mentioned in the charter and neither is drill-down.
> My understanding is that we also want to do this. If so, the charter has
> to mention that we want to a) give a protocol for configuring new report
> streams in real time. Furthermore we also need to b) give the exact
> syntax and semantics for the filters we might want to use (e.g. only
> report on packets from prefix X because that's what we want to track for
> some reason). We might put this under the generic heading of selectors
> for packet sampling, but IMO we need to mention it explicitly.
>
> 2. There are some terms whose meaning is not exactly clear to me. I am
> specifically not clear about overlaps between these terms and other types
> of relations (e.g. A is an instantiation of B) between them.
>
> a) report structure defined in 2.
> b) format of packet reports defined in 3. i)
> c) the packet reports defined in 3 ii)
> d) report format used in 5.
> e) report stream format used in 5.
> f) export as used in 5.
>
> 3. Heading 2. seems to implicitly exclude the possibility of full
> packets or chunks thereof being forwarded/exported to the management
> station. I think we should explicitly say that unparsed packets (or
> parts of packets (e.g. the first x bytes)) can be included in the reports.
>
> 4. This overlaps a little with my point 1 a). 5. says that the export
> destination should be dynamically configurable. Why just the
> destination? Why not the other parameters too?
>
> 5. Minor point that's maybe not for the charter document to address, but
> are we living at layer 3 or layer 2 (or both)? More exactly do we care
> about MAC headers and the like or we specifically target only the IP
> packet from within?
>
> Cheers,
>
> Cristian
>
> Nick Duffield wrote:
>
> >Folks,
> >
> >as I understand from our area directors, the next step is for us to
> >agree upon a charter. This will be taken to the IESG, and that body
> >will decide whether to charter PSAMP as an IETF Working Group.
> >
> >This will involve reaching a consensus on the aims, scope, and
> >issues arising out of the talks and discussions at the BOF. As a
> >starting point, I'll take the draft charter from the BOF agenda
> >
> >http://www.ietf.org/ietf/02mar/psamp.txt
> >
> >and flesh out the thinner parts over the next few days.
> >Please send any comments on this draft charter to the list.
> >
> >Thanks,
> >
> >Nick
> >
> >--
> >to unsubscribe send a message to psamp-request@ops.ietf.org with
> >the word 'unsubscribe' in a single line as the message text body.
> >archive: <http://ops.ietf.org/lists/psamp/>
> >
>
>
>
>

