RE: next step
Cristian,
I liked your summary. My thoughts about filtering & sampling:
>SPECIFY THE TYPE OF FILTERING OPERATIONS THAT SELECTORS CAN
>PERFORM.
Filtering involves
1. Applying a filtering operation at userspace, kernelspace, or card (logical
or physical interface) in both inbound & outbound directions with
some matching predicates
2. After the filter match, do logging or sampling or marking or
counting or applying some rate limiting
4. Compile the filter code to optimize
5. Make sure your policies are applied to the prefix list
6. Filtering doesn't alone act as a pointer to sampling but
also to expose DoS attacks, classify packets, rate limiting.
But, I am not sure whether packet filters can be modified in real time,
which will be useful from a security point of view.
I was of the same thinking that filtering should be explicitly chartered.
But, my present understanding of filtering (as mentioned above) sees
some reasons for obviating the explicit mentioning of filtering.
1. The filtering decision (code generation & optimization, predicate selection,
mapping operation) & type of filtering operation are highly dependent on the
vendor's implementation and so types of filtering operations can be left
in the hands of customers sometimes.
2. Explicit mentioning will also force us to indulge in some operations other
than sampling as mentioned in point 6.
But also, filtering & sampling are highly interdependent and interleaving :-)
>It might make sense to make filters (or more complicated filters (e.g.
>the ones that involve digging up fields from the TCP header which is not
>at a fixed location because of IP options)) optional, but I think it's
>best to address these details later.
I don't think digging up the TCP header will make the filter operation complex (IMHO).
The simple reason being: a BPF filter itself can do this operation in an
optimized way. This all depends on how well your predicate grammar is written
in the code generation part. There are many declarative languages for filter
specification to make this work simple.
- Senthil.
--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>
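
Added example, not part of the original message or of any PSAMP document: the variable-offset TCP header lookup discussed in the thread, written in C beside a naive fixed-offset matcher that breaks when IP options are present. The function names, the `check` helper and the sample packet are assumptions constructed for illustration; the buffer is assumed to start at the IPv4 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Naive matcher: assumes a 20-byte IPv4 header, so the TCP destination
 * port is read at a fixed offset (20 + 2). Wrong when options are present. */
int match_fixed_offset(const uint8_t *ip, size_t len, uint16_t port)
{
    if (len < 24 || ip[9] != 6)
        return 0;
    return (uint16_t)(ip[22] << 8 | ip[23]) == port;
}

/* Variable-offset matcher: header length = 4 * (first byte & 0x0f), the
 * same arithmetic classic BPF performs with its BPF_MSH load mode. */
int match_tcp_dport(const uint8_t *ip, size_t len, uint16_t port)
{
    if (len < 20 || (ip[0] >> 4) != 4 || ip[9] != 6)
        return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 4)            /* malformed or truncated */
        return 0;
    if (((ip[6] & 0x1f) << 8 | ip[7]) != 0)   /* later fragment: no TCP header */
        return 0;
    return (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]) == port;
}

/* Constructed sample: IPv4 header with opt_words 32-bit words of NOP
 * options, followed by a TCP header with destination port 80. The last
 * `trim` bytes are cut off to simulate a truncated capture. */
int check(unsigned opt_words, size_t trim, int use_fixed)
{
    uint8_t pkt[80];
    size_t ihl = 20 + 4 * (size_t)opt_words, len = ihl + 20;
    if (opt_words > 10 || trim > len)
        return -1;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | ihl / 4);       /* version 4, IHL in words */
    pkt[2] = (uint8_t)(len >> 8); pkt[3] = (uint8_t)len;
    pkt[8] = 64;                               /* TTL */
    pkt[9] = 6;                                /* protocol: TCP */
    memset(pkt + 20, 0x01, ihl - 20);          /* NOP options */
    pkt[ihl + 3] = 80;                         /* TCP destination port */
    pkt[ihl + 12] = 0x50;                      /* TCP data offset: 5 words */
    len -= trim;
    return use_fixed ? match_fixed_offset(pkt, len, 80)
                     : match_tcp_dport(pkt, len, 80);
}
```

With two words of options the fixed-offset matcher reads option bytes instead of the port and misses the packet, while the variable-offset matcher costs only one extra masked load and the bounds checks.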