RE: next step

>The filtering
>we are discussing is really "selection" (in fact, maybe we should
>avoid using the term "filter" because it seems to confuse people
>on this point).  As far as I understand it, psamp would not take
>any *actions* that would affect the flow of traffic in any way.
>Rather, psamp is just recording measurement records for the packets
>that are selected and sampled.
   Please correct me if I am wrong. My definition of packet filtering:
an operation which checks every packet across its port and, if it maps
with a predicate, passes it to the next level (in our case, sampling). Here,
filtering essentially aids the selection procedure.
  At times, we cannot avoid explicit mention of *filter*, as:
- filtering is one of the ways of selection
- selection can also be done by other ways in addition to filtering.
>> 1. Applying filtering operation at userspace, kernelspace, card (logical
>> or physical interface) in both inbound & outbound direction with some
>> matching predicates
>I'm not sure I understand your point about user space, kernel space,
>and card.  We should define what the filtering criteria are, but we
>shouldn't take a stand on how/where the operation is implemented.
   Point 1 is more of an implementation issue, as pointed out by you.
This will surely be outside the scope of psamp. Packet filtering
can be done at:
- user level (writing our own code in userland using raw sockets and putting
  the Ethernet card into promiscuous mode and writing code for packet
  filtering)
- kernel level (BPF filter - as a virtual machine)
- within cards (commercial vendors do this at the ASIC level)
- even inside routers (loopback interface - difficult at high speeds, as
  mentioned by you)

>> 6. Filtering doesn't alone act as a pointer to sampling but
>> also to expose DoS attack, classify packet, rate limiting.
>Sorry, I didn't understand this point.  What do you mean by "act
>as a pointer to sampling" 
  My usage of words was wrong. I can explain to clarify my view.
In the filtering operation, incoming packets are compared with the
predicates and mapped. The predicate may be a tuple <offset,length,mask,
value> as in path finder (http://citeseer.nj.nec.com/bailey94pathfinder.html).
Uniform sampling, i.e. selecting 1 in N packets, can be done by using
a predicate * for every <N>  <pred> *. It will sample 1 in N packets meeting
the <pred> predicate.
>and "expose Dos attack"? 
I totally misinterpreted at this point. Thanks for pointing it out. This is once
again a rant about applications. Disregard the sixth point :-).
This was more to stress the use of filtering for various on-board applications like:
- source address verification:
- tracing the DoS attack path
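
The <offset,length,mask,value> predicate and the 1-in-N selection of packets meeting it, as discussed in the message above, shown as an added example that is not part of the original post. The class and function names, the sample filter (TCP from 192.0.2.0/24), the constructed IPv4 headers and the count-based reading of "1 in N" are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Predicate:
    """One <offset, length, mask, value> tuple over the raw packet bytes."""
    offset: int
    length: int
    mask: int
    value: int

    def matches(self, pkt: bytes) -> bool:
        end = self.offset + self.length
        if end > len(pkt):  # truncated packet: field absent, so no match
            return False
        field = int.from_bytes(pkt[self.offset:end], "big")
        return (field & self.mask) == (self.value & self.mask)

class OneInNSelector:
    """Counts packets meeting every predicate and selects each Nth one."""
    def __init__(self, predicates, n: int):
        if n < 1:
            raise ValueError("n must be >= 1")
        self.predicates, self.n, self.matched = list(predicates), n, 0

    def select(self, pkt: bytes) -> bool:
        if not all(p.matches(pkt) for p in self.predicates):
            return False  # filtered out: does not advance the 1-in-N count
        self.matched += 1
        return self.matched % self.n == 0

def ipv4_header(proto: int, src: str) -> bytes:
    """Constructed 20-byte IPv4 header (checksum zero) used as sample input."""
    head = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0])
    dst = ipaddress.IPv4Address("203.0.113.1").packed
    return head + ipaddress.IPv4Address(src).packed + dst

# Assumed filter: IP version 4, protocol TCP (6), source in 192.0.2.0/24.
TCP_FROM_TEST_NET = [Predicate(0, 1, 0xF0, 0x40), Predicate(9, 1, 0xFF, 6),
                     Predicate(12, 4, 0xFFFFFF00, 0xC0000200)]

def demo(n: int = 3) -> list:
    packets = []
    for i in range(1, 10):
        packets.append(ipv4_header(6, f"192.0.2.{i}"))   # meets the filter
        packets.append(ipv4_header(17, f"192.0.2.{i}"))  # UDP: filtered out
    packets.append(ipv4_header(6, "198.51.100.7"))       # wrong source prefix
    packets.append(ipv4_header(6, "192.0.2.99")[:10])    # truncated header
    selector = OneInNSelector(TCP_FROM_TEST_NET, n)
    return [i for i, pkt in enumerate(packets) if selector.select(pkt)]
```

demo() returns the indices of the selected packets; the selector only marks packets for measurement and never drops or alters them.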