RE: next step
>The filtering
>we are discussing is really "selection" (in fact, maybe we should
>avoid using the term "filter" because it seems to confuse people
>on this point). As far as I understand it, psamp would not take
>any *actions* that would affect the flow of traffic in any way.
>Rather, psamp is just recording measurement records for the packets
>that are selected and sampled.
Please correct me if I am wrong. My definition of packet filtering:
an operation which checks every packet across its port and, if it maps
with a predicate, passes it to the next level (in our case sampling). Here, filtering
essentially aids the selection procedure.
At times, we cannot avoid explicitly mentioning *filter*, as
- filtering is one of the ways of selection
- selection can also be done in other ways in addition to filtering.
>> 1. Applying filtering operation at userspace, kernelspace, card (logical
>> or physical interface) in both inbound & outbound direction with some
>> matching predicates
>
>I'm not sure I understand your point about user space, kernel space,
>and card. We should define what the filtering criteria are, but we
>shouldn't take a stand on how/where the operation is implemented.
Point 1 is more of an implementation issue, as pointed out by you.
This will surely be outside the scope of psamp. Packet filtering
can be done at:
- user level (writing our own code in user land using raw sockets, putting
the Ethernet card into promiscuous mode and writing code for packet
filtering)
- kernel level (BPF filter - as a virtual machine)
http://citeseer.nj.nec.com/mccanne92bsd.html
- within cards (commercial vendors do it at ASIC level)
- even inside routers (loopback interface - difficult at high speeds, as
mentioned by you)
>> 6. Filtering doesn't alone act as a pointer to sampling but
>> also to expose DoS attack, classify packet, rate limiting.
>
>Sorry, I didn't understand this point. What do you mean by "act
>as a pointer to sampling"
My usage of words was wrong. I can explain to clarify my view.
In the filtering operation, incoming packets are compared with the
predicates and mapped. The predicate may be a tuple <offset,length,mask,
value> as in Pathfinder (http://citeseer.nj.nec.com/bailey94pathfinder.html).
Uniform sampling, i.e. selecting 1 in N packets, can be done by using
a predicate * for every <N> <pred> *. It will sample 1 in N packets meeting
the <pred> predicate.
>and "expose Dos attack"?
I totally misinterpreted at this point. Thanks for pointing it out. This is once
again a rant about applications. Disregard the sixth point :-).
This was more to stress the use of filtering for various on-board applications like:
- source address verification
- tracing the DoS attack path
-Senthil
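
Added example, not part of the original message or of any psamp document: a sketch of the selection described above, where a packet is matched against an <offset,length,mask,value> predicate and 1 in N of the matching packets is selected for a measurement record. The struct and function names, the 4-byte field limit, the count-based 1-in-N scheme and the sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical <offset,length,mask,value> predicate; field is 1..4 bytes. */
struct predicate { size_t offset, length; uint32_t mask, value; };

/* 1-in-N count-based sampling over the packets that match pred. */
struct selector { struct predicate pred; unsigned n, matched; };

/* Returns 1 if the packet satisfies the predicate; short packets never match. */
int pred_match(const struct predicate *p, const uint8_t *pkt, size_t len)
{
    uint32_t field = 0;
    if (p->length == 0 || p->length > 4 || p->offset > len ||
        p->length > len - p->offset)
        return 0;                      /* field would run past the packet */
    for (size_t i = 0; i < p->length; i++)
        field = (field << 8) | pkt[p->offset + i];   /* network byte order */
    return (field & p->mask) == (p->value & p->mask);
}

/* Returns 1 when a measurement record should be made for this packet.
 * It only selects: the packet itself is never dropped or modified. */
int select_packet(struct selector *s, const uint8_t *pkt, size_t len)
{
    if (s->n == 0 || !pred_match(&s->pred, pkt, len))
        return 0;
    return (++s->matched % s->n) == 0;   /* every Nth matching packet */
}

/* Constructed input: `total` IPv4 headers alternating UDP and TCP. */
unsigned demo(unsigned total, unsigned n)
{
    uint8_t udp[20] = {0x45}, tcp[20] = {0x45};
    struct selector s = { { 9, 1, 0xff, 17 }, n, 0 };  /* protocol == UDP */
    unsigned picked = 0;
    udp[9] = 17;
    tcp[9] = 6;
    for (unsigned i = 0; i < total; i++)
        picked += (unsigned)select_packet(&s, (i % 2) ? tcp : udp, sizeof udp);
    return picked;
}

int main(void) { printf("selected %u of 20\n", demo(20, 5)); return 0; }
```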