
Re: draft on sampling techniques



Hi Tanja,

A couple of observations about the draft:

1) For content-based sampling, you say that we can base the decision on field values or hash functions. Do we really want all devices in the network to support functionality such as "sample all packets coming from IP address X"? Is this useful? Is this dangerous? Is this prone to misconfigurations that would result in too many packets being selected?
We *must* specify what the hash functions are that we base the sampling decision on and what fields they take as input and also in section 4.2 how the network operator can "seed" them so that the system cannot be manipulated/evaded by "the bad guys". This is because devices from different vendors have to be consistent. I would incline towards not making the fields the hash is computed on configurable (i.e. hard code in the standard what (invariant) fields we hash on). Other opinions?

2) Stratified sampling looks like it can get complex (although I never designed a switch or router), but it's useful. I propose we make it possible that devices don't support it at all or offer only limited support (e.g. limiting the number of classes and the type of classification they support). Also we need to clearly define what kind of classification rules we want. One option is to use the filtering rules for classification: the filter not only says if we want the packet or not but it also says which category it is in, which decides what sampling parameters apply to it. Can the classes to which various parameters apply be overlapping? If so, does the packet go to all or just one of them (e.g. decrementing the counters that keep track of how far the next sampled packet from that class is)? If just one, which one?

3) I believe this document should also contain the safeguards we need to put in to avoid floods of sampled packets due to misconfiguration or attacks on the measurement infrastructure. The simplest thing that comes to my mind is defining a leaky bucket regulator that would limit the rate and the burst size for the samples being sent to the collection station.

4) Definition of filters might go here too.

Cheers,

Cristian

Tanja Zseby wrote:

Dear psamp people,

I started a draft on sampling techniques for packet selection (document is attached). The document tries to define some terminology and describes various sampling methods and their parameters.
If you have any comments or if you would like to contribute some text, please let me know.
I know that there were once some volunteers for writing psamp documents. Are there people already working on other documents than the framework draft?

Kind regards
Tanja



--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>
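
An added illustration of point 1 in the message above (not part of the original thread or of the draft): a sampling decision made by a keyed hash over invariant packet fields, so that devices sharing the operator's seed select the same packets while a sender who does not know the seed cannot predict the selection. HMAC-SHA256, the field list, the packet dictionaries and all function names are assumptions chosen for the sketch, not what psamp specifies.

```python
import hashlib
import hmac
import ipaddress
import struct

def invariant_bytes(pkt, prefix_len=16):
    """Serialize only fields that stay the same hop to hop (TTL is left out)."""
    return (ipaddress.ip_address(pkt["src"]).packed
            + ipaddress.ip_address(pkt["dst"]).packed
            + struct.pack("!HB", pkt["ip_id"], pkt["proto"])
            + pkt["payload"][:prefix_len])

def is_selected(seed, pkt, rate):
    """Keyed hash mapped to [0, 2**64) and compared with a rate threshold."""
    digest = hmac.new(seed, invariant_bytes(pkt), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") < int(rate * 2**64)

def selected_ids(seed, packets, rate):
    """IP IDs of the packets a device holding `seed` would sample."""
    return {p["ip_id"] for p in packets if is_selected(seed, p, rate)}

def constructed_packets(n=2000, ttl=64):
    """Constructed sample traffic (documentation addresses), not captured data."""
    return [{"src": "192.0.2.10", "dst": "198.51.100.7", "ip_id": i,
             "proto": 17, "ttl": ttl, "payload": b"probe-%d" % i}
            for i in range(n)]

if __name__ == "__main__":
    seed = b"operator-secret-seed"            # placeholder seed value
    upstream = constructed_packets(ttl=64)    # as seen by the first device
    downstream = constructed_packets(ttl=61)  # same packets three hops later
    a = selected_ids(seed, upstream, 0.1)
    b = selected_ids(seed, downstream, 0.1)
    print("sampled:", len(a), "devices agree:", a == b)
    # A different seed picks a different subset, so knowing which packets
    # one seed selects does not reveal what another seed will select.
    other = selected_ids(b"other-seed", upstream, 0.1)
    print("overlap with other seed:", len(a & other))
```
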