[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection

To: Thomas Dietz <Thomas.Dietz@netlab.nec.de>
Subject: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
From: Paul Aitken <paitken@cisco.com>
Date: Sat, 25 Mar 2006 16:39:21 +0000
Cc: Gerhard Muenz <muenz@informatik.uni-tuebingen.de>, psamp <psamp@ops.ietf.org>
In-reply-to: <200603241344.22667.Thomas.Dietz@netlab.nec.de>
References: <440C206A.9050902@cisco.com> <200603240944.38909.Thomas.Dietz@netlab.nec.de> <4423C3C4.30608@informatik.uni-tuebingen.de> <200603241344.22667.Thomas.Dietz@netlab.nec.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) Gecko/20050811 Fedora/1.7.10-1.2.1.legacy

Thomas,

I understand now that there are two decisions to take:

1 - do we allow payload in those IEs
2 - how do we encode it
So, I guess we all agreed that it may be benefitial in some cases to includepayload in those IEs. So the question remains how do I encode it that thecollector nows that there is payload and it is the real payload and notsomething that was just nulled to hide content.


I'd say that this text says you're not allowed to do that:

      If insufficient octets are available for the length specified in
      the template, the packet section must be sent with a new template
      using either a fixed length Information Element of the necessary
      size or a variable length Information Element.  It's not
      permissible to pad a short packet section to a longer length.

Reasons:

1. "insufficient octets are available" because of a security concern(rather than because they simply didn't exist).

2. nulling payload to hide the content is essentially padding out thepacket section to the necessary length, which is explicitly forbidden bythe last line.

I then would propose to use variable length elements by default.

It's definitely necessary if you want to export the packet from thestart of the IP header to the end of the L4 info to get the port numbers(assuming that the header packet section runs right through into thepayload).

It is a localdecision of the exporter if it will always export only header bytes or if itwill include some bytes of the payload. The localconfiguration/implementation may impose a maximum limit of those chunks butagain thats a design and implementation decision of the exporter.


You're clearly in favour of solution (2). I also favour this solution.

The collector should be able to decide where the header ends and the payloadstarts (if any payload is in).
Paul, I hope this also meets your requirements.


Yes, thanks.

So I propose to adopt solution (2) unless anyone raises seriousobjections by next Friday.


--
Paul Aitken
Cisco Systems Ltd, Edinburgh, Scotland.

--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>

References:
- PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Paul Aitken <paitken@cisco.com>
- Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Thomas Dietz <Thomas.Dietz@netlab.nec.de>
- Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Gerhard Muenz <muenz@informatik.uni-tuebingen.de>
- Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
  - From: Thomas Dietz <Thomas.Dietz@netlab.nec.de>

Prev by Date: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Next by Date: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Previous by thread: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Next by thread: Re: PSAMP: ipHeaderPacketSection and mplsLabelStackSection
Index(es):
- Date
- Thread