[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: question on draft charter
Rae McLellan wrote:
> >> In the current draft charter for the PSAMP working group,
> >> Nick Duffield wrote:
> >> Network elements shall support several parallel packet samplers,
> >> each with independently configurable packet selectors, reports,
> >> report streams, and export.
> >> Are you using "network element" to refer to a an entire IP router,
> >> or individual linecards within an IP router? Is each linecard
> >> generating a single report stream and the sum of all linecards
> >> within a network element creating the "independently configurable
> >> packet selectors, reports, report streams, and export"? Or are
> >> you suggesting each linecard support multiple "parallel packet
> >> samplers, each with independently configurable packet selectors,
> >> reports, report streams, and export"?
> >> The use of "shall" in your text makes me worry if its the latter.
> >> Rae McLellan
> > can you be more specific about why you are worried?
It's the latter that is proposed: multiple parallel samplers on the same
element e.g. linecard.
There are two separate questions here (1) why have multiple parallel
packet selectors, and, if you do, then (2) why have separate reporting
streams from them.
For the first: there's demand for this from users. For example, have one
sampler do baseline reporting with 1 in N sampling for some large N,
a second dynamically configured as a filter to drill down on anomalous
traffic, and a third hash-sampling to an on-board security application.
> well... my biggest concern is for the amount and type of buffering
> for accumulating the samples prior to their being sent via a
> report stream. Multiple report streams imply multiple buffers.
> These buffers behave differently than other packet buffers in
> a linecard because their contents grows not in full packet
> increments, but sporadically as packets are sampled. They have
> to be kept separate to maintain their integrity (to prevent
> interdigitation of other data). Each report stream also requires
> a separate destination IP address and sequence number generator.
> For high speed routers, this will have to be maintained in
> hardware registers. Since there is a limit, (i.e. it can't be
> infinite) I'd suggest it be just one.
There's a big difference between one and infinity! The number
of parallel samplers is an area where hardware vendors can
distinguish themselves. A PSMAP WG could produce some guidelines
here. At least a handful would be useful.
Is buffer management really such a big issue? My expectation is
that once the packet is selected, it's comparatively easy to form
reports and perform other tasks in software, given the lower rate
of selected packets compared with the line rate. And there isn't need
for much buffering if the packet reports are exported immediately.
> Let the downstream collector
> create the multiple logical report streams for their potentially
> multiple network analysis stations based on a single physical
> report stream coming from each linecard.
For the second question: report streams to on-board applications need
to be separated from streams to off-board applications. Merging the
streams to different off-board apps carries its own costs: managing
non-uniform report format; each packet must indicate which selector(s)
is matched; export rate control becomes coupled across streams;
architectural requirements for the collection system.
> What is to be done for
> example if a single packet is sampled by multiple rulesets in
> a linecard and must go out on several different report streams?
> Copying the packet sample to each report stream creates an ugly
> bandwidth multiplication.
This is a small effect assuming the overlap between packet selectors is
small. For example, if there are two selectors, say 1 in N sampling and
filter, then packets matching both selector comprise only about 1 in N
But it's recognized that there may be recourse shortages if a
packet happens to match too many selectors. That's why item 4
in the draft charter talks about "allowed degradation of packet
reporting when packets are selected by multiple packet samplers",
> This is much easier and cleanly
> performed at a collection agent handling a geographical part
> of the network on behalf of multiple network management agents.
> Putting it all in the linecard is excessive, IMHO.
> Rae McLellan
> to unsubscribe send a message to email@example.com with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/psamp/>
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.