Re: draft-morrow-filter-caps-00 comments
- To: "Howard C. Berkowitz" <hcb@gettcomm.com>
- Subject: Re: draft-morrow-filter-caps-00 comments
- From: George Jones <eludom@gmail.com>
- Date: Thu, 10 Mar 2005 14:21:29 -0600
- Cc: opsec@ops.ietf.org
- In-reply-to: <p06110445be560157ed00@192.168.0.2>
- References: <Pine.LNX.4.61.0503061734000.7043@netcore.fi> <c1468ac50503080846477a4c62@mail.gmail.com> <p06110445be560157ed00@192.168.0.2>
- Reply-to: gmj@pobox.com
On Thu, 10 Mar 2005 08:58:57 -0500, Howard C. Berkowitz
<hcb@gettcomm.com> wrote:
> I'm sorry if I missed this being there already, but I'd like to see a
> survey of statistics/logging with respect to filters in operational
> practice.
Seems like another fine candidate for the Benchmark Methodology WG.
> Clearly, too fine-grained a level of filtering (e.g., with
> static ACL logging), with a high traffic volume, will overwhelm most
> processors. Some means of reducing this load is probably going to be
> needed in any production system.
Or at least an understanding of the potential impact (silent drop, spike
processor, increased traffic due to logging).
>
> And what are these means? Certainly there's a spectrum. I'd put
> "diversion" at the top of the list -- rerouting problematic traffic
> to a sinkhole where detailed analysis can be done.
>
> At whatever point the filtering/inspection/whatever is done, there
> are a range of levels of detail that can be taken, such as:
>
> Complete packet capture with decode [1]
> Complete packet capture [1]
> Header capture [1]
Isn't that what PSAMP was doing?
> Exact counts of packets matching complex expression [2]
> Exact counts of packets matching simple expression (e.g., source)
Counts are good. Accurate counts are better. I believe these are
already addressed.
> Sampling counts of packets matching complex expressions [3]
> Sampling counts of packets meeting expressions of lesser complexity [3]
See PSAMP?
---George
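The thread contrasts exact counts of filter matches, sampled counts, and the processor load that per-match logging imposes. The following Python sketch is an added illustration written for this archive page; it is not code from the thread, from the draft, or from any PSAMP or router implementation. All packet data is constructed, and the predicate names (`matches_simple`, `matches_complex`) and helper names are assumptions chosen here. It shows the three levels side by side and, because the constructed stream is periodic, also shows the aliasing failure mode that systematic 1-in-N sampling suffers and random sampling avoids.

```python
"""Exact counting, sampled counting, and rate-limited logging of filter
matches, on a constructed packet stream (illustration only)."""
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str
    dport: int


Predicate = Callable[[Packet], bool]


def matches_simple(pkt: Packet) -> bool:
    """'Simple expression (e.g., source)': a single source-prefix test."""
    return pkt.src.startswith("192.0.2.")


def matches_complex(pkt: Packet) -> bool:
    """'Complex expression': several header fields combined."""
    return (pkt.src.startswith("192.0.2.")
            and pkt.proto == "tcp"
            and pkt.dport in (22, 23))


def exact_count(packets: Iterable[Packet], pred: Predicate) -> int:
    """Exact count: every packet is evaluated (highest per-packet cost)."""
    return sum(1 for p in packets if pred(p))


def sampled_count(packets: List[Packet], pred: Predicate, rate: int) -> int:
    """Systematic 1-in-N sampling: only every rate-th packet is evaluated,
    and the sample count is scaled back up to an estimate."""
    if rate < 1:
        raise ValueError("rate must be >= 1")
    hits = sum(1 for p in packets[::rate] if pred(p))
    return hits * rate


def random_sampled_count(packets: Iterable[Packet], pred: Predicate,
                         rate: int, seed: int = 0) -> int:
    """Random 1-in-N sampling: each packet is examined with probability
    1/rate.  Unlike systematic sampling it does not alias against
    periodic traffic, at the cost of a non-deterministic estimate."""
    rng = random.Random(seed)
    hits = sum(1 for p in packets if rng.random() < 1.0 / rate and pred(p))
    return hits * rate


def rate_limited_log(packets: Iterable[Packet], pred: Predicate,
                     max_per_window: int, window: float
                     ) -> Tuple[List[Packet], int]:
    """Log at most max_per_window matches per `window` seconds.
    Returns the logged packets and the number of matches suppressed,
    so the suppression itself stays visible to the operator."""
    logged: List[Packet] = []
    suppressed = 0
    window_start = None
    in_window = 0
    for p in packets:
        if not pred(p):
            continue
        if window_start is None or p.ts - window_start >= window:
            window_start, in_window = p.ts, 0
        if in_window < max_per_window:
            logged.append(p)
            in_window += 1
        else:
            suppressed += 1
    return logged, suppressed


def periodic_stream(n: int, period: int, phase: int) -> List[Packet]:
    """Constructed stream: one matching packet every `period` packets,
    at offset `phase`; everything else is benign DNS traffic."""
    pkts = []
    for i in range(n):
        if i % period == phase:
            pkts.append(Packet(i * 0.01, "192.0.2.7", "203.0.113.10", "tcp", 22))
        else:
            pkts.append(Packet(i * 0.01, "198.51.100.9", "203.0.113.10", "udp", 53))
    return pkts


if __name__ == "__main__":
    s = periodic_stream(40, 4, 1)
    print("exact:", exact_count(s, matches_simple))
    print("systematic 1-in-4 (aliased):", sampled_count(s, matches_simple, 4))
    print("systematic 1-in-5:", sampled_count(s, matches_simple, 5))
    print("random 1-in-4:", random_sampled_count(s, matches_simple, 4))
    logged, dropped = rate_limited_log(s, matches_simple, 3, 1.0)
    print("logged", len(logged), "suppressed", dropped)
```

On the constructed stream the systematic 1-in-4 sampler lands on the same phase every time and reports zero matches where the exact count is ten; the 1-in-5 sampler happens to hit the true value; the rate limiter keeps three log entries per second and reports how many it dropped, which is the kind of impact accounting the reply above asks for.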