Paolo,

It's my pleasure, hope you're doing great also. Wonderful to see all the
progress pmacct has been making since we last met.

Thanks for confirming IPFIX/DTLS is a topic that's still ongoing. While the
immediate need for encrypted transport can be alleviated by utilizing IPsec
tunnels and the like, being able to produce encrypted streams will make
ingesting data over untrusted transport much simpler. Wondering how DE-CIX
produces theirs.

Out of curiosity I've been playing around with ncat, trying to encrypt a
regular IPFIX stream and sending it to nfacctd_dtls_port. While nfacctd
acknowledges that it's receiving DTLS, there seem to be some issues that prevent
successful parsing of data. Hope I'll be able to find some more time to dig
deeper and make it work.

Stay safe, 
Felix



On 09.10.20, 21:49, "Paolo Lucente" <pa...@pmacct.net> wrote:

    
    Hi Felix,
    
    Monumental pleasure to read from you, hope all is well.
    
    The feature was conceived in conjunction with the great DE-CIX folks, 
    you can see the announcement here: 
    https://twitter.com/thking/status/1292903640877932544 .
    
    In the context of pmacct, yes, I do indeed have it on the roadmap to
    "disseminate" DTLS a bit further to the 'nfprobe' (export) and 'tee'
    (replication) plugins. Yet another dimension would be to apply this to
    sFlow - curious if anybody reading cares.
    
    I am not aware of any vendors supporting this at this very moment but I
    do agree with you that that would be intriguing (in general but perhaps
    specifically) for all people that do rely on 3rd party services to run
    their own infrastructure, thinking of L2/L3 MPLS VPNs and such.
    
    Paolo
    
    On 09/10/2020 13:28, Felix Stolba wrote:
    > Hi everyone,
    > 
    > so recently the config parameter nfacctd_dtls_port was introduced. By
    > using this, pmacct can consume flow data contained in a DTLS stream as
    > specified in RFC5153.
    > 
    > Having an integrated, secure transport for flow data is an intriguing
    > idea. But that poses the question, how can such a stream be produced? Is
    > this a vendor-specific feature on various network operating systems or is
    > there a 3rd party software that can handle the encryption? Which vendors
    > support that? Anyone willing to share any experience here?
    > 
    > Has this feature been considered for the pmacct roadmap? Being able to
    > produce encrypted Netflow using the tee plugin would be very useful in
    > certain scenarios.
    > 
    > Appreciate any input on the matter.
    > 
    > Thanks,
    > Felix
    > 
    > 
    > _______________________________________________
    > pmacct-discussion mailing list
    > http://www.pmacct.net/#mailinglists
    > 
    
    
