Gentle people,
I will be sending a problem statement to the IETF
RMONMIB mailing list identifying the need to define
a standard remote packet capture facility. The goal
is to define a standard network mechanism for delivering
remotely captured packets to a collector, that addresses
the problems/shortcomings with exiting technology, such
as RMON packet capture and "port copy" facilities
that network switch vendors have implemented.
Because this list deals with just about every issue
relating to packet capture and processing, I would like
to get your comments. I've included the draft problem
statement below. If you have any comments/opinions/
thoughts/reactions/attitude/flames, please don't hesitate
to send them, as I would like to submit this statement
to the RMONMIB mailing list this week, if possible.
Thanks in advance for your attention,
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
[EMAIL PROTECTED]
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
------- Insert Rmonmib Problem Statement.txt -------
Packet capture is a fundamental mechanism in Internet network
management and is used in support of a wide range of network
operational tasks, such as fault detection, protocol analysis,
performance analysis, and security assessment. The IETF has specified
technology for packet capture in STD-59, Remote Network Monitoring
Management Information Base (RMON MIB) and RFC-1761, Snoop Version 2
Packet Capture File Format. Working groups, such as RMON and IPPM,
continue to describe various aspects of packet capture technology in
RFC-2021, "Remote Network Monitoring Management Information Base
Version 2 using SMIv2", RFC-2330, "Framework for IP Performance
Metrics", and RFC-2613, "Remote Network Monitoring MIB Extensions for
Switched Networks Version 1.0".
RFC-2613 identified 5 fundamental barriers that make packet monitoring
in modern networks difficult and noted that, "In order to overcome the
limitations of the existing standards, new monitoring mechanisms have
been implemented by vendors of switching equipment. All these
monitoring strategies are currently proprietary in nature". The
principal monitoring strategy referred to by RFC-2613 is "port copy",
which has been implemented by many switch and router vendors. While
RFC-2613 extended the RMON MIB standard definition of data source
objects to include "port copy" as a data source for RMON and SMON data,
RFC-2631 did not qualify these extended RMON and SMON data sources as
suitable for a particular task.
Packet analysis applications are being extended and new ones are being
proposed in several IETF working groups that cannot rely on "port copy"
mechanisms as a definitive source of packet data. Packet analysis
applications, such as Real Time Flow Monitors, Intrusion Detection
Devices and IPPM Framework based performance meters have difficultly
using "port copy" facilities, in part because the "port copy" mechanism
does not convey enough information regarding the source, disposition,
loss characteristics, order and time of replicated packets. As a
simple example, many "port copy" operating modes, such as N:1 port
copy, can result in multiple copies of the same packet being
delivered to an application, without any means to detect that
either packet is a duplicate. In these conditions, port copy
derived data will generate erroneous values in applications such
as RMON MIB.
In addition to the technical issues that limit port copy as a
definitive source of packet data for analytic functions, port copy
style mechanisms pose a significant threat to individual privacy. This
is because port copy mechanisms can only copy entire datagrams to
another interface. Without any mechanisms for minimizing user data
exposure or for limiting access to the resulting packet data, simple
port copy strategies introduce new significant threats to privacy.
As RFC-2613 indicated, vendors are implementing port copy schemes to
overcome limitations of the existing standards. We would like to
propose that the Remote Monitoring Working Group consider as a work
item, the specification of a packet copy facility that can act as a
definitive source of packet data for network analytic applications.
An internet draft that describes some of the issues and possible
requirements for a remote packet capture facility can be found at
http://search.ietf.org/internet-drafts/draft-bullard-pcap-01.txt.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
