I have been looking at Foundry's implementation of sFlow for the purpose
of doing network security monitoring of flows as a replacement/enhancement
for Cisco's Netflow.
By "flow", I mean a unique combination of source IP, destination IP,
source port, and destination port. A "flow" would be applicable to TCP
and UDP in IPv4. Since "port" is not applicable with ICMP, possibly the
ICMP type would be an adequate substitute. In an ideal world, a "flow"
would cover IPv6, too.
In particular, I need a method to track exactly when a flow is started,
when a flow ends, and in what direction the flow is moving; i.e. which
side is the client and which is the server. This is essential for doing
forensic analysis of network-based intrusions.
This is a pretty straight forward idea with TCP. With UDP, some type of
timer needs to be involved to track when the last UDP packet was seen in
the flow before expiring the flow record, thus marking the end of flow.
For ICMP, a similar timer would be needed for tracking stuff like
continuous ICMP echo request/replies, etc.
The sFlow flow sampling philosophy, while it has definite use in many
applications, is not entirely helpful in what I want to do. However, my
understanding is the version 5 might allow an implementor to give me this
type of functionality and still be compliant to the sFlow specification.
Unfortunately, I am having trouble locating this functionality in the
version 5 spec document. Have I missed this somehow, or does it require
an implementation specific extension to the spec?
The approach I am suggesting does require the resources for keeping track
of current flow table with timers, etc. So I am not sure if this fits in
with the low-cost, low- resource implementation that sFlow was designed
around.
Thanks.
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Received on Tue Mar 22 13:31:22 2005
This archive was generated by hypermail 2.1.8 : 03/22/05 PST