Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-format-03.txt

Jim Hague <jim@sinodun.com> Thu, 06 July 2017 09:17 UTC

Return-Path: <jim@sinodun.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46E4D120721 for <dnsop@ietfa.amsl.com>; Thu, 6 Jul 2017 02:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7ntvBGroXz4 for <dnsop@ietfa.amsl.com>; Thu, 6 Jul 2017 02:17:30 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA7FE1201F8 for <dnsop@ietf.org>; Thu, 6 Jul 2017 02:17:30 -0700 (PDT)
Received: from [2001:470:1f09:d2::4a7] (port=55648 helo=cho.localnet) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <jim@sinodun.com>) id 1dT2ue-0003Il-5E; Thu, 06 Jul 2017 10:17:28 +0100
From: Jim Hague <jim@sinodun.com>
To: Richard Gibson <rgibson@dyn.com>
Cc: dnsop <dnsop@ietf.org>
Date: Thu, 06 Jul 2017 10:17:26 +0100
Message-ID: <2658248.mqps5m5hH4@cho>
Organization: Sinodun Ltd
X-Face: "YyOu7Hab"VGm^bAO1; {iOPso3{hw9JL`&?c6?!@&m`z?E\ZMv; T44B_v+/9i''$IUz\h: 7+|+U\Sm3S)ajt}IU6bG#OB^ma3dQ%l4]6jGS1:=9N]LF\ZmxO!"2bQ}v@,\x?0{/mu; a, g3:!#KL>aL\D; )@?UJG=m@@vt; LJJxqV.w-.VxYKp-r1'$`0+>4D72C#o5(tax+Dp:0UWU ]+s_'{u[#cEm^9VXGTf0+#@VwB/%U?KWb~C<@19.<sDNYm2}r|
User-Agent: KMail/5.2.3 (Linux/4.9.0-2-amd64; KDE/5.28.0; x86_64; ; )
In-Reply-To: <CAC94RYYBe5AzoBWEOeBrrBgKEcqw5V-z34TGtmcYpQW-JAz=KQ@mail.gmail.com>
References: <149907291397.4998.8059630450980375262@ietfa.amsl.com> <5ec26bfa-b7c9-cdcc-2594-5e2df7bec4c8@sinodun.com> <CAC94RYYBe5AzoBWEOeBrrBgKEcqw5V-z34TGtmcYpQW-JAz=KQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
X-BlackCat-Spam-Score: -28
X-Mythic-Debug: State = no_sa; Score =
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WBdp12r1NFOPeUW6H60SdohRI6o>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-format-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jul 2017 09:17:32 -0000

On Wednesday, 5 July 2017 13:06:12 BST Richard Gibson wrote:
> On Wed, Jul 5, 2017 at 8:05 AM, Jim Hague <jim@sinodun.com>; wrote:
> > Timestamps, on the other hand, I always regarded as a basic data type,
> > so naturally a structure. Plus, of course, there's one per
> > query/response item, so in a block the size savings are in the 10-15k
> > bytes region, which is rather more significant.
> 
> In that case, I'm even more convinced that all of them (block preamble
> "earliest-time", Q/R data item "time" and "delay", malformed packet item
> "time") should have the same structure—either variable-precision arrays or
> {"seconds", "useconds", "pseconds"} maps.

Q/R data item and malformed packet items have the same structure, though it's 
not an explicit data type in CDDL as Timeval is at the moment. I'll amend 
that. However, they are time deltas, not timestamps, so I don't think they 
should have the same type as the block earliest time. It it turns out that no-
better-then-second resolution is a common use case, there are potential 
savings to be made in using seconds as the time delta, because the deltas will 
tend to be very small numbers with consequent space savings in CDDL. We'll 
look at this.

> > * In section 7.18, "and an unsigned key" appears to be meaningless and 
> > > should probably be removed.
> > 
> > In most places where we are discussing a map, we've specified the type
> > of the map key in the text, though I notice we're not 100% consistent
> > with that.
> 
> All the keys in those maps (and in every map, as far as I can tell) are
> strings, for which "unsigned" is a meaningless concept.

No. All keys are unsigned ints, with values specified in the CDDL. We should 
make this more explicit in the text.

String keys would bloat the output file size enormously.

> > I don't quite follow why you'd need to put this informational-only stuff
> > into the block preamble rather than the file preamble/configuration. Can
> > you expand on that a bit?
> 
> Some of our processing can benefit from merging telemetry (e.g., all hosts
> at a site), which would produce files containing blocks that don't share
> values for fields currently in the file preamble. In fact, we might even
> decide to treat "block" as the only relevant unit, using block preamble
> extension fields for *everything* in the standard file preamble except
> version information.

Ah, so you are talking about doing a merge at the block level rather than the 
Q/R item level? We'll think about the implications of that.

The fields you cited, host-id and server-addresses, are purely informational 
anyway.

> > *Opt-in Lossyness*
> > This raises a question about a tension between the background of C-DNS
> > to date and the slightly different angle you are coming from. We've been
> > very much focused on using C-DNS to record traffic in a form where the
> > packets can be recreated in wire format (i.e. as PCAP). The optional
> > data items mean that data may be missing from those packets, but the
> > core query and response will still be present.
> 
> Agreed. But it's _so close_ that I felt these suggestions were worth
> raising—not to water down the primary use case, but to cover a few more
> with some tradeoffs.

Oh, absolutely! You've give an important use case we hadn't considered - we 
need to look into it.

> We'll be doing a 10 minute slot on C-DNS in Prague, and would welcome
> > discussion there.
> 
> I don't expect to be there personally, but we'll have a well-informed
> representative.

We'd definitely like to talk, then.
-- 
Jim Hague - jim@sinodun.com          Never trust a computer you can't lift.