Re: [ipfix-eval] Some comments on the evaluation team draft
Benoit Claise <bclaise@cisco.com> Tue, 19 November 2002 12:38 UTC
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA03402 for <ipfix-archive@lists.ietf.org>; Tue, 19 Nov 2002 07:38:53 -0500 (EST)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 18E7R0-0007W3-00 for ipfix-list@mil.doit.wisc.edu; Tue, 19 Nov 2002 06:24:54 -0600
Received: from odd-brew.cisco.com ([144.254.15.119] helo=strange-brew.cisco.com) by mil.doit.wisc.edu with esmtp (Exim 3.13 #1) id 18E7Qz-0007VE-00; Tue, 19 Nov 2002 06:24:53 -0600
Received: from cisco.com (ams-clip-vpn-dhcp4193.cisco.com [10.50.16.96]) by strange-brew.cisco.com (8.11.6+Sun/8.8.8) with ESMTP id gAJCOD715989; Tue, 19 Nov 2002 13:24:13 +0100 (CET)
Message-ID: <3DDA2D6C.600@cisco.com>
Date: Tue, 19 Nov 2002 13:24:12 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020815
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Reinaldo Penno <rpenno@nortelnetworks.com>
CC: Simon Leinen <simon@limmat.switch.ch>, ipfix-eval@net.doit.wisc.edu, ipfix-req@net.doit.wisc.edu
Subject: Re: [ipfix-eval] Some comments on the evaluation team draft
References: <0A11633F61BD9F40B43ABCC694004F9320258F@zsc3c026.us.nortel.com>
Content-Type: multipart/alternative; boundary="------------040002030404010205070502"
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
Reinaldo, > Benoit, > > you can use other fields, such as IP Proto, TCP Ports, packet size, > etc, etc.. My solution would be: I use a template which exports only IP proto, TCP ports, packet size, etc, etc... but not the IP addresses. And because I don't do any aggregation, I keep the same flow granularity. Now if I don't need the flow granularity, I can aggregate on the router. Again, my point was: "So what's the point to export something that you can't use?" Regards, Benoit. > There are several sites where you can download public data from > probes/exporters where the IP addresses are maked by a one-way > function but the other fields can be seen. See for instance > http://tracer.csl.sony.co.jp/mawi/guideline.txt > > "Protecting User Privacy > > There are 2 issues regarding user privacy. > > 1. Removing user data: > Leave only protocol headers and remove protocol > payload which could contain user data. > 2. Providing anonymity: > Scramble addresses which could be used to identify a > user. > " > > regards, > > Reinaldo > > -----Original Message----- > *From:* Benoit Claise [mailto:bclaise@cisco.com] > *Sent:* Friday, November 15, 2002 8:51 AM > *To:* Simon Leinen > *Cc:* ipfix-eval@net.doit.wisc.edu; ipfix-req@net.doit.wisc.edu > *Subject:* Re: [ipfix-eval] Some comments on the evaluation team draft > > Simon, > >>On Thu, 14 Nov 2002 16:52:35 +0100, Benoit Claise <bclaise@cisco.com> said: >> >> >>>5.7 Anonymization (6.7) LFAP: E CRANE: E IPDR: E >>>NetFlow: E Diameter: E >>> >>> >> >> >> >>>In my draft http://www.ietf.org/internet-drafts/draft-claise-ipfix-eval-netflow-03.txt, I wrote >>> >>> >> >> >> >> >>> 3.5.7 Anonymization (6.6) >>> "The exporting process MAY be capable of anonymizing >>>source and >>> destination IP addresses in flow data before exporting them." >>> _Total Compliance. _ >>> >>> >> >> >> >>>You can export the prefix is you want to and not the specific source >>>and destination IP addresses. >>> >>> >> >>I would call that "(router-based) aggregation" rather than >>"anonymization". With anonymization you somehow expect to maintain >>granularity, but want some kind of (non-reversible?) scrambling to >>cover up privacy-sensitive parts of the traffic data, such as IP >>addresses. >> > So what's the point to export something that you can't use? > > Benoit. > >>Don't take this requirement too seriously. None of the candidates has >>addressed this, and I think as a requirement it hasn't been thought >>through too well. It doesn't really reflect current practice, and >>personally I think this is better done on the collector side. >> >> > >
- [ipfix-eval] Some comments on the evaluation team… Benoit Claise
- RE: [ipfix-eval] Some comments on the evaluation … Reinaldo Penno
- Re: [ipfix-eval] Some comments on the evaluation … Simon Leinen
- Re: [ipfix-eval] Some comments on the evaluation … Simon Leinen
- Re: [ipfix-eval] Some comments on the evaluation … Vamsidhar Valluri
- RE: [ipfix-eval] Some comments on the evaluation … Tal Givoly
- Re: [ipfix-eval] Some comments on the evaluation … Benoit Claise
- RE: [ipfix-eval] Some comments on the evaluation … Reinaldo Penno
- Re: [ipfix-eval] Some comments on the evaluation … Benoit Claise