IETF Logo Mail Archive

Re: [OPSAWG] adopting draft-gharris-opsawg-pcap and draft-tuexen-opsawg-pcapng

Guy Harris <gharris@sonic.net> Sun, 04 July 2021 23:50 UTC

Return-Path: <gharris@sonic.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F9253A2AB8; Sun, 4 Jul 2021 16:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5Cv8gxUQJ55; Sun, 4 Jul 2021 16:50:02 -0700 (PDT)
Received: from c.mail.sonic.net (c.mail.sonic.net [64.142.111.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 144DF3A2AB6; Sun, 4 Jul 2021 16:50:01 -0700 (PDT)
Received: from smtpclient.apple (173-228-4-126.dsl.dynamic.fusionbroadband.com [173.228.4.126]) (authenticated bits=0) by c.mail.sonic.net (8.15.1/8.15.1) with ESMTPSA id 164Nnxlj006015 (version=TLSv1.2 cipher=DHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sun, 4 Jul 2021 16:50:00 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Subject: Re: [OPSAWG] adopting draft-gharris-opsawg-pcap and draft-tuexen-opsawg-pcapng
From: Guy Harris <gharris@sonic.net>
In-Reply-To: <25597.1625012947@localhost>
Date: Sun, 04 Jul 2021 16:49:59 -0700
Cc: qlog@ietf.org, quic@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <0546D69C-6AE0-45FB-8C66-9929BE7B8942@sonic.net>
References: <162449794730.28597.16572068303470741654@ietfa.amsl.com> <25597.1625012947@localhost>
To: opsawg@ietf.org
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-Sonic-CAuth: UmFuZG9tSVaLCJg1k4naJCoUQ4K8m9CMpGqocFKa/5y+4SxIc2ZNCysoOHBEXDifPev2ls53l9dril2oD0AKBUjLhK6BtgIr
X-Sonic-ID: C;oPMviyLd6xGDU9vKcSgy2w== M;bDVjiyLd6xGDU9vKcSgy2w==
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/jaIueAF1Y8KWMvuthyPpK--gFq4>
X-Mailman-Approved-At: Mon, 05 Jul 2021 23:50:35 -0700
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jul 2021 23:50:07 -0000

On Jun 29, 2021, at 5:29 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> There was many comments about how we should have used CBOR for PCAPNG, and I
> would agree that in hindsight, it would be good.  New section types for
> PCAPNG could well be encoded in CBOR.  I also advocated that for
> draft-ietf-quic-qlog-h3-events,draft-ietf-quic-qlog-main-schema,
> draft-ietf-quic-qlog-quic-events, but they didn't go that way. (At least, not
> yet?).  I haven't time to do QUIC stuff, but if there is interest, and I'll
> read the documents above, and see if I can come up with a proposal.
> 
> The proposal is to adopt draft-gharris-opsawg-pcap as an Informational
> document.  This documents the ~30 year old pcap format used by tcpdump,
> wireshark, etc.   Almost all of IPv6, DNSSEC, DNS extensions, etc. research
> done by many researchers, including for instance, the
> https://www.caida.org/projects/network_telescope/ have used pcap files as
> their capture format.
> We need to do this as *WG* and can not do this as ISE, because the pcap
> document establishes the critical LinkType registry.  One of the exchanges
> above is about how to "load" this rather large legacy into IANA.

Do the link-layer types belong in a pcap I-D/RFC, given that they're used in both pcap and pcapng, and given that there are a lot of them, so that the link-layer types information might swap the pcap format information if they're in a single spec?

We might want to have a pcap spec, a pcapng spec, and another document that gives detailed descriptions - as detailed as what's in

	https://www.tcpdump.org/linktypes.html

of the existing types.  The registry could point to the I-D/RFC for descriptions of the types; new types would get new RFCs.

> pcapng would be an IETF controlled document, the "pcap 2.0", but we can't
> really do as many changes as we might like.
> (I'd sure like to name it pcap2.0, as I hate the whole "Next Generation"
> moniker, but I don't know if that would fly at this late stage).
> 
> *MAYBE* PCAPNG should also be Informational, given that we can't really mess
> with it too much.
> 
> *MAYBE* PCAP2.0 should be just the structure as IETF Standards Track, with
> the section structure which is in PCAPNG (which is not changeable) should be
> an Informational document.  This involves more documents, but no additional
> text.

So, with that proposal for pcapng/pcap 2.0 would there be, as separate documents:

	the overall structure, currently covered by sections 1-4 and 6-7 of the spec, and not very changeable;

	the definitions of blocks and block-specific options, currently covered by sections 4 and 5, with the blocks currently specified not being changeable other than using reserved fields and adding new options, but with adding new block types being allowed;

and a registry for block and block-specific option types, with the registry pointing to the second document or to any new documents specifying new block types?

v2.23.0 | Report a Bug | By Email