Realised that it's not that difficult to translate tcpdump patterns to the bpf programs, very good.
The major thing to do will be finding patterns that cover most of the traffic, so that as little data as possible is left unclassified (my goal is to leave no more than 5% of traffic unclassified and, eventually, when it grows past 10%, start to classify that too).
The question is still open, as another way would be classifying only p2p traffic and leaving the rest; the weak side of it is that it's unknown how much p2p traffic actually went unclassified.
One more thing to keep in mind is maintenance of traffic patterns: they should be adjustable "on line". Need to check how ng_bpf handles this.
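As an added example (not code from this post), here is the tcpdump-to-ng_bpf translation step: it parses `tcpdump -ddd` output into BPF instructions, checks that every conditional jump stays inside the program, and builds the ng_bpf `setprogram` message that can be re-sent whenever a pattern changes. The sample `-ddd` listing is hand-assembled (an `ip and tcp` filter on Ethernet) and the hook names are assumptions.

```python
"""Turn `tcpdump -ddd` output into an ng_bpf(4) `setprogram` message."""
import shlex

# Constructed sample: hand-assembled `-ddd` listing equivalent to the
# filter `ip and tcp` on Ethernet. First line is the instruction count,
# then one "code jt jf k" line per BPF instruction.
SAMPLE_DDD = """\
6
40 0 0 12
21 0 3 2048
48 0 0 23
21 0 1 6
6 0 0 65535
6 0 0 0
"""

BPF_JMP = 0x05  # instruction class bits for the jump class; 0x05 alone is `ja`


def parse_ddd(text):
    """Parse -ddd text into a list of {code, jt, jf, k} dicts, validating it."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    count = int(rows[0][0])
    insns = [dict(zip(("code", "jt", "jf", "k"), map(int, r))) for r in rows[1:]]
    if len(insns) != count:
        raise ValueError(f"header says {count} instructions, found {len(insns)}")
    for i, ins in enumerate(insns):
        # Conditional jumps are relative to the next instruction; a target
        # past the end would be rejected by the kernel, so catch it here.
        if ins["code"] & 0x07 == BPF_JMP and ins["code"] != BPF_JMP:
            for target in (i + 1 + ins["jt"], i + 1 + ins["jf"]):
                if target >= count:
                    raise ValueError(f"instruction {i} jumps past end of program")
    return insns


def setprogram_msg(insns, this_hook, if_match, if_not_match):
    """Render the ng_bpf setprogram message for a hook (names are assumed)."""
    body = " ".join(f"{{ code={i['code']} jt={i['jt']} jf={i['jf']} k={i['k']} }}"
                    for i in insns)
    return (f'setprogram {{ thisHook="{this_hook}" ifMatch="{if_match}" '
            f'ifNotMatch="{if_not_match}" bpf_prog_len={len(insns)} bpf_prog=[ {body} ] }}')


def ngctl_cmdline(node_path, msg):
    """Shell-quoted `ngctl msg` invocation; node_path (e.g. "bpf0:") is assumed."""
    cmd, _, args = msg.partition(" ")
    return f"ngctl msg {node_path} {cmd} {shlex.quote(args)}"


if __name__ == "__main__":
    print(ngctl_cmdline("bpf0:", setprogram_msg(parse_ddd(SAMPLE_DDD), "in", "match", "rest")))
```

Re-running the same steps with a new pattern and re-sending the message replaces the program on that hook without tearing the node down.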
And still no real ideas on catching p2p by behaviour: either lots of reprogramming of ng_netflow is required (this is more likely), or making a new node, which is possible but will kill a bunch of time to get a real and efficient solution.
Actually, the biggest problem of using ng_netflow is the need to dig deeper into flow processing and create a kind of messaging protocol to tell the classifier to mark the required traffic.
One more thought to test: try to alter ToS inside the packet during processing. Need to think about it.
Ng_carp policing is pretty cheap in terms of resources, and it might be more expensive to forward traffic than to drop it.
If it's not, then the classifier might just change the ToS of packets and send them directly out, which saves some CPU and simplifies processing.