[c-nsp] Sampled netflow & compliance issues
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 9 04:44:38 EST 2012
On 02/08/2012 11:38 PM, Dobbins, Roland wrote:
> scale. This is why CRS-1/3, ASR9K, GSR/12K, et al. only support
> sampled NetFlow (which is quite statistically accurate).
A related question, more from curiosity than anything:
When providers use sampled netflow, how do they typically deal with
issues where a miscreant simply denies they did it on the basis that
"sampling" was in use?
"Do you know for certain that IP x emitted packets Y?"
"Well, we have an X% confidence bound that..."
"Then I'll see you in court."
Or does this sort of issue not arise, because it's not used for those
kinds of things?
Or is there expected to be an unsampled copy of the flow from somewhere
closer to the edge?
Note that I am not suggesting there is an actual *problem* with sampled
netflow; just that the presence of the word "sampling" is liable to
change perceptions of the validity of the data, particularly in the mind
of a non-specialist, and I am curious how people get over that hump.
Also, does anyone have a good link to the stats underlying sampled
netflow, and how to generate a confidence bound for a given flow
(reconstructed from samples)? Or what the probability is that a given
flow will not appear in the output, given input traffic & flow rates? My
stats are 15 years rusty, and certainly not up to this ;o)
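The statistics asked about in the last paragraph, worked through as an added example (this is not code from the thread or from any Cisco documentation). It assumes independent random 1:N packet sampling, which is how Cisco's random sampled NetFlow behaves; deterministic every-Nth-packet sampling is not modelled. The sampling rate and flow sizes used in it are constructed for illustration.

```python
"""Sampling statistics for 1:N random sampled NetFlow.

Added example, not code from the cisco-nsp thread. Model assumption: every
packet is independently exported with probability p = 1/N (Cisco's *random*
sampled NetFlow). Deterministic 1-in-N sampling (every Nth packet) is not
modelled; its behaviour depends on how flows interleave on the wire.
"""
from math import ceil, exp, lgamma, log, sqrt
from typing import Tuple


def prob_flow_missed(packets: int, rate: int) -> float:
    """P(a flow of `packets` packets contributes zero samples) at 1:rate.

    Each packet escapes sampling with probability 1 - 1/rate, independently,
    so the whole flow is invisible with probability (1 - 1/rate)^packets.
    """
    return (1.0 - 1.0 / rate) ** packets


def packets_for_detection(rate: int, confidence: float = 0.99) -> int:
    """Smallest flow size k such that P(at least one sample) >= confidence.

    Solves (1 - p)^k <= 1 - confidence for k.
    """
    return ceil(log(1.0 - confidence) / log(1.0 - 1.0 / rate))


def estimate_packets(samples: int, rate: int) -> int:
    """Unbiased point estimate of the true packet count: S / p = S * N."""
    return samples * rate


def normal_ci(samples: int, rate: int, z: float = 1.96) -> Tuple[float, float]:
    """Normal-approximation CI for the true packet count k.

    S ~ Binomial(k, p), so Var(k_hat) = Var(S) / p^2 ~= S (1 - p) / p^2 when
    S stands in for k p. Only trustworthy for tens of samples or more.
    """
    p = 1.0 / rate
    k_hat = samples / p
    se = sqrt(samples * (1.0 - p)) / p
    return max(0.0, k_hat - z * se), k_hat + z * se


def _poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam), summed in log space to avoid overflow."""
    if k < 0:
        return 0.0
    if lam <= 0.0:
        return 1.0
    return sum(exp(-lam + i * log(lam) - lgamma(i + 1)) for i in range(k + 1))


def _bisect_increasing(f, target: float, lo: float, hi: float, iters: int = 200) -> float:
    """Root of f(x) = target for a monotonically increasing f on [lo, hi]."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if f(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def exact_ci(samples: int, rate: int, alpha: float = 0.05) -> Tuple[float, float]:
    """Exact (Garwood-style) CI for the true packet count from a sample count.

    For large k and small p, S is well approximated by Poisson(k p). Bounds on
    the Poisson mean lambda are found by inverting the CDF:
      lower: P(X >= S | lambda_L) = alpha/2   (0 when S == 0)
      upper: P(X <= S | lambda_U) = alpha/2
    and then k = lambda / p = lambda * rate. Unlike normal_ci this is valid for
    any S, including S == 0, which is the "did this flow exist at all" case.
    """
    if samples == 0:
        lam_lo = 0.0
    else:
        lam_lo = _bisect_increasing(
            lambda lam: 1.0 - _poisson_cdf(samples - 1, lam), alpha / 2.0,
            0.0, float(samples) + 1.0)
    lam_hi = _bisect_increasing(
        lambda lam: -_poisson_cdf(samples, lam), -alpha / 2.0,
        0.0, samples + 10.0 * sqrt(samples) + 20.0)
    return lam_lo * rate, lam_hi * rate


if __name__ == "__main__":
    # Constructed figures: a 1:1000 sampler looking at a few flow sizes.
    for k in (1, 100, 1000, 10000):
        print(f"{k:>6}-pkt flow at 1:1000 -> P(never sampled) = {prob_flow_missed(k, 1000):.3f}")
    print("packets needed for a 99% chance of >=1 sample:", packets_for_detection(1000))
    s = 10
    print(f"{s} samples seen: estimate {estimate_packets(s, 1000)} pkts,",
          "normal 95%% CI %.0f..%.0f," % normal_ci(s, 1000),
          "exact 95%% CI %.0f..%.0f" % exact_ci(s, 1000))
```

The two halves answer the two questions separately: `prob_flow_missed` and `packets_for_detection` give the chance that a flow never shows up at all (at 1:1000 a 100-packet flow is invisible about 90% of the time, and a flow needs roughly 4600 packets before it is seen with 99% probability), while `exact_ci` gives the bound on the true volume once some samples were seen (10 samples at 1:1000 supports roughly 4,800 to 18,400 packets at 95%). Both intervals widen as the sample count shrinks, which is the precise form of the "X% confidence bound" objection in the post: sampled data is good at aggregate volume and poor at small flows.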