[c-nsp] Sampled netflow & compliance issues
Gert Doering
gert at greenie.muc.de
Thu Feb 9 05:00:19 EST 2012
Hi,
On Thu, Feb 09, 2012 at 09:44:38AM +0000, Phil Mayers wrote:
> On 02/08/2012 11:38 PM, Dobbins, Roland wrote:
>
> >scale. This is why CRS-1/3, ASR9K, GSR/12K, et. al. only support
> >sampled NetFlow (which is quite statistically accurate).
>
> A related question, more from curiosity than anything:
>
> When providers use sampled netflow, how do they typically deal with
> issues where a miscreant simply denies they did it on the basis that
> "sampling" was in use?
>
> "Do you know for certain that IP x emitted packets Y?"
> "Well, we have an X% confidence bound that..."
> "Then I'll see you in court."
Well, it would be sort of silly to deny that the miscreant did something
if the ISP even saw it *with sampling*.
It's not like sampling would invent new packets, instead overlook some
of the miscreant activity - so the argument "you can't prove that I did
it because you might have not seen all of it!" is... interesting.
Billing using sampled netflow is more where I see problems arising,
because you know your numbers will not be accurate, but you don't know
how big the error is, and in which direction you err. With unsampled
netflow, you know that what you bill is never *more* than what the
customer actually used (if you overflow your TCAM or drop records,
you err on the side of the customer, which is OK) - but if you sample,
and then apply a correction factor, you could bill them too much, and
that's problematic.
Of course you don't want to bill based on any sort of IP accounting data,
but that cannot always be avoided either :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20120209/70d87f22/attachment.sig>
More information about the cisco-nsp
mailing list