[c-nsp] Sampled netflow & compliance issues

Gert Doering gert at greenie.muc.de
Thu Feb 9 05:00:19 EST 2012 

Hi,

On Thu, Feb 09, 2012 at 09:44:38AM +0000, Phil Mayers wrote:
> On 02/08/2012 11:38 PM, Dobbins, Roland wrote:
> 
> >scale.  This is why CRS-1/3, ASR9K, GSR/12K, et. al. only support
> >sampled NetFlow (which is quite statistically accurate).
> 
> A related question, more from curiosity than anything:
> 
> When providers use sampled netflow, how do they typically deal with 
> issues where a miscreant simply denies they did it on the basis that 
> "sampling" was in use?
> 
> "Do you know for certain that IP x emitted packets Y?"
> "Well, we have an X% confidence bound that..."
> "Then I'll see you in court."

Well, it would be sort of silly to deny that the miscreant did something
if the ISP even saw it *with sampling*.

It's not like sampling would invent new packets, instead overlook some 
of the miscreant activity - so the argument "you can't prove that I did
it because you might have not seen all of it!" is... interesting.

Billing using sampled netflow is more where I see problems arising,
because you know your numbers will not be accurate, but you don't know
how big the error is, and in which direction you err.  With unsampled
netflow, you know that what you bill is never *more* than what the
customer actually used (if you overflow your TCAM or drop records, 
you err on the side of the customer, which is OK) - but if you sample,
and then apply a correction factor, you could bill them too much, and
that's problematic.

Of course you don't want to bill based on any sort of IP accounting data,
but that cannot always be avoided either :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20120209/70d87f22/attachment.sig>

More information about the cisco-nsp mailing list