[c-nsp] Sampled netflow & compliance issues
Giles Coochey
giles at coochey.net
Thu Feb 9 05:35:59 EST 2012
On 2012-02-09 10:17, Phil Mayers wrote:
> On 02/09/2012 10:00 AM, Gert Doering wrote:
>
>>>
>>> "Do you know for certain that IP x emitted packets Y?"
>>> "Well, we have an X% confidence bound that..."
>>> "Then I'll see you in court."
>>
>> Well, it would be sort of silly to deny that the miscreant did
>> something
>> if the ISP even saw it *with sampling*.
>>
>> It's not like sampling would invent new packets, instead overlook
>> some
>> of the miscreant activity - so the argument "you can't prove that I
>> did
>> it because you might have not seen all of it!" is... interesting.
>
> Ok, bad example.
>
> I'm specifically thinking about p2p downloads. At (say) 512:1
> sampling, they can simply deny they downloaded a 5Gb file, and claim
> it was a 10Mb file. Obviously this is ludicrously unlikely to be
> true,
> but, in theory, possible.
>
> I guess this is related to your next point...
>
When I was last in an ISP environment the main reason for using sampled
netflow was to have a general statistical view of our traffic and to
use it to understand how our BGP peering was working and what tweaks
could be made to improve it and the service to our customers.
For legal purposes there are far better ways of seeing who has
downloaded a particular p2p file - locating the torrent in question and
joining it is by far a better way of seeing who has the file, who is
distributing the file etc... and that information is much more likely to
stand up in court. It's also a method that doesn't involve the ISP -
which most ISPs will be eternally grateful for, as they don't really
want to have anything to do with this type of stuff other than accept
and deliver packets for their customers, and manage their traffic
overall.
--
Message sent via my webmail account.
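The sampling argument in the quoted part of this thread (a 5 GB transfer versus a claimed 10 MB one at 1:512 sampling) can be put in numbers. The following script is an added illustration, not code from anyone in the thread; it assumes uniform random 1-in-512 packet sampling, an average packet size of 1500 bytes, 5 GB = 5,000,000,000 bytes and 10 MB = 10,000,000 bytes. It simulates how many packets of a transfer a sampling collector would actually see, turns that count back into a byte estimate with a 95% interval, and bounds (via a Chernoff tail bound on the Poisson count) how probable the observed sample count would be if the smaller claimed transfer size were true.

```python
import math
import random

SAMPLE_RATE = 512      # 1-in-N packet sampling, as discussed in the thread
PACKET_BYTES = 1500    # assumed average packet size (an assumption for this example)


def simulate_sampling(total_bytes, rate=SAMPLE_RATE, pkt=PACKET_BYTES, seed=2012):
    """Simulate uniform 1-in-N random sampling over one transfer.

    Returns (packets_sent, packets_sampled). Instead of rolling a die per
    packet, the gaps between sampled packets are drawn from a geometric
    distribution, so the loop only runs once per *sampled* packet.
    """
    n_packets = math.ceil(total_bytes / pkt)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    p = 1.0 / rate
    log_q = math.log(1.0 - p)
    pos, sampled = 0, 0
    while True:
        u = rng.random()
        gap = max(1, math.ceil(math.log(1.0 - u) / log_q))  # geometric(p), support >= 1
        pos += gap
        if pos > n_packets:
            return n_packets, sampled
        sampled += 1


def estimate_transfer_bytes(sampled, rate=SAMPLE_RATE, pkt=PACKET_BYTES):
    """Scale the sample count back up to bytes, with a 95% interval.

    The sampled count is approximately Poisson; for counts in the thousands
    a normal approximation (k +/- 1.96*sqrt(k)) is adequate.
    """
    half_width = 1.96 * math.sqrt(sampled)
    low = max(0.0, sampled - half_width) * rate * pkt
    point = sampled * rate * pkt
    high = (sampled + half_width) * rate * pkt
    return low, point, high


def log10_prob_at_least(sampled, claimed_bytes, rate=SAMPLE_RATE, pkt=PACKET_BYTES):
    """log10 of a Chernoff upper bound on P(K >= sampled) if the transfer
    really were `claimed_bytes`. Returns 0.0 (a trivial bound) when the
    observed count is at or below what the claim would predict, i.e. when
    the sample count is consistent with the claim.
    """
    lam = math.ceil(claimed_bytes / pkt) / rate  # expected sample count under the claim
    if sampled <= lam:
        return 0.0
    # Chernoff bound for a Poisson tail: P(K >= k) <= e^-lam * (e*lam/k)^k
    log_bound = -lam + sampled + sampled * math.log(lam / sampled)
    return log_bound / math.log(10)


if __name__ == "__main__":
    big, small = 5 * 10**9, 10**7      # the 5 GB transfer and the 10 MB claim
    n, k = simulate_sampling(big)
    low, est, high = estimate_transfer_bytes(k)
    print(f"sent {n} packets, collector saw {k} samples at 1:{SAMPLE_RATE}")
    print(f"estimated size {est/1e9:.2f} GB (95% interval {low/1e9:.2f}-{high/1e9:.2f} GB)")
    print(f"log10 P(>= {k} samples | 10 MB transfer) <= {log10_prob_at_least(k, small):.0f}")
    n2, k2 = simulate_sampling(small)
    print(f"a real 10 MB transfer would show only about {k2} samples")
```

The last printed line is the defensible way to read sampled data: the estimate carries an interval, and the 10 MB claim is not "possible in theory" in any meaningful sense, because the bound on its probability has thousands of zeros after the decimal point. The same arithmetic also shows the limit of sampled flows as evidence: a transfer of a few megabytes yields only a handful of samples, so small transfers genuinely cannot be sized with confidence from 1:512 data.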