IPsec flows

Carter Bullard carter at qosient.com
Wed Mar 12 18:45:50 EST 2003 

Hey Ciaran,
   The flow identifier for IPSec does indeed include the
SPI.  While IPSec flows can have differing SPI's for
the ingress and egress flows, this is of course not
always the case, and so for those implementations that
do pair the SPI's, argus is doing the right thing.

   Because argus is tracking packet loss for EPS,
we definitely do not want to ignore the SPI.  If you
want to aggregate eps protocol flows together to
provide an aggregated view, use ragator().

   The ARGUS_FLOW_STATUS_INTERVAL specifies how often
argus will report on the status of a persistent flow.
Your IPSec tunnels are not being renegotiated, they
are just bursty, obviously with 10-30 second idle times.
This is why your record durations are not 360.  Duration
is just ((last packet time) - (first packet time)).  When
a new packet comes in for a given flow, if argus
realizes that the combined flow duration would exceed the
ARGUS_FLOW_STATUS_INTERVAL, it writes the cached flow
information out, and then starts accumulating for the flow
again.


Hope this helps.

Carter



> -----Original Message-----
> From: owner-argus-info at lists.andrew.cmu.edu 
> [mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of 
> Ciaran Deignan
> Sent: Wednesday, March 12, 2003 11:51 AM
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: IPsec flows
> 
> 
> 
> 
> Peter Van Epp a écrit :
> > 
> >         The likely answer is indeed that the SPIs in and 
> out are different
> > (they are on our VPN) and thus argus treats them as 
> different flows each way.
> 
> well the SPIs certanly would be different. IPsec uses
> seperate incomming and outgoing Security Associations (SAs),
> while IKE uses just one, so for a complete tunnel
> there are 3 SAs...
> 
> But if argus does extrace the SPI from the ESP packet,
> is there any way to tell it to ignore it? I'm going
> to log the packets on the internal side anyway, so I'll
> know what's entering and leaving the tunnels...
> 
> Ho hum...
> Ciaran
> 
> -- 
> +---------------------------------------------------------+
> Ciaran Deignan                              04 38 49 87 27
> 
> Netcelo SA - IPsec VPN Solutions    http://www.netcelo.com/
> 18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
> +---------------------------------------------------------+
>

More information about the argus mailing list