argus and IETF IPFIX

Carter Bullard carter at qosient.com
Mon Jan 29 14:08:29 EST 2007


Gentle people,
I have been a participant in the IETF IPFIX working group since its
inception, and have come to some basic decisions as to what argus
will do with regard to IPFIX, at least the first round of IPFIX.

I'm pretty much of the opinion that argus/ra will eventually read IPFIX
data, much like we read CISCO Netflow data, but we will not transport
flow data via IPFIX.  This is based on my lack of success in trying to
get argus's fundamental feature set into IPFIX, specifically 'pull' data
support, integrated strong authentication/encryption in the protocol,
concepts like source filtering, reliable record recovery etc.... and of
course the argus data model, which includes bi-directional flows,
multiple multi-level flow models, non-sequential data record access,
indexing and processing, explicit support for record merging and
multi-probe record correlation.

My thinking is that IPFIX is unusable for some of argus's features,
which makes embracing it pretty difficult.

Does this position cause any heartache on this list?
Does anyone care?  Probably not, just wanted to get some
formal dialog going.

The reason that I mention this now is that I am starting to transition
some of the gargoyle() file structure support over to argus(), which
includes things like indexing, author source identification, MD5
based integrity checking, and data anonymization.  IPFIX oriented
file support would have been a starting point, but I think that we'll
do something else, since the IPFIX effort is going in a different
direction.

Hope all is most excellent, and of course, opinions/suggestions/
comments/flames/whatever are always welcome!!!!!!

Carter