Argus and SDN (software defined network) auditing

Carter Bullard carter at qosient.com
Thu Nov 1 12:32:21 EDT 2012


Gentle people,
Argus has all the encapsulation parsing capabilities to track flows within most of
what the industry is calling SDNs, whether argus is deployed in the end system or
within the core.  However, we haven't had a lot of testing of the parsing support for
multiple GRE tunnels, multiple VLAN tags and multiple MPLS labels in the same
packet.  Issues like what the minimum snaplen should be for SDNs are a bit of an
unknown.  We've guessed at 96 bytes, but more may be needed as we go along.

Post processing of SDN flows also needs a bit of work.  The ability to identify specific
SDN traffic, based on the various flow tags that represent the SDN, hasn't been
worked on, so there is work to do for argus to do a good job on SDN auditing.
We can label traffic based on multiple encapsulation IDs, but we will need to
do better on configuration.

If you are running SDNs, looking at how argus works with that traffic, and how it
reports on encapsulation identifiers will help us to know how we're doing.

Of course, there are encapsulations that are used in SDNs that argus does not
parse.  Encapsulations used in Nicira's STT and VXLAN, which are either new
protocols or are extensions to existing protocols, argus does not decode.  These
flows will stop at, say, a UDP header, rather than going into the SDN identifiers.

If you discover these situations in your testing, and you could grab some packets
and describe what you think is going on with regard to encapsulations, we'd be
very happy to add the required parsing.

If you are running SDNs, and argus isn't quite right for you, holler on the mailing list
and we'll make it work better!!!!!

Carter
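The snaplen question raised in the post (is 96 bytes enough to get through stacked VLAN tags, MPLS labels, GRE and a tunnel header to the inner ports?) is easiest to answer by walking the encapsulation stack and noting the offset at which the inner transport ports end. The following is an added example, not argus code and not part of the original post: a small encapsulation walker over constructed frames that collects the identifiers on the way (VLAN IDs, MPLS labels, GRE key, VXLAN VNI), returns the innermost IPv4 5-tuple and the byte count a capture must keep, and then checks whether a given snaplen still lets the whole stack parse. It goes slightly beyond the post by also decoding VXLAN, under the assumption that VXLAN is identified by UDP destination port 4789; it handles IPv4 only, and the sample frames are built inline rather than taken from any capture.

```python
"""Added example (not argus code): walk stacked encapsulations in a raw
Ethernet frame, collect the SDN-style identifiers found on the way, and
report how many bytes a capture must keep (the snaplen) to reach the
innermost transport ports.  Assumptions: IPv4 only, VXLAN recognised by
UDP destination port 4789, all sample frames are constructed here."""
import struct

ETHERTYPE_VLAN, ETHERTYPE_QINQ = 0x8100, 0x88A8
ETHERTYPE_IPV4, ETHERTYPE_MPLS = 0x0800, 0x8847
ETHERTYPE_TEB = 0x6558             # GRE payload type for a bridged Ethernet frame
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
VXLAN_PORT = 4789                  # assumption: VXLAN only ever on the IANA port


def _ip(b):
    return ".".join(map(str, b))


def parse_frame(frame):
    """Return (tags, flow, snaplen): encapsulation ids outermost first,
    the innermost IPv4 5-tuple, and the byte offset just past its ports."""
    tags, off = [], 0

    def ethernet():
        nonlocal off
        etype, = struct.unpack_from("!H", frame, off + 12)
        off += 14
        # 802.1Q / 802.1ad tags stack: 2-byte TCI, then the next ethertype
        while etype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            tci, etype = struct.unpack_from("!HH", frame, off)
            tags.append(("vlan", tci & 0x0FFF))
            off += 4
        return etype

    etype = ethernet()
    while True:
        if etype == ETHERTYPE_MPLS:
            # 4-byte label entries; bit 8 (bottom of stack) ends the stack
            while True:
                word, = struct.unpack_from("!I", frame, off)
                tags.append(("mpls", word >> 12))
                off += 4
                if word & 0x100:
                    break
            if frame[off] >> 4 != 4:   # MPLS has no next-protocol field
                raise ValueError("non-IPv4 payload after MPLS")
            etype = ETHERTYPE_IPV4
        elif etype == ETHERTYPE_IPV4:
            ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
            src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
            off += ihl
            if proto == IPPROTO_GRE:
                flags, gre_type = struct.unpack_from("!HH", frame, off)
                off += 4
                if flags & 0x8000:         # checksum + reserved1 present
                    off += 4
                if flags & 0x2000:         # key present: the tunnel identifier
                    tags.append(("gre-key", struct.unpack_from("!I", frame, off)[0]))
                    off += 4
                if flags & 0x1000:         # sequence number present
                    off += 4
                etype = ethernet() if gre_type == ETHERTYPE_TEB else gre_type
            elif proto in (IPPROTO_TCP, IPPROTO_UDP):
                sport, dport = struct.unpack_from("!HH", frame, off)
                if proto == IPPROTO_UDP and dport == VXLAN_PORT:
                    # UDP has no next-protocol field, so a parser that does not
                    # dispatch on the port stops here with only the outer flow.
                    off += 8                                  # UDP header
                    tags.append(("vxlan-vni", int.from_bytes(frame[off + 4:off + 7], "big")))
                    off += 8                                  # VXLAN header
                    etype = ethernet()
                else:
                    return tags, (_ip(src), _ip(dst), proto, sport, dport), off + 4
            else:
                raise ValueError("unsupported IP protocol %d" % proto)
        else:
            raise ValueError("unsupported ethertype 0x%04x" % etype)


def fits_snaplen(frame, snaplen=96):
    """True if the whole stack still parses after the frame is cut to
    `snaplen` bytes, as a capture taken with that snaplen would be."""
    try:
        parse_frame(frame[:snaplen])
        return True
    except (struct.error, IndexError):
        return False


# --- constructed sample frames (not captures) ----------------------------
def eth(etype, vlans=()):
    hdr = bytes.fromhex("020000000001020000000002")
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid)
    return hdr + struct.pack("!H", etype)


def ipv4(proto, src="10.0.0.1", dst="10.0.0.2"):
    a = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, a(src), a(dst))


def mpls(*labels):
    return b"".join(struct.pack("!I", (l << 12) | (0x100 if i == len(labels) - 1 else 0))
                    for i, l in enumerate(labels))


SAMPLES = {
    # QinQ (two VLAN tags) + two MPLS labels + IPv4/TCP: 54 bytes to the ports
    "qinq+mpls": eth(ETHERTYPE_MPLS, vlans=(100, 200)) + mpls(16, 17)
                 + ipv4(IPPROTO_TCP) + struct.pack("!HH", 12345, 443),
    # GRE with key, bridging an inner VLAN-tagged frame carrying UDP: 84 bytes
    "gre-teb": eth(ETHERTYPE_IPV4) + ipv4(IPPROTO_GRE, "192.0.2.1", "192.0.2.2")
               + struct.pack("!HHI", 0x2000, ETHERTYPE_TEB, 0xBEEF)
               + eth(ETHERTYPE_IPV4, vlans=(42,)) + ipv4(IPPROTO_UDP)
               + struct.pack("!HH", 5353, 53),
    # VXLAN (VNI 5000) carrying an inner VLAN-tagged frame with TCP: 92 bytes
    "vxlan": eth(ETHERTYPE_IPV4) + ipv4(IPPROTO_UDP, "203.0.113.1", "203.0.113.2")
             + struct.pack("!HHHH", 49152, VXLAN_PORT, 0, 0)
             + struct.pack("!B3s3sB", 0x08, b"\0\0\0", (5000).to_bytes(3, "big"), 0)
             + eth(ETHERTYPE_IPV4, vlans=(7,)) + ipv4(IPPROTO_TCP)
             + struct.pack("!HH", 40000, 80),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        tags, flow, need = parse_frame(frame)
        print(f"{name:10s} tags={tags} flow={flow} needs {need} bytes, "
              f"fits 96-byte snaplen: {fits_snaplen(frame)}")
```

All three constructed stacks fit in 96 bytes, but the VXLAN case with a single inner VLAN tag is already at 92, so one more outer tag, a GRE sequence number, or IP options would push past the guess; `fits_snaplen` is the check to run on real traffic before settling on a value. The VXLAN branch also shows why a parser without port-based dispatch stops at the UDP header: nothing in UDP itself says what follows.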
