[13:57:41] --- rstory has joined
[13:58:47] --- rstory has left
[16:11:06] --- dbh2 has joined
[16:11:30] --- dbh2 has left
[16:13:02] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has joined
[16:15:10] --- j.schoenwaelder@jabber.eecs.iu-bremen.de has left: Replaced by new connection
[17:31:19] --- sharonchisholm has joined
[17:43:18] --- irino has joined
[17:44:34] <sharonchisholm> Anyone not in the room?
[17:44:51] * sharonchisholm has changed the subject to: nmrg
[17:45:46] --- rstory has joined
[17:46:39] --- rstory has left
[17:46:40] --- rstory has joined
[17:47:22] <sharonchisholm> We're getting started.
[17:47:34] <sharonchisholm> Is everyone in the room or listening to the audio stream?
[17:47:49] <sharonchisholm> Dave Harrington has entered the building
[17:48:23] <sharonchisholm> http://www.ibr.cs.tu-bs.de/projects/nmrg/meeting/2006/montreal
[17:48:48] <sharonchisholm> the slides are there ... agenda ...
[17:48:58] <sharonchisholm> agenda bashing
[17:50:11] --- dbh2 has joined
[17:50:50] <sharonchisholm> originally planned a co-chair (other than dave?) but he couldn't make it to montreal
[17:51:20] <sharonchisholm> -
[17:51:33] <sharonchisholm> NMRG Status Report 2006
[17:51:59] <sharonchisholm> Back in 1998 in Lausanne
[17:52:10] <sharonchisholm> Bert looked younger ;-)
[17:52:41] --- marz has joined
[17:52:41] --- marz has left: Lost connection
[17:52:43] <sharonchisholm> Started as collaboration and discussion
[17:53:08] <sharonchisholm> bridge gaps between communities ... academia, industries, operators, SDOs
[17:53:18] <sharonchisholm> improve mutual understanding
[17:53:58] <sharonchisholm> generally just have interim meetings. Short meetings are not as useful
[17:54:03] <sharonchisholm> This is the first time we met during the IETF
[17:54:20] --- miaofy has joined
[17:54:32] --- marz has joined
[17:54:46] <sharonchisholm> past topics ... SNMP, SNMP, SNMP
[17:55:15] <sharonchisholm> security of SNMP ... not allowed to do configuration.
[17:55:39] <sharonchisholm> had get-config and set-config in earlier SNMP-based research
[17:55:47] <sharonchisholm> SNMP versus COPS-PR
[17:56:23] <sharonchisholm> SMIng .... calling this ng makes it fail
[17:57:33] <sharonchisholm> SMI and XSD convergence
[17:58:27] <sharonchisholm> XML and web services ...
[17:58:43] <sharonchisholm> VoIP
[17:59:48] <sharonchisholm> NMRG Achievements
[17:59:58] <sharonchisholm> 16 workshops .. 4 RFCs
[18:00:06] <sharonchisholm> 16 other publications
[18:00:56] <sharonchisholm> Influenced IETF work (SMIng ... which failed)
[18:01:09] <sharonchisholm> 140 people on mailing list
[18:01:30] <sharonchisholm> Experiences
[18:01:50] <sharonchisholm> building bridges is non-trivial
[18:02:21] --- psavola has joined
[18:02:21] <sharonchisholm> volunteers, so can't tell people what to work on
[18:02:30] <sharonchisholm> projects don't always go to completion
[18:02:43] <sharonchisholm> references ...
[18:03:13] <sharonchisholm> -------
[18:03:38] <sharonchisholm> SNMP Traffic Measurements.
[18:05:27] <sharonchisholm> There is an internet draft that talks about what we would like to measure
[18:05:39] <sharonchisholm> Also, characterization of MIB Modules
[18:06:15] <sharonchisholm> 1. Motivation
[18:06:32] <sharonchisholm> SNMP is well documented and understood.
[18:07:11] <sharonchisholm> there are some SNMP books out there which are wrong
[18:07:47] <sharonchisholm> SNMP has 'fancy' features. discontinuity features ... row creation modules
[18:08:13] <sharonchisholm> But we don't know how it gets used in a real network
[18:09:16] <sharonchisholm> if you look at real SNMP traffic, can you tell if people use discontinuity indicators, or are they a waste of time
[18:09:27] <sharonchisholm> what is used, and what is used
[18:09:31] <sharonchisholm> and what is not used
[18:09:40] <dbh2> slide 6
[18:09:48] <sharonchisholm> how much of IETF work is artificial
[18:09:57] <sharonchisholm> Why is this important ....
[18:10:29] <sharonchisholm> - lots of people propose improvements to SNMP and there is no way to justify
[18:10:55] <sharonchisholm> So, the researcher picks their own examples ...
[18:10:57] <sharonchisholm> can't compare
[18:11:04] <sharonchisholm> or tell which is best
[18:11:50] <sharonchisholm> And in the IETF, we spend time reviewing things, is it time well spent?
[18:12:27] <sharonchisholm> ISMS example of session key ... the question is whether the traffic pattern in real networks ... does this support the idea of session to help amortize the cost of the session set up over time?
[18:12:56] <sharonchisholm> questions to answer
[18:13:24] <sharonchisholm> which versions, manager to network element relationship, what protocol operations are being used
[18:13:32] <sharonchisholm> periodic versus not
[18:13:58] <sharonchisholm> message size and latency
[18:14:23] <sharonchisholm> concurrency levels
[18:14:28] --- jmclendon has joined
[18:14:39] <sharonchisholm> table retrieval approaches
[18:15:57] <sharonchisholm> trap-directed polling - myths or reality?
[18:17:01] <sharonchisholm> popular MIB definitions
[18:17:33] <sharonchisholm> deprecated or obsolete ... ipRouteTable for example
[18:17:48] <sharonchisholm> <yes, that one is implemented and widely used by management applications>
[18:18:51] <sharonchisholm> row creation ...
[18:19:51] <sharonchisholm> implementation and configuration errors
[18:20:29] <sharonchisholm> looking for additional questions from people
[18:20:40] <sharonchisholm> 2. Background: Characterization of MIB Modules
[18:22:19] <sharonchisholm> The MIBs on his list were the ones that were easy to get at
[18:22:39] <sharonchisholm> Cisco had lots, but took a while to sort out which were the actual enterprise MIBs
[18:23:49] <sharonchisholm> stopped gathering, but this amount was already a lot of work
[18:25:20] --- rstory has left: Replaced by new connection
[18:25:27] --- rstory has joined
[18:25:28] <sharonchisholm> graphing productivity
[18:26:44] <sharonchisholm> vendor modules are faster to revise than IETF or ATMF
[18:27:00] --- marz has left: Disconnected.
[18:27:31] <sharonchisholm> IETF typically only has one version of a MIB
[18:29:06] <sharonchisholm> mostly sending integers on the wire
[18:29:43] <sharonchisholm> or the SMI is integers ... but this might not be what is being sent over the wire
[18:30:24] <sharonchisholm> why ifTable and ifXTable.
[18:30:34] <sharonchisholm> People were worried that a row might not fit into a single packet
[18:30:44] <sharonchisholm> tried to calculate how big a row was
[18:34:02] <sharonchisholm> encoding size distribution
[18:35:01] <sharonchisholm> Notification encoding
[18:35:30] <sharonchisholm> 90% seem to fit into the message boundary
[18:35:39] <sharonchisholm> 3. Measurement approach
[18:36:46] <sharonchisholm> Dave Partain - I wanted to find out about the environment for data collection
[18:37:21] <sharonchisholm> Robert - what do you want to do with the data you collect. What is the end goal. Things that MIB doctor makes people do, ... if to lighten the review process. are we thinking of that.
[18:38:00] <sharonchisholm> Juergen - I just want to get data. It is up to the IETF to decide what to do with it
[18:38:18] <sharonchisholm> Dave Perkins - design patterns ... split 32 bit counters, did you look at this?
[18:38:42] <sharonchisholm> Juergen - it would be hard to do. You would have to do it by hand or look at naming conventions
[18:38:54] <sharonchisholm> Dave Perkins - also string indexing into tables
[18:39:10] <sharonchisholm> Juergen - did look at indexing. Integers were the most popular
[18:39:47] <sharonchisholm> John - Network management more an art than a science ... people collect information, and if they don't know what to do with it, would they make it worse
[18:40:06] <sharonchisholm> John - an insurance company wants to sell insurance, not manage networks
[18:40:17] <sharonchisholm> John - we seem to be in the same place we were 20 years ago
[18:40:26] <sharonchisholm> Juergen - I just want to find out what is happening
[18:40:37] <sharonchisholm> Juergen - can't figure out why they are doing it
[18:41:01] <sharonchisholm> Juergen - can look at what is on the wire. can't figure out why. Can sometimes go ask operator
[18:41:26] <sharonchisholm> John - do a lot of work and trying to understand the return on investment. Is it all over engineered
[18:41:55] <sharonchisholm> Dave Perkins - I'm really excited about what Juergen is doing. This is the first time people have looked at things like this
[18:42:34] <sharonchisholm> Dan - As a human being ... spiritual fulfilment. Want to be healthy. In order to measure how healthy, doctor sends to health test.
[18:42:57] <sharonchisholm> B - will you measure of security in SNMP. How often is public left as the community string.
[18:43:02] <sharonchisholm> Juergen - yes
[18:43:20] <sharonchisholm> Measurement Process
[18:43:40] <sharonchisholm> put a box on the network where you think the manager is and run tcp dump
[18:43:57] <sharonchisholm> capture raw SNMP data. run a week to a month
[18:44:08] --- irino has left
[18:44:12] <sharonchisholm> convert ..
[18:45:10] <sharonchisholm> take out sensitive information
[18:45:31] <sharonchisholm> and ip address ...
[18:46:07] <sharonchisholm> analyse it
[18:47:40] <sharonchisholm> wes - when you go to an institution, without knowing what they think they are trying to do. If you didn't see a set across the wire, is it possible they didn't do anything requiring a set
[18:48:34] <sharonchisholm> Division of work ...
[18:48:46] <sharonchisholm> operator ... someone analysing the data
[18:49:14] <sharonchisholm> they have NDA agreements sometimes
[18:49:38] <sharonchisholm> and get raw data
[18:49:40] <sharonchisholm> that is nice
[18:50:07] <sharonchisholm> some operators will run our tools on their data themselves
[18:50:47] <sharonchisholm> created an XML format for their output
[18:51:56] <sharonchisholm> this mapping is also reversible
[18:52:31] <sharonchisholm> pros and cons to XML format
[18:53:01] --- irino has joined
[18:54:02] <sharonchisholm> scripting this stuff isn't as easy ... in perl looking for an event-driven API. Can't be DOM
[18:54:10] <sharonchisholm> Too big
[18:54:14] <sharonchisholm> that was the most worrying
[18:54:25] <sharonchisholm> writing complex code is nasty
[18:54:38] <sharonchisholm> created a CSV format
[18:55:18] <sharonchisholm> supports both formats. this one is popular
[18:59:03] <sharonchisholm> snmpdump and libanon
[18:59:38] <sharonchisholm> filter traffic into different flows
[19:00:30] --- LOGGING STARTED
[19:00:42] --- sharonchisholm has joined
[19:00:44] <sharonchisholm> test
[19:01:00] <sharonchisholm> they wrote different rules for different datatypes
[19:02:18] --- dbh2 has joined
[19:03:07] <sharonchisholm> how strong anon you can get depends on how much of the name space is used. There might not be much you can swap
[19:03:58] <sharonchisholm> libanon API
[19:04:31] --- irino has joined
[19:04:56] <sharonchisholm> flow identification
[19:05:41] <sharonchisholm> assume one agent per box
[19:06:09] <sharonchisholm> analysis scripts
[19:06:21] <sharonchisholm> 5. First results
[19:06:37] <sharonchisholm> 5 traces
[19:07:41] <sharonchisholm> some of these are ongoing
[19:07:47] <sharonchisholm> other places offering data
[19:08:09] <sharonchisholm> good test of tools
[19:08:41] <sharonchisholm> if you know someone who runs a non-academic network ... who might be willing to support us ... let us know
[19:10:20] <sharonchisholm> the number of syslog messages is a fraction of that of SNMP
[19:10:41] <sharonchisholm> no SNMPv3 packets
[19:11:09] <sharonchisholm> SNMPv1 and SNMPv2c are both popular
[19:11:24] <sharonchisholm> did not see set requests
[19:11:31] <sharonchisholm> didn't see informs
[19:11:55] <sharonchisholm> two locations liked to use get-bulk
[19:12:50] <sharonchisholm> In some traces there are no 64 bit counters, in others, there are no 64 bit counters
[19:13:00] <sharonchisholm> Bert - there are also exceptions in get
[19:13:18] <sharonchisholm> Dave Perkins - did you look at get-bulk, were they trying to fill up the PDU
[19:13:28] <sharonchisholm> Juergen - currently looking at that, not in the slide
[19:14:11] <sharonchisholm> Wes - People could choose v2c, but not know why
[19:16:00] <sharonchisholm> Simon - the trace that has these mounds .. 42% of the messages are requests are small, if they are using get-bulk, many of the responses are large
[19:16:15] <sharonchisholm> (I think we are on slide 40)
[19:17:05] <sharonchisholm> Wes - people not using get-bulk for scalars might explain the left hand side
[19:17:20] --- psavola has joined
[19:17:54] <sharonchisholm> Juergen - no it is get-bulk. The agent doesn't know size ... either think small and guarantee or go big and hope it will go through. One is conservative and one is being aggressive
[19:18:17] <sharonchisholm> Juergen - single object per get-next
[19:18:53] <sharonchisholm> Discontinuity indicators
[19:19:41] <sharonchisholm> Margaret - some applications display if there is a discontinuity and let the user figure it out
[19:19:48] <sharonchisholm> Popular MIB modules
[19:19:52] <sharonchisholm> IF-MIB
[19:19:56] <sharonchisholm> IP-MIB
[19:20:00] <sharonchisholm> BGP4-MIB
[19:20:05] <sharonchisholm> SNMPv2-MIB
[19:20:08] <sharonchisholm> BRIDGE-MIB
[19:20:17] <sharonchisholm> Unknown
[19:21:30] <sharonchisholm> Wes - The interesting MIB there is the SNMPv2 MIB. I can tell which of those are using a commercial product and I can name it.
[19:22:08] <sharonchisholm> Wes - to be blunt. I don't think most network operators care in most cases. How many packets are being sent to their agent. At least one of the commercial products looks for this by default.
[19:22:28] <sharonchisholm> Some of the difference in sizes is how much information is being collected and why.
[19:22:54] <sharonchisholm> The people with zero, probably have handgrown stuff
[19:23:33] <sharonchisholm> Wes - it was probably the commercial products that used get-bulk. People start slow and then when stuff doesn't scale, they look into the more complicated stuff
[19:24:03] <sharonchisholm> wes - also curious as to what people actually do
[19:25:44] <sharonchisholm> are people looking at half the stuff in GUIs
[19:26:11] <sharonchisholm> sharon - I think 90% of MIBs never get used. Start finding what gets sucked down my management applications and then decide what gets looked at.
[19:26:28] <sharonchisholm> Sharon - also, even commercial management tools start out with get-next and then only use get-bulk when things don't scale
[19:26:46] <sharonchisholm> Conclusions
[19:26:54] <sharonchisholm> The goal is to understand what is happening
[19:27:50] <sharonchisholm> eventually what the manager is trying to do
[19:28:39] <sharonchisholm> Robert - have you looked at fingerprinting implementations ... figure out which implementations people might be using
[19:28:52] <sharonchisholm> Juergen - thought about it, but it is not the goal.
[19:29:40] <sharonchisholm> Wes - some feedback on how hard it is to get traces? How many people have you asked? I looked into getting traces a while back, and people didn't want to give it?
[19:30:30] <sharonchisholm> Juergen - everyone told me this is impossible, that nobody is going to give you data. But, it isn't actually that hard. People need to trust you though. Approach the right people to talk to. And the right language.
[19:30:48] <sharonchisholm> It probably helps we have an NMRG label
[19:31:05] <sharonchisholm> Wes - it probably helps that you are talking about a single protocol and have well-defined anon algorithms
[19:31:30] <sharonchisholm> Dave - this is pretty exciting ... later, add to list ... behaviour is based on libraries being used. Some libraries do bad things
[19:31:42] <sharonchisholm> Dave - all applications that use those libraries do that same bad things
[19:31:48] <sharonchisholm> Dave - could filter those out
[19:32:10] <sharonchisholm> Dave - If you could find two different applications that did the same thing. Two bridge management applications and see how they differ.
[19:32:21] <sharonchisholm> Juergen - not at that level yet.
[19:33:01] <sharonchisholm> Juergen - re-transmission behaviour was good for fingerprinting ... not on slides. Not our target goal
[19:33:16] <sharonchisholm> Juergen - not interested in their stacks and applications
[19:33:53] <sharonchisholm> Wes - I don't have interesting networks from which you can steal data ... when you do get it to a point where you have information and send a website, I can then point to it and send to user basis.
[19:34:39] <sharonchisholm> Juergen - just showing the document was good enough for some people
[19:34:50] <sharonchisholm> Wes - some people will read, some people won't
[19:34:59] <sharonchisholm> Juergen - no general way to approach operators
[19:38:22] <sharonchisholm> sharon - what about configuration ... do you think that is achievable. More payback potentially than SNMP since we probably won't be fixing SNMP
[19:39:35] <sharonchisholm> Looking to define a list of research topics over the next 5 years
[19:39:50] <sharonchisholm> want to bring people together from different backgrounds like we do in the NMRG
[19:40:17] <sharonchisholm> Proposal is to have it driven by NMRG and 'this project'
[19:40:31] <sharonchisholm> In october there is something in europe. Co-locate an event with this
[19:40:47] <sharonchisholm> 2 days. Try to figure out what the research questions are and turn it into a research agenda
[19:41:15] <sharonchisholm> who wants to contribute and who wants to go?
[19:42:19] <sharonchisholm> sharon - can people send via email instead
[19:42:24] <sharonchisholm> juergen - sure
[19:42:25] <sharonchisholm> Thanks
[19:42:30] <sharonchisholm> We are done
[19:42:38] --- irino has left
[19:44:36] --- miaofy has joined
[19:45:17] --- dbh2 has left
[19:45:27] --- sharonchisholm has left
[19:46:36] --- miaofy has left
[20:16:15] --- miaofy has joined
[20:32:23] --- psavola has left
[20:41:04] --- miaofy has left