[dns-operations] dnsflow again (Re: DNS Traffic Archive Protocol )

Robert Edmonds edmonds at isc.org
Tue Dec 7 04:41:37 UTC 2010


Dobbins, Roland wrote:
> If nmsg could be piped over IPFIX a la PSAMP, this would allow for
> powerful combinatorial analysis of this data with traffic heuristics
> and other relevant network telemetry.

hm, i've looked at the draft you linked and skimmed some of the RFCs
referenced in the first section, and i'm confused as to how NMSG and
IPFIX could ever interoperate.  but multiple people have mentioned IPFIX
and NMSG together so i must be missing something.

when you say PSAMP is "piped over IPFIX" it makes it sound like IPFIX is
a transport protocol that PSAMP is layered on top of, but from skimming
these RFCs it seems like PSAMP is really a specification or message
schema composed in terms of IPFIX protocol elements rather than an
independent protocol.  a protocol enchilada, in other words.

also i should point out again that NMSG relies heavily upon google
protocol buffers:

    http://code.google.com/p/protobuf/

we are basically just multiplexing different protobuf schemas identified
by a unique vendor ID / message ID code on top of a common transport
with a minimalistic header.  (i've tried to avoid making assumptions in
the libnmsg implementation that prevent utilizing the NMSG encapsulation
format for non-protobuf payloads, but i've never had need to develop a
non-protobuf based message type for NMSG so i don't know how successful
i've been.)

if my initial impression of IPFIX/PSAMP is correct it would be quite a
difficult engineering feat to get NMSG and IPFIX to interoperate, as one
would basically need to map the protobuf data model to the IPFIX one,
and it looks like they are not good matches for each other.

are my impressions totally mistaken?

-- 
Robert Edmonds
edmonds at isc.org
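
The multiplexing described in the message above (payloads identified by a vendor ID / message ID pair behind a minimal header), as an added example that is not part of the original message or of libnmsg. The header layout, the size limit and the decoder names are assumptions for illustration, not the real NMSG wire format, and plain byte decoders stand in for protobuf schemas.

```python
import struct

# Hypothetical container header (NOT the real NMSG wire format):
# vendor id (u32), message type id (u32), payload length (u32), big-endian.
HEADER = struct.Struct("!III")
MAX_PAYLOAD = 65535  # constructed bound so a bad length cannot force a huge read

# Registry mapping (vendor id, message type id) -> payload decoder.
# In NMSG each payload would be a protobuf message; plain decoders stand in here.
DECODERS = {}

def register(vid, msgtype):
    def wrap(fn):
        DECODERS[(vid, msgtype)] = fn
        return fn
    return wrap

@register(1, 1)
def decode_text(payload):
    return {"kind": "text", "value": payload.decode("utf-8")}

@register(1, 2)
def decode_counter(payload):
    (n,) = struct.unpack("!Q", payload)
    return {"kind": "counter", "value": n}

def pack(vid, msgtype, payload):
    return HEADER.pack(vid, msgtype, len(payload)) + payload

def demux(stream):
    """Split a byte stream into decoded messages; unknown types stay opaque."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < HEADER.size:
            raise ValueError("truncated header")
        vid, msgtype, length = HEADER.unpack_from(stream, off)
        off += HEADER.size
        # Check the declared length against both the cap and the bytes present.
        if length > MAX_PAYLOAD or length > len(stream) - off:
            raise ValueError("bad payload length")
        payload = stream[off:off + length]
        off += length
        decoder = DECODERS.get((vid, msgtype))
        # Unknown (vendor, type) pairs are skipped by length, never parsed.
        out.append(decoder(payload) if decoder else
                   {"kind": "unknown", "vid": vid, "msgtype": msgtype, "size": length})
    return out

# Constructed sample stream: two registered types and one unregistered one.
SAMPLE = pack(1, 1, b"example.com") + pack(1, 2, struct.pack("!Q", 42)) + pack(9, 7, b"\x00\x01")
```
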


