Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Saku Ytti]

On Fri, 29 Mar 2024 at 02:15, Nick Hilliard  wrote:

> Overall, sflow has one major advantage over netflow/ipfix, namely that
> it's a stateless sampling mechanism.  Once you have hardware that can

> Obviously, not all netflow/ipfix implementations implement flow state,
> but most do; some implement stateless sampling ala sflow. Also many

> Tools should be chosen to fit the job. There are plenty of situations
> where sflow is ideal. There are others where netflow is preferable.

This seems like a long-winded way of saying, sFlow is a perfect subset of IPFIX.

We will increasingly see IPFIX implementations omit state, because
states don't do anything anymore in high-volume networks, you will
only ever create flow in cache, then delay exporting the information
for some seconds, but the flow is never hit twice, therefore paying
massive cost for caching, without getting anything out of it. Anyone
who actually needs caching, will have to buy specialised devices, as
it will no longer be economical for peering-routers to offer such
memory bandwidth and cache sizes that caches will actually do
something.
In a particular network we tried 1:5000 and 1:500 and in both cases
flow records were 1 packet long, at which point we hit record export
policer limit, and couldn't determine at which sampling rate we will
start to see cache being useful.

I've wondered for a long time, what would a graph look like, where you
graph sampling ratio and percentage of flows observed, it will be
linear to very high sampling ratios, but eventually it will start to
taper off, I just don't have any intuitive idea when. And I don't
think anyone really knows what ratio of flows they are observing in
the sFlow/IPFIX, if you keep sampling ratio static over a period of
time, say decade, you will continuously reduce your resolution, seeing
a smaller percentage of flows. This worries me a lot, because
statistician would say that you need this share of volume or this
share of flows if you want to use the data like this with this
confidence, therefore if we formally think the problem, we should
constantly adjust our sampling ratios to fit our statistical model to
keep same promises about data quality.

-- 
  ++ytti

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Saku Ytti]

On Thu, 28 Mar 2024 at 20:36, Peter Phaal  wrote:

> The documentation for IOS-XR suggests that enabling extended-router in the 
> sFlow configuration should export "Autonomous system path to the 
> destination", at least on the 8000 series routers:
> https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/netflow/command/reference/b-netflow-cr-cisco8k/m-sflow-commands.html
> I couldn't find a similar option in the NetFlow/IPFIX configuration guide, 
> but I might have missed it.

Hope this clarifies.

--- 
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-9/configuration/guide/b-netflow-cg-asr9k-79x/configuring-netflow.html
Use the record ipv4 [peer-as] command to record peer AS. Here, you
collect and export the peer AS numbers.
Note
Ensure that the bgp attribute-download command is configured. Else, no
AS is collected when the record ipv4 or record ipv4 peer-as command is
configured.


-- 
  ++ytti

Re: N91 Women mixer on Sunday?

[Mark Tinka]

On 3/29/24 07:03, Eric Parsonage wrote:

It's easily fixed by having a mixer at the same time for the other 
half of the gathering population thus showing all the population 
gathering matters equally.


My memory is a little fuzzy, but I think I recall one of the early WiT 
lunches hosted at NANOG that was women-only, where some men were upset 
for being "left out". Whether that was good or bad is less important 
than understanding what the outcome of a women-only activity is for 
women, especially for those for whom it may not be immediately obvious.


While equal access to opportunity between the genders is the most 
effective policy, I think there is utility in women having their own 
session, given that they face unique challenges in an industry where 
they are the minority operators.


Mark.

Re: N91 Women mixer on Sunday?

[Mark Tinka]

On 3/29/24 06:20, Ren Provo wrote:

I beg to differ here and second Ilissa’s comments.  I miss WiT.  Lunch 
during the meeting worked.  Giving up more of the weekend to travel 
does not show half the population gathering matters.


It would be interesting to survey the % of attending women who:

    - Would be able to make the mixer.
    - Would not be able to make the mixer due to family commitments.
    - Would not be able to make the mixer due to non-family commitments.
    - Would prefer a different women's meeting format and/or activity.

I think this data would be useful because while some women may voice 
difficulty with attending the mixer (or wanting a different women's 
meeting format/activity), it might be premature to attribute that 
difficulty to all women that would be in attendance.


Understanding where the majority of women lie can help the NANOG PC make 
better decisions about how to support both the majority and minority of 
women as it pertains to a mixer or other activity women may like to 
participate in at or around the conference.


Mark.

Re: N91 Women mixer on Sunday?

[Eric Parsonage]

It's easily fixed by having a mixer at the same time for the other half of the 
gathering population thus showing all the population gathering matters equally.



On 29 March 2024 2:50:19 pm ACDT, Ren Provo  wrote:
>I beg to differ here and second Ilissa’s comments.  I miss WiT.  Lunch
>during the meeting worked.  Giving up more of the weekend to travel does
>not show half the population gathering matters.
>
>
>On Thu, Mar 28, 2024 at 15:16 Morris, Tina via NANOG 
>wrote:
>
>> Illissa,
>> The mixer is at 5pm Sunday, this allows people to network and prepare for
>> the week. Sunday also has a hackathon, registration, and often a welcome
>> social. NANOG has a very compressed schedule and another time would
>> actually mean that the women participating would have to pick between this
>> event and another event or talk  that may be critical to their job
>> function, which is also unfair.
>>
>> We are advertising this mixer to make sure all are aware and can attend,
>> and the mixers will  be on the schedule at the same approximate time at
>> each meeting going forward.
>>
>> I hope we will see you there.
>>
>> Tina Morris
>>
>>
>> On Mar 28, 2024, at 14:12, Thomas Scott  wrote:
>>
>> 
>>
>> *CAUTION*: This email originated from outside of the organization. Do not
>> click links or open attachments unless you can confirm the sender and know
>> the content is safe.
>>
>> > While the times are changing, women continue to remain primary
>> caregivers for families and this will require them to desert their families
>> a day early.  I find it offensive personally and feel like you may have
>> missed the mark.
>>
>> The hackathon has for (as far as I’ve known about it) been on Sunday. I
>> don’t work on Sundays - it’s a day for my family (unless the almighty pager
>> goes off), so I’ve never gone - even though it’s one of the parts of NANOG
>> I’d enjoy, and would benefit from the most.
>>
>> There are tradeoffs for everything - perhaps the idea was to keep the
>> women’s mixer separate from the other evening events, so that those who
>> wish to participate, can do all of the evening events, and not have to give
>> up anything, at the cost of the extra day. That being said, I agree, moving
>> more to Sunday is not an acceptable answer to me.
>>
>> Best Regards,
>> -Thomas Scott
>>
>> On Mar 28, 2024 at 1:45:07 PM, Ilissa Miller  wrote:
>>
>>> For those that know me, I rarely provide constructive input about NANOG
>>> matters due to my past affiliation, however, I just saw that NANOG
>>> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
>>> of the young professional women
>>> ZjQcmQRYFpfptBannerStart
>>> This Message Is From an Untrusted Sender
>>> You have not previously corresponded with this sender.
>>>
>>> ZjQcmQRYFpfptBannerEnd
>>>
>> For those that know me, I rarely provide constructive input about NANOG
>>> matters due to my past affiliation, however, I just saw that NANOG
>>> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
>>> of the young professional women who would like to participate in NANOG.
>>> While the times are changing, women continue to remain primary caregivers
>>> for families and this will require them to desert their families a day
>>> early.  I find it offensive personally and feel like you may have missed
>>> the mark.
>>>
>>> The amount of times I hear people complain about having to leave their
>>> families is one of the reasons this industry has a problem keeping young
>>> people - especially women.
>>>
>>> Does anyone else feel the same?
>>>
>>>
>>>
>>> --
>>> *Ilissa Miller*
>>> *CEO, iMiller Public Relations
>>> *
>>>
>>>
>>>
>>>

Re: N91 Women mixer on Sunday?

[Ren Provo]

I beg to differ here and second Ilissa’s comments.  I miss WiT.  Lunch
during the meeting worked.  Giving up more of the weekend to travel does
not show half the population gathering matters.


On Thu, Mar 28, 2024 at 15:16 Morris, Tina via NANOG 
wrote:

> Illissa,
> The mixer is at 5pm Sunday, this allows people to network and prepare for
> the week. Sunday also has a hackathon, registration, and often a welcome
> social. NANOG has a very compressed schedule and another time would
> actually mean that the women participating would have to pick between this
> event and another event or talk  that may be critical to their job
> function, which is also unfair.
>
> We are advertising this mixer to make sure all are aware and can attend,
> and the mixers will  be on the schedule at the same approximate time at
> each meeting going forward.
>
> I hope we will see you there.
>
> Tina Morris
>
>
> On Mar 28, 2024, at 14:12, Thomas Scott  wrote:
>
> 
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
> > While the times are changing, women continue to remain primary
> caregivers for families and this will require them to desert their families
> a day early.  I find it offensive personally and feel like you may have
> missed the mark.
>
> The hackathon has for (as far as I’ve known about it) been on Sunday. I
> don’t work on Sundays - it’s a day for my family (unless the almighty pager
> goes off), so I’ve never gone - even though it’s one of the parts of NANOG
> I’d enjoy, and would benefit from the most.
>
> There are tradeoffs for everything - perhaps the idea was to keep the
> women’s mixer separate from the other evening events, so that those who
> wish to participate, can do all of the evening events, and not have to give
> up anything, at the cost of the extra day. That being said, I agree, moving
> more to Sunday is not an acceptable answer to me.
>
> Best Regards,
> -Thomas Scott
>
> On Mar 28, 2024 at 1:45:07 PM, Ilissa Miller  wrote:
>
>> For those that know me, I rarely provide constructive input about NANOG
>> matters due to my past affiliation, however, I just saw that NANOG
>> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
>> of the young professional women
>> ZjQcmQRYFpfptBannerStart
>> This Message Is From an Untrusted Sender
>> You have not previously corresponded with this sender.
>>
>> ZjQcmQRYFpfptBannerEnd
>>
> For those that know me, I rarely provide constructive input about NANOG
>> matters due to my past affiliation, however, I just saw that NANOG
>> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
>> of the young professional women who would like to participate in NANOG.
>> While the times are changing, women continue to remain primary caregivers
>> for families and this will require them to desert their families a day
>> early.  I find it offensive personally and feel like you may have missed
>> the mark.
>>
>> The amount of times I hear people complain about having to leave their
>> families is one of the reasons this industry has a problem keeping young
>> people - especially women.
>>
>> Does anyone else feel the same?
>>
>>
>>
>> --
>> *Ilissa Miller*
>> *CEO, iMiller Public Relations
>> *
>>
>>
>>
>>

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Nick Hilliard]

Tom Beecher wrote on 28/03/2024 18:35:
Fundamentally I've always disagreed with how sFlow aggregates flow data 
with network state data.


"can aggregate" rather than "aggregates" - this is implementation 
dependent and most implementations don't bother with it.


Overall, sflow has one major advantage over netflow/ipfix, namely that 
it's a stateless sampling mechanism.  Once you have hardware that can 
reliably pick out one in N frames, the rest of the protocol is 
straightforward enough, which means that it's cheap to implement in 
hardware. If you're ok with 1. sampling and 2. the set of data that 
sflow provides, then sflow is great.


Netflow / ipfix, on the other hand, assumes that it's learning about 
flow state. For this, you need both a flow lookup mechanism and flow 
storage memory. Usually the flow lookup mechanism is implemented using 
the same technology as the packet forwarding lookup mechanism due to 
performance requirements, i.e. expensive. Similarly, the storage 
mechanism needs to be fast, which often precludes being large. Often 
both the lookup and storage mechanism are linked, e.g. tcam.


Obviously, not all netflow/ipfix implementations implement flow state, 
but most do; some implement stateless sampling ala sflow. Also many 
netflow implementations don't export mac address information, which 
limits usefulness in certain situations. But this is an implementation 
gap rather than a protocol weakness.


Tools should be chosen to fit the job. There are plenty of situations 
where sflow is ideal. There are others where netflow is preferable.


Nick

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Brian Knight via NANOG]

Thanks to all who took the time to comment and make suggestions. 

To summarize the private messages, one respondent suggested Argus as a
collector. Another mentioned that they are still using AS-Stats. 

I'm drawn to Akvorado. I like the self-contained nature of the
application. NF collector, database, and modern web GUI are all bundled
in one docker container. The full-featured demo [5] is fantastic. That
the app can enrich the Netflow data with BMP is an added bonus. 

The best part is, the GUI has the report viz I need, and it is actually
the default visualization in the demo. It also has the graph types that
I didn't know I needed, like the Sankey graph. 

FlowViewer looks interesting as well. I suspect getting the reports
right may take some time, given the amount of GUI filtering options. 

pmacct and Argus seem to be capable tools that have been around for a
long time, but I haven't seen a concise stack building guide to get
Netflow data into a good GUI using these. Looks like there are some
older Docker images available for both. I could write my own SQL or roll
my own stack, but I'd much rather spend my time on other things. 

I appreciate the conversation around sFlow. I actually wasn't aware that
XR supported it. AS path probably doesn't add a whole lot of value given
that I'm focused on flows across our IP transit circuits. I'm able to
determine my next AS hop simply by looking at the flow's associated
tuple of (flow exporter, interface). I can use other tools like
RouteViews or RIPE's RIS to determine the destination AS's upstreams if
needed. The rest of the path is probably not too helpful for determining
peering opportunities. 

I think I'm going to get Akvorado running in my environment. If that
doesn't pan out, I'll likely go back to AS-Stats. 

Can those running Akvorado comment on their system specs? The only spec
I've seen is a mention in this blog post [6]: "Akvorado is performant
enough to handle 100 000 flows per second with 64 GB of RAM and 24 vCPU.
With 2 TB of disk, you should expect to keep data for a few years." 

Thanks again all, 

-Brian 

On 2024-03-26 19:04, Brian Knight via NANOG wrote:

> What's presently the most commonly used open source toolset for monitoring 
> AS-to-AS traffic?
> 
> I want to see with which ASes I am exchanging the most traffic across my 
> transits and IX links. I want to look for opportunities to peer so I can 
> better sell expansion of peering to upper management. 
> 
> Our routers are mostly $VENDOR_C_XR so Netflow support is key.
> 
> In the past, I've used AS-Stats [1] for this purpose. However, it is 
> particularly CPU and disk IO intensive. Also, it has not been actively 
> maintained since 2017.
> 
> InfluxDB wants to sell me [2] on Telegraf + InfluxDB + Chronograf + 
> Kapacitor, but I can't find any clear guide on what hardware I would need for 
> that, never mind how to set up the software. It does appear to have an open 
> source option, however. 
> 
> pmacct seems to be good at gathering Netflow, but doesn't seem to analyze 
> data. I don't see any concise howto guides for setting this up for my 
> purpose, however. 
> 
> I'm aware Kentik does this very well, but I have no budget at the moment, my 
> testing window is longer than the 30 day trial, and we are not prepared to 
> share our Netflow data with a third party. 
> 
> Elastiflow [3] appears to have been open source [4] at one time in the past, 
> but no longer. Since it too appears to be hosted, I have the same objections 
> as I do with Kentik above. 
> 
> On-list and off-list replies are welcome. 
> 
> Thanks, 
> 
> -Brian

 

Links:
--
[1] https://github.com/manuelkasper/AS-Stats
[2] https://www.influxdata.com/what-are-netflow-and-sflow/
[3] https://www.elastiflow.com/
[4] https://github.com/robcowart/elastiflow?tab=readme-ov-file
[5] https://demo.akvorado.net/
[6] https://vincent.bernat.ch/en/blog/2022-akvorado-flow-collector

Re: N91 Women mixer on Sunday?

[Mark Tinka]

On 3/28/24 21:08, Tom Beecher wrote

There was a Women in Tech Mixer on Sunday in Charlotte as well. As I 
recall there was a pretty decent attendance.


During my time on the PC, we always got a lot of feedback about Sunday 
when the topic came up. Some members were strongly opposed to anything 
on Sunday and didn't even like the Hackathon there. Others wanted 
expansion, and more things slotted in. There certainly wasn't 
anything remotely close to a consensus. Sometimes people can make it 
in early on Sunday. Sometimes they can't. There's no one size fits all 
answer.


I'm not sure people realize how much crap that staff and the PC get 
*every meeting* about the agenda. There's always someone unhappy 
because this event wasn't the same, or why was it in this room over 
here, or OMG Wed afternoon, etc. Having seen how that sausage gets 
made, they don't get enough credit.


In my opinion, they found a spot that they had room for, and if people 
can make it with their schedules, then great. If not, hopefully a 
future slot can work.


Typical constraints such as scheduling and resources notwithstanding, 
100% participation is not often guaranteed in most things. It's about 
planning for as many as can make it. With some luck, it would be the 
majority.


Mark.

Re: N91 Women mixer on Sunday?

[Anne P. Mitchell, Esq.]

> I'm not sure people realize how much crap that staff and the PC get *every 
> meeting* about the agenda. There's always someone unhappy because this event 
> wasn't the same, or why was it in this room over here, or OMG Wed afternoon, 
> etc. Having seen how that sausage gets made, they don't get enough credit. 

Having been the chair of the Asilomar Microcomputer workshop, and the founder 
and chair of the original Email Deliverability Summits, as well as organizing 
many legal conferences, I have to say "^^^ this, 1000%."

Furthermore:

> On Mar 28, 2024, at 11:45 AM, Ilissa Miller  wrote:
> 
> For those that know me, I rarely provide constructive input about NANOG 
> matters 

..and you haven't here, either.  Pointing fingers and griping about things is 
not constructive.  If you really care about this issue, then get involved and 
help change it.

Anne

--- 
Anne P. Mitchell, Esq.
Internet Law & Policy Attorney
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)

WiT Mixer to Occur Before N91 Conference, Sponsorships, Talk of the Week + More

[Nanog News]

*Women in Tech Mixer to Occur Before Conference*

*Plan your Travel to Arrive Early to NANOG 91*
*The NANOG 91 Women in Tech Mixer will take place Sunday, 09, June in
Kansas City, MO.*

The Women In Tech Mixer welcomes all attendees that identify as female with
she/her pronouns.Take advantage of this incredible opportunity to make
career-changing relationships with other women in the industry.

*MORE INFO  *


*Sponsorships Available for NANOG 91 + Beyond! **Invest in the Strength of
the Community We Have Built*

*Sponsoring NANOG Conferences has many benefits: *

   - Showcase your newest technologies + solutions
   - Increase your brand’s visibility + reach
   - Amplify your organization’s message
   - Connect with industry influencers + decision makers
   - Empower people + inspire change

*MORE INFO
*

*NANOG Talk of the Week*
*Alerts Don't Suck, YOUR Alerts Suck! w/ Kentik's Leon Adato*

*Why it's worth your time:* With 775 views in the last month, this talk is
one of our most viewed videos from NANOG 90.

*Description:* Nobody "likes" getting alerts. In the best-case scenario, an
alert is received because something went (or is about to go) wrong. In
those cases, recipients can at least be grateful they found out before
things worsened. Far more often, however, people hate getting alerts for
the exact opposite reason: They are meaningless, trivial, or just plain
wrong—a source of constant interruptions, false alarms, unplanned work, and
"noise."

While many are convinced that this is the inherent nature of alerts (and
monitoring in general), it can be so much better...

*WATCH NOW  *

*Early Bird Gets the Worm*
*Take Advantage of Discounted Registration Prices + Access to Hotel Info*

Early registration prices will end on 08, April. Those who register early
will also have early access to hotel details.

*REGISTER NOW * 

Re: N91 Women mixer on Sunday?

[Morris, Tina via NANOG]

Illissa,
The mixer is at 5pm Sunday, this allows people to network and prepare for the 
week. Sunday also has a hackathon, registration, and often a welcome social. 
NANOG has a very compressed schedule and another time would actually mean that 
the women participating would have to pick between this event and another event 
or talk  that may be critical to their job function, which is also unfair.

We are advertising this mixer to make sure all are aware and can attend, and 
the mixers will  be on the schedule at the same approximate time at each 
meeting going forward.

I hope we will see you there.

Tina Morris


On Mar 28, 2024, at 14:12, Thomas Scott  wrote:



CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you can confirm the sender and know the 
content is safe.


> While the times are changing, women continue to remain primary caregivers for 
> families and this will require them to desert their families a day early.  I 
> find it offensive personally and feel like you may have missed the mark.

The hackathon has for (as far as I’ve known about it) been on Sunday. I don’t 
work on Sundays - it’s a day for my family (unless the almighty pager goes 
off), so I’ve never gone - even though it’s one of the parts of NANOG I’d 
enjoy, and would benefit from the most.

There are tradeoffs for everything - perhaps the idea was to keep the women’s 
mixer separate from the other evening events, so that those who wish to 
participate, can do all of the evening events, and not have to give up 
anything, at the cost of the extra day. That being said, I agree, moving more 
to Sunday is not an acceptable answer to me.

Best Regards,
-Thomas Scott

On Mar 28, 2024 at 1:45:07 PM, Ilissa Miller 
mailto:ili...@imillerpr.com>> wrote:
For those that know me, I rarely provide constructive input about NANOG matters 
due to my past affiliation, however, I just saw that NANOG announced the Women 
mixer on Sunday before NANOG 91 and am outraged for all of the young 
professional women
ZjQcmQRYFpfptBannerStart
This Message Is From an Untrusted Sender
You have not previously corresponded with this sender.

ZjQcmQRYFpfptBannerEnd
For those that know me, I rarely provide constructive input about NANOG matters 
due to my past affiliation, however, I just saw that NANOG announced the Women 
mixer on Sunday before NANOG 91 and am outraged for all of the young 
professional women who would like to participate in NANOG.  While the times are 
changing, women continue to remain primary caregivers for families and this 
will require them to desert their families a day early.  I find it offensive 
personally and feel like you may have missed the mark.

The amount of times I hear people complain about having to leave their families 
is one of the reasons this industry has a problem keeping young people - 
especially women.

Does anyone else feel the same?



--
Ilissa Miller
CEO, iMiller Public 
Relations

Re: N91 Women mixer on Sunday?

[Tom Beecher]

There was a Women in Tech Mixer on Sunday in Charlotte as well. As I recall
there was a pretty decent attendance.

During my time on the PC, we always got a lot of feedback about Sunday when
the topic came up. Some members were strongly opposed to anything on Sunday
and didn't even like the Hackathon there. Others wanted expansion, and more
things slotted in. There certainly wasn't anything remotely close to a
consensus. Sometimes people can make it in early on Sunday. Sometimes they
can't. There's no one size fits all answer.

I'm not sure people realize how much crap that staff and the PC get *every
meeting* about the agenda. There's always someone unhappy because this
event wasn't the same, or why was it in this room over here, or OMG Wed
afternoon, etc. Having seen how that sausage gets made, they don't get
enough credit.

In my opinion, they found a spot that they had room for, and if people can
make it with their schedules, then great. If not, hopefully a future slot
can work.

On Thu, Mar 28, 2024 at 1:46 PM Ilissa Miller  wrote:

> For those that know me, I rarely provide constructive input about NANOG
> matters due to my past affiliation, however, I just saw that NANOG
> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
> of the young professional women who would like to participate in NANOG.
> While the times are changing, women continue to remain primary caregivers
> for families and this will require them to desert their families a day
> early.  I find it offensive personally and feel like you may have missed
> the mark.
>
> The amount of times I hear people complain about having to leave their
> families is one of the reasons this industry has a problem keeping young
> people - especially women.
>
> Does anyone else feel the same?
>
>
>
> --
> *Ilissa Miller*
> *CEO, iMiller Public Relations *
>
>
>
>

Re: N91 Women mixer on Sunday?

[Mark Tinka]

On 3/28/24 19:45, Ilissa Miller wrote:

For those that know me, I rarely provide constructive input 
about NANOG matters due to my past affiliation, however, I just saw 
that NANOG announced the Women mixer on Sunday before NANOG 91 and am 
outraged for all of the young professional women who would like to 
participate in NANOG.  While the times are changing, women continue to 
remain primary caregivers for families and this will require them to 
desert their families a day early.  I find it offensive personally and 
feel like you may have missed the mark.


Minds are hard to read, so asking the question before being offended is 
not an unproductive endeavour. That said, we are here now.



The amount of times I hear people complain about having to leave their 
families is one of the reasons this industry has a problem keeping 
young people - especially women.


Does anyone else feel the same?


If you have a better suggestion on what would work best, I'd be keen to 
hear it.


Mark.

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Peter Phaal]

The documentation for IOS-XR suggests that enabling extended-router in the
sFlow configuration should export "Autonomous system path to the
destination", at least on the 8000 series routers:

https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/netflow/command/reference/b-netflow-cr-cisco8k/m-sflow-commands.html

I couldn't find a similar option in the NetFlow/IPFIX configuration guide,
but I might have missed it.


On Thu, Mar 28, 2024 at 10:48 AM Saku Ytti  wrote:

> Hey,
>
> On Thu, 28 Mar 2024 at 17:49, Peter Phaal  wrote:
>
> > sFlow was mentioned because I believe Brian's routers support the
> feature and may well export the as-path data directly via sFlow (I am not
> aware that it is a feature widely supported in vendor NetFlow/IPFIX
> implementations?).
>
> Exporting AS information is wire-format agnostic feature, if it's
> supported or not, it can equally be injected into sFlow, NetflowV5
> (src and dst only), NetflowV9 and IPFIX. The cost is that you need to
> program in FIB entries the information, so that the information
> becomes available at look-up time for record creation.
>
> In OP's case (IOS-XR) this means enabling 'attribute-download' for
> BGP, and I believe IOS-XR will never download any other asn but src
> and dst, therefore full information cannot be injected into any
> emitted wire-format.
> --
>   ++ytti
>

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Tom Beecher]

Yeah, cost to implement dst_as_path lookups far outweighs the usefulness
IMO. If you really want that it's much better to get it via BMP. ( Same
with communities and localpref in the extended gateway definition of
sflow.  )

Fundamentally I've always disagreed with how sFlow aggregates flow data
with network state data. IMO you collect the two things separately, and
join them off-device should you need to for analysis.

On Thu, Mar 28, 2024 at 1:50 PM Saku Ytti  wrote:

> Hey,
>
> On Thu, 28 Mar 2024 at 17:49, Peter Phaal  wrote:
>
> > sFlow was mentioned because I believe Brian's routers support the
> feature and may well export the as-path data directly via sFlow (I am not
> aware that it is a feature widely supported in vendor NetFlow/IPFIX
> implementations?).
>
> Exporting AS information is wire-format agnostic feature, if it's
> supported or not, it can equally be injected into sFlow, NetflowV5
> (src and dst only), NetflowV9 and IPFIX. The cost is that you need to
> program in FIB entries the information, so that the information
> becomes available at look-up time for record creation.
>
> In OP's case (IOS-XR) this means enabling 'attribute-download' for
> BGP, and I believe IOS-XR will never download any other asn but src
> and dst, therefore full information cannot be injected into any
> emitted wire-format.
> --
>   ++ytti
>

Re: N91 Women mixer on Sunday?

[Thomas Scott]

> While the times are changing, women continue to remain primary caregivers
for families and this will require them to desert their families a day
early.  I find it offensive personally and feel like you may have missed
the mark.

The hackathon has for (as far as I’ve known about it) been on Sunday. I
don’t work on Sundays - it’s a day for my family (unless the almighty pager
goes off), so I’ve never gone - even though it’s one of the parts of NANOG
I’d enjoy, and would benefit from the most.

There are tradeoffs for everything - perhaps the idea was to keep the
women’s mixer separate from the other evening events, so that those who
wish to participate, can do all of the evening events, and not have to give
up anything, at the cost of the extra day. That being said, I agree, moving
more to Sunday is not an acceptable answer to me.

Best Regards,
-Thomas Scott

On Mar 28, 2024 at 1:45:07 PM, Ilissa Miller  wrote:

> For those that know me, I rarely provide constructive input about NANOG
> matters due to my past affiliation, however, I just saw that NANOG
> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
> of the young professional women
> ZjQcmQRYFpfptBannerStart
> This Message Is From an Untrusted Sender
> You have not previously corresponded with this sender.
>
> ZjQcmQRYFpfptBannerEnd
> For those that know me, I rarely provide constructive input about NANOG
> matters due to my past affiliation, however, I just saw that NANOG
> announced the Women mixer on Sunday before NANOG 91 and am outraged for all
> of the young professional women who would like to participate in NANOG.
> While the times are changing, women continue to remain primary caregivers
> for families and this will require them to desert their families a day
> early.  I find it offensive personally and feel like you may have missed
> the mark.
>
> The amount of times I hear people complain about having to leave their
> families is one of the reasons this industry has a problem keeping young
> people - especially women.
>
> Does anyone else feel the same?
>
>
>
> --
> *Ilissa Miller*
> *CEO, iMiller Public Relations
> *
>
>
>
>

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Saku Ytti]

Hey,

On Thu, 28 Mar 2024 at 17:49, Peter Phaal  wrote:

> sFlow was mentioned because I believe Brian's routers support the feature and 
> may well export the as-path data directly via sFlow (I am not aware that it 
> is a feature widely supported in vendor NetFlow/IPFIX implementations?).

Exporting AS information is wire-format agnostic feature, if it's
supported or not, it can equally be injected into sFlow, NetflowV5
(src and dst only), NetflowV9 and IPFIX. The cost is that you need to
program in FIB entries the information, so that the information
becomes available at look-up time for record creation.

In OP's case (IOS-XR) this means enabling 'attribute-download' for
BGP, and I believe IOS-XR will never download any other asn but src
and dst, therefore full information cannot be injected into any
emitted wire-format.
-- 
  ++ytti

N91 Women mixer on Sunday?

[Ilissa Miller]

For those that know me, I rarely provide constructive input about NANOG
matters due to my past affiliation, however, I just saw that NANOG
announced the Women mixer on Sunday before NANOG 91 and am outraged for all
of the young professional women who would like to participate in NANOG.
While the times are changing, women continue to remain primary caregivers
for families and this will require them to desert their families a day
early.  I find it offensive personally and feel like you may have missed
the mark.

The amount of times I hear people complain about having to leave their
families is one of the reasons this industry has a problem keeping young
people - especially women.

Does anyone else feel the same?



-- 
*Ilissa Miller*
*CEO, iMiller Public Relations *

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Peter Phaal]

I hope my comments were useful. I was trying to raise awareness that bgp
as-path information is an option and might be helpful in addressing Brian's
requirements, "I want to see with which ASes I am exchanging the most
traffic across my transits and IX links. I want to look for opportunities
to peer so I can better sell expansion of peering to upper management."

Possible reports that could be of interest are:
1. destination AS numbers by traffic volume and as-path length
2. destination AS numbers by traffic volume and second to last AS in path
(AS of peering with destination).
3. traffic volume by transit AS
4. traffic volume passing through AS allow / deny ASN list.

What other types of report might be interesting?

sFlow was mentioned because I believe Brian's routers support the feature
and may well export the as-path data directly via sFlow (I am not aware
that it is a feature widely supported in vendor NetFlow/IPFIX
implementations?). However, some of the tools mentioned (pmacct, Kentik,
Akvorado) can enrich flow data downstream (through BGP / BMP peering
session with router) if it isn't present in the sFlow/Netflow/IPFIX
records, although downstream enrichment does add a level of operational
complexity.

On Wed, Mar 27, 2024 at 11:03 PM Saku Ytti  wrote:

> On Wed, 27 Mar 2024 at 21:02, Peter Phaal  wrote:
>
> > Brian, you may want to see if your routers support sFlow (vendors have
> added the feature over the last few years).
>
> Why is this a solution, what does it solve for OP? Why is it
> meaningful what the wire-format of the records are? I read OP's
> question at a much higher level, about how to interact and reason
> about data, rather than how to emit it.
>
> Ultimately sFlow is a perfect subset of IPFIX, when you run IPFIX
> without caching you get the functional equivalent of sFlow (there is
> an IPFIX entity for emitting n bytes from frame as well as data).
>
> --
>   ++ytti
>

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Nick Plunkett]

In the same vein, if you can get your devices exporting sFlow, or for
others reading that do have sFlow capable devices: the sFlow-RT team has
built ready to deploy, all in one docker containers using Grafana and
Prometheus that you can stand up within minutes to start visualizing and
easily querying/processing sFlow data from your routers, with no prior
experience with the underlying software needed.

https://blog.sflow.com/2023/07/deploy-real-time-network-dashboards.html
https://github.com/sflow-rt/prometheus-grafana

On Wed, Mar 27, 2024 at 12:00 PM Peter Phaal  wrote:

> Brian, you may want to see if your routers support sFlow (vendors have
> added the feature over the last few years).
>
> In particular, see if it includes support for the sFlow extended_gateway
> structure:
>
> /* Extended Gateway Data */
> /* opaque = flow_data; enterprise = 0; format = 1003 */
>
> struct extended_gateway {
>next_hop nexthop;   /* Address of the border router that should
>   be used for the destination network */
>unsigned int as;/* Autonomous system number of router */
>unsigned int src_as;/* Autonomous system number of source */
>unsigned int src_peer_as;   /* Autonomous system number of source peer
> */
>as_path_type dst_as_path<>; /* Autonomous system path to the
> destination */
>unsigned int communities<>; /* Communities associated with this route */
>unsigned int localpref; /* LocalPref associated with this route */
> }
>
> The dst_as_path field is particularly valuable since it allows you to see
> who your customers are peering with.
>
> While not a complete solution, you might want to take a look at sflowtool,
> https://github.com/sflow/sflowtool, to decode the sFlow records and
> convert them to JSON. It's not hard to write a Python script to calculate
> BGP peering metrics and push the results into a time series database
> (Prometheus, InfluxDB, etc) and build dashboards in Grafana. The following
> article gives a few examples:
>
> https://blog.sflow.com/2018/12/sflow-to-json.html
>
> On Tue, Mar 26, 2024 at 5:06 PM Brian Knight via NANOG 
> wrote:
>
>> What's presently the most commonly used open source toolset for
>> monitoring AS-to-AS traffic?
>>
>> I want to see with which ASes I am exchanging the most traffic across my
>> transits and IX links. I want to look for opportunities to peer so I can
>> better sell expansion of peering to upper management.
>>
>> Our routers are mostly $VENDOR_C_XR so Netflow support is key.
>>
>> In the past, I've used AS-Stats
>>  for this purpose. However, it
>> is particularly CPU and disk IO intensive. Also, it has not been actively
>> maintained since 2017.
>>
>> InfluxDB wants to sell me
>>  on Telegraf +
>> InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what
>> hardware I would need for that, never mind how to set up the software. It
>> does appear to have an open source option, however.
>>
>> pmacct seems to be good at gathering Netflow, but doesn't seem to analyze
>> data. I don't see any concise howto guides for setting this up for my
>> purpose, however.
>>
>> I'm aware Kentik does this very well, but I have no budget at the moment,
>> my testing window is longer than the 30 day trial, and we are not prepared
>> to share our Netflow data with a third party.
>>
>> Elastiflow  appears to have been open source
>>  at one time
>> in the past, but no longer. Since it too appears to be hosted, I have the
>> same objections as I do with Kentik above.
>>
>> On-list and off-list replies are welcome.
>>
>> Thanks,
>>
>> -Brian
>>
>>
>

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

[Tore Anderson]

On 27/03/24 01:04, Brian Knight via NANOG wrote:
What's presently the most commonly used open source toolset for 
monitoring AS-to-AS traffic?


I want to see with which ASes I am exchanging the most traffic across 
my transits and IX links. I want to look for opportunities to peer so 
I can better sell expansion of peering to upper management.

…
pmacct seems to be good at gathering Netflow, but doesn't seem to 
analyze data. I don't see any concise howto guides for setting this up 
for my purpose, however.


pmacct will do what you want and it's not particularly difficult to set 
it up.


For example, you can aggregate data into a database using:

aggregate[in]: src_as,src_net,src_mask
aggregate[out]: dst_as,dst_net,dst_mask

Now you can issue SQL queries that tell you which ASes or prefixes you 
send/receive the most bits or packets to/from.


Tore