Hi Mike.
On 08/21/2015 05:30 AM, Mike Perry wrote:
> Anyone with netflow experience should feel free to chime in there (or here if you are not subscribed to tor-dev), but please be mindful of the adversarial considerations in section 3 (unless you believe that adversary model to be invalid, but please explain why).
I have some experience with netflow from $previousGig, and only had two potentially relevant thoughts when looking at your proposal.
- It is common practice to set the active timeout to 1min in SPs in order to speed detection of attacks with Arbor and similar tools.
- Cisco IOS (and likely other platforms) will immediately export flows if the cache fills to capacity. This will result in flows being exported in less than the inactive timeout, and my understanding is that this is a common occurrence.
I hope this helps.
Hope you are well.
tim
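The two export behaviours mentioned in the message above, modelled as an added example that is not part of the original message or of any router's code: a toy flow cache that cuts records on the active timeout, the inactive timeout, and cache exhaustion. The function name, the 15 s inactive value, the cache sizes, and the eviction policy (least recently updated flow goes first) are assumptions; only the 1 min active timeout comes from the message.

```python
def simulate_flow_cache(packets, active=60, inactive=15, capacity=1000):
    """Model a NetFlow-style cache.

    packets: list of (time_seconds, flow_key) tuples sorted by time.
    Returns export records:
    (flow_key, first_seen, last_seen, exported_at, reason).
    """
    cache = {}      # flow_key -> [first_seen, last_seen]
    exports = []

    def export(key, now, reason):
        first, last = cache.pop(key)
        exports.append((key, first, last, now, reason))

    for now, key in packets:
        # Age out entries; checked on packet arrival to keep the model small.
        for k, (first, last) in list(cache.items()):
            if now - last >= inactive:
                export(k, now, "inactive")
            elif now - first >= active:
                export(k, now, "active")
        if key in cache:
            cache[key][1] = now
            continue
        if len(cache) >= capacity:
            # Assumed policy: evict the least recently updated flow.
            victim = min(cache, key=lambda k: cache[k][1])
            export(victim, now, "cache_full")
        cache[key] = [now, now]
    end = packets[-1][0] if packets else 0
    for k in list(cache):
        export(k, end, "end_of_capture")
    return exports

# Constructed input: one long-lived flow sending a packet every 5 s for 130 s.
LONG_FLOW = [(t, "client->guard") for t in range(0, 131, 5)]
# Constructed input: three flows arriving within 2 s at a cache holding two.
BURST = [(0, "a"), (1, "b"), (2, "c")]

if __name__ == "__main__":
    for rec in simulate_flow_cache(LONG_FLOW):
        print(rec)
    for rec in simulate_flow_cache(BURST, capacity=2):
        print(rec)
```

With the 1 min active timeout, a connection that never goes idle is still split into roughly one record per minute, and under cache pressure a record can be exported well inside the inactive timeout.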