Hi, all.
Re: last week's thread on the Vice article -
I can only speak for Kentik, and *we* don't resell or give 3rd party access
to NetFlow data from our hundreds of customers. And never have.
But there is definitely interest out there. We do get approached about it
periodically and always sa
o get the data?
Thanks,
Avi Freedman
CEO, Kentik
nyone would like to help us test the free tier in
January.
Thanks,
Avi Freedman
CEO, Kentik
> Doesn't Kentik cost like $2000 a month minimum?
>
>
> On Mon, Dec 31, 2018 at 11:57 AM Matthew Crocker
> wrote:
>
> > +1 Kentik as well, DDoS, RTBH, Netflow. Cloud
to do count and
topN).
And MemSQL can operate in that mode as well though I don't think that was how
Mehrdad was showing it working with vFlow.
But again you can't ever go 'back in time' for an ad hoc query with
them so it's probably more interesting as an augment and offloader for most
uses where you'd normally think of storing many billions or a few trillion
flows.
Happy flow-ing...
Avi Freedman
CEO, Kentik
> "NANOG" wrote on 05/16/2017 03:34:39 PM:
> Nice analysis of the current state of the art.
Thanks; of DIY for store-all approaches, at least :)
Commercial options is a different thread and I'm conflicted so shouldn't
try to summarize those...
> > And then, the biggest flow store I know of
If there are any network+poker nerds in the Seattle area tomorrow, we have 5
seats left at a network nerd poker night I'm hosting tomorrow night.
Attendees are from cloud, content provider, hosting, infra services, travel,
and SaaS analytics industries.
We'll have food, drinks, a training sess
There's also SiLK from CMU. It's powerful but has a learning curve.
I also see pmacct being used both by some end networks and by
some vendors as part of systems.
Avi
> Hey There,
>
> I was just wondering, for people who are doing netflow analysis with
> open source tools and who are doing a
Forgive my potential lack of understanding; perhaps BGP behavior has
changed or the way people use it has but my understanding is -
Since BGP is used in almost all circumstances in a mode where only
the best path to a prefix can be re-advertised, only one of the
peer or customer path can be used
An important question...
I recall a peering panel at an ISPCON in 1996 when the current
Peering Badguys, BBN, were represented by John, who listened
to a ton of bitching for an hour about the unfairness of it all and
said (paraphrasing)...
"I understand you all have your opinions and desires bu
ing PCAP-y stuff.
But taps can be difficult or at least time consuming for people to
put in at scale. Even, we've seen, for folks with 10G networks.
Often because they can get 90% of what they need for 4 different
business purposes from just flow :)
> Best regards,
> Denys
Avi Freedman
the issue is not with your providing the info about fastnetmon,
its genesis, and what you see as the great use cases for it - more around
the statements on flow as an unusable source of data for various purposes.
Things seem to have died down around that though, which is good :)
> ---
> Best reg
t one click.
Sounds cool. You should write up that use case. Hopefully you've secured
the metadata/command push channel well enough :)
> Best regards,
> Denys
Avi Freedman| Your flow has something to show you; can you see it?|
CEO, CloudHelix | (avi at cloudhelix dot com) | my name one word on skype |
Looking at probably 100 networks' flow paths over the last year,
I'd say 1 or 2 have OOB for flow.
Maybe another 10-20 have interest in taking simpler time series
data of top talkers over their OOB networks, but not the flow
itself.
Agree w Roland that it can cause problems with telemetry if
the
don't see anyone really sending flow over that kind
of OOB network.
> ---
> Roland Dobbins
Avi Freedman
CEO, Kentik
avi at kentik dot com
ry to some other point on the Internet (so more for
reaching a per-pop OOB than for making a coherent OOB network with
a bunch of monitoring running 24x7).
Still, it's a good value for what it is.
> - Jared
Avi Freedman
CEO, Kentik
avi at kentik dot com
Agreed, we are as well :)
VLAN, VRF, whatever.
+ optimal tweaks include local flow proxy that can also rate
limit / re-sample, and send topk talkers over 'true' OOB.
Avi Freedman
CEO, Kentik
avi at kentik dot com
> On 2 Sep 2015, at 7:27, Avi Freedman wrote:
>
> >
eeing samples of packets
across flows).
Again, pointers to switches that have that capability and can run
*nix apps would be appreciated :)
Avi Freedman
CEO, Kentik
avi at kentik dot com
Re: limits -
For Cisco/Juniper it's in the low hundreds of thousands of flows/sec
per chipset/linecard for 1:1 NetFlow/IPFIX, I think.
Then of course, as has been mentioned, you'll need to be able to send
it and receive it to something - and store+query.
Avi Freedman
CEO, Kenti
he biggest
purchase-able from Cisco or Juniper, but are used as the big-boy backbone and
border routers by a good number of multi-terabit networks, and even some
multi-tens-of-terabit networks.
Good luck in your flow journeys.
Avi Freedman
CEO, Kentik
No, people never use *flow controllers* for anything.
People have been doing SDN since before Google was around.
OK, so it was horrible expect scripts but it worked.
Avi
> Unpossible. I heard that no one really uses sdn for anything.
>
> :)
>
> T
> On Sat, Aug 17, 2013 at 2:32 PM, Avi Freedman wrote:
>
> > No, people never use *flow controllers* for anything.
>
> > People have been doing SDN since before Google was around.
> > OK, so it was horrible expect scripts but it worked.
>
> Not really.
Note I
Hi, Arnaud. The design is to only watch the origin ASN, not the other
ASNs in the path. Support for doing something with the transit portion
of the AS_PATH will be added, probably a very simple "alert if X is
in there" or "alert if Y is not in there".
As others have said it's imperfect so idea
> Nathan wrote:
> It is trivially easy for an attacker to falsify the origin AS. If 'they' are
> not doing it already, then I'm quite surprised.
> This isn't really a good thing to alarm on, in my opinion. Or, maybe it is,
> but there should be big bold text explaining that it's not reliable
> Nathan wrote:
> My best quick hack solution so far is to fire off a traceroute and make sure
> that the traceroute gets ICMP TTL expire messages from IP addresses that are
> in prefixes originated from all the ASes in the ASPATH.
> Still forgeable, but a bit more difficult.. still far from pe
Hi Erik -
There's a great button about Usenet -
"Reading Usenet is like drinking from a firehose;
Posting to Usenet is like shouting from a mountaintop;
Archiving Usenet is like saving used toilet tissue."
BGP may be somewhat more important, useful, and the results consumable
in the short-ter
Hmm, I'm trying to figure out the application here.
You have single prefixes originated or originate-able by more than
5 or 6 ASs?
I see - is it that you have, say a /16 with 13 potential ASs that might
be seen as originating more specifics inside that /16?
Hadn't considered that; we were envis