Minutes From The 9/23/04 Bimonthly meeting

Agenda
- Review of Action Items
- Pilot Progress report
- Feedback on Pilot Site page
- Feedback on agenda for member meeting BoF

Participants
- George Brett - Internet2 (scribe)
- Chas DiFatta - CMU (chair)
- Matt Zekauskus - Internet2
- Russ Hobby - Internet2

Agenda Items
1. Review of Action Items
Matt mentioned that Matt Davy would be at the Internet2 Fall Member Meeting and that he would try to arrange a meeting with him during that time.
There was brief discussion about David Moore's paper on network performance. Matt said he would send out a pointer to the paper.
George will be sending out invitations to the MWe2eD session to a list of key people. Chas is working on finalizing the slides for the presentation.
2. Pilot Progress
Chas reported that the Pilot is going pretty well. He mentioned that there had been a glitch with the switch in Pittsburgh, but that was corrected. They are now collecting data in an SQL database from hosts in San Francisco and Boston. The results have been eye opening, but there is a long way to go. There is strong interest in having bi-directional flow information like Argus provides.
Russ asked if there was any missing information. Chas was not sure, but he did say that newer equipment with faster processors would certainly help ensure accuracy.
Chas said they were going to have to address the NetFlow uni-directional issue and tackle details about scaling the volume of incoming data. One possible direction in managing scaling is to evaluate using something other than XML in the data storage. Also, to speed up the transfer process they are looking to replace SCP with SOAP. Matt agreed that it would be better to be pipelining data instead of buffering and copying it.
Chas reported that Jim is also writing applications to be able to look at events in real time. Most of this work has been done in Python, but they're thinking about whether or not the code may have to change to another language.
Chas mentioned that they will be working on debugging tools for the backplane.
3. Feedback on Pilot Site page
http://middleware.internet2.edu/e2ed/public/pilot/pilothome.html
Chas asked for feedback on the pilot site. Matt said that he had only skimmed it at that time, but it looked like all the necessary documents are there.
Chas pointed out that the goals of the project were to have something to release and then have something else for a 1.0 product. The only other things in progress are diagnostic questions to be answered. ccBay focused on two: "What is the problem?" and "How to go about solving the problem?"
Russ said that it would be useful to know what work is being done by others.
4. Feedback on agenda for member meeting BoF.
The proposed agenda for the BoF is:
- Review Activities of Year One
- Talk about the Pilot
- Open Floor to Discussion
Chas said he was boiling down the large slide deck into a presentation of 20 to 25 minutes. He hopes to get feedback from people. He'd like to discuss campus diagnostics to find out what information campus people would like to have.
There was discussion about the fact that when you have all this data, one can infer lots of information. We need to both archive and to clean the data. So there is a need to get an anonymization process up real quick. Russ said that similar issues exist with passive data as well. Matt suggested that we focus on the questions to be answered and just keep the data necessary to answer those. Chas agreed and said that the solution is not to have a large central facility, but to have data on the edges. ccBay would collect and pipeline data to a diagnostic engine in a local archive which would be pruned frequently. Events that generate warnings would be sent to the next level for reporting. The data would go from lower to higher levels as the event relevance becomes clearer and associated with particular problems. Data will be collected generally at first and then trimmed later as focus on events sharpens. It was agreed that eventually it will be important to have a dynamic filtering environment where the diagnostician could signal that she wants more of one type of information and less of another.
It was noted that the security aspects of the Pilot have been no less than amazing. Events garnered from the SNORT application have been very helpful. While it makes for a long Common Event Record (CER), the information is very useful. Russ asked how we know what's important. Chas replied that for now we're at an 80 to 20 threshold that should be good enough for now.
There was some more discussion about the BoF and trying to figure out how to get people engaged. Matt and Russ offered to have some questions prepared to ask to start things going.