m-lab / uuid-annotator

Produces metadata locally for every connection on each server.
Apache License 2.0

Prevent RFC1918 addresses from receiving Geo or ASN annotations. #7

Open pboothe opened 4 years ago

pboothe commented 4 years ago

We should, with a command-line flag, ensure that connections between RFC1918 IP addresses are filtered.

gfr10598 commented 4 years ago

Does this mean ~intra~ inter-machine? I don't think we should exclude anything ~intra~ inter-machine.

pboothe commented 4 years ago

I think that UUID annotation should skip those connections. I also think that whether it skips those addresses or not should be controlled by a command-line flag.

mattmathis commented 4 years ago

I consider it important to keep minimal forensic statistics on all connections: Start and end time, total packets and bytes, and if they are long running, periodic snapshots (e.g. every minute?).

Does this need UUIDs?

pboothe commented 4 years ago

UUID-annotator is for adding metadata to connections - Geolocation, ASN, metadata about the local machine state, etc.

It is not for adding summary information about connections - that is what tcpinfo is for. I think we SHOULD keep all tcpinfo data for all connections. I think we SHOULD NOT attempt to add geolocation and ASN metadata to RFC1918 connections.

This all reinforces to me that perhaps what I should put here is: We should prevent RFC1918 addresses from being annotated with Geo or ASN information. I think that is uncontroversial. I am changing the name of the issue to reflect that.

pboothe commented 4 years ago

Local machine state may still be important, as might the state of the switch, and both of those are (long-term) destined to appear in uuid-annotator, so all we want to do is prevent useless Geo and ASN annotations from appearing populated with empty strings and zero-length arrays.
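
The behavior requested in this thread, as an added Go example that is not uuid-annotator's own code: Geo and ASN are left unset for RFC 1918 addresses when a flag is enabled, including IPv4-mapped IPv6 spellings of those addresses. The `-skip-rfc1918` flag name, the `Annotation` type, the function names and the stub lookup are all assumptions made for illustration.

```go
package main

import (
	"flag"
	"fmt"
	"net/netip"
)

var rfc1918 = []netip.Prefix{ // the three RFC 1918 private IPv4 blocks
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// Annotation is a hypothetical record; Annotate leaves both fields nil when it skips an address.
type Annotation struct {
	Geo *string
	ASN *uint32
}

// IsRFC1918 also matches IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1.
func IsRFC1918(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false
	}
	for _, p := range rfc1918 {
		if p.Contains(addr.Unmap()) {
			return true
		}
	}
	return false
}

func Annotate(ip string, skipPrivate bool, lookup func(string) (string, uint32)) Annotation {
	if skipPrivate && IsRFC1918(ip) {
		return Annotation{}
	}
	geo, asn := lookup(ip)
	return Annotation{Geo: &geo, ASN: &asn}
}

func main() {
	skip := flag.Bool("skip-rfc1918", true, "hypothetical flag: no Geo/ASN for RFC 1918 addresses")
	flag.Parse()
	stub := func(string) (string, uint32) { return "XX", 64496 } // constructed stand-in lookup
	for _, ip := range []string{"192.168.1.5", "::ffff:10.0.0.1", "203.0.113.9"} {
		fmt.Println(ip, "annotated:", Annotate(ip, *skip, stub).Geo != nil)
	}
}
```

Using nil pointers rather than zero values keeps a skipped annotation distinguishable from a lookup that returned empty strings.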