SPAN-aggregation and packet brokers. Protocol Stripping

Why might you need a protocol stripping function?
As you know, the OSI model has 7 layers, and each one adds its own header of a certain size to the packet.

In the simplest case for a network analyzer, a packet carries the source and destination MAC addresses followed by the IP addresses. If we mirror data-center or even distribution-level uplinks, we can observe 802.1Q-tagged or even MPLS-labeled traffic. Each of these headers is inserted between the data link layer and the network layer. In my practice I have seen situations where network sensors did not understand these headers. In the best case the headers were ignored, but in the worst case a device could start miscalculating and misinterpreting higher-layer data, because it used a hardcoded packet-offset algorithm to increase throughput.

So, if you do not need to detect VLAN/VXLAN IDs, MPLS labels, etc., the unused headers can be removed.

If, for an information security incident investigation, you need:
  • Layer 2 or 2.5 information,
  • analysis of the entire access network traffic, including every subnet/VLAN,
  • aggregation of traffic copies on the packet broker,
then you may not need a packet stripping function, but you must use the packet deduplication feature.

But if you mirror uplinks to the IP/MPLS core or service layer (depending on the network architecture) that carry 802.1Q tags or MPLS labels, you can optimize the resource usage of your network sensors:
  • qualitatively, by unifying the packet structure;
  • quantitatively, by minimizing unused packet size through elimination of headers that are not analyzed.
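To make the stripping concrete, here is an added Python example (not code from the original post) that peels 802.1Q/QinQ tags and an MPLS label stack from an Ethernet frame so the L3 header follows the 14-byte Ethernet header again, and contrasts it with a sensor that reads the IP version at a hardcoded offset of 14. The MAC addresses, IPv4 header, VLAN IDs and labels are constructed values for the illustration.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
VLAN_TYPES = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad (QinQ), legacy QinQ
MPLS_TYPES = {0x8847, 0x8848}           # MPLS unicast / multicast

def naive_ip_version(frame: bytes) -> int:
    """What a sensor with a hardcoded L3 offset of 14 reads as the IP version."""
    return frame[14] >> 4

def strip_frame(frame: bytes) -> bytes:
    """Remove 802.1Q/QinQ tags and the MPLS label stack so that the L3 header
    directly follows the 14-byte Ethernet header (the form a sensor expects)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    macs = frame[:12]
    ethertype, pos = struct.unpack_from("!H", frame, 12)[0], 14
    # Peel stacked VLAN tags: 2-byte TCI followed by the inner ethertype.
    while ethertype in VLAN_TYPES:
        ethertype = struct.unpack_from("!H", frame, pos + 2)[0]
        pos += 4
    if ethertype in MPLS_TYPES:
        # Each label entry is 4 bytes; bit 8 is the bottom-of-stack (S) flag.
        while True:
            entry = struct.unpack_from("!I", frame, pos)[0]
            pos += 4
            if entry & 0x100:
                break
        # MPLS carries no ethertype, so infer it from the IP version nibble.
        version = frame[pos] >> 4
        if version == 4:
            ethertype = ETH_IPV4
        elif version == 6:
            ethertype = ETH_IPV6
        else:
            raise ValueError("non-IP MPLS payload (e.g. a pseudowire): cannot strip")
    return macs + struct.pack("!H", ethertype) + frame[pos:]

# Constructed sample frames (not real captures): a 20-byte IPv4 header behind
# no tag, one 802.1Q tag (VLAN 100), QinQ (S-VLAN 200 / C-VLAN 100) and a
# two-label MPLS stack (labels 16 and 17, TTL 64).
MACS = bytes.fromhex("001122334455" "66778899aabb")
IPV4 = bytes.fromhex("4500001400010000401100000a0000010a000002")
PLAIN = MACS + b"\x08\x00" + IPV4
VLAN = MACS + b"\x81\x00\x00\x64" + b"\x08\x00" + IPV4
QINQ = MACS + b"\x88\xa8\x00\xc8" + b"\x81\x00\x00\x64" + b"\x08\x00" + IPV4
MPLS = MACS + b"\x88\x47" + b"\x00\x01\x00\x40" + b"\x00\x01\x11\x40" + IPV4
```

An MPLS stack has no ethertype of its own, so the L3 protocol must be inferred from the payload; non-IP payloads such as pseudowires cannot be stripped this way and should be passed through untouched.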
An approximate list of headers subject to protocol stripping is shown in the picture below.

[Image: approximate list of headers for protocol stripping]

Андрей Дугин

Practical Information Security and Information Protection | Information Security and Cyber Defense in Deed