Add network locality fields #288
Conversation
There was a problem hiding this comment.
@andrewkroh this seems useful - I have a few questions please:
-
If a user has available a list of internally managed IP addresses, even if routable, (e.g., via Infoblox) should those addresses be considered private as well? or just the ones specified by RFC's listed.? (I think this could be the distinction between "internal" and "private")
-
If private == internal, then could this information be represented in the
network.directionfield? It seems that:
network.direction: external==source.locality: public and destination.locality: public
network.direction: internal==source.locality: private and destination.locality: private
(but I think "inbound" and "outbound" will get us back into the troubling discussion about how to determine/define this.) -
In your example, isn't
network.locality:public and source.locality:public==source.locality:public? -
If we go forward with these fields, should we also have
client.localityandserver.localityfor performing similar filtering on bidirectional flows? If so, then we'd have to decide which one populates thenetwork.localityfield in the case where they conflict. (i.e. whensource.*<>client.*)
I'd like for this to strictly be based on the RFCs which makes it very easy to implement everywhere since it doesn't require much configuration.
What constitutes "internal" and "external" has some flexibility which is great. If someone treats internal as the RFC private addresses then yes, they are equivalent. You get a difference when if you configure your "internal" ranges to be a subset of the private address space like only 10.20.0.0/16 and you have outbound traffic to some other private address. You also get a difference if you have a mix of public and private addresses that you treat as "internal".
Indeed it is, my bad. I was trying to show that you could infer some directionality based on the query and meant to use a
I agree that we should decide on a precedence. I'm just have trouble imagining cases where the two sets of client/server and source/destination addresses are different (maybe DHCP). As long as client/server and source/destination are the same sets of addresses the computation for Let's say that source/destination take precedence? |
This adds `network.locality` that simply has a value of either private or public. If either `source.ip` or `destination.ip` are public IP addresses then network.locality is elevated to "public". Otherwise if both `source.ip` and `destination.ip` are non-public then `network.locality` is private. The IPv4 and IPv6 ranges that are considered private are strictly specified in the definition of `network.locality`. This is a useful means of filtering on flows. Some common queries I use are - network.locality:public and source.locality:public - network.locality:public and destination.locality:public
andrewkroh
force-pushed
the
feature-network-locality
branch
from
098d373 to
b7895d1
Compare
|
I've changed my thinking on this after seeing a user request to make the network ranges configurable. I'm thinking it's better to keep the
You can see how this would be used in elastic/beats#11147. |
|
The general idea behind having both a For example, a server connects to another server on the company's network. A network monitoring tool running on that server sets |
There was a problem hiding this comment.
@andrewkroh @MikePaquette I like this proposal, and I'd like to get this in soon.
Andrew, is the PR still in line with your latest thinking, as described in comments from March and your proposal in Beats?
I can help rebase/merge the PR if you'd like. Much has changed in the last little while.
If you attempt the merge yourself, you'll have to add a short: description as well
| @@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file based on the | |||
|
|
|||
| * Added pointer in description of `http` field set to `url` field set. #330 | |||
| * Added an optional short field description. #330 | |||
| * Add `network.locality`, `source.locality`, and `desination.locality`. #288 | |||
There was a problem hiding this comment.
There's a typo in destination, and please add the new fields as well, under client & server
Yes, it is. And if you want to take over that would be much appreciated. |
|
You got it! 👍 |
|
@andrewkroh I have a branch where the code of this PR has been ported on top of master. However looking back at the later comments here, I realize that the PR code uses values "private" and "public", whereas this table and issue elastic/beats#11147 both talk about values "internal" and "external" for Another inconsistency between the PR and the discussion is that the PR states that the values for locality should be based on the RFCs, but the thinking seems to be that they should be configurable, by users based on their network address ranges. So I have a few things I'd like to discuss:
I do see the value in having the configurability. But my take is that starting with RFC & no configurability keeps it straightforward and useful, while avoiding the opening of pandora's box of "how much is the network trusted". In other words, my answer to Q 2 would be we separate the concepts for now, and when tackling the configurability, we also tackle the trust levels. I'm curious what you think about this. |
|
some thoughts:
additionally, looking at e.g. NAPM having some concepts of asset type categorization of network zones would be extremely useful (network.tag or similar would be useful for describing network "subnets" in relation to physical locations in the organization, but network.location (maybe internal geoip additions? or pipelines to track ips to a network name/cidr index) an array for network.tag could hold any of the 4 (pub/prv/int/ext), but a network.location could also hold organizational data identifying a specific location (Houston-DMZ, Data-Center, WAN-Hub, GCloud-Project, etc) Add one for source & destination and suddenly theres the possibility of n/apm (adding network info to APM information for troubleshooting - e.g. User -> (fw to WAF) -> (WAF to array of web Servers).. track the # of resets/retransmits, or QOS info across the various WEB servers to troubleshoot issues at the network level...) |
This adds
network.localitythat simply has a value of either private or public. If eithersource.ipordestination.ipare public IP addresses then network.locality is elevated to "public". Otherwise if bothsource.ipanddestination.ipare non-public thennetwork.localityis private.The IPv4 and IPv6 ranges that are considered private are strictly specified in the definition of
network.locality.This is a useful means of filtering on flows. Some common queries I use are
network.locality:public and source.locality:publicnetwork.locality:public and destination.locality:public