sFlow uses UDP datagrams to send packet samples to the collector, and each sample includes the first N bytes of the sampled packet, which may contain sensitive information. The UDP datagrams are neither authenticated nor encrypted, so they can be read or tampered with in transit (man-in-the-middle attacks). UDP is also connectionless, so lost datagrams go unnoticed and lead to inaccurate traffic measurements.
gNPSI (gRPC Network Packet Sampling Interface) addresses the security weaknesses of sending sFlow samples over UDP. gNPSI encapsulates the sFlow samples in gRPC messages and thereby adds authentication, retransmission and encryption to the sample stream, enabling the use of these samples in critical network-control loops. gNPSI also changes the collector connection from dial-out to dial-in: the collector connects to the switch and subscribes to the sample stream, rather than the switch pushing datagrams to a configured collector address.
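To make the exposure concrete, the following added example (not code from the talk, from SONiC, or from the gNPSI project) builds a constructed sFlow v5 datagram and parses it back. It shows that the sampled header prefix, here a fake Ethernet header followed by a plaintext HTTP request line and cookie, travels verbatim inside the datagram, and that the only loss signal a collector has on the UDP path is a gap in datagram sequence numbers. The builder assumes an IPv4 agent address, a single flow sample and a single raw-packet-header record; the agent address, interface indices, sampling rate and frame length are made-up values.

```python
import struct

SFLOW_VERSION = 5
FLOW_SAMPLE = 1          # sample_data format 1 (enterprise 0): flow sample
RAW_PACKET_HEADER = 1    # flow_data format 1 (enterprise 0): sampled raw packet header
ETHERNET_PROTOCOL = 1    # header_protocol value for ETHERNET-ISO88023

# Constructed sample payload: 14 zero bytes standing in for an Ethernet header,
# then application data exactly as it would appear on the wire.
CONSTRUCTED_PREFIX = (b"\x00" * 14) + b"GET /account HTTP/1.1\r\nCookie: session=CONSTRUCTED\r\n"


def _u32(buf, off):
    """Read one big-endian uint32 and return (value, new_offset)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def build_sflow_v5_datagram(seq, header_bytes, sampling_rate=1024):
    """Build a minimal sFlow v5 datagram (IPv4 agent, one flow sample, one raw
    packet header record). Agent address, ifindexes and frame length are constructed."""
    padded = header_bytes + b"\x00" * (-len(header_bytes) % 4)   # XDR pads to 4 bytes
    # protocol, frame_length (constructed), stripped, header_length, header bytes
    raw_hdr = struct.pack("!IIII", ETHERNET_PROTOCOL, len(header_bytes) + 64, 0,
                          len(header_bytes)) + padded
    record = struct.pack("!II", RAW_PACKET_HEADER, len(raw_hdr)) + raw_hdr
    # seq, source_id, sampling_rate, sample_pool, drops, input, output, num_records
    flow = struct.pack("!IIIIIIII", seq, 5, sampling_rate, sampling_rate * seq,
                       0, 5, 6, 1) + record
    sample = struct.pack("!II", FLOW_SAMPLE, len(flow)) + flow
    # version, agent addr type (1 = IPv4), agent addr, sub_agent_id, seq, uptime, num_samples
    head = struct.pack("!II4sIIII", SFLOW_VERSION, 1, bytes([10, 0, 0, 1]),
                       0, seq, 1000 * seq, 1)
    return head + sample


def parse_sflow_v5(datagram):
    """Parse an sFlow v5 datagram and return (datagram_seq, samples). Each sample
    is a dict with its sampling rate and every raw header prefix it carries."""
    off = 0
    version, off = _u32(datagram, off)
    if version != SFLOW_VERSION:
        raise ValueError("not an sFlow v5 datagram")
    addr_type, off = _u32(datagram, off)
    off += 4 if addr_type == 1 else 16           # IPv4 or IPv6 agent address
    _sub_agent, off = _u32(datagram, off)
    dgram_seq, off = _u32(datagram, off)
    _uptime, off = _u32(datagram, off)
    n_samples, off = _u32(datagram, off)
    samples = []
    for _ in range(n_samples):
        fmt, off = _u32(datagram, off)           # enterprise << 12 | format
        length, off = _u32(datagram, off)
        end = off + length
        if fmt == FLOW_SAMPLE:
            _seq, off = _u32(datagram, off)
            _source_id, off = _u32(datagram, off)
            rate, off = _u32(datagram, off)
            off += 16                            # sample_pool, drops, input, output
            n_records, off = _u32(datagram, off)
            headers = []
            for _ in range(n_records):
                rfmt, off = _u32(datagram, off)
                rlen, off = _u32(datagram, off)
                if rfmt == RAW_PACKET_HEADER:
                    _proto, _frame_len, _stripped, hlen = struct.unpack_from("!IIII", datagram, off)
                    headers.append(datagram[off + 16: off + 16 + hlen])  # plaintext prefix
                off += rlen
            samples.append({"sampling_rate": rate, "headers": headers})
        off = end                                # skip unknown sample types by length
    return dgram_seq, samples


def missing_datagrams(seqs):
    """Count datagram sequence numbers skipped between consecutive received datagrams;
    on UDP this gap is the only evidence a collector gets of lost samples."""
    return sum(b - a - 1 for a, b in zip(seqs, seqs[1:]) if b > a)


if __name__ == "__main__":
    wire = build_sflow_v5_datagram(7, CONSTRUCTED_PREFIX)
    seq, samples = parse_sflow_v5(wire)
    print("datagram seq", seq, "rate", samples[0]["sampling_rate"])
    print("prefix on the wire:", samples[0]["headers"][0][14:])
    print("datagrams lost in [1, 2, 5, 6]:", missing_datagrams([1, 2, 5, 6]))
```

The header bytes come back byte-for-byte from the datagram, which is the data that gNPSI's TLS-protected gRPC stream keeps off the wire in the clear; the sequence-gap count is what the gRPC transport's retransmission removes the need for.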
This talk will cover the integration of gNPSI into the SONiC sFlow stack and the benefits it brings to SONiC. It will cover the configuration, migration, monitoring and performance-parity aspects of gNPSI in SONiC.