[Oisf-users] Linux bonding mode for passive traffic feeds

Darren S. phatbuckett at gmail.com
Wed Aug 10 05:59:12 UTC 2016

The Linux Ethernet bonding driver [1] is often used on IDS sensors to
create a single virtual interface aggregating traffic from multiple
receiving physical interfaces. The driver supports multiple "modes" or
aggregation/availability disciplines, which affect how it operates for
different use cases. The modes are as follows:

balance-rr or 0
active-backup or 1
balance-xor or 2
broadcast or 3
802.3ad or 4
balance-tlb or 5
balance-alb or 6

Many articles discuss setting up bonding interfaces to facilitate
traffic monitoring using an IDS, but I am not aware of any that
provide sound guidance on the optimal or correct mode for a traffic
monitoring use case (i.e. which mode and why), or if there is even
such a concept. For the common use case where passive monitoring TAPs
are used to send multiple half-duplex feeds of network traffic to
multiple interfaces on an IDS sensor, is there a mode that is
"correct" and should be used? Are there modes that are "incorrect" and
lead to failure to receive and monitor all or some traffic?

For example purposes, assume 4 Ethernet TAPs, each with (2) monitor
outputs, resulting in 8 passive monitor (Rx-only) interfaces on a
Linux IDS sensor. Each connected monitor interface (eth2 - eth9) is a
slave to a master bonding interface (bond1). Should the bonding
interface be configured with a specific 'mode' for correct/reliable
frame receipt and inspection on all monitored interfaces by the IDS
process? Is propagation of promiscuous mode from the master (bond)
interface to slave interfaces important? (Some modes handle
promiscuous mode to slave interfaces differently and the behavior of
mode 0/balance-rr makes it look like the only mode that propagates to
all slaves).

[1] https://www.kernel.org/doc/Documentation/networking/bonding.txt

Darren Spruell
phatbuckett at gmail.com
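
One way to check the promiscuous-mode propagation asked about above on a running sensor: an added example, not part of the original post. It reads the bonding driver's sysfs files for a bond such as bond1; the function name promisc_report and its optional sysfs-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which slaves of a bond have IFF_PROMISC set in the
# kernel's interface flags, alongside the bond's configured mode.
IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# promisc_report BOND [SYSFS_NET]
# SYSFS_NET defaults to /sys/class/net; it is a parameter (an assumption of
# this example) so the function can also run against a constructed tree.
# Prints "mode <mode>" and then "<slave> promisc|no-promisc" per slave.
# Returns 0 if every slave is promiscuous, 1 if any is not, 2 on error.
promisc_report() {
    bond=$1
    net=${2:-/sys/class/net}
    if [ ! -r "$net/$bond/bonding/slaves" ]; then
        echo "not a bonding master: $bond" >&2
        return 2
    fi
    echo "mode $(cat "$net/$bond/bonding/mode")"
    rc=0
    for slave in $(cat "$net/$bond/bonding/slaves"); do
        # flags is a hex string such as 0x1903
        flags=$(cat "$net/$slave/flags") || return 2
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            echo "$slave promisc"
        else
            echo "$slave no-promisc"
            rc=1
        fi
    done
    return $rc
}

# Run against the live system when a bond name is given, e.g.: sh script bond1
if [ $# -gt 0 ]; then
    promisc_report "$@"
fi
```

Run it while the IDS process has the bond open, since that is when promiscuous mode is requested on the master.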
