Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat-logging-01.txt
"Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com> Fri, 28 June 2013 17:45 UTC
Return-Path: <ssenthil@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C0C321F9C29 for <behave@ietfa.amsl.com>; Fri, 28 Jun 2013 10:45:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xrtXgdgl5uRZ for <behave@ietfa.amsl.com>; Fri, 28 Jun 2013 10:45:12 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 5495C21F9C26 for <behave@ietf.org>; Fri, 28 Jun 2013 10:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14334; q=dns/txt; s=iport; t=1372441512; x=1373651112; h=from:to:cc:subject:date:message-id:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=tJzgjsOEPrtB6vm9s3a9q8mkiEj0Q2Ywg/eZTmRw1ds=; b=RYfrmxQS1ain6J1wxuOrmdD9kCnm49Z3JcE7Q+XnObeGCAbpg9GsHaU4 v2rXNLv0d0NBbmwDdSbFtpibr+A4hQwPyxzs/j8BrekVRIuc/QjOnTDcA ImSzUEkWZnhKXX8agMw6LddWQHyXSUYJAPoBUn4la15i5Q9YWvPstphb5 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhIFALHKzVGtJV2a/2dsb2JhbABRCoMJMkm/BoEKFnSCIwEBAQMBAQEBJEAHCxIBCBgKRQYLJQIEAQ0FCId1AwkGDLMiDYhOBIxugSQIBAEHfzEHgwRjA4hqjHSOB4UlgxGBaAEfIA
X-IronPort-AV: E=Sophos;i="4.87,960,1363132800"; d="scan'208";a="228729176"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-8.cisco.com with ESMTP; 28 Jun 2013 17:45:11 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r5SHjBWJ023123 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 28 Jun 2013 17:45:11 GMT
Received: from xmb-rcd-x15.cisco.com ([169.254.5.94]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.02.0318.004; Fri, 28 Jun 2013 12:45:10 -0500
From: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>
To: "Dan Wing (dwing)" <dwing@cisco.com>, Tom Taylor <tom.taylor.stds@gmail.com>
Thread-Topic: [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat-logging-01.txt
Thread-Index: AQHOTAMfYLBmigMp3EWmDtOmMJ6JaJj7xMiAgBOD44CAPH6HAA==
Date: Fri, 28 Jun 2013 17:45:10 +0000
Message-ID: <CB1B483277FEC94E9B58357040EE5D02325B9B1F@xmb-rcd-x15.cisco.com>
In-Reply-To: <6ACBECAC-F476-4947-8F02-FC267403219C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.4.130416
x-originating-ip: [10.117.198.132]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <159AC3FDAEB289498974EAF57A690388@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat-logging-01.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2013 17:45:17 -0000
Sorry for the long delay in responding.. Please see inline. On 5/20/13 9:56 PM, "Dan Wing (dwing)" <dwing@cisco.com> wrote: >Thanks for writing this document. > >My personal review, not as chair, > >Section 2.1 seems to be trying to distinguish between mechanisms that are >dynamic and those that are static. Static are DS-Lite with >[I-D.tsou-behave-natx4-log-reduction] and [I-D.pcp-port-set], MAP-E, and >lightweight 4over6. Dynamic is dynamic. Then there is the combination, >which is popularly described in draft-donley-behave-deterministic-cgn. I >would suggest separate sections explaining these three things, and more >concisely. Also, Section 2.1 is titled "NAT Logging Requirements For >Different Transition Methods" and has 3 paragraphs describing MAP-E, >which does not do network address translation in the ISP's network; a >different title for the section that discusses MAP-E seems useful. >Afterall, with MAP-E the NAT function occurs in the customer premise NAT, >which is not going to generate logging messages. It seems Section 2 >might be something we would want common between the SYSLOG and IPFIX >documents, perhaps? Do you think those would have to be repeated or one document just refers to the other. I prefer the later approach. > >I noticed the non-normative "Note:" regarding Gateway-Initiated DS-Lite >underneath Figure 1. Can that be moved to somewhere else so it is more >normative? (It looks like a centered <postamble>). Perhaps it should be >explained in Section 2.1, rather than here. This is specific to syslog. So I am going to let the syslog authors address this. > >In Figure 1, can the user identifier be generalized a bit? There are >lots of NATs which use interface identifiers (e.g., en0, en1, en2), VLAN >IDs, VRFs, to separate the inside addresses -- rather than using the >fields shown here in Figure 1. This seems to have happened in Section >3.1 (which shows VLAN ID and VRFs) but the table does not appear to allow >that sort of flexibility. This is specific to syslog. So I am going to let the syslog authors address this. > > >Section 3.1, > "NAT session creation and deletion events are recorded when a binding > to a specific destination address and port is recorded in or deleted > from the session database. See the discussion in Section 3 of > [RFC6146]." > >That does not align with the endpoint-independent mapping described in >Section 3 of RFC6146. That is, a 'creation' event does not occur with >every new destination address. > >I found Section 3.1 really difficult to understand what is generated for >a TCP/UDP mapping, versus what is supposed to be generated for an ICMP >mapping. > >" o Destination IPv4 (for NAT44) or IPv6 (for NAT64) address > (OPTIONAL);" > >A NAT64 would have an IPv4 destination address. Note this is for >*destination logging*, which needs its own discussion beyond just >"(OPTIONAL)" and beyond the citation that RFC6888 recommends against >destination logging. There are implementation issues with destination >logging (state creation in the logging device to avoid generating a log >event with every packet), and it deserves mentioning in a logging >document that destination logging more than destroys the log reduction >benefit of bulk port assignment. Agree, I will add a paragraph on the destination logging and its effects. > > >" o Post-NAT destination IPv4 address (OPTIONAL);" > >Seems redundant with the preceding item. > >"The pre-NAT value of destination > address will differ from the post-NAT value only in a double-NAT > situation. Hence in most cases even with destination logging the > pre-NAT value will not be recorded." > >I don't understand what that means. Please make it clearer in the >document. This is the first and only time the term "double-NAT" appears >in the document, which might be part of my confusion. Seems specific to syslog document. > > >Section 3.4 says: "The same allocation applies to each protocol supported >by the NAT." -> but you really only mean UDP and TCP, even though the NAT >supports ICMP (which doesn't use ports) or even if it were to support >SCTP (which does not expect NAPT devices to rewrite port numbers). So, >please say "The same ports are allocated for TCP and UDP." > >Section 3.4, why are the starting and ending port numbers optional, can >this work? > >Section 3.4, the Port Range Size and Range Step are too complicated. Are I guess your words are truncated here. There has been some interest on having non-contiguous ports. It has been established that this doesn¹t provide any added security, but it isnt as complex as you think it is to implement. There are implementations that uses a range and step size. > > >Section 3.4 needs to explain if the same single logging event will be >generated when ports are deleted, or if they are consolidated. For >example, let's say ports 100-200 are allocated to a subscriber and a >logging event generated, then ports 200-250 are (later) allocated to the >same subscriber and a logging event generated. Will that second logging >event indicate ports 100-250? (I could see someone reasonably >implementing that). Would two separate deletion log events be generated, >one deletion for 100-200, and another deletion for 201-250? Or would >only one log deletion event be generated? All of these corner cases need >discussion with some rules for how this is expected to work. This could >perhaps be left to implementation decision, but if that is the decision >it should clearly say. I think it is clearly an implementation choice. But I agree, we should have some text explaining some possible options and leave it to the implementation. > >General comment for all of sections 3.5, 3.6, and 3.7: Can a SYSLOG >message be generated *before* we hit a limit? It seems there is no >highwater mark for any of those. I expect operators would prefer knowing >before hitting a limit and also when hitting a limit (because users will >notice the hard failure when a limit is hit). Thoughts? Interesting thought. I have always thought that logging is more useful in case of post mortem, to understand what happened and when. And MIB is used as a proactive monitoring tool. We have added the threshold values in the new mib for the address and pool exhaustion, this would serve as an alarm/trap. > >"3.5. NAT Address Exhaustion Event", is there expected to be anything to >prevent this event from being continually generated? Because, if the NAT >is running near its limit and hits it, it will likely have a port >released, then one allocated (hitting the limit again), over and over >again. Same question for Section 3.4 (port exhaustion). And, are both >events generated when the final port is allocated (seems like both would >be generated). These events should be rate limited. It shouldn¹t be generated on a per-packet basis. In our current implementation, we generate an event when we first hit the limit, and then either periodically, every n secs if there are packets still getting dropped because of the lack of resources OR when some ports were released back into the pool and exhausted again. I am pretty sure there are other ways to implement this rate limiting but I think adding some text around this would be helpful to the implementors. I will do this in the ipfix document. > >Section 3.7, Quota exhausted -- for the (per-user) quota a citation to >REQ-11 of RFC6888 would be helpful. I found the paragraph describing >which fields are mandatory for which sort of quota difficult to >understand. I played around with a table (which did not help clarity) >and some alternative wording. But I couldn't improve the text much, >because I don't really know what fields are best to send for the >different sort of events. This feels very free-form and a cause of >interoperability problems with the various ways a NAT or the SYSLOG >parsing code would interpret the presence of certain fields. For >example, does the lack of a subscriber-identifying address mean that a >non-subscriber-specific administrative limit was hit? It seems that is >the case, which is okay, but more explicit explanation could be helpful. >Or creating separate events like was done with 3.5 and 3.6 > > >Section 5.2.1, "NTyp: NAT Type" where it mentions NAT44 it should cite >the canonical NAPT44 definition in RFC3022. For NAT64, probably want to >reference both stateful NAT64 (RFC6146) and stateless (RFC6145). > >5.2.5. PreS4: Pre-NAT IPv4 Source Address > > PARAM-VALUE: part or all of an IPv4 address, represented in dotted > decimal form. > >Why provide only part of the IPv4 address? For on-the-wire efficiency? >If some of the address is omitted, is it the first NNN bits that are >omitted, or the last NNN bits that are omitted. I would omit the first >NNN bits if all the internal addresses shared those same NNN bits (e.g., >all were 100.64/10, I could omit the first 10 bits). I would omit the >last NNN bits if assigning a /24 to a subscriber and I don't care which >of their devices caused the NAT event. > >5.2.6. PreS6: Pre-NAT IPv6 Source Address: "PARAM-VALUE: Part or all >of an IPv6 address, represented in the form specified by [ >RFC5952]." > >Same question -- the first part or the last part of the address? Most >subscribers are assigned a /64, so reporting the full 128 bit address is >awkward, I agree. But, similarly, most of an ISP's network will use the >same IPv6 prefix so reporting the first 8 or 24 bits is redundant. The >document needs to clarify. > >And as this is string-encoded, what rules should be followed for "::", as >that has changed in the last couple of years and would be good to cite. All of the above three comments are specific to Syslog, hence ignoring. > >In IANA considerations a new IANA registry is created. This needs to >additionally provide guidance for how that new registry can be extended >in teh future, and a few other things. RFC5226 has details. IPFIX registry is already in place and is being used by people to add new fields. > >Security considerations: > >" When logs are being recorded for regulatory reasons, preservation of > their integrity and authentication of their origin is essential." > >The accuracy and unambiguity of the information is important, as well. >To that point, the address compression has me concerned and address >compression needs more text in the document, and may deserve calling out >explicitly in the security considerations section. Also worth pointing >out is the address ranges and "step range" (whatever that is) might be >changed while the NAT is operating -- which impacts almost everything >reported to the SYSLOG server. Seems useful to add NAT Configuration >Changed events when such things occur? > >In security considerations, missing messages are not mentioned. They >should be. Would it be worthwhile to include a sequence number (which >does not appear to be part of the SYSLOG header, nor of the messages >defined in this spec.) Thanks for the review, let me know if there is anything specific to IPFIX that I have missed to respond in this review. Senthil > >-d > > >On May 8, 2013, at 8:55 AM, Tom Taylor <tom.taylor.stds@gmail.com> wrote: > >> Done at last. The updated document has two new sections: >> >> 2. Deployment Considerations >> - discusses the logging implications of the various Softwires >> transition methods, as well some considerations arising out >> of the architectural role of the NAT. >> >> 3. NAT-Related Events and Parameters >> - is a description at a generally coding-independent level of >> the events to be logged at NATs and their associated parameters. >> In principle the contents are the same as in the IPFIX >> document, but some reconciliation may be required. >> >> These sections are followed by SYSLOG-specific stuff: applicability >>statement, parameter and event encoding (with lots examples of complete >>logs), and an extensive IANA section. Then the usual remaining sections. >> >> Comments are welcome. Fire away. >> >> Tom Taylor >> >> On 08/05/2013 11:44 AM, internet-drafts@ietf.org wrote: >>> >>> A New Internet-Draft is available from the on-line Internet-Drafts >>>directories. >>> This draft is a work item of the Behavior Engineering for Hindrance >>>Avoidance Working Group of the IETF. >>> >>> Title : Syslog Format for NAT Logging >>> Author(s) : Zhonghua Chen >>> Cathy Zhou >>> Tina Tsou >>> T. Taylor >>> Filename : draft-ietf-behave-syslog-nat-logging-01.txt >>> Pages : 31 >>> Date : 2013-05-08 >>> >>> Abstract: >>> With the wide deployment of Carrier Grade NAT (CGN) devices, the >>> logging of NAT-related events has become very important for legal >>> purposes. The logs may be required to identify a host that was used >>> to launch malicious attacks or engage in illegal behaviour, and/or >>> may be required for accounting purposes. This document identifies >>> the events that need to be logged and the parameters that are >>> required in the logs depending on the context in which the NAT is >>> being used. It goes on to standardize formats for reporting these >>> events and parameters using SYSLOG (RFC 5424). A companion document >>> specifies formats for reporting the same events and parameters using >>> IPFIX (RFC 5101). Applicability statements are provided in this >>> document and its companion to guide operators and implementors in >>> their choice of which technology to use for logging. >>> >> ... >> _______________________________________________ >> Behave mailing list >> Behave@ietf.org >> https://www.ietf.org/mailman/listinfo/behave > >_______________________________________________ >Behave mailing list >Behave@ietf.org >https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat… internet-drafts
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor