Re: [BEHAVE] Comments on draft-ietf-behave-syslog-nat-logging-02
Tom Taylor <tom.taylor.stds@gmail.com> Sun, 28 July 2013 08:13 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD22921F9E3A for <behave@ietfa.amsl.com>; Sun, 28 Jul 2013 01:13:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vq4JuTwiKwuc for <behave@ietfa.amsl.com>; Sun, 28 Jul 2013 01:12:59 -0700 (PDT)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 2834321F9E15 for <behave@ietf.org>; Sun, 28 Jul 2013 01:12:56 -0700 (PDT)
Received: by mail-ob0-f171.google.com with SMTP id tb18so7370281obb.30 for <behave@ietf.org>; Sun, 28 Jul 2013 01:12:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=bhBJ45FIAMHanQyrkiqJCuwOJ/Lg3bZabh2GLODFMwo=; b=mA3Kv+oGEPX3wF+dYQHbfROtnPMqUb99hay9otT7FazO+El6k5+jO69nTY4ZjkdvLn SX4OwRjxsdpxSBOmI9RIwv0DXXSGzR33cW2nlIU/Yest1ezRPALQqa9t/4v26s5qGVaS 9VIGNGfPTS69jx+FUL4GrZ7oS9q6LlVh4DC3O3yLDo/ypxJsh5xsCXCRu1XjIRBycx5v 7qJJwKXHK5mybCHhZ1BgaUjsbBEq8mnqdfcQ8HrU0dk323Xh8Z2qBKxiLenPIqocokB2 j/Vu7PQQrPgJKnTm46UX3z2j93u+RCptsBtcte1Qq3LMO4a2xlNje9zFW88uxZWd3hOy NveQ==
X-Received: by 10.60.92.162 with SMTP id cn2mr17563194oeb.103.1374999175567; Sun, 28 Jul 2013 01:12:55 -0700 (PDT)
Received: from [192.168.1.64] (dsl-173-206-92-228.tor.primus.ca. [173.206.92.228]) by mx.google.com with ESMTPSA id g1sm80844288oeq.6.2013.07.28.01.12.54 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 28 Jul 2013 01:12:54 -0700 (PDT)
Message-ID: <51F4D283.2040501@gmail.com>
Date: Sun, 28 Jul 2013 04:12:51 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
References: <9c6e4d956a264bd781bb66a412e5cce3@BY2PR03MB269.namprd03.prod.outlook.com>
In-Reply-To: <9c6e4d956a264bd781bb66a412e5cce3@BY2PR03MB269.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-behave-syslog-nat-logging@tools.ietf.org" <draft-ietf-behave-syslog-nat-logging@tools.ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] Comments on draft-ietf-behave-syslog-nat-logging-02
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jul 2013 08:13:03 -0000
Thanks for taking the time for this. Responses below. On 27/07/2013 1:45 PM, Dave Thaler wrote: > Of the 10 documents I read while traveling to Berlin, this one was the longest, but > also probably the easiest to read and most well written in my opinion, so thanks for > all the work put into this recently! > > A summary of my technical comments follows. > > > 1. The syslog doc and the NAT MIB are not currently aligned. > > The NAT MIB has low/high watermark objects for one type of notification > > (which I think is a good approach), but it appears to only affect SNMP notifications > > not Syslog notifications. The syslog doc requires rate limiting various things, > > with required knobs that are not in the NAT MIB. And the syslog doesn't > > recommend low/high watermarks but probably should, as I think it's currently > > underspecified. [PTT] I wonder if, in the interest of orderly procedure, we first draw up the configuration requirements by adding a Management Considerations section to the logging draft. Then we can figure out how to propagate that to the MIB or other configuration models. [PTT] The watermark system I'm familiar with from my telephony days would be based on observations over a fixed time interval (e.g., 5 minutes, 30 minutes, possibly an hour). Is this what you would have in mind, with a log being generated at the end of each observation interval? > > 2. The use of UTF-8 strings for identifiers needs clarification. Is non-ASCII really > > required? If so, what normalization form? Any constraints on set of legal > > characters? What are the uniqueness requirements? E.g., is it ok to have > > two values that differ only in normalization form? What about differing in > > case? What about being visually identical/confusable? [PTT] I agree this needs a closer look. We ended up having to add stuff to ANCP to support the use of UTF-8. I'm getting the picture of an occasional (hourly and whenever configuration changes) ADMIN event type which would have miscellaneous stuff like the byte masks used to truncate IPv4 and IPv6 addresses (suggested by Dan in his review), and could also have the additional information needed to make UTF-8 work. Of course, as you say, we should first determine whether anything more than US-ASCII is needed. > > 3. The document assumes a single "internal" and a single "external" realm. This > > Is not a safe assumption in general, and especially not in scenarios like > > "An IPv4 Network to An IPv6 Network" and vice versa, where there could > > be (for instance) 2 internal realms and 0 external realms. Furthermore, the > > terms are ambiguous. For example in the "IPv6 Internet to An IPv4 Network" > > scenario where sessions are initiated from the Internet, which side is > > "external"? [PTT] Ironic -- I changed the terminology because the terminology implicit in the IPFIX draft always takes the point of view of outgoing packets without saying so and I thought that was ambiguous. Looks like we need to fall back to that position and state the convention in the terminology section. > > 4. The type registry is not sufficiently motivated. Why are standard values > > needed here? And if they are, then why is FCFS not sufficient? [PTT] Because, to be blunt, I sense that if anyone wanted to add NAT66 to the list it would trigger a fairly strong reaction. > > 5. The mechanism should not be limited to cases where the external address > > is IPv4. Since it's passed as a string, there's no reason for such a limitation. > > A marked up copy that also includes my > editorial comments can be found at > http://research.microsoft.com/~dthaler/draft-ietf-behave-syslog-nat-logging-02.pdf > (or a .docx version if you replace .pdf with .docx). > > -Dave > > > > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave >