[BEHAVE] Fwd: New Version Notification for draft-ietf-behave-syslog-nat-logging-03.txt

Tom Taylor <tom.taylor.stds@gmail.com> Sat, 21 September 2013 02:40 UTC

I have submitted an update, but THIS IS A PARTIAL UPDATE, CONSISTENT 
ONLY THROUGH SECTION 3. Section 4 is probably OK too, but I haven't 
reviewed it. While I propagate the changes through the rest of the 
document, I would appreciate any comments on Sections 1-3 as they stand.

Dave T., I'm afraid I didn't fold in the editorial changes you provided 
a link to in your pre-meeting review. Next update I'll look them over.

Tom Taylor

Major changes:

1. Adopted new definition of session (includes destination) from 
RFC6164. This distinguishes the session from BIB entries.

2. New Sec. 2.2 discusses realms and address pools. Beginning in this 
section, realigned terminology to talk about internal and external 
realms, addresses, and ports rather than various other terms. Realms are 
added as parameters of most of the event reports defined in Section 3.

3. New Sec. 2.3.1 introduces the generalized address in place of the 
subscriber site identifier. This is encoded as 
type-address-address/prefix length, but the types include IPv4, IPv6, 
and GW-initiated DS-Lite SWID. The GW-initiated DS-Lite context is 
characterized as a realm. In Section 3, got rid of the assumption that a 
mapping or session always involved a subscriber, where this was not 
necessary. Pulled the material that used to talk about subscriber site 
ID out of the introductory Section 3.

4. Got rid of the reporting device identifier optional parameter. 
Discussion on the OPSAWG list suggested we could get away with 
specifying that the HOSTNAME in the SYSLOG header always identifies the 
NAT device.

5. In Section 3.1, the session creation and deletion events always 
report destination address and port. The discussion of destination 
logging in Section 3.1.1 was modified to discourage destination logging 
but not forbid it. A proposal was added for a special study capability 
to enable destination logging only on a specified set of addresses.

6. BIB entry creation/deletion event added back in new Sec. 3.2, since 
it is now clearly distinguishable from sessions.

7. Port set allocation and deallocation in Sec. 3.4 now uses same 
notation as IPFIX, but I think Senthil and I have a basic disagreement 
on the semantics of that notation. The SYSLOG semantics are clearly 
spelled out in Sec. 3.4, with examples.

8. Took out the previous address exhausted and ports exhausted events 
(and the invalid port event, for other reasons) and replaced them with 
events based on the thresholds and limits in the NAT MIB. Hence new 
sections:
      3.5.  Address Pool High- and Low-Water-Mark Threshold Events
      3.6.  Global Address Mapping High-Water-Mark Threshold Event
      3.7.  Global Address Mapping Limit Exceeded
      3.8.  Global Transport Mapping High-Water-Mark Threshold Event
      3.9.  Global Transport Mapping Limit Exceeded
      3.10. Subscriber-Specific Mapping Threshold Event
      3.11. Global Limit On Number of Active Subscribers Exceeded
      3.12. Subscriber-Specific Limit On Number of Transport Mappings Exceeded
      3.14. Global Limit On Number Of Fragments Pending Reassembly Exceeded

9. The Quota Exceeded event in Sec. 3.13 was simplified as suggested in 
the meeting.


-------- Original Message --------
Subject: New Version Notification for 
draft-ietf-behave-syslog-nat-logging-03.txt
Date: Fri, 20 Sep 2013 19:05:00 -0700
From: internet-drafts@ietf.org
To: Tina Tsou <tina.tsou.zouting@huawei.com>, T. Taylor 
<tom.taylor.stds@gmail.com>, Tom Taylor <tom.taylor.stds@gmail.com>, 
Cathy Zhou <cathy.zhou@huawei.com>, Zhonghua Chen <18918588897@189.cn>


A new version of I-D, draft-ietf-behave-syslog-nat-logging-03.txt
has been successfully submitted by Zhonghua Chen and posted to the
IETF repository.

Filename:        draft-ietf-behave-syslog-nat-logging
Revision:        03
Title:           Syslog Format for NAT Logging
Creation date:   2013-09-21
Group:           behave
Number of pages: 38
URL:             http://www.ietf.org/internet-drafts/draft-ietf-behave-syslog-nat-logging-03.txt
Status:          http://datatracker.ietf.org/doc/draft-ietf-behave-syslog-nat-logging
Htmlized:        http://tools.ietf.org/html/draft-ietf-behave-syslog-nat-logging-03
Diff:            http://www.ietf.org/rfcdiff?url2=draft-ietf-behave-syslog-nat-logging-03

Abstract:
    With the wide deployment of Carrier Grade NAT (CGN) devices, the
    logging of NAT-related events has become very important for various
    operational purposes.  The logs may be required for troubleshooting,
    to identify a host that was used to launch malicious attacks, and/or
    for accounting purposes.  This document identifies the events that
    need to be logged and the parameters that are required in the logs
    depending on the context in which the NAT is being used.  It goes on
    to standardize formats for reporting these events and parameters
    using SYSLOG (RFC 5424).  A companion document specifies formats for
    reporting the same events and parameters using IPFIX (RFC 5101).
    Applicability statements are provided in this document and its
    companion to guide operators and implementors in their choice of
    which technology to use for logging.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
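
Added example, not part of the original message or of the draft: a sketch of the host-tracing use named in the abstract, relying on changes 4 and 5 (the RFC 5424 HOSTNAME identifies the NAT device; session events carry the destination). The SD-ID `natsess@32473`, the MSGID values and all parameter names are hypothetical placeholders, not the draft's encoding, and the sample records are constructed.

```python
import re
from datetime import datetime

# Constructed sample records in RFC 5424 framing. SD-ID, MSGIDs and parameter
# names are hypothetical; the draft defines its own. Records are in time order.
SAMPLE_LOG = """\
<134>1 2013-09-20T10:00:00Z cgn1.example.net nat - SessCreate [natsess@32473 iAddr="10.0.0.5" iPort="40000" xAddr="192.0.2.10" xPort="5000" dAddr="198.51.100.7" dPort="80"]
<134>1 2013-09-20T10:05:00Z cgn1.example.net nat - SessDelete [natsess@32473 iAddr="10.0.0.5" iPort="40000" xAddr="192.0.2.10" xPort="5000" dAddr="198.51.100.7" dPort="80"]
<134>1 2013-09-20T10:06:00Z cgn1.example.net nat - SessCreate [natsess@32473 iAddr="10.0.0.9" iPort="41000" xAddr="192.0.2.10" xPort="5000" dAddr="198.51.100.7" dPort="80"]
<134>1 2013-09-20T10:06:30Z cgn1.example.net nat - SessCreate [natsess@32473 iAddr="10.0.0.12" iPort="42000" xAddr="192.0.2.10" xPort="5000" dAddr="203.0.113.4" dPort="443"]
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT]
HEADER = re.compile(r'^<\d{1,3}>1 (\S+) (\S+) \S+ \S+ (\S+) \[natsess@32473 ([^\]]*)\]')
PARAM = re.compile(r'(\w+)="([^"]*)"')  # escaped quotes in values are not handled

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse(line):
    m = HEADER.match(line)
    if not m:
        return None
    ts, host, msgid, sd = m.groups()
    # HOSTNAME from the syslog header is taken as the NAT device identity.
    return {"time": parse_ts(ts), "nat": host, "event": msgid, **dict(PARAM.findall(sd))}

def trace(log, x_addr, x_port, when, d_addr=None):
    """Return sorted (nat, iAddr, iPort) for sessions using x_addr:x_port at `when`."""
    at = parse_ts(when)
    open_sessions, hits = {}, []
    for rec in filter(None, map(parse, log.splitlines())):
        key = (rec["nat"], rec["iAddr"], rec["iPort"],
               rec["xAddr"], rec["xPort"], rec["dAddr"], rec["dPort"])
        if rec["event"] == "SessCreate":
            open_sessions[key] = rec["time"]
        elif rec["event"] == "SessDelete" and key in open_sessions:
            start = open_sessions.pop(key)
            if start <= at <= rec["time"]:
                hits.append(key)
    # Sessions with no deletion event yet are still active.
    hits += [k for k, start in open_sessions.items() if start <= at]
    return sorted({k[:3] for k in hits
                   if k[3] == x_addr and k[4] == str(x_port)
                   and (d_addr is None or k[5] == d_addr)})

if __name__ == "__main__":
    print(trace(SAMPLE_LOG, "192.0.2.10", 5000, "2013-09-20T10:07:00Z", "198.51.100.7"))
```

In the sample, two internal hosts share the same external address and port at 10:07; only the destination address in the report separates them.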