[BEHAVE] Fwd: New Version Notification for draft-ietf-behave-syslog-nat-logging-03.txt
Tom Taylor <tom.taylor.stds@gmail.com> Sat, 21 September 2013 02:40 UTC
I have submitted an update, but THIS IS A PARTIAL UPDATE, CONSISTENT ONLY THROUGH SECTION 3. Section 4 is probably OK too, but I haven't reviewed it. While I propagate the changes through the rest of the document, I would appreciate any comments on Sections 1-3 as they stand.

Dave T., I'm afraid I didn't fold in the editorial changes you provided a link to in your pre-meeting review. Next update I'll look them over.

Tom Taylor

Major changes:

1. Adopted new definition of session (includes destination) from RFC6164. This distinguishes the session from BIB entries.

2. New Sec. 2.2 discusses realms and address pools. Beginning in this section, realigned terminology to talk about internal and external realms, addresses, and ports rather than various other terms. Realms are added as parameters of most of the event reports defined in Section 3.

3. New Sec. 2.3.1 introduces the generalized address in place of the subscriber site identifier. This is encoded as type-address-address/prefix length, but the types include IPv4, IPv6, and GW-initiated DS-Lite SWID. The GW-initiated DS-Lite context is characterized as a realm. In Section 3, got rid of the assumption that a mapping or session always involved a subscriber, where this was not necessary. Pulled the material that used to talk about subscriber site ID out of the introductory Section 3.

4. Got rid of the reporting device identifier optional parameter. Discussion on the OPSAWG list suggested we could get away with specifying that the HOSTNAME in the SYSLOG header always identifies the NAT device.

5. In Section 3.1, the session creation and deletion events always report destination address and port. The discussion of destination logging in Section 3.1.1 was modified to discourage destination logging but not forbid it. A proposal was added for a special study capability to enable destination logging only on a specified set of addresses.

6. BIB entry creation/deletion event added back in new Sec. 3.2, since it is now clearly distinguishable from sessions.

7. Port set allocation and deallocation in Sec. 3.4 now uses same notation as IPFIX, but I think Senthil and I have a basic disagreement on the semantics of that notation. The SYSLOG semantics are clearly spelled out in Sec. 3.4, with examples.

8. Took out the previous address exhausted and ports exhausted events (and the invalid port event, for other reasons) and replaced them with events based on the thresholds and limits in the NAT MIB. Hence new sections:

   3.5. Address Pool High- and Low-Water-Mark Threshold Events
   3.6. Global Address Mapping High-Water-Mark Threshold Event
   3.7. Global Address Mapping Limit Exceeded
   3.8. Global Transport Mapping High-Water-Mark Threshold Event
   3.9. Global Transport Mapping Limit Exceeded
   3.10. Subscriber-Specific Mapping Threshold Event
   3.11. Global Limit On Number of Active Subscribers Exceeded
   3.12. Subscriber-Specific Limit On Number of Transport Mappings Exceeded
   3.14. Global Limit On Number Of Fragments Pending Reassembly Exceeded

9. The Quota Exceeded event in Sec. 3.13 was simplified as suggested in the meeting.

-------- Original Message --------
Subject: New Version Notification for draft-ietf-behave-syslog-nat-logging-03.txt
Date: Fri, 20 Sep 2013 19:05:00 -0700
From: internet-drafts@ietf.org
To: Tina Tsou <tina.tsou.zouting@huawei.com>, T. Taylor <tom.taylor.stds@gmail.com>, Tom Taylor <tom.taylor.stds@gmail.com>, Cathy Zhou <cathy.zhou@huawei.com>, Zhonghua Chen <18918588897@189.cn>

A new version of I-D, draft-ietf-behave-syslog-nat-logging-03.txt has been successfully submitted by Zhonghua Chen and posted to the IETF repository.

Filename: draft-ietf-behave-syslog-nat-logging
Revision: 03
Title: Syslog Format for NAT Logging
Creation date: 2013-09-21
Group: behave
Number of pages: 38
URL: http://www.ietf.org/internet-drafts/draft-ietf-behave-syslog-nat-logging-03.txt
Status: http://datatracker.ietf.org/doc/draft-ietf-behave-syslog-nat-logging
Htmlized: http://tools.ietf.org/html/draft-ietf-behave-syslog-nat-logging-03
Diff: http://www.ietf.org/rfcdiff?url2=draft-ietf-behave-syslog-nat-logging-03

Abstract:
With the wide deployment of Carrier Grade NAT (CGN) devices, the logging of NAT-related events has become very important for various operational purposes. The logs may be required for troubleshooting, to identify a host that was used to launch malicious attacks, and/or for accounting purposes. This document identifies the events that need to be logged and the parameters that are required in the logs depending on the context in which the NAT is being used. It goes on to standardize formats for reporting these events and parameters using SYSLOG (RFC 5424). A companion document specifies formats for reporting the same events and parameters using IPFIX (RFC 5101). Applicability statements are provided in this document and its companion to guide operators and implementors in their choice of which technology to use for logging.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
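
The host-identification use named in the abstract, combined with item 4 (the RFC 5424 HOSTNAME identifies the NAT device) and item 5 (session events carry destination address and port), as an added example that is not part of the original message or the draft. It parses RFC 5424 records and answers which internal address held an external address and port at a given time, including the case where the port is later reused; the SD-ID `natsess@32473`, the MSGIDs `SessAdd`/`SessDel` and the parameter names are placeholders assumed for illustration, not the names the draft defines.

```python
import re
from datetime import datetime, timezone

# Constructed records. The SD-ID "natsess@32473", the MSGIDs and the parameter
# names are placeholders for this example, not the names the draft defines.
_SD = ('[natsess@32473 iAddr="%s" iPort="40000" xAddr="198.51.100.7" '
       'xPort="6001" dAddr="203.0.113.9" dPort="80"]')
SAMPLE = [
    "<134>1 2013-09-20T10:00:00Z cgn1.example.net nat - SessAdd " + _SD % "10.0.0.5",
    "<134>1 2013-09-20T10:05:00Z cgn1.example.net nat - SessDel " + _SD % "10.0.0.5",
    "<134>1 2013-09-20T10:10:00Z cgn1.example.net nat - SessAdd " + _SD % "10.0.0.9",
    "this line is not RFC 5424 and is skipped",
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params]
HEADER = re.compile(r'<\d{1,3}>1 (\S+) (\S+) \S+ \S+ (\S+) '
                    r'\[([^\s\]="]+)((?:[^\]\\]|\\.)*)\]')
PARAM = re.compile(r' ([^\s="\]]+)="((?:[^"\\]|\\.)*)"')

def parse(line):
    """Return (timestamp, hostname, msgid, params), or None if not RFC 5424."""
    m = HEADER.match(line)
    if not m:
        return None
    ts, host, msgid, _sd_id, body = m.groups()
    # PARAM-VALUE escapes in RFC 5424 are \" \\ and \]
    params = {k: re.sub(r'\\(["\\\]])', r"\1", v) for k, v in PARAM.findall(body)}
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, msgid, params

def attribute(lines, x_addr, x_port, when):
    """Replay session events up to `when` (timezone-aware) and return the set
    of (nat_hostname, internal_addr) holding x_addr:x_port at that moment."""
    fields = ("iAddr", "iPort", "xAddr", "xPort", "dAddr", "dPort")
    active = set()
    for ts, host, msgid, p in sorted(filter(None, map(parse, lines)),
                                     key=lambda e: e[0]):
        if ts > when:
            break
        key = (host,) + tuple(p.get(f) for f in fields)
        if msgid == "SessAdd":
            active.add(key)
        elif msgid == "SessDel":
            active.discard(key)
    return {(k[0], k[1]) for k in active
            if k[3] == x_addr and k[4] == str(x_port)}

def utc(hour, minute):
    """Timestamp on the sample day, in UTC."""
    return datetime(2013, 9, 20, hour, minute, tzinfo=timezone.utc)
```

The query time must come from a clock synchronized with the NAT device, since the same external port maps to different internal hosts minutes apart.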