Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat-logging-01.txt
Tom Taylor <tom.taylor.stds@gmail.com> Mon, 15 July 2013 02:17 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4F9321F9CA0 for <behave@ietfa.amsl.com>; Sun, 14 Jul 2013 19:17:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8RuWGGV2TcYx for <behave@ietfa.amsl.com>; Sun, 14 Jul 2013 19:17:23 -0700 (PDT)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id 95F9821F9BA2 for <behave@ietf.org>; Sun, 14 Jul 2013 19:17:23 -0700 (PDT)
Received: by mail-ie0-f177.google.com with SMTP id aq17so23512196iec.8 for <behave@ietf.org>; Sun, 14 Jul 2013 19:17:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=PzfDXyxvKZA++O+Ld/p7BuTEmeBD47cBjBtZRxTN1So=; b=S72/ENaPFLhYEkTU7Vyy+kmtWDgHm9pxO0KYzA1TjR4NVgn3UKDbLbhRRIGPPolS8X IYTXZKpUZKQYhxLMrZ81xvgIOaIucWhE9ZBG6FxVi5a3uu+vb9FniUfnBrm9X24iR9xu 9nPqM19Lx7B3gGI/rmleMc5LorRS008PVHLBZ35tzVXOPhtIUNj2pJzWPqwwQCgCWgX1 W7Bv958YwhmKZLPwCmKFFLNaWrU4E+h09unU+ARBp3rn8ax+l00K5CrdXaTq5WsO/r73 PyCWWM6vQ4OlH3nsg33GbHKWzBkAOH8D6907ewcGb0CJeCWrDgCJsE8r3lhnxChfUsBR tWBg==
X-Received: by 10.50.120.103 with SMTP id lb7mr5860913igb.14.1373854643159; Sun, 14 Jul 2013 19:17:23 -0700 (PDT)
Received: from [192.168.1.64] ([216.254.161.150]) by mx.google.com with ESMTPSA id r6sm15684430igp.8.2013.07.14.19.17.21 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 14 Jul 2013 19:17:22 -0700 (PDT)
Message-ID: <51E35BB2.3010609@gmail.com>
Date: Sun, 14 Jul 2013 22:17:22 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
References: <20130508154447.24024.36769.idtracker@ietfa.amsl.com> <518A757F.5000701@gmail.com> <6ACBECAC-F476-4947-8F02-FC267403219C@cisco.com>
In-Reply-To: <6ACBECAC-F476-4947-8F02-FC267403219C@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: behave@ietf.org
Subject: Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat-logging-01.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2013 02:17:25 -0000
This is a report on what I changed in response to your review. Thank you very much for your time and expertise. On 20/05/2013 9:56 PM, Dan Wing wrote: > Thanks for writing this document. > > My personal review, not as chair, > > Section 2.1 seems to be trying to distinguish between mechanisms that > are dynamic and those that are static. Static are DS-Lite with > [I-D.tsou-behave-natx4-log-reduction] and [I-D.pcp-port-set], MAP-E, > and lightweight 4over6. Dynamic is dynamic. Then there is the > combination, which is popularly described in > draft-donley-behave-deterministic-cgn. I would suggest separate > sections explaining these three things, and more concisely. Also, > Section 2.1 is titled "NAT Logging Requirements For Different > Transition Methods" and has 3 paragraphs describing MAP-E, which does > not do network address translation in the ISP's network; a different > title for the section that discusses MAP-E seems useful. Afterall, > with MAP-E the NAT function occurs in the customer premise NAT, which > is not going to generate logging messages. [PTT] Rewrote with 2.1 talking about static, dynamic, and hybrid, and 2.2 still talking about transition methods but with reference to 2.1. Dropped 2.3. It seems Section 2 might > be something we would want common between the SYSLOG and IPFIX > documents, perhaps? [PTT] I am hoping both Section 2 and Section 3 could be common once we get them in shape. > > I noticed the non-normative "Note:" regarding Gateway-Initiated > DS-Lite underneath Figure 1. Can that be moved to somewhere else so > it is more normative? (It looks like a centered <postamble>). > Perhaps it should be explained in Section 2.1, rather than here. [PTT] Explicitly accounted for when talking about the general-purpose subscriber site identifier in the introductory part of Section 3. > > In Figure 1, can the user identifier be generalized a bit? There are > lots of NATs which use interface identifiers (e.g., en0, en1, en2), > VLAN IDs, VRFs, to separate the inside addresses -- rather than using > the fields shown here in Figure 1. This seems to have happened in > Section 3.1 (which shows VLAN ID and VRFs) but the table does not > appear to allow that sort of flexibility. > [PTT] Done. I expect leaving the exact contents to implementation/deployment (current position) will be a matter of discussion. Section 3 does suggest what should theoretically be reported. > > Section 3.1, "NAT session creation and deletion events are recorded > when a binding to a specific destination address and port is recorded > in or deleted from the session database. See the discussion in > Section 3 of [RFC6146]." > > That does not align with the endpoint-independent mapping described > in Section 3 of RFC6146. That is, a 'creation' event does not occur > with every new destination address. > > I found Section 3.1 really difficult to understand what is generated > for a TCP/UDP mapping, versus what is supposed to be generated for an > ICMP mapping. [PTT] This may still be an open issue. Have to review. > > " o Destination IPv4 (for NAT44) or IPv6 (for NAT64) address > (OPTIONAL);" > > A NAT64 would have an IPv4 destination address. Note this is for > *destination logging*, which needs its own discussion beyond just > "(OPTIONAL)" and beyond the citation that RFC6888 recommends against > destination logging. There are implementation issues with > destination logging (state creation in the logging device to avoid > generating a log event with every packet), and it deserves mentioning > in a logging document that destination logging more than destroys the > log reduction benefit of bulk port assignment. > > > " o Post-NAT destination IPv4 address (OPTIONAL);" > > Seems redundant with the preceding item. > > "The pre-NAT value of destination address will differ from the > post-NAT value only in a double-NAT situation. Hence in most cases > even with destination logging the pre-NAT value will not be > recorded." > > I don't understand what that means. Please make it clearer in the > document. This is the first and only time the term "double-NAT" > appears in the document, which might be part of my confusion. [PTT] Dropped destination logging from the session creation/deletion events. This made them identical to the BIB entry events, so I dropped the latter. Added a sub-section of 3.1 explaining why destination logging would be so rare as to not merit standardization. > > > Section 3.4 says: "The same allocation applies to each protocol > supported by the NAT." -> but you really only mean UDP and TCP, even > though the NAT supports ICMP (which doesn't use ports) or even if it > were to support SCTP (which does not expect NAPT devices to rewrite > port numbers). So, please say "The same ports are allocated for TCP > and UDP." [PTT] Done. > > Section 3.4, why are the starting and ending port numbers optional, > can this work? > > Section 3.4, the Port Range Size and Range Step are too complicated. > Are > > Section 3.4 needs to explain if the same single logging event will be > generated when ports are deleted, or if they are consolidated. For > example, let's say ports 100-200 are allocated to a subscriber and a > logging event generated, then ports 200-250 are (later) allocated to > the same subscriber and a logging event generated. Will that second > logging event indicate ports 100-250? (I could see someone > reasonably implementing that). Would two separate deletion log > events be generated, one deletion for 100-200, and another deletion > for 201-250? Or would only one log deletion event be generated? All > of these corner cases need discussion with some rules for how this is > expected to work. This could perhaps be left to implementation > decision, but if that is the decision it should clearly say. [PTT] I realized there are even more potential complications than you have pointed out. Evaded all of them by redefining the log as a "Port Allocation Change" event, with a full report of the current allocation at the time of reporting. Added text to allow range consolidation. > > General comment for all of sections 3.5, 3.6, and 3.7: Can a SYSLOG > message be generated *before* we hit a limit? It seems there is no > highwater mark for any of those. I expect operators would prefer > knowing before hitting a limit and also when hitting a limit (because > users will notice the hard failure when a limit is hit). Thoughts? [PTT] I think Senthil answered this, but the first line of defense is the Quota event. > > "3.5. NAT Address Exhaustion Event", is there expected to be > anything to prevent this event from being continually generated? > Because, if the NAT is running near its limit and hits it, it will > likely have a port released, then one allocated (hitting the limit > again), over and over again. Same question for Section 3.4 (port > exhaustion). And, are both events generated when the final port is > allocated (seems like both would be generated). [PTT] For this and other error conditions, added text requiring implementations to provide the capability for event-specific rate limiting. > > Section 3.7, Quota exhausted -- for the (per-user) quota a citation > to REQ-11 of RFC6888 would be helpful. I found the paragraph > describing which fields are mandatory for which sort of quota > difficult to understand. I played around with a table (which did not > help clarity) and some alternative wording. But I couldn't improve > the text much, because I don't really know what fields are best to > send for the different sort of events. This feels very free-form and > a cause of interoperability problems with the various ways a NAT or > the SYSLOG parsing code would interpret the presence of certain > fields. For example, does the lack of a subscriber-identifying > address mean that a non-subscriber-specific administrative limit was > hit? It seems that is the case, which is okay, but more explicit > explanation could be helpful. Or creating separate events like was > done with 3.5 and 3.6 [PTT] Refactored the parameters to make things more understandable. Instead of QTyp, now have site scope (single, multiple, all) and protocol scope (TCP, UDP, ICMP, all). > > Section 5.2.1, "NTyp: NAT Type" where it mentions NAT44 it should > cite the canonical NAPT44 definition in RFC3022. For NAT64, probably > want to reference both stateful NAT64 (RFC6146) and stateless > (RFC6145). [PTT] Done. Also decided (absent input to the contrary) that no one would monitor logs at a universal CPE, so dropped that. Added the LW4over6 and MAP-E BR, hence renamed the field "Device Type" rather than "NAT Type". > > 5.2.5. PreS4: Pre-NAT IPv4 Source Address > > PARAM-VALUE: part or all of an IPv4 address, represented in dotted > decimal form. > > Why provide only part of the IPv4 address? For on-the-wire > efficiency? If some of the address is omitted, is it the first NNN > bits that are omitted, or the last NNN bits that are omitted. I > would omit the first NNN bits if all the internal addresses shared > those same NNN bits (e.g., all were 100.64/10, I could omit the first > 10 bits). I would omit the last NNN bits if assigning a /24 to a > subscriber and I don't care which of their devices caused the NAT > event. [PTT] Made PostS4 the full IPv4 address. All the Pre- addresses are absorbed into the general purpose SiteID. > > 5.2.6. PreS6: Pre-NAT IPv6 Source Address: "PARAM-VALUE: Part or > all of an IPv6 address, represented in the form specified by [ > RFC5952]." > > Same question -- the first part or the last part of the address? > Most subscribers are assigned a /64, so reporting the full 128 bit > address is awkward, I agree. But, similarly, most of an ISP's > network will use the same IPv6 prefix so reporting the first 8 or 24 > bits is redundant. The document needs to clarify. > > And as this is string-encoded, what rules should be followed for > "::", as that has changed in the last couple of years and would be > good to cite. [PTT] Absorbed into SiteID, which is left to local implementation with the requirement that it be a human-readable string. > > In IANA considerations a new IANA registry is created. This needs to > additionally provide guidance for how that new registry can be > extended in teh future, and a few other things. RFC5226 has details. [PTT] It already says "IETF Review", since I expect the IETF wants a strong say on what might be added (e.g., "66"). Is any more needed? > > Security considerations: > > " When logs are being recorded for regulatory reasons, preservation > of their integrity and authentication of their origin is essential." > > The accuracy and unambiguity of the information is important, as > well. To that point, the address compression has me concerned and > address compression needs more text in the document, and may deserve > calling out explicitly in the security considerations section. Also > worth pointing out is the address ranges and "step range" (whatever > that is) might be changed while the NAT is operating -- which impacts > almost everything reported to the SYSLOG server. Seems useful to add > NAT Configuration Changed events when such things occur? > > In security considerations, missing messages are not mentioned. They > should be. Would it be worthwhile to include a sequence number > (which does not appear to be part of the SYSLOG header, nor of the > messages defined in this spec.) [PTT] Haven't dealt with this yet. > > -d ...
- [BEHAVE] I-D Action: draft-ietf-behave-syslog-nat… internet-drafts
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Dan Wing
- Re: [BEHAVE] I-D Action: draft-ietf-behave-syslog… Tom Taylor