Re: [BEHAVE] short review of draft-ietf-behave-ipfix-nat-logging-00
"Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com> Fri, 24 May 2013 16:50 UTC
From: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>
To: "Dan Wing (dwing)" <dwing@cisco.com>, draft-ietf-behave-ipfix-nat-logging <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>
Date: Fri, 24 May 2013 16:49:59 +0000
Message-ID: <CB1B483277FEC94E9B58357040EE5D0232587555@xmb-rcd-x15.cisco.com>
In-Reply-To: <4ACE4A37-091D-433A-8112-98E201605046@cisco.com>
Cc: "<behave@ietf.org>" <behave@ietf.org>
Subject: Re: [BEHAVE] short review of draft-ietf-behave-ipfix-nat-logging-00
On 5/20/13 10:11 PM, "Dan Wing (dwing)" <dwing@cisco.com> wrote:

>This is a short review of draft-ietf-behave-ipfix-nat-logging-00. I
>noticed several things in this document which are similar to my review of
>the SYSLOG document. Please be sure to see that review and I'm sure you
>will notice some similarities.

Ok. Will respond back to the relevant ones in that thread.

>
>I noticed draft-ietf-behave-ipfix-nat-logging-00 also seems to not
>explain the nuances of logging the destination. This not only could
>increase log file size, but also impacts the memory of the NAT device and
>forces state on otherwise-stateless devices (such as stateless NAT64,
>MAP-E, or MAP-T, and others). Not to mention creates a log of user
>activity which reduces subscriber privacy.

Would adding a paragraph explaining the disadvantages satisfy your concerns?
I agree with your points above except forcing state on the stateless device;
I don't understand how logging forces state on a stateless device.
Also, note that destination logging is not mandatory, and we can add text
saying that destination logging must be turned off by default.

>
>I see draft-ietf-behave-ipfix-nat-logging-00 also has a 'range step
>size', but I am not aware of where 'step size' is explained or discussed
>elsewhere. A citation within the document to wherever 'step size' is
>explained would be useful.

Ok.

>
>It reads strangely that the Address Binding event described in Section
>5.4.8 shows "Mandatory: No" for both IPv4 and IPv6 source addresses --
>surely one or the other needs to be present for this event to make sense,
>the text says:

That should be read as either one of them is mandatory, but individually
neither is. I don't know how to capture that in the table. I can add some
text to indicate that either IPv4 or IPv6 source must be present.

>   This event will be generated when a NAT device binds a local address
>   with a global address. This binding event happens when the first
>   packet of the first flow from a host in the private realm.
>
>but I can't tell if, when a brand-new TCP SYN is sent by a client, if
>that causes both an Address Binding event and _also_ a "NAT44 BIB create"
>event, because the document does not describe a "BIB" or a "Bind entry"
>-- if those are well-understood terms, can a citation be added, or
>in-place definition be added? Also would benefit from clarity around why
>there is a Address Binding event in Section 5.4.8 versus the "BIB create"
>events described earlier.

For the first SYN, an address binding event will happen AND either a
NAT44/NAT64 BIB event or a NAT44/NAT64 session event will happen. The
subsequent SYNs and other packets from the same internal host will not
create an address binding event.

>
>Similar observation as with SYSLOG on security considerations,
>need for clarity of the logs, and suchlike (see my SYSLOG review posted
>to BEHAVE).

Ok, thanks for the review.

Senthil

>
>-d
>
>
>
>_______________________________________________
>Behave mailing list
>Behave@ietf.org
>https://www.ietf.org/mailman/listinfo/behave
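The event sequence described in the reply above (an address binding event on the first packet of the first flow from an internal host, plus a BIB or session event for every new flow, and nothing for a retransmitted SYN) is easier to see in code. The following is an added example, not code from the draft, from the BEHAVE working group, or from either author. It assumes its own event names (ADDRESS_BINDING_CREATE, NAT44_BIB_CREATE, NAT44_SESSION_CREATE), its own record fields, a hypothetical `log_destination` switch that is off by default, and that "BIB" is meant in the sense of RFC 6146's Binding Information Base; the packet sequence and addresses are constructed.

```python
"""Simulated NAT44 event generator (added example; event names, fields and
the log_destination switch are assumptions, not the draft's definitions)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    """One outbound packet from the private realm (constructed sample input)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Nat44:
    """Minimal NAT44 that tracks the three kinds of state the thread discusses."""
    external_pool: List[str]
    log_destination: bool = False   # assumed opt-in switch: destination logging off by default
    next_port: int = 1024
    address_bindings: Dict[str, str] = field(default_factory=dict)                 # internal ip -> external ip
    bib: Dict[Tuple[str, str, int], Tuple[str, int]] = field(default_factory=dict)  # (proto, int ip, int port) -> (ext ip, ext port)
    sessions: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)      # 5-tuples seen so far
    events: List[dict] = field(default_factory=list)

    def _log(self, name: str, **fields) -> None:
        self.events.append({"event": name, **fields})

    def forward(self, pkt: Packet) -> Tuple[str, int]:
        """Translate one outbound packet and log an event for each piece of state it creates."""
        # 1. Address binding: created only by the first packet of the first flow from this host.
        ext_ip = self.address_bindings.get(pkt.src_ip)
        if ext_ip is None:
            ext_ip = self.external_pool[len(self.address_bindings) % len(self.external_pool)]
            self.address_bindings[pkt.src_ip] = ext_ip
            self._log("ADDRESS_BINDING_CREATE", internal_ip=pkt.src_ip, external_ip=ext_ip)

        # 2. BIB entry: one per (proto, internal ip, internal port); a new source port gets a new entry.
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.bib:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.bib[key] = (ext_ip, ext_port)
            self._log("NAT44_BIB_CREATE", proto=pkt.proto,
                      internal_ip=pkt.src_ip, internal_port=pkt.src_port,
                      external_ip=ext_ip, external_port=ext_port)
        ext_ip, ext_port = self.bib[key]

        # 3. Session: one per 5-tuple; a retransmitted SYN matches the existing session and logs nothing.
        sess = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if sess not in self.sessions:
            self.sessions.add(sess)
            rec = dict(proto=pkt.proto, internal_ip=pkt.src_ip, internal_port=pkt.src_port,
                       external_ip=ext_ip, external_port=ext_port)
            if self.log_destination:   # destination fields are recorded only when explicitly enabled
                rec.update(dst_ip=pkt.dst_ip, dst_port=pkt.dst_port)
            self._log("NAT44_SESSION_CREATE", **rec)
        return ext_ip, ext_port


def demo(log_destination: bool = False) -> Nat44:
    """Replay a small constructed packet sequence and return the NAT with its event log."""
    nat = Nat44(external_pool=["198.51.100.1", "198.51.100.2"], log_destination=log_destination)
    first_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443)
    nat.forward(first_syn)                                        # binding + BIB + session
    nat.forward(first_syn)                                        # retransmitted SYN: no new events
    nat.forward(Packet("10.0.0.5", 40001, "203.0.113.11", 80))    # same host, new flow: BIB + session only
    nat.forward(Packet("10.0.0.6", 40000, "203.0.113.10", 443))   # different host: binding again
    return nat


if __name__ == "__main__":
    for ev in demo().events:
        print(ev)
```

Running the module prints eight events: three for the first host's first SYN, none for the retransmission, two (BIB and session) for the same host's second flow, and three again for the second host. With `log_destination` left at its default, no event record carries the destination address or port, which is the privacy point raised in the review.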