[BEHAVE] short review of draft-ietf-behave-ipfix-nat-logging-00

Dan Wing <dwing@cisco.com> Tue, 21 May 2013 02:11 UTC

From: Dan Wing <dwing@cisco.com>
Date: Mon, 20 May 2013 19:11:53 -0700
Message-Id: <4ACE4A37-091D-433A-8112-98E201605046@cisco.com>
To: draft-ietf-behave-ipfix-nat-logging <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>
Cc: "<behave@ietf.org>" <behave@ietf.org>
Subject: [BEHAVE] short review of draft-ietf-behave-ipfix-nat-logging-00

This is a short review of draft-ietf-behave-ipfix-nat-logging-00.  I noticed several things in this document which are similar to my review of the SYSLOG document.  Please be sure to see that review and I'm sure you will notice some similarities.

I noticed draft-ietf-behave-ipfix-nat-logging-00 also seems to not explain the nuances of logging the destination.  This not only could increase log file size, but also impacts the memory of the NAT device and forces state on otherwise-stateless devices (such as stateless NAT64, MAP-E, or MAP-T, and others).  Not to mention that it creates a log of user activity, which reduces subscriber privacy.

I see draft-ietf-behave-ipfix-nat-logging-00 also has a 'range step size', but I am not aware of where 'step size' is explained or discussed elsewhere.  A citation within the document to wherever 'step size' is explained would be useful.

It reads strangely that the Address Binding event described in Section 5.4.8 shows "Mandatory: No" for both IPv4 and IPv6 source addresses -- surely one or the other needs to be present for this event to make sense.  The text says:
   This event will be generated when a NAT device binds a local address
   with a global address.  This binding event happens when the first
   packet of the first flow from a host in the private realm.
but I can't tell, when a brand-new TCP SYN is sent by a client, if that causes both an Address Binding event and _also_ a "NAT44 BIB create" event, because the document does not describe a "BIB" or a "Bind entry" -- if those are well-understood terms, can a citation be added, or an in-place definition be added?  It would also benefit from clarity around why there is an Address Binding event in Section 5.4.8 versus the "BIB create" events described earlier.

Similar observations apply as with SYSLOG on security considerations, the need for clarity of the logs, and suchlike (see my SYSLOG review posted to BEHAVE).
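Added example (Python; not part of this review or of the draft): a toy NAT44 model that runs a constructed packet trace, records which of the events discussed in the review fire on each packet, and counts how much state the NAT must hold when the destination is logged versus when it is not. The event names, the "BIB create" semantics (one record per internal address/port mapping), and all addresses are assumptions made for the illustration.

```python
from collections import Counter, namedtuple

# One packet of the constructed trace: internal source, external destination.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class NatEventModel:
    def __init__(self, external_ip="198.51.100.1"):  # constructed external address
        self.external_ip = external_ip
        self.bindings = {}     # internal ip -> external ip            (Address Binding)
        self.bib = {}          # (internal ip, port) -> external port  ("BIB create", assumed)
        self.sessions = set()  # (internal ip, port, dst ip, dst port), destination logging only
        self.next_port = 1024
        self.events = []

    def process(self, pkt, log_destination):
        # First packet ever seen from this internal host: Address Binding event.
        if pkt.src_ip not in self.bindings:
            self.bindings[pkt.src_ip] = self.external_ip
            self.events.append(("ADDRESS_BINDING", pkt.src_ip, self.external_ip))
        # First packet for this internal ip/port: new port mapping, "BIB create".
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.bib:
            self.bib[key] = self.next_port
            self.next_port += 1
            self.events.append(("BIB_CREATE", key, (self.external_ip, self.bib[key])))
        # Logging the destination forces the NAT to hold per-session state too.
        if log_destination:
            sess = key + (pkt.dst_ip, pkt.dst_port)
            if sess not in self.sessions:
                self.sessions.add(sess)
                self.events.append(("SESSION_CREATE", sess, (self.external_ip, self.bib[key])))

def run(trace, log_destination):
    """Return (events, number of state entries the NAT holds) for one logging policy."""
    nat = NatEventModel()
    for pkt in trace:
        nat.process(pkt, log_destination)
    return nat.events, len(nat.bindings) + len(nat.bib) + len(nat.sessions)

def count_by_type(events):
    return dict(Counter(e[0] for e in events))

# Constructed trace: host 10.0.0.1 reuses a port towards two destinations, then
# opens a second port; host 10.0.0.2 sends its very first SYN.
TRACE = [
    Packet("10.0.0.1", 40000, "203.0.113.10", 80),
    Packet("10.0.0.1", 40000, "203.0.113.20", 443),
    Packet("10.0.0.1", 40001, "203.0.113.10", 80),
    Packet("10.0.0.2", 50000, "203.0.113.10", 80),
]
```

run(TRACE, False) yields 2 ADDRESS_BINDING and 3 BIB_CREATE events with 5 state entries, while run(TRACE, True) adds 4 SESSION_CREATE events and raises the state to 9 entries, each session record carrying the destination the review flags as a privacy concern. In this model the very first SYN from a new host produces both an Address Binding event and a BIB create event, which is exactly the double-reporting question the review raises.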