Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS
David Harrington <ietfdbh@comcast.net> Tue, 17 July 2012 02:12 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFA1B11E8089 for <behave@ietfa.amsl.com>; Mon, 16 Jul 2012 19:12:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Level:
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hd1PwhDpYEto for <behave@ietfa.amsl.com>; Mon, 16 Jul 2012 19:12:41 -0700 (PDT)
Received: from qmta14.emeryville.ca.mail.comcast.net (qmta14.emeryville.ca.mail.comcast.net [76.96.27.212]) by ietfa.amsl.com (Postfix) with ESMTP id 43CAE11E8087 for <behave@ietf.org>; Mon, 16 Jul 2012 19:12:41 -0700 (PDT)
Received: from omta05.emeryville.ca.mail.comcast.net ([76.96.30.43]) by qmta14.emeryville.ca.mail.comcast.net with comcast id bEDE1j0030vp7WLAEEDTaE; Tue, 17 Jul 2012 02:13:27 +0000
Received: from [192.168.6.52] ([64.134.178.150]) by omta05.emeryville.ca.mail.comcast.net with comcast id bED81j00M3F50cG8REDBS7; Tue, 17 Jul 2012 02:13:25 +0000
User-Agent: Microsoft-MacOutlook/14.2.2.120421
Date: Mon, 16 Jul 2012 22:13:05 -0400
From: David Harrington <ietfdbh@comcast.net>
To: "Reinaldo Penno (repenno)" <repenno@cisco.com>, Tassos Chatzithomaoglou <achatz@forthnetgroup.gr>, "Dan Wing (dwing)" <dwing@cisco.com>
Message-ID: <CC2A3FD7.23B95%ietfdbh@comcast.net>
Thread-Topic: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS
In-Reply-To: <CC29E4F5.7E79%repenno@cisco.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, RADIUS
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 02:12:42 -0000
Hi, I agree we should try to standardize a limited **information model** (see rfc3444) for nat logging. Then we should standardize one or more protocol-specific data models. I do not think we should produce every variant of data model just because we can; there should be solid justification for each standard model. I would like to see what proprietary solutions are already being used widely, and would benefit from standardization. -- David Harrington Internet Engineering Task Force (IETF) Ietfdbh@comcast.net +1-603-828-1401 On 7/16/12 6:42 PM, "Reinaldo Penno (repenno)" <repenno@cisco.com> wrote: >I see the question a bit differently. > >I believe we should provide some level of standardization across these >protocols. For example, binding type representation, port ranges, mapping >count, etc should be represented by the same data model in all protocols. >We proposed that in Taipei but at that time maybe the problem wasn't ripe. > >Going on step further, in case of NAT logging we should agree on basic >information set irrespective if somebody would use Radius, IPFix or any >other protocol. > >Thanks, > >Reinaldo > >On 7/16/12 3:19 PM, "Tassos Chatzithomaoglou" <achatz@forthnetgroup.gr> >wrote: > >>Imho, every protocol is destined to cover specific needs. >> >>For auditing reasons (which is my primary concern curtently) i would >>prefer to use RADIUS >>(or DIAMETER or anything AAA related), as long as the frequency of acct >>records remains >>within limits. Passing information to subscriber sessions could also be >>done through >>RADIUS push. >>SYSLOG is good for fast one way communication and maybe it could be used >>for alerting. >>SNMP (notifications) could also be used for alerting, but its usage for >>on-demand or >>historical detailed statistics gatherings should be preferred. >>IPFIX could be used for near realtime logging and of course for >>statistics. >> >>Generally i agree with your concerns, but instead of "choosing" only one >>protocol, i would >>prefer to have the scope of each protocol clearly/strictly defined, so >>depending on my >>needs i knew what to deploy. >>For me, it would be an ugly joke if i had to deploy SNMP or IPFIX in >>order to have the >>historical correlation of username & IP-related stuff. >> >>-- >>Tassos >> >>Dan Wing wrote on 16/7/2012 20:55: >>> As an individual, I have been worried about the possibility of >>>disparate >>> data models for NATs. We currently have four ways to report >>>information >>> about a NAT or other address-sharing device, >>> >>> SYSLOG, >>>http://tools.ietf.org/html/draft-zhou-behave-syslog-nat-logging-00 >>> IPFIX, http://tools.ietf.org/html/draft-sivakumar-behave-nat-logging-05 >>> SNMP, http://tools.ietf.org/html/draft-perreault-sunset4-cgn-mib >>> RADIUS, >>> >>>http://tools.ietf.org/html/draft-cheng-behave-cgn-cfg-radius-ext-03#sect >>>i >>>on- >>> 4.2 >>> >>> My concern is that operators may find it necessary to deploy all four >>> protocols (IPFIX, SYSLOG, SNMP, and RADIUS) to get their needed logging >>>and. >>> This seems undesirable. Imagine, for example, that only one of those >>> protocols supported pseudo-random port assignment but only one other >>> protocol provided alarms for when a subscriber consumed all their ports >>>(and >>> thus might open a support case with the operator that "the Internet is >>> down"). >>> >>> Are my concerns misplaced? >>> >>> -d >>> >>> >>> _______________________________________________ >>> Behave mailing list >>> Behave@ietf.org >>> https://www.ietf.org/mailman/listinfo/behave >>> >> >> >>_______________________________________________ >>Behave mailing list >>Behave@ietf.org >>https://www.ietf.org/mailman/listinfo/behave > >_______________________________________________ >Behave mailing list >Behave@ietf.org >https://www.ietf.org/mailman/listinfo/behave
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… Dan Wing
- [BEHAVE] four data models: SYSLOG, IPFIX, SNMP, R… Dan Wing
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… Hannes Tschofenig
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… Tassos Chatzithomaoglou
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… Reinaldo Penno (repenno)
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… David Harrington
- Re: [BEHAVE] four data models: SYSLOG, IPFIX, SNM… David Harrington