Re: [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
Spencer Dawkins <spencerdawkins.ietf@gmail.com> Fri, 27 June 2014 20:34 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 803781A0107 for <behave@ietfa.amsl.com>; Fri, 27 Jun 2014 13:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.682
X-Spam-Level: *
X-Spam-Status: No, score=1.682 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkxVqZSpxI_I for <behave@ietfa.amsl.com>; Fri, 27 Jun 2014 13:34:47 -0700 (PDT)
Received: from mail-oa0-x233.google.com (mail-oa0-x233.google.com [IPv6:2607:f8b0:4003:c02::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00E821A0105 for <behave@ietf.org>; Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
Received: by mail-oa0-f51.google.com with SMTP id j17so6313197oag.10 for <behave@ietf.org>; Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=h+qbPWlYmJQuMajS0JrgyYRE1B7C1ouURFkY/4RJO/c=; b=Ed2E/JZY4a/UDEVp1Z1S7ZADuf7zGuhpxAXn1X1+VPmWkXAdaBirR160Hoqhb1Ehgd z1aYKKS8TVctLv9pdH/TqTw4Gukd+JPESeDcQisyl+8LEiKaly65axsKfYUAh8KitKyM gSTJTA5iUBcVjuwoRJgTgDdyVUxxHas/VOsS0wjyjCXTNU5o2rV2xU1br5axWJVfGvkp eSz4+qMCAVrz+DFIa6awaopFDDIyw3P1PhWcq5vW18Szf0D1A5o6kPvkQ1wt5QEakrsX GnePgDABao7HdZKduVEK4XO6ZpMnrwHNbjvAS6Zi1+WroMg9V3XgVHvmQ9welCaBiWTC wMtA==
X-Received: by 10.60.35.104 with SMTP id g8mr26514188oej.41.1403901286311; Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
Received: from [192.168.0.13] (cpe-76-187-7-89.tx.res.rr.com. [76.187.7.89]) by mx.google.com with ESMTPSA id b7sm40033527oed.7.2014.06.27.13.34.42 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 27 Jun 2014 13:34:44 -0700 (PDT)
Message-ID: <53ADD560.5060103@gmail.com>
Date: Fri, 27 Jun 2014 15:34:40 -0500
From: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>, "draft-ietf-behave-ipfix-nat-logging@tools.ietf.org" <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>
References: <5362ADCB.4050802@gmail.com> <CF89605B.1009FB%ssenthil@cisco.com> <537FB834.3010705@gmail.com>
In-Reply-To: <537FB834.3010705@gmail.com>
Content-Type: multipart/alternative; boundary="------------000800050500050302020207"
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/yROyId_fRYNA_JJdM_s5QsfhR5Q
X-Mailman-Approved-At: Sun, 29 Jun 2014 20:20:08 -0700
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jun 2014 20:34:59 -0000
Hi, Senthil, I'm just checking - are you planning to submit a update before the cutoff next Friday? Thanks, Spencer On 05/23/2014 04:05 PM, Spencer Dawkins wrote: > > On 05/02/2014 02:20 PM, Senthil Sivakumar (ssenthil) wrote: >> Hi Spencer, >> Thanks for the thorough review. >> Please see inline for [Senthil]. If you agree, I will submit another >> version fixing all the issues raised and agreed upon. I will wait for >> your response. > > Hi, Senthil, > > Thanks for being responsive! > > Just as a high-order bit, many of the questions I asked are whether > the draft uses "required" to mean "this is the way it works" - there's > a difference between "the sender transmits a log" and "the sender is > required to transmit a log". Does that make sense? > > Ths draft says it uses requirements language as per RFC 2119, and RFC > 2119 says > > 6. Guidance in the use of these Imperatives > > Imperatives of the type defined in this memo must be used with care > and sparingly. In particular, they MUST only be used where it is > actually required for interoperation or to limit behavior which has > potential for causing harm (e.g., limiting retransmisssions) For > example, they must not be used to try to impose a particular method > on implementors where the method is not required for > interoperability. > > It's also worth mentioning that RFC 2119 is silent on case for > requirements language, your requirements terminology section only > shows upper case examples, and most of the cases I'm asking about are > in lower case, which makes it less clear whether you intend "require" > to be an RFC 2119 requirement word or not. This is a continuing source > of controversy in the IETF, especially during cross-area review - my > suggestion is that you either change the requirements language > statement to include a statement about whether lower-case versions are > intended as requirements language, or don't use the lower-case terms > in the document. > > I'll try to be clear in my detailed comments, but that's often what > I'm trying to get at. > >> Thanks >> Senthil >> >> From: Spencer Dawkins <spencerdawkins.ietf@gmail.com >> <mailto:spencerdawkins.ietf@gmail.com>> >> Date: Thursday, May 1, 2014 4:25 PM >> To: "draft-ietf-behave-ipfix-nat-logging@tools.ietf.org >> <mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>" >> <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org >> <mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>> >> Cc: "behave@ietf.org <mailto:behave@ietf.org>" <behave@ietf.org >> <mailto:behave@ietf.org>> >> Subject: AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03 >> Resent-From: <draft-alias-bounces@tools.ietf.org >> <mailto:draft-alias-bounces@tools.ietf.org>> >> Resent-To: <repenno@cisco.com <mailto:repenno@cisco.com>>, Senthil >> Sivakumar <ssenthil@cisco.com <mailto:ssenthil@cisco.com>> >> Resent-Date: Thursday, May 1, 2014 4:26 PM >> >> Dear draft-ietf-behave-ipfix-nat-logging Authors, >> >> I've completed my AD evaluation for this draft. I found some things >> I'd like to see changed before proceeding, but most are editorial. >> Please take a look, and let me know what you think. >> >> My notes follow ... you should be able to find my questions and >> comments by searching for "SD:". >> >> Thanks, >> >> Spencer >> >> In the Abstract >> >> NAT devices are required to log events like creation and deletion of >> ^^^^^^^^ >> SD: Is this required, like, legally required, or ? Is it more like >> "Operators need NAT devices to log events ..."? >> [Senthil] : It is the later, the network operators require the NAT >> devices to be able to log events. > > We don't usually include requirements language in the Abstract (that > happens later, which is fine in the document body). > > The longer I look at this, the more I think it's something like > "Operators expect NAT devices to log events". > >> >> translations and information about the resources it is managing. The >> logs are required in many cases to identify an attacker or a host >> that was used to launch malicious attacks and/or for various other >> purposes of accounting. Since there is no standard way of logging >> this information, different NAT devices behave differently and hence >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> SD: Is this "different NAT devices log this information differently"? >> [Senthil] Correct, as the sentence says, "Since there is no standard >> way…", each NAT device logs information in its own proprietary format. > > I'm just trying to make sure the reader understands what you mean by > "behave differently" - NAT devices also behave differently when > NATting. I had to guess at the meaning. Maybe everyone else will > understand? > >> it is difficult to expect a consistent behavior. The lack of a >> consistent way makes it difficult to write the collector applications >> that would receive this data and process it to present useful >> information. This document describes the information that is >> required to be logged by the NAT devices. >> ^^^^^^^^^^^^^^^^^^^^^^^^ >> SD: Same as previous question - is this "logged by"? >> >> [Senthil] If a NAT device is logging events, these are the >> requirements that a NAT device should adhere to. > > I know this seems tedious, but I'm not able to map what you provided > as explanation onto the text you're explaining. What I'm seeing in the > text is > > A NAT MUST log this information > > and what I'm seeing in your explanation is > > IF a NAT is is logging information, here's how the NAT SHOULD log > information. > > I'm guessing that what you're saying is really "this document > describes the information that logging NAT devices produce". > > This doesn't matter yet (you're still in the abstract, which shouldn't > be providing requirements anyway), but in the body of the document, it > needs to be clear. > >> 2. Introduction >> >> The IPFIX Protocol [RFC5101bis] defines a generic push mechanism for >> exporting information and events. The IPFIX Information Model >> [IPFIX-IANA] defines a set of standard Information Elements (IEs) >> which can be carried by the IPFIX protocol. This document details >> the IPFIX Information Elements(IEs) that are required for logging by >> a NAT device. The document will specify the format of the IE's that >> are required to be logged by the NAT device and all the optional >> ^^^^^^^^^^^^^^^^^^^^^ >> SD: Now that we're in the document body, if this is required, >> shouldn't there be a reference to where the requirements are stated? >> [Senthil] This is the document that is specifying those requirements. >> Do you have any other suggestions of wording instead of "required >> by", would it be fine if I change the sentence from >> "required to be logged" to "SHOULD be logged"? > > Sorry, my first set of comments was bogus. What triggered my comments > was the use of lower-case terms from RFC 2119 (see my explanation above). > > This could be "are REQUIRED" (the RFC 2119 requirements language you > said you're using), or "are required" (if you change your paragraph > about requirements language to say that case doesn't matter). > > But "REQUIRED" is "MUST", so changing to "SHOULD" would be a change in > your intended meaning. > >> >> This document and [I-D.behave-syslog-nat-logging] are provided in >> order to standardize the events and parameters to be recorded, using >> IPFIX [RFC5101bis] and SYSLOG [RFC5424]respectively. > > I'm sorry I missed this question the first time. Is there a > relationship with the MIB revision? > >> 3. Scope >> >> This document provides the information model to be used for logging >> the NAT devices including Carrier Grade NAT (CGN) events. This >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >> SD: This sentence seems somewhat turned around - "logging events", >> not "logging the NAT devices". >> [Senthil] Agree, I will change this to "logging the NAT events". > > Thanks. > >> document focuses exclusively on the specification of IPFIX IE's. >> This document does not provide guidance on the transport protocol >> like TCP, UDP or SCTP that is to be used to log NAT events. The log >> events SHOULD NOT be lost but the choice of the actual transport >> protocol is beyond the scope of this document. >> >> SD: I'm not understanding why this last sentence is needed, >> especially with a normative requirement for what you do when you are >> doing something outside the scope of the document ... >> [Senthil] Are you objecting to the second part of the last sentence >> "the choice of actual transport…", I think the requirement is that >> the LOG events should not be lost is valid. > > I'm sorry, my question wasn't clear. What I intended to say was that I > was confused because the text said "not providing guidance on the > choice of a transport protocol", but then provided a requirement about > the implications of that choice (using a SHOULD). > > So let me try to be clearer. I think what you're saying is > > - you can use any transport protocol, but you SHOULDn't lose anything > > I'm thinking this may be underspecified, although I don't know what > IPFIX usually expects from transport protocols, so please be patient. > > First, I'm confused by the SHOULD with no qualification. When is it OK > to lose LOG events? > > Second, you're not giving guidance on selecting a transport protocol, > but you are giving guidance about expecting a reliable data channel, > whether MUST be reliable or SHOULD be reliable. Are there other > transport characteristics that you expect? For instance, is in-order > delivery assumed? Is duplicate detection by IPFIX assumed (if a log > arrives twice, does IPFIX notice)? > > Third, are IPFIX implementations so transport protocol-agnostic that > if my NAT device decides to to send logs using SCTP with partial > reliability, I should expect that to work with any collector that > implements this specification? > > It happens that I co-chaired MEDIACTRL when the specification said > "TCP or SCTP", and got feedback during AD evaluation that if we didn't > pick a mandatory to implement transport protocol, that wouldn't > guarantee interoperation between two standard-conforming devices. > >> >> The existing IANA IPFIX IEs registry [IPFIX-IANA] already has >> assignments for many NAT logging events. For convenience, this >> document uses those same IEs. However, as stated earlier, this >> document is not defining IPFIX or NetFlow v9 as the framework for >> logging. Rather, the information contained in these elements is >> >> SD: I got lost on "these elements" - is that "the elements in the >> existing registry" >> [Senthil] Yes. How about "Rather, the information elements as defined >> in the IPFIX-IANA registry is within the scope of this document"? > > I think that's "are within", but yes, that works. Thanks. > >> within the scope of this document. >> >> This document assumes that the NAT device will use the existing IPFIX >> framework to send the log events to the collector. This would mean >> that the NAT device will specify the template that it is going to use >> for each of the events. The templates can be of varying length and >> there could be multiple templates that a NAT device could use to log >> the events. >> >> The implementation details of the collector application is beyond the >> scope of this document. >> >> The optimization of logging the NAT events are left to the >> ^^^ >> implementation and are beyond the scope of this document. >> ^^^ >> SD: It's a nit, but those "are"s should be "is"s. >> [Senthil] Ok. > > Thanks. > >> 4. Applicability >> >> NAT logging based on IPFIX uses binary encoding and hence is very >> efficient. IPFIX based logging is recommended for environments where >> a high volume of logging is required, for example, where per-flow >> logging is needed. However, IPFIX based logging requires a collector >> that processes the binary data and requires a network management >> application that converts this binary data to a human readable >> format. >> >> 5. Event based logging >> >> An event in a NAT device can be viewed as a happening as it relates >> ^^^^^^^^^ >> SD: Is this "a state transition"? I found "a happening" somewhat odd. >> [Senthil] Yes, I can rephrase this as "viewed as a state transition >> as it relates to" or "viewed as an action as it relates to", if that >> is ok. > > If "a state transition" is correct, I'd prefer that (if it's correct > :-) ). > >> to the management of NAT resources. The creation and deletion of NAT >> sessions and bindings are examples of events as it results in the >> resources (addresses and ports) being allocated or freed. The events >> can happen either through the processing of data packets flowing >> through the NAT device or through an external entity installing >> policies on the NAT router or as a result of an asynchronous event >> like a timer. The list of events are provided in Section 4.1. Each >> of these events SHOULD be logged, unless they are administratively >> prohibited. A NAT device MAY log these events to multiple collectors >> if redundancy is required. The network administrator will specify >> the collectors to which the log records are to be sent. >> >> A collector may receive NAT events from multiple CGN devices and >> should be able to distinguish between the devices. Each CGN device >> ^^^^^^ >> SD: I'm not sure why this isn't a SHOULD, or even a MUST. >> >> should have a unique source ID to identify themselves. The source ID >> ^^^^^^ >> SD: Again, I'm not sure why this isn't a SHOULD, or even a MUST. >> >> [Senthil] Well, this is NOT a statement for a NAT device, instead it >> is a collector that some application writer will >> develop. > > Don't you think you can levy requirements about that on the collector? > I don't understand. > > But beyond that, what I THINK the text is saying, is that multiple CGN > devices can ("may") send to a single collector, that none of the CDN > devices have to have a unique source ID to identify themselves > ("should", but not "must"), and that the collector is still expected > to be able to distinguish among logs coming from multiple CGNs ("should"). > > Am I misreading this? > > If not, do you think that works? > >> is part of the IPFIX template and data exchange. >> >> Prior to logging any events, the NAT device MUST send the template of >> the record to the collector to advertise the format of the data >> record that it is using to send the events. The templates can be >> exchanged as frequently as required given the reliability of the >> connection. There SHOULD be a configurable timer for controlling the >> template refresh. NAT device SHOULD combine as many events as >> possible in a single packet to effectively utilize the network >> bandwidth. >> >> 5.1. Logging of destination information >> >> Logging of destination information in a NAT event has been discussed >> in [RFC6302] and [RFC6888]. Logging of destination information >> increases the size of each record and increases the need for storage >> considerably. It increases the number of log events generated >> because when the same user connects to a different destination, it >> results in a log record per destination address. Logging of >> destination information also results in the loss of privacy and hence >> should be done with caution. However, this draft provides the >> necessary fields to log the destination information in cases where >> they are required to be logged. >> >> 5.2. Information Elements >> >> The templates could contain a subset of the Information Elements(IEs) >> shown in Table 1 depending upon the event being logged. For example >> a NAT44 session creation template record will contain, >> ^^^^ >> SD: Is this the only possible NAT44 template? If so, fine, but if >> not, perhaps "could contain", or "typically contains"? >> >> [Senthil] Yes, this is all the information that a NAT44 need to >> export as it is the least common denominator. > > My question is whether any other IEs might be added in the future, I > think. If not, "will" is OK, but "MUST" would be clearer. > >> {sourceIPv4Adress, postNATSourceIPv4Address, destinationIpv4Address, >> postNATDestinationIPv4Address, sourceTransportPort, >> postNAPTSourceTransportPort, destinationTransportPort, >> postNAPTDestTransportPort, internalAddressRealm, natEvent, timeStamp} >> >> An example of the actual event data record is shown below - in a >> readable form >> >> {192.168.16.1, 201.1.1.100, 207.85.231.104, 207.85.231.104, 14800, >> 1024, 80, 80, 0, 1, 09:20:10:789} >> >> A single NAT device could be exporting multiple templates and the >> collector should support receiving multiple templates from the same >> source.observationTimeMilliseconds >> >> The following is the table of all the IE's that a CGN device would >> need to export the events. The formats of the IE's and the IPFIX IDs >> are listed below. >> >> SD: I noticed that some IEs below have a name that matches >> http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements >> for the same IPFIX ID number, but others do not ("timeStamp" here >> doesn't match "observationTimeMilliseconds", but both are IPFIX ID >> 323, aren't they?) Is there a reason to use names that don't match >> the IANA registry? >> >> [Senthil] Good question, in case of timeStamp, I was looking for >> something that already existed in the IPFIX registry rather than >> asking for a new one. However, the terminology of >> "observationTimeMilliseconds" is not the terminology that we use in >> the NAT drafts/rfc's. So I am open to suggestions here. I can clarify >> in the description that is called observationTimeMilliSeconds". The >> other field is internalAddressRealm and externalAddresRealm, this is >> the terminology that we used in NAT MIB, syslog and other documents. >> However, when we defined the IPFIX IE, we didn’t stick to the same >> terminology, so I don’t know if I can go and ask the IPFIX IANA to >> change the name. Again I am open to suggestions, the dillema is >> whether I should stick to the existing IPFIX IANA terminology or the >> behave documents terminology. > > I'm way out of my depth on this one (sorry!). > > Fortunately, the next stop for an AD-sponsored IPFIX specification is > the IPFIX review team. Could you just add a note pointing this > question out, and asking if they have any suggestions? > >> +----------------------------------+--------+-------+---------------+ >> | Field Name | Size | IANA | Description | >> | | (bits) | IPFIX | | >> | | | ID | | >> +----------------------------------+--------+-------+---------------+ >> | timeStamp | 64 | 323 | System Time | >> | | | | when the | >> | | | | event | >> | | | | occured. | >> | natInstanceId | 32 | TBD | NAT Instance | >> | | | | Identifier | >> | vlanID | 16 | 58 | VLAN ID in | >> | | | | case of | >> | | | | overlapping | >> | | | | networks | >> | ingressVRFID | 32 | 234 | VRF ID in | >> | | | | case of | >> | | | | overlapping | >> | | | | networks | >> | sourceIPv4Address | 32 | 8 | Source IPv4 | >> | | | | Address | >> | postNATSourceIPv4Address | 32 | 225 | Translated | >> | | | | Source IPv4 | >> | | | | Address | >> | protocolIdentifier | 8 | 4 | Transport | >> | | | | protocol | >> | sourceTransportPort | 16 | 7 | Source Port | >> | postNAPTsourceTransportPort | 16 | 227 | Translated | >> | | | | Source port | >> | destinationIPv4Address | 32 | 12 | Destination | >> | | | | IPv4 Address | >> | postNATDestinationIPv4Address | 32 | 226 | Translated | >> | | | | IPv4 | >> | | | | destination | >> | | | | address | >> | destinationTransportPort | 16 | 11 | Destination | >> | | | | port | >> | postNAPTdestinationTransportPort | 16 | 228 | Translated | >> | | | | Destination | >> | | | | port | >> | sourceIPv6Address | 27 | 128 | Source IPv6 | >> | | | | address | >> | destinationIPv6Address | 128 | 28 | Destination | >> | | | | IPv6 address | >> | postNATSourceIPv6Address | 128 | 281 | Translated | >> | | | | source IPv6 | >> | | | | addresss | >> | postNATDestinationIPv6Address | 128 | 282 | Translated | >> | | | | Destination | >> | | | | IPv6 address | >> | internalAddressRealm | 8 | 229 | Source | >> | | | | Address Realm | >> | externalAddressRealm | 8 | TBD | Destination | >> | | | | Address Realm | >> | natEvent | 8 | 230 | Type of Event | >> | portRangeStart | 16 | 361 | Allocated | >> | | | | port block | >> | | | | start | >> | portRangeEnd | 16 | 362 | Allocated | >> | | | | Port block | >> | | | | end | >> | natPoolID | 32 | 283 | NAT pool | >> | | | | Identifier | >> | natLimitEvent | 32 | TBD | Limit event | >> | | | | identifier | >> +----------------------------------+--------+-------+---------------+ >> >> Table 1: Template format Table >> >> 5.3. Definition of NAT Events >> >> The following are the list of NAT events and the proposed event >> values. The list can be expanded in the future as necessary. The >> data record will have the corresponding natEvent value to identify >> the event that is being logged. >> >> +--------------------------+--------+ >> | Event Name | Values | >> +--------------------------+--------+ >> | NAT44 Session create | 1 | >> | NAT44 Session delete | 2 | >> | NAT Addresses exhausted | 3 | >> | NAT64 Session create | 4 | >> | NAT64 Session delete | 5 | >> | NAT44 BIB create | 6 | >> | NAT44 BIB delete | 7 | >> | NAT64 BIB create | 8 | >> | NAT64 BIB delete | 9 | >> | NAT ports exhausted | 10 | >> | Quota exceeded | 11 | >> | Address binding create | 12 | >> | Address binding delete | 13 | >> | Port block allocation | 14 | >> | Port block de-allocation | 15 | >> | Threshold reached | 16 | >> +--------------------------+--------+ >> >> Table 2: NAT Event ID table >> >> 5.4. Quota exceeded Event types >> >> The following table shows the sub event types for the Quota exceeded >> or limits reached event. The events that can be reported are the >> Maximum session entries limit reached, Maximum BIB entries limit >> reached, Maximum session/BIB entries per user limit reached and >> maximum subscribers or hosts limit reached. >> >> +---------------------------------------+--------+ >> | Quota Exceeded Event Name | Values | >> +---------------------------------------+--------+ >> | Maximum Session entries | 1 | >> | Maximum BIB entries | 2 | >> | Maximum entries per user | 3 | >> | Maximum active hosts or subscribers | 4 | >> | Maximum fragments pending reassembly | 5 | >> +---------------------------------------+--------+ >> >> Table 3: Quota Exceeded event table >> >> 5.5. Threshold reached Event types >> >> The following table shows the sub event types for the threshold >> reached event. The administrator can configure the thresholds and >> whenever the threshold is reached or exceeded, the corresponding >> events are generated. >> >> The address pool high threshold event will be reported when the >> address pool reaches a high water mark as defined by the operator. >> This will sever as an indication that the operator might have to add >> more addresses to the pool or an indication that the subsequent users >> may be denied NAT translation mappings. >> >> The address and port mapping high threshold event is generated, when >> the number of ports in the configured address pool has reached a >> configured threshold. >> >> The per-user address and port mapping high threshold is generated >> when a single user uses more address and port mapping than a >> configured threshold. >> >> +---------------------------------------------------------+--------+ >> | Threshold Exceeded Event Name | Values | >> +---------------------------------------------------------+--------+ >> | Address pool high threshold event | 1 | >> | Address pool low threshold event | 2 | >> | Address and port mapping high threshold event | 3 | >> | Address and port mapping per user high threshold event | 4 | >> | Global Address mapping high threshold event | 5 | >> +---------------------------------------------------------+--------+ >> >> Table 4: Threshold event table >> >> 5.6. Templates for NAT Events >> >> The following is the template of events that will have to logged. >> ^^^^^^^^^^^^^^^^^^^ >> >> SD: I think this is a nit, but the sentence is garbled. "will be logged"? >> >> The events below are identified at the time of this writing but the >> events are expandable. Depending on the implementation and >> ^^^^^^^^^^^^^^^^^^^^^ >> SD: this is a nit, but "set of events is extensible", I think. >> >> [Senthil] Agree. (to both comments). > > Thanks, > >> configuration various IE's specified can be included or ignored. >> >> 5.6.1. NAT44 create and delete session events >> >> These events will be generated when a NAT44 session is created or >> deleted. The template will be the same, the natEvent will indicate >> whether it is a create or a delete event. The following is a >> template of the event. >> >> The destination address and port information is optional as required >> by [RFC6888]. However, when the destination information is >> suppressed, the session log event contains the same information as >> the BIB event. In such cases, the NAT device SHOULD NOT send both >> BIB and session events. >> >> +----------------------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +----------------------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv4Address | 32 | Yes | >> | postNATSourceIPv4Address | 32 | Yes | >> | protocolIdentifier | 8 | Yes | >> | sourceTransportPort | 16 | Yes | >> | postNAPTsourceTransportPort | 16 | Yes | >> | destinationIPv4Address | 32 | No | >> | postNATDestinationIPv4Address | 32 | No | >> | destinationTransportPort | 16 | No | >> | postNAPTdestinationTransportPort | 16 | No | >> | internalAddressRealm | 8 | No | >> | externalAddressRealm | 8 | No | >> | natEvent | 8 | Yes | >> +----------------------------------+-------------+-----------+ >> >> Table 5: NAT44 Session delete/create template >> >> 5.6.2. NAT64 create and delete session events >> >> These events will be generated when a NAT64 session is created or >> deleted. The following is a template of the event. >> >> +----------------------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +----------------------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv6Address | 128 | Yes | >> | postNATSourceIPv4Address | 32 | Yes | >> | protocolIdentifier | 8 | Yes | >> | sourceTransportPort | 16 | Yes | >> | postNAPTsourceTransportPort | 16 | Yes | >> | destinationIPv6Address | 128 | No | >> | postNATDestinationIPv4Address | 32 | No | >> | destinationTransportPort | 16 | No | >> | postNAPTdestinationTransportPort | 16 | No | >> | internalAddressRealm | 8 | No | >> | externalAddressRealm | 8 | No | >> | natEvent | 8 | Yes | >> +----------------------------------+-------------+-----------+ >> >> Table 6: NAT64 session create/delete event template >> >> 5.6.3. NAT44 BIB create and delete events >> >> These events will be generated when a NAT44 Bind entry is created or >> deleted. The following is a template of the event. >> >> +-----------------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-----------------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv4Address | 32 | Yes | >> | postNATSourceIPv4Address | 32 | Yes | >> | protocolIdentifier | 8 | No | >> | sourceTransportPort | 16 | No | >> | postNAPTsourceTransportPort | 16 | No | >> | internalAddressRealm | 8 | No | >> | externalAddressRealm | 8 | No | >> | natEvent | 8 | Yes | >> +-----------------------------+-------------+-----------+ >> >> Table 7: NAT44 BIB create/delete event template >> >> 5.6.4. NAT64 BIB create and delete events >> >> These events will be generated when a NAT64 Bind entry is created or >> deleted. The following is a template of the event. >> >> +-----------------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-----------------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv6Address | 128 | Yes | >> | postNATSourceIPv4Address | 32 | Yes | >> | protocolIdentifier | 8 | No | >> | sourceTransportPort | 16 | No | >> | postNAPTsourceTransportPort | 16 | No | >> | internalAddressRealm | 8 | No | >> | externalAddressRealm | 8 | No | >> | natEvent | 8 | Yes | >> +-----------------------------+-------------+-----------+ >> >> Table 8: NAT64 BIB create/delete event template >> >> 5.6.5. Addresses Exhausted event >> >> This event will be generated when a NAT device runs out of global >> IPv4 addresses in a given pool of addresses. Typically, this event >> would mean that the NAT device wont be able to create any new >> ^^^^ >> SD: "won't" >> >> [Senthil] Ok. > > Thanks, > >> >> translations until some addresses/ports are freed. This event SHOULD >> be rate limited as many packets hitting the device at the same time >> will trigger a burst of addresses exhausted events. >> >> The following is a template of the event. Note that either the NAT >> pool name or the nat pool identifier should be logged, but not both. >> >> SD: I lack understanding, but I didn't see anything that looked like >> a NAT pool name in the template. Did I miss something? >> >> [Senthil] We decided not to use a string like a pool name instead use >> a poolID, which is a unique identifier for each pool name. The reason >> being that the logs could become fairly large >> If we have to carry the names and some of the NAT engines implement >> this in the hardware that lacks the string processing capability. > > OK, that helps. I'm understanding that a different template might have > included a pool name, but not a poolID, is that right? > > I'm somewhat uneasy about the "either should be logged, but not both" > text. > > Same question as usual - is this an RFC 2119 SHOULD that helps with > interoperation, or is this about an implementation choice? > > If it's an RFC 2119 SHOULD, robust collectors will need to do > something if a log arrives with both a pool name and a poolID. If it's > a MUST, a collector wouldn't accept the log (however the collector > would decide to do that). > > If it's not an RFC 2119 SHOULD, but just implementation guidance, the > explanation you provided would be more helpful (something like "could > include a pool name, but some NAT engines are implemented in hardware > that lacks string processing capability, and these are permitted to > substitute a poolID. There's no reason to provide both a pool name and > a poolID"). > >> +---------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +---------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natPoolID | 32 | Yes | >> +---------------+-------------+-----------+ >> >> Table 9: Address Exhausted event template >> >> 5.6.6. Ports Exhausted event >> >> This event will be generated when a NAT device runs out of ports for >> a global IPv4 address. Port exhaustion shall be reported per >> protocol (UDP, TCP etc). This event SHOULD be rate limited as many >> packets hitting the device at the same time will trigger a burst of >> port exhausted events. >> >> The following is a template of the event. >> >> +--------------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +--------------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | postNATSourceIPv4Address | 32 | Yes | >> | protocolIdentifier | 8 | Yes | >> +--------------------------+-------------+-----------+ >> >> Table 10: Ports Exhausted event template >> >> 5.6.7. Quota exceeded events >> >> This event will be generated when a NAT device cannot allocate >> resources as a result of an administratively defined policy. The >> quota exceeded event templates are described below >> ^ >> SD: missing period >> [Senthil] Ok. > > Thanks, > >> 5.6.7.1. Maximum session entries exceeded >> >> The maximum session entries exceeded is generated when the >> administratively configured limit is reached. The following is the >> template of the event. >> >> +-----------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-----------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natLimitEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> +-----------------+-------------+-----------+ >> >> Table 11: Session Entries Exceeded event template >> >> 5.6.7.2. Maximum BIB entries exceeded >> >> The maximum BIB entries exceeded is generated when the >> administratively configured limit is reached. The following is the >> template of the event. >> >> +-----------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-----------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natLimitEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> +-----------------+-------------+-----------+ >> >> Table 12: BIB Entries Exceeded event template >> >> 5.6.7.3. Maximum entries per user exceeded >> >> This event is generated when a single user reaches the >> administratively configured limit. The following is the template of >> the event. >> >> +---------------------+-------------+---------------+ >> | Field Name | Size (bits) | Mandatory | >> +---------------------+-------------+---------------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natLimitEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv4 address | 32 | Yes for NAT44 | >> | sourceIPv6 address | 128 | Yes for NAT64 | >> +---------------------+-------------+---------------+ >> >> Table 13: Per-user Entries Exceeded event template >> >> 5.6.7.4. Maximum active host or subscribers exceeded >> >> This event is generated when the number of allowed hosts or >> subscribers reaches the administratively configured limit. The >> following is the template of the event. >> >> +-----------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-----------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natLimitEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> +-----------------+-------------+-----------+ >> >> Table 14: Maximum hosts/subscribers Exceeded event template >> >> 5.6.7.5. Maximum fragments pending reassembly exceeded >> >> This event is generated when the number of fragments pending >> reassembly reaches the administratively configured limit. The >> following is the template of the event. >> >> +----------------------+-------------+---------------+ >> | Field Name | Size (bits) | Mandatory | >> +----------------------+-------------+---------------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natLimitEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> | internalAddressRealm | 8 | Yes | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv4 address | 32 | Yes for NAT44 | >> | sourceIPv6 address | 128 | Yes for NAT64 | >> +----------------------+-------------+---------------+ >> >> Table 15: Maximum fragments pending reassembly Exceeded event >> template >> >> 5.6.8. Threshold reached events >> >> This event will be generated when a NAT device reaches a operator >> configured threshold when allocating resources. The threshold >> reached events are described in the section above. The following is >> a template of the individual events. >> >> 5.6.8.1. Address pool high or low threshold reached >> >> This event is generated when the high or low threshold is reached for >> the address pool. The template is the same for both high and low >> threshold events >> >> +-------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natThresholdEvent | 32 | Yes | >> | natPoolID | 32 | Yes | >> | configuredLimit | 32 | Yes | >> +-------------------+-------------+-----------+ >> >> Table 16: Address pool high/low threshold reached event template >> >> 5.6.8.2. Address and port high threshold reached >> >> This event is generated when the high threshold is reached for the >> address pool and ports. >> >> +-------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +-------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natThresholdEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> +-------------------+-------------+-----------+ >> >> Table 17: Address port high threshold reached event template >> >> 5.6.8.3. Per-user Address and port high threshold reached >> >> This event is generated when the high threshold is reached for the >> per-user address pool and ports. >> >> +---------------------+-------------+---------------+ >> | Field Name | Size (bits) | Mandatory | >> +---------------------+-------------+---------------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natThresholdEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> | vlanID/ingressVRFID | 32 | No | >> | sourceIPv4 address | 32 | Yes for NAT44 | >> | sourceIPv6 address | 128 | Yes for NAT64 | >> +---------------------+-------------+---------------+ >> >> Table 18: Per-user Address port high threshold reached event template >> >> 5.6.8.4. Global Address mapping high threshold reached >> >> This event is generated when the high is reached for the per-user >> address pool and ports. This is generated only by NAT devices that >> use a address pooling behavior of paired. >> >> +---------------------+-------------+-----------+ >> | Field Name | Size (bits) | Mandatory | >> +---------------------+-------------+-----------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | natThresholdEvent | 32 | Yes | >> | configuredLimit | 32 | Yes | >> | vlanID/ingressVRFID | 32 | No | >> +---------------------+-------------+-----------+ >> >> Table 19: Global Address mapping high threshold reached event >> template >> >> 5.6.9. Address binding create and delete events >> >> These events will be generated when a NAT device binds a local >> address with a global address and when the global address is freed. >> This binding event happens when the first packet of the first flow >> from a host in the private realm. >> >> +--------------------------------+-------------+---------------+ >> | Field Name | Size (bits) | Mandatory | >> +--------------------------------+-------------+---------------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | sourceIPv4 address | 32 | Yes for NAT44 | >> | sourceIPv6 address | 128 | Yes for NAT64 | >> | Translated Source IPv4 Address | 32 | Yes | >> +--------------------------------+-------------+---------------+ >> >> Table 20: NAT Address Binding template >> >> 5.6.10. Port block allocation and de-allocation >> >> This event will be generated when a NAT device allocates/de-allocates >> ports in a bulk fashion, as opposed to allocating a port on a per >> flow basis. >> >> portRangeStart represents the starting value of the range. >> >> portRangeEnd represents the ending value of the range. >> >> NAT devices would do this in order to reduce logs and potentially to >> limit the number of connections a subscriber is allowed to use. In >> the following Port Block allocation template, the portRangeStart and >> portRangeEnd must be specified. >> >> >> Sivakumar & Penno Expires August 15, 2014 [Page 17] >> >> Internet-Draft IPFIX IEs for NAT logging February 2014 >> >> It is up to the implementation to choose to consolidate log records >> in case two consecutive port ranges for the same user are allocated >> or freed. >> >> +--------------------------------+-------------+---------------+ >> | Field Name | Size (bits) | Mandatory | >> +--------------------------------+-------------+---------------+ >> | timeStamp | 64 | Yes | >> | natInstanceID | 32 | No | >> | natEvent | 8 | Yes | >> | sourceIPv4 address | 32 | Yes for NAT44 | >> | sourceIPv6 address | 128 | Yes for NAT64 | >> | Translated Source IPv4 Address | 32 | Yes | >> | portRangeStart | 16 | Yes | >> | portRangeEnd | 16 | No | >> +--------------------------------+-------------+---------------+ >> >> Table 21: NAT Port Block Allocation event template >> >> 6. Encoding >> >> 6.1. IPFIX >> >> This document uses IPFIX as the encoding mechanism to describe the >> logging of NAT events. However, the information that should be >> logged SHOULD be the same irrespective of what kind of encoding >> scheme is used. IPFIX is chosen because is it an IETF standard that >> meets all the needs for a reliable logging mechanism. IPFIX provides >> the flexibility to the logging device to define the data sets that it >> is logging. The IEs specified for logging MUST be the same >> irrespective of the encoding mechanism used. >> >> 7. Acknowledgements >> >> Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin >> Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul >> Aitken and Julia Renouard for their review and comments. >> >> 8. IANA Considerations >> >> The following information elements are requested from IANA IPFIX >> registry. >> >> natInstanceId >> >> externalAddressRealm >> >> natLimitEvent >> >> 9. Management Considerations >> >> This section considers requirements for management of the log system >> to support logging of the events described above. It first covers >> requirements applicable to log management in general. Any additional >> standardization required to fullfil these requirements is out of >> scope of the present document. Some management considerations is >> covered in [I-D.behave-syslog-nat-logging]. This document covers the >> additional considerations. >> >> 9.1. Ability to collect events from multiple NAT devices >> >> An IPFIX collector should be able to collect events from multiple NAT >> devices and be able to decipher events based on the sourceID in the >> IPFIX header. >> >> 9.2. Ability to suppress events >> >> The exhaustion events can be overwhelming during traffic bursts and >> hence should be handled by the NAT devices to rate limit them before >> sending them to the collectors. For eg. when the port exhaustion >> happens during bursty conditions, instead of sending a port >> exhaustion event for every packet, the exhaustion events should be >> rate limited by the NAT device. >> >> 10. Security Considerations >> >> None. >> >> 11. References >> >> 11.1. Normative References >> >> [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate >> Requirement Levels", BCP 14, RFC 2119, March 1997. >> >> [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address >> Translator (NAT) Terminology and Considerations", RFC >> 2663, August 1999. >> >> [RFC4787] Audet, F. and C. Jennings, "Network Address Translation >> (NAT) Behavioral Requirements for Unicast UDP", BCP 127, >> RFC 4787, January 2007. >> >> [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. >> Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, >> RFC 5382, October 2008. >> >> [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful >> NAT64: Network Address and Protocol Translation from IPv6 >> Clients to IPv4 Servers", RFC 6146, April 2011. >> >> [RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, >> "Logging Recommendations for Internet-Facing Servers", BCP >> 162, RFC 6302, June 2011. >> >> [RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A., >> and H. Ashida, "Common Requirements for Carrier-Grade NATs >> (CGNs)", BCP 127, RFC 6888, April 2013. >> >> 11.2. Informative References >> >> [I-D.ietf-behave-syslog-nat-logging] >> Chen, Z., Zhou, C., Tsou, T., and T. Taylor, "Syslog >> Format for NAT Logging", draft-ietf-behave-syslog-nat- >> logging-06 (work in progress), January 2014. >> >> [IPFIX-IANA] >> IANA, "IPFIX Information Elements registry", >> <http://www.iana.org/assignments/ipfix>. >> >> [RFC5101bis] >> Claise, B. and B. Trammel, "Specification of the IP Flow >> Information eXport (IPFIX) Protocol for the Exchange of >> Flow Information", July 2013. >> >> [RFC5102bis] >> Claise, B. and B. Trammel, "Information Model for IP Flow >> Information eXport (IPFIX)", February 2013. >> >> [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, >> "Architecture for IP Flow Information Export", RFC 5470, >> March 2009. >> >> Authors' Addresses >> >> Senthil Sivakumar >> Cisco Systems >> 7100-8 Kit Creek Road >> Research Triangle Park, North Carolina 27709 >> USA >> >> Phone: +1 919 392 5158 >> >> Renaldo Penno >> Cisco Systems >> 170 W Tasman Drive >> San Jose, California 95035 >> USA >> >> Email: repenno@cisco.com >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> Sivakumar & Penno Expires August 15, 2014 [Page 21] >
- [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)