Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-format-05.txt
Richard Gibson <richard.j.gibson@oracle.com> Wed, 28 February 2018 06:40 UTC
Return-Path: <richard.j.gibson@oracle.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A220B12DA26 for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 22:40:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.03
X-Spam-Level:
X-Spam-Status: No, score=-2.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZNMYkRqM0Ly for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2018 22:40:14 -0800 (PST)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E8FC12DA14 for <dnsop@ietf.org>; Tue, 27 Feb 2018 22:40:14 -0800 (PST)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w1S6e69O114701; Wed, 28 Feb 2018 06:40:08 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2017-10-26; bh=PZpY9W30aSacXl8WILbahHZjDw+jJtz6rHk7AGXlXVQ=; b=n2+kmBQyEP8Rccap21skua4p9VrwvOCkVetakVySTs1zUmgGUdrufHeC+3AMOVIC+D92 cy/lQ4nu8hyKbyppL8fy0lRAQLK173kJonq/jUm3DD8e3Cucj7klFS9x4SJnoGJYw86f d//VYLonjmYjItRgR//cg02chqLmvqb1xn8lIOWKDwXPJHcgZjg4d6GfQe2lNr1mrP50 5rgF7lUyksg/7/98CsQtVeYJyk9/gCTOcTocws4chJHnqWyADNyHv170nF79xFfHVwCg DhHe+6XeeGorVEXAsoEIvY/7PPiKls0x538UPtOoIGnoI/rGlVGUV257qHyXivRs9li8 Yw==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2gdpq106xc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Feb 2018 06:40:06 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w1S6aqCZ025206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 28 Feb 2018 06:36:52 GMT
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w1S6apt2005745; Wed, 28 Feb 2018 06:36:51 GMT
Received: from [192.168.1.213] (/75.67.242.31) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 27 Feb 2018 22:36:51 -0800
To: Sara Dickinson <sara@sinodun.com>, IETF DNSOP WG <dnsop@ietf.org>
References: <151930246857.21149.14743687777831082425@ietfa.amsl.com> <522CCFCA-F01F-4D68-A7FB-D14B0F14C07D@sinodun.com>
From: Richard Gibson <richard.j.gibson@oracle.com>
Message-ID: <2a60a875-0f5a-3586-097d-12ec711af5cf@oracle.com>
Date: Wed, 28 Feb 2018 01:36:50 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <522CCFCA-F01F-4D68-A7FB-D14B0F14C07D@sinodun.com>
Content-Type: multipart/alternative; boundary="------------A7162A7582D3ADECF5949D7E"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8817 signatures=668681
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802280078
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OADqnhAq-Q3GA9JVde1JDmvLNwo>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-format-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 06:40:18 -0000
Thank you so much for the changes, I am confident that this format is
now in a state where my organization could build on top of it to suit
our needs. I have a handful of remaining comments below, mostly
describing ways in which that process could be made more straightforward
and standardized.
* Section 6.2.1 and 7.5.3.4: At minimum, RR field "ttl" should be
optional in order to accommodate aggregation of resolver responses in
which that field is decremented over time. But probably "rdata-index"
should be optional as well.
* Section 7.1: Negative integer map keys are concise, but they come with
the potential for interoperability-hostile collisions. I think the
document should encourage restricting their use to tightly-controlled
closed systems, and then additionally propose a particular namespacing
pattern (e.g., "{namespaceName}-{keyName}") for use of
implementation-specific /string/ keys in other cases. Further, it should
explicitly reserve positive integer keys for future standardized
extensions to the C-DNS format.
* Section 7.4.1: Why is BlockParameters an array instead of a map?
* Section 7.4.1.1: StorageParameters fields "opcodes" and "rrtypes"
could be defined better... are they values /recorded/ (i.e., that were
actually observed) or values that are /recordable/ (i.e., that the
collection application was looking for)? And shouldn't they be optional
(in either case, but *especially* the latter, lest implementations write
out every possible rrtype value).
* Section 7.5.3: It's very good that the BlockTables "ip-address" items
can be truncated by prefix length, but we have actually run into cases
that call for /variable/ truncation (i.e., more precision in some
subnets than in others), especially true given that a single table holds
both client and server address data. What would you think about
representing addresses not as direct byte strings, but rather as
variable-length arrays or maps—index 0 encoding the prefix as a byte
string, and optional index 1 (when present) encoding a prefix-length
override? Or, if the extra size per address is too much, at least
allowing such representations via polymorphism (byte string for default
prefix-length, array/map for non-default)?
* Section 7.5.3.2: QueryResponseSignature field "qr-transport-flags"
seems to reserve 1 bit /each/ for UDP, TCP, TLS, and DTLS, but it seems
to me that UDP is mutually exclusive with TCP and that TLS is mutually
exclusive with DTLS. Couldn't that data be represented in two bits (one
in which 0 ⇒ UDP and 1 ⇒ TCP, the other in which 0 ⇒ plain-text and 1 ⇒
TLS)?
On 02/22/2018 07:31 AM, Sara Dickinson wrote:
> Hi Folks,
>
> We have an update to draft which we hope captures all the comments to-date.
>
> - Make all data items in Q/R, QuerySignature and Malformed Message arrays optional
> - Re-structure the FilePreamble and ConfigurationParameters into BlockParameters
> - BlockParameters has separate Storage and Collection Parameters
> - Storage Parameters includes information on what optional fields are present, and flags specifying anonymisation or sampling
> - Addresses can now be stored as prefixes.
> - Switch to using a variable sub-second timing granularity
> - Add response bailiwick and query response type
> - Add specifics of how to record malformed messages
> - Add implementation guidance
> - Improve terminology and naming consistency
>
> There are still a number of ‘QUESTIONS’ in the draft that we would appreciate feedback on.
>
> Regards
>
> Sara.
>
>> On 22 Feb 2018, at 12:27, internet-drafts@ietf.org wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Domain Name System Operations WG of the IETF.
>>
>> Title : C-DNS: A DNS Packet Capture Format
>> Authors : John Dickinson
>> Jim Hague
>> Sara Dickinson
>> Terry Manderson
>> John Bond
>> Filename : draft-ietf-dnsop-dns-capture-format-05.txt
>> Pages : 62
>> Date : 2018-02-22
>>
>> Abstract:
>> This document describes a data representation for collections of DNS
>> messages. The format is designed for efficient storage and
>> transmission of large packet captures of DNS traffic; it attempts to
>> minimize the size of such packet capture files but retain the full
>> DNS message contents along with the most useful transport metadata.
>> It is intended to assist with the development of DNS traffic
>> monitoring applications.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Ddnsop-2Ddns-2Dcapture-2Dformat_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=522TfZMUJHLQox2FWFORwOQXhrlqwp36X9Ty1v54YeI&e=
>>
>> There are also htmlized versions available at:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Ddnsop-2Ddns-2Dcapture-2Dformat-2D05&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=Hc60T3mAF7VZgnUYR0LyhsTUTloEhCJIH3wIfUyCYmU&e=
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_html_draft-2Dietf-2Ddnsop-2Ddns-2Dcapture-2Dformat-2D05&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=oT9ecpv59bEHyd7Tpu69VbCmXsTBJYi3ePPp8kkuQGc&e=
>>
>> A diff from the previous version is available at:
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcdiff-3Furl2-3Ddraft-2Dietf-2Ddnsop-2Ddns-2Dcapture-2Dformat-2D05&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=WAyfWMq1ADNBRPEAlbUe-vsBwe1E7XGilSC9g498WkM&e=
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> https://urldefense.proofpoint.com/v2/url?u=ftp-3A__ftp.ietf.org_internet-2Ddrafts_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=RS6uAkaKhYyD4CDe2_bX21qAvs0hkRPcFZ02B5wk_Kc&e=
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=8dC7W8NvScBDakKiehjmI17kYXh39QFcg488yknExDo&e=
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=S0pguE4aKgWT-7tOAVBInPr7s58myqhSmv9WtwMzeNA&s=8dC7W8NvScBDakKiehjmI17kYXh39QFcg488yknExDo&e=
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Sara Dickinson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Richard Gibson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Jim Hague
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Jim Hague
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capt… Richard Gibson