Re: Last Call: <draft-ietf-behave-ipfix-nat-logging-06.txt> (IPFIX Information Elements for logging NAT Events)

"Senthil Sivakumar (ssenthil)", Mon, 07 March 2016 16:00 UTC


Please see inline for [Senthil]

From: Paul Aitken
Date: Wednesday, March 2, 2016 at 8:58 AM
To: Senthil Sivakumar
Subject: Re: Last Call: <draft-ietf-behave-ipfix-nat-logging-06.txt> (IPFIX Information Elements for logging NAT Events)

Senthil, I hadn't realised you'd published a new version of the draft. Please CC me if/when you update it again.

I've quickly reviewed the diffs between -06 and -07 :

1. Terminology

" Any non-IPFIX terminology used to convey NAT events are described in this section."

-> which section is "this" referring to? Since this paragraph seems only to serve as an introduction to the third paragraph which only contains a single exception, would it be better to remove these two lines and go directly to the third paragraph? :

   However, that causes
   confusion in terminology used in NAT specific terms and IPFIX IEs.
   Any non-IPFIX terminology used to convey NAT events are described in
   this section.

[Senthil]    How does this read?

          The IPFIX Information Elements that are NAT specific are created with
          NAT terminology. In order to avoid creating duplicate IEs, IEs
          are reused if they convey the same meaning.
          This document uses the term timestamp for the Information element which
          defines the time when an event is logged, this is the same as IPFIX
          term observationTimeMilliseconds as described in [IPFIX-IANA]. Since
          observationTimeMilliseconds is not self explanatory for NAT implementors,
          this document uses the term timeStamp.

2. Introduction

"This document details the IPFIX Information Elements(IEs)"

-> No need to repeat "(IEs)" since this was already explained in the Terminology section.

-> Remove the duplicated text:

   The IPFIX Protocol [RFC7011] defines a generic push mechanism for
   exporting information and events.  The IPFIX Information Model
   [IPFIX-IANA] defines a set of standard IEs which can be carried by
   the IPFIX protocol.  This document details the IPFIX Information
   Elements(IEs) that MUST be logged by a NAT device that supports NAT
   logging using IPFIX.  This document details the IPFIX Information
   Elements(IEs) that MUST be logged by a NAT device that supports NAT
   logging using IPFIX, and all the optional fields.  The fields
   specified in this document are gleaned from [RFC4787] and [RFC5382].

[Senthil] Done.

5.4. Quota exceeded Event types

-> In the " The events that can be reported are ...", I'd like to see the text be identical to the items listed in table 3 to remove any possible ambiguity.

[Senthil] All of the events do match the table. The text is a little more verbose and descriptive, so that the table doesn't have to have long text message.
Let me know if the below is any better than before.

      The events that can be reported are the Maximum session
      entries limit reached, Maximum BIB entries limit reached, Maximum
      (session/BIB) entries per user limit reached, Maximum active hosts limit
      reached or maximum subscribers limit reached and
      Maximum Fragments pending reassembly limit reached.

            +---------------------------------------+--------+
            |       Quota Exceeded Event Name       | Values |
            +---------------------------------------+--------+
            |        Maximum Session entries        |      1 |
            |          Maximum BIB entries          |      2 |
            |        Maximum entries per user       |      3 |
            |  Maximum active hosts or subscribers  |      4 |
            |  Maximum fragments pending reassembly |      5 |
            +---------------------------------------+--------+

Global Address mapping high threshold reached

-> Extra whitespace at the period: "paired address pooling behavior ."

[Senthil] Done.

8.1. New Information Elements / natLimitEvent, natThresholdEvent,

-> typo: " describer in Table below."

-> you should remove the "Table 22" and "Table 23" descriptions under those tables, because these won't make any sense when the text is transcribed into IANA's registry. E

[Senthil] I am not sure I understand why, because in section 8.1, for natInstanceI, internalAddressRealm, externalAddressRealm we have this format of name/description/data type and references.
Why are natLimitEvent and natThresholdEvent different just because they have their values defined?

8.2. Modified Information Elements / natEvent

-> Again, you can't modify the definitions of the existing values.

[Senthil] Is there a process on how to modify/deprecate the previously defined values and replace them with new ones?