Re: Last Call: <draft-ietf-behave-ipfix-nat-logging-06.txt> (IPFIX Information Elements for logging NAT Events)

Paul Aitken <> Thu, 11 February 2016 14:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 342431B3266; Thu, 11 Feb 2016 06:37:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_DYNAMIC=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dhxzW3KcV9YT; Thu, 11 Feb 2016 06:37:18 -0800 (PST)
Received: from ( [IPv6:2620:100:9005:71::1]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6DED1B3267; Thu, 11 Feb 2016 06:37:17 -0800 (PST)
Received: from pps.filterd ( []) by ( with SMTP id u1BEQZ9w009244; Thu, 11 Feb 2016 06:37:12 -0800
Received: from ([]) by with ESMTP id 20wh08c8u6-3 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 11 Feb 2016 06:37:11 -0800
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 11 Feb 2016 07:36:30 -0700
Received: from [] ( by ( with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 11 Feb 2016 15:36:26 +0100
From: Paul Aitken <>
Subject: Re: Last Call: <draft-ietf-behave-ipfix-nat-logging-06.txt> (IPFIX Information Elements for logging NAT Events)
Message-ID: <>
Date: Thu, 11 Feb 2016 14:36:19 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------090909040306090004050003"
X-Originating-IP: []
X-ClientProxiedBy: ( To (
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-02-11_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=12 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1601100000 definitions=main-1602110249
Archived-At: <>
X-Mailman-Approved-At: Thu, 11 Feb 2016 09:48:20 -0800
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Feb 2016 14:37:21 -0000

Section 1, second paragraph:

    The IPFIX Information elements that are NAT specific are created with
    NAT terminology.  In order to avoid creating duplicate IE's, IE's
    that are reused if they convey the same meaning.

Capitalise "Elements" and remove the redundant "that" in "that are reused".

The plural of "IE" is "IEs". See section 5 of RFC 7012. Please 
s/IE's/IE/ throughout the draft.

The draft defines "Information Element (IE)" in section 1 and 
"Information Elements (IEs)" in section 2. There's no need to repeat 
(IEs) in sections 2 and 5.2.

Section 2, first paragraph:

    This document details
    the IPFIX Information Elements(IEs) that MUST be logged by a NAT
    device that supports NAT logging using IPFIX.  The document will
    specify the format of the IE's that SHOULD be logged by the NAT
    device and all the optional fields.  The fields specified in this
    document are gleaned from [RFC4787 <>] and [RFC5382 <>].

I can't reconcile the "MUST" with the "SHOULD" and the "optional".

Section 5, first paragraph:

    The creation and
    deletion of NAT sessions and bindings are examples of events as it
    results in the resources (addresses and ports) being allocated or

s/as it results in the resources/as they result in resources/

Section 5, first paragraph:

    The events can happen either through the processing of data
    packets flowing through the NAT device or through an external entity
    installing policies on the NAT router or as a result of an
    asynchronous event like a timer.

Since this is either/or/or, simply remove the "either".

Section 5, first paragraph:

    The list of events are provided inSection 4.1 

There is no section 4.1.

Section 5, second paragraph:

    A collector may receive NAT events from multiple CGN devices and MUST
    be able to distinguish between the devices.  Each CGN device should
    have a unique source ID to identify themselves.  The source ID is
    part of the IPFIX template and data exchange.

No; this requires ID synchronisation across devices which is not 
required for IPFIX. IPFIX uniqueness is guaranteed by the combination of 
source address, source port, and source ID. The source address provides 
uniqueness across devices. The source port provides uniqueness when 
there are multiple exporters within a device (ie, the source addresses 
are identical). The source ID provides uniqueness when an exporter 
exports information from multiple unique sources (ie, the source address 
and source port are identical).

In IPFIX, the source ID is called the Observation Domain ID. See section 
3.1 of RFC 7011.

Section 5, third paragraph:

    The templates can be
    exchanged as frequently as required given the reliability of the
    connection.  There SHOULD be a configurable timer for controlling the
    template refresh.

It's not just about the reliability of the connection. eg the collecting 
process could restart with no knowledge of the previously exported 

Section 5, third paragraph:

    NAT device SHOULD combine as many events as
    possible in a single packet to effectively utilize the network

Say "The NAT device ...".

Section 5.2, table 1:

    |        sourceIPv6Address         |     27 |   128 |  Source IPv6  |
    |                                  |        |       |    address    |

Most IPv6 addresses have more than 27 bits. The size and ID values 
appear to be swapped.

Section 5.3:

	The list can be expanded in the future as necessary.

Define the process for expanding the table, eg Expert Review. Consider 
putting the table under IANA control to avoid implementers having to 
refer to a chain of RFCs for the complete definition.

Section 5.3, Table 2: NAT Event ID table

When / where is this table used? It seems to be an extension of the 
existing natEvent IE, though no mention of this is made in the IANA 
section and the proposed values constrain the existing "create" and 
"delete" events to be NAT44 specific.

Section 5.4:

    The Quota exceeded events are generated when the hard limits set by
    the administrator has reached or exceeded.

Say "has been reached or exceeded."

The text should mention that the values are used for the natLimitEvent 
element in section 8.

Section 5.4:

    The events that can be reported are the Maximum session entries limit
    reached, Maximum BIB entries limit reached, Maximum session/BIB
    entries per user limit reached and maximum subscribers or hosts limit

Capitalise "maximum subscribers". The "Maximum fragments pending 
reassembly" event isn't mentioned.

However there's really no reason to duplicate the information from the 
table in the preceding description.

Section 5.5:

The text doesn't describe the "Global Address mapping high threshold 
event" in Table 4.

The text should mention that the values are used for the 
natThresholdEvent element in section 8.

Section 5.6:

    The following is the template of events that will be logged.  The
    events below are identified at the time of this writing but the set
    of events is extensible.

Describe the process for extending the list of events, eg Expert Review.

Tables 5 - 21:

There's no need to describe the size of each field since that 
information has already been given in Table 1.
It draws unnecessary attention to the field sizes which should be invariant.

Section 5.6.5:

    The following is a template of the event.  Note that either the NAT
    pool name or the nat pool identifier SHOULD be logged, but not both.

No mention is made of how the NAT pool name could/should be logged 
(IPFIX IE #284). natPoolID is mandatory in Table 9 which suggests that 
mention of the NAT pool name should be removed from the text.

Sections and

    The maximum ... is generated when

Say "The maximum ... *event* is generated when" or "This event is 
generated when".


    when the administratively configured limit is reached.

Define what the limit is, eg "when the administratively configured *NAT 
session *limit is reached."


    when the administratively configured limit is reached.

Define what the limit is, eg "when the administratively configured *BIB 
entries *limit is reached."


    when a single user reaches the administratively configured limit.

Define what the limit is, eg "when a single user reaches the 
administratively configured *IPv4 or IPv6 address* limit."

Section 5.6.8

    This event will be generated

Say, "These events will be generated"

Section 5.6.8

    The threshold reached events are described in the section above.

Please add an xref to the relevant section.


    This event is generated when the high is reached

Say, "This event is generated when the high *threshold* is reached"


    This is generated only by NAT devices that use a address pooling behavior of paired.

Would it be clearer to say, "... that use a paired address pooling 
behavior." ?

Section 5.6.9

    This binding event happens when the first packet of the first flow
    from a host in the private realm.

Say, "These binding events happen when". The remainder of the sentence 
seems incomplete?

Section 7:


Section 9:

    Some management considerations is covered


Section 9.1:

    An IPFIX collector MUST be able to collect events from multiple NAT
    devices and be able to decipher events based on the sourceID in the
    IPFIX header.

s/sourceID/Observation Domain ID/ per RFC 7011, section 3.1.

Section 11.2:

The References to [RFC5101bis] and [RFC5102bis] should be updated to 
RFC7011 and RFC7012 respectively.