Fwd: [IANA #960326] [IANA]Re: AUTH48 [AC]: RFC 8158 <draft-ietf-behave-ipfix-nat-logging-13.txt> NOW AVAILABLE



Spencer Dawkins at IETF
Dear Behavers,

The IE doctors have completed their review of this draft, and said the configuredLimit IE was ambiguous because its meaning is context dependent, and an unambiguous definition requires multiple IEs, one per limit.

Senthil has proposed an update that looks fine to me, but this is a significant AUTH48 technical change, so I'd appreciate very much if other interested parties would look it over as well.

Please reply with any feedback (and especially technical objections) on this mailing list.

If I don't hear objections by Friday, August 18, I'll send the RFC Editor a note approving the change.

And thank you all, of course.

The feedback from the IE doctors was this:

    The proposal provides no way to sanely represent more than one
    limit per flow. A flow containing more than one natconfiguredLimit
    element cannot be disambiguated.

    The proposed IE has no standalone meaning, but depends upon other
    IEs which cannot always be guaranteed to be present.

    The correct IPFIX solution requires multiple IEs, one per limit, so each
    has a unique meaning. Unfortunately this in turn means multiple
    templates, which makes the exporter implementation more difficult.

Senthil's requested change follows.

---------- Forwarded message ----------
From: Senthil Sivakumar (ssenthil) <[hidden email]>
Date: Wed, Aug 9, 2017 at 10:43 AM
Subject: Re: [IANA #960326] [IANA]Re: AUTH48 [AC]: RFC 8158 <draft-ietf-behave-ipfix-nat-logging-13.txt> NOW AVAILABLE
To: "[hidden email]" <[hidden email]>
Cc: "[hidden email]" <[hidden email]>, "[hidden email]" <[hidden email]>, "Reinaldo Penno (repenno)" <[hidden email]>


Dear RFC-Editors,
Given the IE-doctors have turned down the request to have a single configuredLimit, I am requesting you to make the following changes to the draft.
The majority of the changes are to the IANA section, to request the new IEs. Please send me the updated version and I will review it before we resubmit to IANA.

Thanks
Senthil

1. Section 4.6.7.1 Table 11:
a. Change configuredLimit to maxSessionEntries
2. Section 4.6.7.2 Table 12:
a. Change configuredLimit to maxBIBEntries
3. Section 4.6.7.3 Table 13:
a. Change configuredLimit to maxEntriesPerUser
4. Section 4.6.7.4 Table 14:
a. Change configuredLimit to maxSubscribers
5. Section 4.6.7.5 Table 15:
a. Change configuredLimit to maxFragmentsPendingReassembly
6. Section 4.6.8.1 Table 16:
a. Change configuredLimit to addressPoolHighThreshold/addressPoolLowThreshold
7. Section 4.6.8.2 Table 17:
a. Change configuredLimit to addressPortMappingHighThreshold/addressPortMappingLowThreshold
8. Section 4.6.8.3 Table 18:
a. Change configuredLimit to addressPortMappingHighThreshold/addressPortMappingLowThreshold
9. Section 4.6.8.4 Table 19:
a. Change configuredLimit to globalAddressMappingHighThreshold
10. Section 4.2 Table 1:
a. Please add all the above new IEs to the end of the Table.
b. I noticed that the Table 1 is titled as “Template Format”. It should be “NAT IE List”


Section 6 : IANA Considerations

6.1.7  maxSessionEntries

   ElementID: TBD

   Name: maxSessionEntries

   Description: This element represents the maximum session entries that can be created by the NAT device.
   This limit is configured to protect the resources of the device, like CPU, memory, etc., and to prevent any
   denial-of-service attacks on the device. When the configured value is reached, a natQuotaExceeded event is
   generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.


6.1.8  maxBIBEntries

   ElementID: TBD

   Name: maxBIBEntries

   Description: This element represents the maximum BIB entries that can be created by the NAT device.
   This limit is configured to protect the resources of the device, like CPU, memory, etc., and to prevent any
   denial-of-service attacks on the device. When the configured value is reached, a natQuotaExceeded event is
   generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.9  maxEntriesPerUser

   ElementID: TBD

   Name: maxEntriesPerUser

   Description: This element represents the maximum NAT entries that can be created per user by the NAT device.
   This limit is configured to protect the resources of the device, like CPU, memory, etc., and to prevent any
   denial-of-service attacks on the device. When the configured value is reached, a natQuotaExceeded event is
   generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.


6.1.10  maxSubscribers

   ElementID: TBD

   Name: maxSubscribers

   Description: This element represents the maximum subscribers or maximum hosts that are allowed by the NAT device.
   This limit is configured to protect the resources of the device, like CPU, memory, etc., and to prevent any
   denial-of-service attacks on the device. When the configured value is reached, a natQuotaExceeded event is
   generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.11  maxFragmentsPendingReassembly

   ElementID: TBD

   Name: maxFragmentsPendingReassembly

   Description: This element represents the maximum fragments that the NAT device can store for reassembling the packet.
   This limit is configured to protect the resources of the device, like CPU, memory, etc., and to prevent any
   denial-of-service attacks on the device. When the configured value is reached, a natQuotaExceeded event is
   generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.12  addressPoolHighThreshold

   ElementID: TBD

   Name: addressPoolHighThreshold

   Description: This element represents the high threshold value of the number of public IP addresses in the address pool.
   This could serve as a warning message to the administrator that the address pool is running out and the network
   administrator would have to take corrective action. When the configured value is reached, a natThresholdEvent event is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.13  addressPoolLowThreshold

   ElementID: TBD

   Name: addressPoolLowThreshold

   Description: This element represents the low threshold value of the number of public IP addresses in the address pool.
   This could serve as a warning message to the administrator that the address pool is under-utilized and the network
   administrator would have to take corrective action. When the configured value is reached, a natThresholdEvent event
   is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.14  addressPortMappingHighThreshold

   ElementID: TBD

   Name: addressPortMappingHighThreshold

   Description: This element represents the high threshold value of the number of address and port mappings.
   A device doing NAPT uses ports in a public address to multiplex multiple hosts, which results in an address and port mapping
   representing a flow or connection. When the high threshold is reached, it could serve as a warning message
   to the administrator that the address pool is running out and the network administrator would have to take corrective
   action. When the configured value is reached, a natThresholdEvent event is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.15  addressPortMappingLowThreshold

   ElementID: TBD

   Name: addressPoolLowThreshold

   Description: This element represents the low threshold value of the number of address and port mappings.
   A device doing NAPT uses ports in a public address to multiplex multiple hosts, which results in an address and port mapping
   representing a flow or connection. When the low threshold is reached, it could serve as a warning message
   to the administrator that the address pool is under-utilized and the network administrator may have to take corrective
   action. When the configured value is reached, a natThresholdEvent event is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.16  addressPortMappingPerUserHighThreshold

   ElementID: TBD

   Name: addressPortMappingPerUserHighThreshold

   Description: This element represents the high threshold value of the number of address and port mappings that a
   single user is allowed to create on a NAT device. A device doing NAPT uses ports in a public address to multiplex multiple
   hosts, which results in an address and port mapping representing a flow or connection. When the high threshold is reached,
   it could serve as a warning message to the administrator that a single user has reached a threshold and the network
   administrator may have to take corrective action. When the configured value is reached, a natThresholdEvent event is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes.

6.1.17  globalAddressMappingHighThreshold

   ElementID: TBD

   Name: globalAddressMappingHighThreshold

   Description: This element represents the high threshold value of the number of address and port mappings that a
   single user is allowed to create on a NAT device in a paired address pooling behavior. A device doing NAPT uses ports
   in a public address to multiplex multiple hosts, which results in an address and port mapping representing a flow or connection.
   When the high threshold is reached, it could serve as a warning message to the administrator that a single user has reached
   a threshold and the network administrator may have to take corrective action. When the configured value is reached,
   a natThresholdEvent event is generated.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference:
   See [RFC3022] for the definition of NAT.  See [RFC3234] for the
   definition of middleboxes. See [RFC4787] for the definition of
   paired address pooling behavior.

_______________________________________________
Behave mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/behave
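To make the IE doctors' objection concrete, and to show what the per-limit IEs requested above look like on the wire, here is an added Python example. It is written for this page and is not code from the draft, RFC 8158, or any participant in the thread. It encodes IPFIX template and data sets in the RFC 7011 layout with one template per event kind, so a collector names every value by its own IE and a record carrying two limits (a high and a low threshold) is never ambiguous. The element IDs for the new IEs are placeholders, because the text above lists each one as "ElementID: TBD"; natEvent (230) is the only real IANA assignment used. The sample natEvent codes and limit values are constructed. A template that repeats the same IE is rejected, which is the collision the doctors describe for a single configuredLimit element.

```python
"""Minimal IPFIX (RFC 7011) template/data encoding showing why one IE per NAT limit
is needed: the collector names every value by its own IE, so a record carrying two
limits is never ambiguous. Example code written for this page, not from RFC 8158."""
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# natEvent (ID 230, unsigned8) is a real IANA IPFIX element. Every other ID below is a
# PLACEHOLDER: the AUTH48 text lists the new elements as "ElementID: TBD", so these
# numbers are constructed for this example and are not IANA assignments.
IE_REGISTRY = {
    230:   ("natEvent", "B"),
    32001: ("maxSessionEntries", "I"),
    32002: ("maxBIBEntries", "I"),
    32003: ("maxEntriesPerUser", "I"),
    32004: ("maxSubscribers", "I"),
    32005: ("maxFragmentsPendingReassembly", "I"),
    32006: ("addressPoolHighThreshold", "I"),
    32007: ("addressPoolLowThreshold", "I"),
}
NAME_TO_ID = {name: ie for ie, (name, _fmt) in IE_REGISTRY.items()}


def template_set(template_id, ie_ids):
    """Template Set (set ID 2): one template record of (IE ID, field length) pairs."""
    if len(set(ie_ids)) != len(ie_ids):
        # A repeated IE has no unique meaning inside the record; this is exactly the
        # objection to a single configuredLimit element appearing more than once.
        raise ValueError("template repeats an IE; use one IE per limit")
    rec = struct.pack("!HH", template_id, len(ie_ids))
    for ie in ie_ids:
        rec += struct.pack("!HH", ie, struct.calcsize("!" + IE_REGISTRY[ie][1]))
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(rec)) + rec


def data_set(template_id, ie_ids, records):
    """Data Set: the set ID is the template ID; values are packed in template order."""
    body = b""
    for values in records:
        for ie in ie_ids:
            name, fmt = IE_REGISTRY[ie]
            body += struct.pack("!" + fmt, values[name])
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def message(sets, export_time=0, sequence=0, domain_id=1):
    """Prepend the 16-byte IPFIX Message Header to the concatenated sets."""
    payload = b"".join(sets)
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload),
                         export_time, sequence, domain_id)
    return header + payload


def decode(msg):
    """Collector side: learn templates, then decode each data record to {IE name: value}."""
    version, length, _time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("bad IPFIX message header")
    templates, records, pos = {}, [], 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body = msg[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])
                              for i in range(count)]
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(flen for _ie, flen in fields)
            off = 0
            while off + rec_len <= len(body):      # trailing bytes < rec_len are padding
                rec = {}
                for ie, flen in fields:
                    name, fmt = IE_REGISTRY.get(ie, ("unknownIE%d" % ie, None))
                    chunk = body[off:off + flen]
                    rec[name] = struct.unpack("!" + fmt, chunk)[0] if fmt else chunk
                    off += flen
                records.append(rec)
        pos += set_len
    return templates, records


def example():
    """Two templates, one per event kind, each carrying only the limits that apply to it."""
    quota_ies = [NAME_TO_ID["natEvent"], NAME_TO_ID["maxSessionEntries"]]
    pool_ies = [NAME_TO_ID["natEvent"], NAME_TO_ID["addressPoolHighThreshold"],
                NAME_TO_ID["addressPoolLowThreshold"]]
    # Constructed sample records; the natEvent codes and limit values are illustrative,
    # not RFC 8158's assigned event codes.
    quota_rec = {"natEvent": 12, "maxSessionEntries": 65536}
    pool_rec = {"natEvent": 13, "addressPoolHighThreshold": 90,
                "addressPoolLowThreshold": 10}
    msg = message([template_set(256, quota_ies), template_set(257, pool_ies),
                   data_set(256, quota_ies, [quota_rec]),
                   data_set(257, pool_ies, [pool_rec])])
    return decode(msg)


if __name__ == "__main__":
    for record in example()[1]:
        print(record)
```

Running the module prints the two decoded records with every limit under its own name; the cost the doctors mention is visible as well, since the exporter has to emit a second template (257) for the threshold event rather than reusing one generic record layout.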