Last Call Review of draft-ietf-behave-ipfix-nat-logging-06
review-ietf-behave-ipfix-nat-logging-06-genart-lc-kyzivat-2016-02-01-00

Request Review of draft-ietf-behave-ipfix-nat-logging
Requested rev. no specific revision (document currently at 13)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2016-02-12
Requested 2016-01-15
Authors Senthil Sivakumar, Reinaldo Penno
Draft last updated 2016-02-01
Completed reviews Genart Last Call review of -06 by Paul Kyzivat (diff)
Genart Telechat review of -11 by Paul Kyzivat (diff)
Secdir Last Call review of -06 by Phillip Hallam-Baker (diff)
Opsdir Last Call review of -06 by Dan Romascanu (diff)
Assignment Reviewer Paul Kyzivat
State Completed
Review review-ietf-behave-ipfix-nat-logging-06-genart-lc-kyzivat-2016-02-01
Reviewed rev. 06 (document currently at 13)
Review result Ready with Issues
Review completed: 2016-02-01

Review
review-ietf-behave-ipfix-nat-logging-06-genart-lc-kyzivat-2016-02-01

I am the assigned Gen-ART reviewer for this draft. The General Area 
Review Team (Gen-ART) reviews all IETF documents being processed by the 
IESG for the IETF Chair. Please treat these comments just like any other 
last call comments. For more information, please see the FAQ at 
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Document: draft-ietf-behave-ipfix-nat-logging-06
Reviewer: Paul Kyzivat
Review Date:
IETF LC End Date: 2016-02-12
IESG Telechat date:

Summary:

This draft is on the right track but has open issues, described in the 
review.

Major: 3
Minor: 5
Nits:  1

(Note: I've used Major for anything that is ambiguous, and Minor for 
things that are just unclear.)

(1) Major:

Section 5.2 starts with "The templates could contain a subset of the 
Information Elements(IEs) shown in Table 1 depending upon the event 
being logged."

This is not a normative statement. It isn't clear what is normative 
regarding the use and content of templates. If I understand RFC7011, a 
NAT device can use any number of templates, and those templates can 
reference any defined IE. Is *this* document intended to *restrict* the 
form and number of templates used for logging NAT devices? Or is it 
simply suggesting some templates that may be modified as desired to fit 
the needs of a particular NAT device device?

These templates do not have any Information Element that uniquely 
identifies to the IPFIX collector that this template is being used. So 
how does the collector know that the particular event is intended to 
follow the definitions in this draft, rather than simply some 
proprietary template? Absent that, how do normative statements of what 
must be in the template mean anything?

(2) Major:

As I understand it, Section 5.3 is defining valid values for the 
"natEvent" IE. That Information Element is already defined in the IANA 
registry, with values 1-3 that seem to correspond in semantics (but not 
name) to the first three values in Table 2. So I gather the intent is 
for Table 2 to replace what is currently in the registry for natEvent.

But I find nothing in the IANA Considerations section that calls for 
updating that entry in the registry. The IANA Considerations section 
needs to request a revision to the definition of this element.

(3) Major:

Section 5.6 says: "Depending on the implementation and configuration 
various IE's specified can be included or ignored."

What is the normative intent of this statement? Is it defining what is 
meant by the "Mandatory" field in the tables? (I.e., that in the 
templates it sends the NAT device MUST include fields with Mandatory=Yes 
but MAY omit fields with Mandatory=No.) This should be revised to make 
the normative behavior clearer.

(4) Minor:

The first sentence of Section 3 says: "This document focuses exclusively 
on the specification of IPFIX IE's." But this statement appears to be 
false. A large part of the document (Section 5.6) specifies Templates. 
It appears to be an important aspect of the document that goes beyond 
specifying just IEs. So the statement should be expanded.

(5) Minor:

The first paragraph of Section 5 has a reference to Section 4.1, but 
there is no such section in the document. Did this mean to refer to 
Table 2 in section 5.3?

(6) Minor:

Section 5.4 defines a set of values that are clearly intended to be 
conveyed in some IE. It calls them "sub event types for the Quota 
exceeded or Limits reached event". It does not name the IE. By 
examination of the templates I finally figured out that these are values 
for the "natLimitEvent" IE. This needs to be specified. (It is mentioned 
in the IANA considerations, but that is too late to help the reader.)

Also, is this list of values intended to be extensible? Should the list 
be in the IANA registry, with Expert Review for additions to it? Or is 
it expected that this RFC will need to be revised to extend the list? 
This needs to be spelled out.

(7) Minor:

Section 5.5 has an analogous issue to the one above above about section 
5.4, except that it pertains to the "natThresholdEvent" IE.

(8) Minor:

Section 9 appears to be normative, since it uses 2119 language. But it 
appears at a position in the document (after Acknowledgements and IANA 
Considerations, before Security Considerations), where I would normally 
not expect to find normative language.

Perhaps this is intended to be more of an appendix. If so, then the 
normative language should be removed, and it ought to be formatted as an 
appendix.

If it is intended to be normative, then I suggest that it be moved ahead 
of the Acknowledgements.

(9) Nit:

Running IDNits returns a number of issues, mostly regarding references. 
Please check these.