OPSAWG                                                      T. Alexander
Internet-Draft                                               F. Detienne
Intended status: Standards Track                                  S. Rao
Expires: May 24, 2015                                       T. Kandasamy
                                                     Cisco Systems, Inc.
                                                       November 20, 2014

          IPFIX Information Elements for logging IPSec Events
            draft-alexander-opsawg-ipfix-ipsec-logging-00

Abstract

   Internet Protocol Security (IPSec) is an industry standard protocol
   suite that provides secure services for traffic between IP peers in
   the network.  The purpose of IPSec is to provide key tenets of
   security that include authentication, integrity protection, access
   control and data confidentiality.  The objectives of IPSec are met
   using a collection of intertwined components, namely the security
   protocols, session and key management protocols, and algorithms for
   authentication and encryption.

   An end-to-end IPSec operation is typically multi-step, involving
   various technologies.  There are many events in the IPSec process
   that are of interest, such as the identities and connection status of
   security peers, the traffic or applications being protected, and the
   access control and encryption policies being enforced.  While many of
   these are functionally discrete, they have an impact on end-to-end
   IPSec operations.  While network elements involved in the IPSec
   process do provide system logs, command line interfaces and
   management objects that reflect the various states of operation,
   these are disjointed, inconsistent and not well suited to analyzing,
   monitoring and auditing end-to-end behavior.

   This document proposes an approach for common representation and
   standardization of various IPSec operational data and events using
   the industry standard IPFIX information model.  The IPFIX approach
   helps to store and manage data in a consistent format, and also gives
   a collector the opportunity to correlate various IPSec events, which
   in turn can be exploited to obtain enriched end-to-end monitoring,
   reporting and troubleshooting capabilities and to provide various
   security analytics on IPSec flows, such as host identification,
   application detection, tracking of user policy violations, protocol
   failures and so on.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 24, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  Scope
   4.  Applicability
   5.  Event Logging
     5.1.  IKE Event Logging
       5.1.1.  IKE Information Elements
       5.1.2.  Definition of IKE Events
       5.1.3.  IKE Create, Update, Delete Events Template
       5.1.4.  IKE Statistics and Errors Template
     5.2.  IPSec Event Logging
       5.2.1.  IPSec Information Elements
       5.2.2.  Definition of IPSec Events
       5.2.3.  IPSec Create, Delete, Update Template
       5.2.4.  IPSec Statistics and Errors Template
   6.  Examples
   7.  Considerations
   8.  Acknowledgements
   9.  IANA Considerations
     9.1.  General Information Elements
       9.1.1.  timestamp
       9.1.2.  sessCreatetimeStamp
       9.1.3.  interfaceId
       9.1.4.  eventReason
     9.2.  IKE Information Elements
       9.2.1.  ikeEvent
       9.2.2.  ikeSessionId
       9.2.3.  ikeTunLocalIdType
       9.2.4.  ikeTunLocalId
       9.2.5.  ikeTunLocalIPAddr*
       9.2.6.  ikeTunLocalName
       9.2.7.  ikeTunRemoteIdType
       9.2.8.  ikeTunRemoteId
       9.2.9.  ikeTunRemoteIPAddr*
       9.2.10.  ikeTunRemoteName
       9.2.11.  ikeTunTransform
       9.2.12.  ikeTunLocalAuthMethod
       9.2.13.  ikeTunRemoteAuthMethod
       9.2.14.  ikeTunLifeTime
       9.2.15.  ikeDPDSent
       9.2.16.  ikeDPDRcvd
       9.2.17.  ikePktsTX
       9.2.18.  ikePktsRX
       9.2.19.  ikeRetransTX
       9.2.20.  ikeRetransRX
       9.2.21.  ikeDecryptFailed
       9.2.22.  ikeEncryptFailed
       9.2.23.  ikeInvalidPayload
       9.2.24.  ikeFragFailed
     9.3.  IPSec Information Elements
       9.3.1.  ipsecEvent
       9.3.2.  ipsecTunSessionId
       9.3.3.  ipsecProxySrcType
       9.3.4.  ipSecDirection
       9.3.5.  ipSecFrontVrfName
       9.3.6.  ipSecInsideVrfName
       9.3.7.  ipSecTunLifeSize
       9.3.8.  ipSecTunLifeTime
       9.3.9.  ipSecTunEncapMode
       9.3.10.  ipSecTunSaTransform
       9.3.11.  ipSecTunSaCompAlgo
       9.3.12.  ipSecTrafficSelector
       9.3.13.  ipsecPktCount
       9.3.14.  ipsecPktComp
       9.3.15.  ipsecPktDecomp
       9.3.16.  ipsecByteCount
       9.3.17.  ipsecReplayErrors
       9.3.18.  ipsecReplayRollover
       9.3.19.  ipsecMacErrors
       9.3.20.  ipsecRecvdPktNotIpsec
       9.3.21.  ipsecRecvdPktInvalidId
       9.3.22.  ipsecPktCompFailed
       9.3.23.  ipsecPktDecompFailed
   10.  Security Considerations
   11.  Acknowledgements
   12.  References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   IPSec terminology used in this document is as per [RFC4301].

   The term "collector" here refers to any device that receives the
   binary data from an IPSec device and converts it into meaningful
   information.  The usage of the term Information Element (IE) is
   defined in [RFC7011].  Many of the IEs are reused from [IPFIX-IANA];
   however, IPSec-related IEs are created with IPSec semantics.

2.  Introduction

   The intent of this document is to define and standardize the
   information format of the various functional events of an end-to-end
   IPSec operation.  This gives collectors the opportunity to receive
   and process information in a consistent way and to instrument
   monitoring, troubleshooting, maintenance and analytics related to
   IPSec processes.  The approach is to standardize the format of
   logging events using IPFIX [RFC7011] and SYSLOG [RFC5424].  While
   this document specifies IPFIX Information Elements that MUST be
   logged by devices participating in the IPSec process, the SYSLOG
   format will be addressed in a separate document.  The Information
   Elements fall into the following two main categories of events:

   - IKE events
   - IPSec events

   There are cases when the IPFIX collector and the VPN gateway are out
   of sync.  This can happen for various reasons such as network
   connectivity issues, software errors, device reloads, etc.  In such
   cases, where the IPSec or IKE flow creation information is not
   recorded on the collector, subsequent updates for that flow may not
   be complete.  Thus, some flow information has been made consciously
   redundant in subsequent IPFIX updates so that collectors can rebuild
   a fair approximation of the flow timeline and creation details.

3.  Scope

   The existing IANA IPFIX Information Elements registry [IPFIX-IANA]
   already has assignments for many IPSec logging events.  For
   consistency, this document uses those same Information Elements.

   The implementation details of the collector application are beyond
   the scope of this document.

   The optimization of logging IPSec events is left to the
   implementation and is beyond the scope of this document.

4.  Applicability

   IPFIX-based IPSec logging is specifically applicable to network
   devices that perform IPSec encryption and support the IPFIX
   protocol.  The binary encoding of IPFIX makes it efficient for use
   even on IPSec gateways or peers that can experience high session
   rates.  As in any IPFIX deployment, there is a need for collector
   applications that can receive and interpret the binary-encoded
   Information Elements and provide human visualization and other
   required analytics.

5.  Event Logging

   In the context of this specification, we make use of three types of
   events for IKE and IPsec.  These events are:

   - creation of an IKE or IPsec SA

   - update (counters) of an IKE or IPsec SA

   - deletion of an IKE or IPsec SA

   While the creation and deletion events are triggered by protocol
   (parent or child SA creation/deletion) or configuration, the update
   event is triggered exclusively by timers.  The purpose of update
   events is to give the IPFIX collector a chance to capture
   information about a session even if the creation or deletion (or
   both) events are missed, for instance because of network
   connectivity issues between the gateway and the collector or because
   the collector was unavailable at the time the event was sent by the
   gateway.  The frequency of update events SHOULD be controllable by a
   user-configurable element.

5.1.  IKE Event Logging

5.1.1.  IKE Information Elements

   The following table lists all of the IKE Information Elements used in
   events sent to a collector.  The formats of the IEs and the IPFIX
   IDs are listed below.  Some of the IPFIX IEs are not assigned yet,
   and thus the detailed description of these fields is provided in the
   IANA Considerations section.  New IPFIX Information Elements must be
   allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
   sub-sections of section 9.  The templates may contain a subset of the
   Information Elements (IEs) shown in Table 1 depending upon the event
   being logged.
   +---------------------------------+----------------------+-------+------------------------------------------+
   | IPFIX Field Name                | Data Type            | IANA  | Description                              |
   |                                 |                      | IPFIX |                                          |
   |                                 |                      | ID    |                                          |
   +---------------------------------+----------------------+-------+------------------------------------------+
   | ikeEvent                        | unsigned8            | TBD01 | IKE event - start, update, stop          |
   | timeStamp                       | dateTimeMilliseconds | 323   | timestamp of event                       |
   | sessionCreationTimeMilliSeconds | dateTimeMilliseconds | TBD02 | Tracks when a session was created        |
   | ikeSessionId                    | unsigned32           | TBD03 | Session id used by IKE                   |
   | interfaceName                   | str                  | 82    | Interface name                           |
   | InterfaceId                     | unsigned32           | TBD04 |                                          |
   | ikeTunLocalIdType               | unsigned8            | TBD05 | Id type - fqdn, ip addr                  |
   | ikeTunLocalId                   | str                  | TBD06 |                                          |
   | ikeTunLocalIPAddr*              | var                  | TBD07 | ikeTunLocalIPv4Addr or                   |
   |                                 |                      |       | ikeTunLocalIPv6Addr                      |
   | ikeTunLocalName                 | str                  | TBD10 | Tunnel local name                        |
   | VRFname                         | str                  | 236   | virtual routing and forwarding           |
   |                                 |                      |       | identifier                               |
   | ikeTunRemoteIdtype              | unsigned8            | TBD11 | ip addr, FQDN etc                        |
   | ikeTunRemoteId                  | var                  | TBD12 | remote id - fqdn, ip etc                 |
   | ikeTunRemoteIPAddr              | var                  | TBD13 | either ikeTunRemoteIPv4Addr or           |
   |                                 |                      |       | ikeTunRemoteIPv6Addr                     |
   | ikeTunRemoteName                | str                  | TBD16 | Remote peer logical name                 |
   | ikeTunTransform                 | ike-encoding         | TBD17 | RFC5996 3.3.2 IKE encoding: DH,          |
   |                                 |                      |       | encryption algo, hash, PRF               |
   | ikeTunLocalAuthMethod           | unsigned8            | TBD18 | values to indicate psk, eap, cert        |
   | ikeTunRemoteAuthMethod          | unsigned8            | TBD19 | values to indicate remote psk, eap, cert |
   | ikeTunLifeTime                  | unsigned32           | TBD20 | sa lifetime                              |
   | eventReason                     | unsigned8            | TBD21 | Reason - delete reason, rekey etc        |
   | ikeDPDSent                      | unsigned32           | TBD22 | DPD sent                                 |
   | ikeDPDRcvd                      | unsigned32           | TBD23 | DPD Received                             |
   | ikePktsTX                       | unsigned32           | TBD24 | packets sent                             |
   | ikePktsRX                       | unsigned32           | TBD25 | packets received                         |
   | ikeRetransTX                    | unsigned32           | TBD26 | IKE retransmitted                        |
   | ikeRetransRX                    | unsigned32           | TBD27 | SA lifetime                              |
   | ikeDecryptFailed                | unsigned32           | TBD28 | decrypt failed                           |
   | ikeEncryptFailed                | unsigned32           | TBD29 | encrypt failed                           |
   | ikeInvalidPayload               | unsigned32           | TBD30 | invalid payload                          |
   | ikeFragFailed                   | unsigned32           | TBD31 | fragmentation failure                    |
   +---------------------------------+----------------------+-------+------------------------------------------+

                       Table 1: IKE Information Elements

5.1.2.  Definition of IKE Events

   Table 2 lists all the IKE event types related to an IKE session.  The
   events are IKE session create, update, and delete.  The update
   session event type is used to provide updated statistics for the
   flow, or for the case where the collector was unavailable at the
   time of the session create event and may have missed it.  The
   Information Element ikeEvent is used to indicate the IKE event type.

   +--------------------+--------+
   | Event Name         | Values |
   +--------------------+--------+
   | IKE Session Create | 1      |
   | IKE Session Delete | 2      |
   | IKE Session Update | 3      |
   +--------------------+--------+

      Table 2: Definition of IKE Events

5.1.3.  IKE Create, Update, Delete Events Template

   +---------------------------------+-----------+---------------------+
   | Field Name                      | Mandatory | Comments            |
   +---------------------------------+-----------+---------------------+
   | ikeEvent                        | Yes       |                     |
   | timeStamp                       | Yes       |                     |
   | sessionCreationTimeMilliSeconds | Yes       |                     |
   | ikeSessionId                    | Yes       |                     |
   | InterfaceName                   | Yes       |                     |
   | InterfaceId                     | No        |                     |
   | ikeTunLocalIdType               | Yes       |                     |
   | ikeTunLocalId                   | Yes       |                     |
   | ikeTunLocalIPAddr*              | Yes       | ikeTunLocalIPv4Addr |
   |                                 |           | or                  |
   |                                 |           | ikeTunLocalIPv6Addr |
   | ikeTunLocalName                 | Yes       |                     |
   | VRFname                         | No        |                     |
   | ikeTunRemoteIdtype              | Yes       |                     |
   | ikeTunRemoteIPAddr*             | Yes       | ikeTunLocalIPv4Addr |
   |                                 |           | or                  |
   |                                 |           | ikeTunLocalIPv6Addr |
   | ikeTunRemoteName                | Yes       |                     |
   | ikeTunTransform                 | Yes       |                     |
   | ikeTunLifeTime                  | Yes       |                     |
   | eventReason                     | No        |                     |
   +---------------------------------+-----------+---------------------+

          Table 3: IKE Create, Update, Delete Events Template

5.1.4.  IKE Statistics and Errors Template

   +------------------------------+--------------+---------------------+
   | Field Name                   | Mandatory    | Comments            |
   +------------------------------+--------------+---------------------+
   | ikeEvent                     | Yes          |                     |
   | timeStamp                    | Yes          |                     |
   | SessCreationTimeMilliSeconds | Yes          |                     |
   | ikeSessionId                 | Yes          |                     |
   | ikeTunRemoteIP*              | No           | ikeTunLocalIPv4Addr |
   |                              |              | or                  |
   |                              |              | ikeTunLocalIPv6Addr |
   | ikeTunRemoteName             | No           |                     |
   | ikeDPDSent                   | No           |                     |
   | ikeDPDRcvd                   | No           |                     |
   | ikePktsTX                    | No           |                     |
   | ikePktsRX                    | No           |                     |
   | ikeRetransTX                 | No           |                     |
   | ikeRetransRX                 | No           |                     |
   | ikeDecryptFailed             | No           |                     |
   | ikeEncryptFailed             | No           |                     |
   | ikeInvalidPayload            | No           |                     |
   | ikeFragFailed                | No           |                     |
   +------------------------------+--------------+---------------------+

               Table 4: IKE Statistics and Errors Template

5.2.  IPSec Event Logging

5.2.1.  IPSec Information Elements

   The following table lists all of the IPsec Information Elements used
   in events sent to a collector.  The formats of the IEs and the IPFIX
   IDs are listed below.  Some of the IPFIX IEs are not assigned yet,
   and thus the detailed description of these fields is provided in the
   IANA Considerations section.  New IPFIX Information Elements must be
   allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
   sub-sections of section 9.  The templates may contain a subset of the
   Information Elements (IEs) shown in Table 5 depending upon the event
   being logged.
   +---------------------------------+---------------+-------+------------------------------------------+
   | IPFIX Field Name                | Data Type     | IANA  | Description                              |
   |                                 |               | IPFIX |                                          |
   |                                 |               | ID    |                                          |
   +---------------------------------+---------------+-------+------------------------------------------+
   | ipsecEvent                      | unsigned8     | TBD32 | IPSec event - start, update, stop, error |
   | timeStamp                       | unsigned64*** | 323   | timestamp of event                       |
   | SessionCreationTimeMilliSeconds | unsigned64*** | TBD33 | Tracks when a session was created        |
   | ipsecTunSessionId               | unsigned32    | TBD34 | Session id used by IPSec                 |
   | ikeSessionId                    | unsigned32    | TBD03 | Session id used by IKE                   |
   | ipsecproxySrcType               | unsigned8     | TBD35 | proxy type                               |
   | ipSecSpi                        | unsigned32    | 295   | SPI value                                |
   | ipSecDirection                  | unsigned8     | TBD37 | inbound or outbound SA                   |
   | ikeTunLocalIPAddr*              | var           | TBD08 | ikeTunLocalIPv4Addr or                   |
   |                                 |               |       | ikeTunLocalIPv6Addr                      |
   | ikeTunRemoteIPAddr*             | var           | TBD14 | ikeTunRemoteIPv4Addr or                  |
   |                                 |               |       | ikeTunRemoteIPv6Addr                     |
   | ikeTunRemoteName                | str           | TBD17 | Remote peer name                         |
   | ipSecFrontVrfName               | str           | TBD38 | Front door vrf name                      |
   | ipSecInsideVrfName              | str           | TBD39 | Inside VRF name                          |
   | ipSecTunLifeSize                | unsigned32    | TBD40 | IPSec Tunnel data volume lifetime        |
   | ipSecTunLifeTime                | unsigned32    | TBD41 | IPSec Tunnel lifetime                    |
   | ipSecTunEncapMode               | unsigned8     | TBD42 | Tunnel or Transport                      |
   | ipSecTunSaTransform             | unsigned32    | TBD43 | Sequence of Transform (RFC5996,          |
   |                                 |               |       | section 3.3.2) includes dh, prot,        |
   |                                 |               |       | encr, auth                               |
   | ipSecTunSaCompAlgo              | IKE           | TBD44 | check if it can be combined with         |
   |                                 |               |       | SaTransform                              |
   | ipSecTrafficSelector            | IKE           | TBD45 | RFC5996, section 3.13.1                  |
   | eventReason                     | unsigned8     | TBD46 | Reason for event like create/delete      |
   | ipsecPktCount                   | unsigned64    | TBD47 | # of packets encrypted/decrypted         |
   | ipsecPktComp                    | unsigned64    | TBD48 | Packets compressed                       |
   | ipsecPktDecomp                  | unsigned64    | TBD49 | Packets decompressed                     |
   | ipsecByteCount                  | unsigned128   | TBD50 | Bytes encrypted or decrypted             |
   | ipsecReplayErrors               | unsigned32    | TBD51 | Replay errors                            |
   | ipsecReplayRollover             | unsigned32    | TBD52 | Replay rollovers                         |
   | ipsecMacErrors                  | unsigned32    | TBD53 | Hash compare failed                      |
   | ipsecRecvdPktNotIpsec           | unsigned32    | TBD54 | Packet received in clear and should      |
   |                                 |               |       | have been encrypted                      |
   | ipsecRecvdPktInvalidId          | unsigned32    | TBD55 | Received packet did not match proxy      |
   |                                 |               |       | id of SA                                 |
   | ipsecPktCompFailed              | unsigned32    | TBD56 | Compression Failed                       |
   | ipsecPktDecompFailed            | unsigned32    | TBD57 | Decompression Failed                     |
   +---------------------------------+---------------+-------+------------------------------------------+

                      Table 5: IPSec Information Elements

5.2.2.  Definition of IPSec Events

   Table 6 lists all the IPSEC event types related to an IPSEC session.
   The events are IPSEC session create, update, and delete.  The update
   session event type is used either to provide updated statistics for
   the flow, or to notify the collector of the flow if it was
   unavailable at the time of the session creation event and may have
   missed the create event.  The update event will also be used for the
   IPSEC rekey event.  The Information Element ipsecEvent is used to
   indicate the IPSEC event type.

   +----------------------+--------+
   | Event Name           | Values |
   +----------------------+--------+
   | IPsec Session Create | 1      |
   | IPsec Session Delete | 2      |
   | IPsec Session Update | 3      |
   +----------------------+--------+

      Table 6: Definition of IPSec Events

5.2.3.  IPSec Create, Delete, Update Template

   +-----------------------------+-----------+-------------------------+
   | IPFIX Field Name            | Mandatory | Comments                |
   +-----------------------------+-----------+-------------------------+
   | ipsecEvent                  | Yes       |                         |
   | timeStamp                   | Yes       |                         |
   | SessionCreationMilliSeconds | Yes       |                         |
   | ipsecTunSessionId           | Yes       |                         |
   | ikeSessionId                | No        |                         |
   | ipsecproxySrcType           | Yes       |                         |
   | ipSecSpi                    | Yes       |                         |
   | ipSecDirection              | Yes       |                         |
   | ikeTunLocalIPAddr*          | Yes       | ikeTunLocalIPv4Addr or  |
   |                             |           | ikeTunLocalIPv6Addr     |
   | ikeTunRemoteIPAddr*         | Yes       | ikeTunLocalIPv4Addr or  |
   |                             |           | ikeTunLocalIPv6Addr     |
   | ipSecFrontVrfName           | No        |                         |
   | ipSecInsideVrfName          | No        |                         |
   | ipSecTunLifeSize            | Yes       |                         |
   | ipSecTunLifeTime            | Yes       |                         |
   | ipSecTunEncapMode           | Yes       |                         |
   | ipSecTunSaTransform         | Yes       |                         |
   | ipSecTunSacompAlgo          | No        |                         |
   | ipSecTrafficSelector        | Yes       |                         |
   | eventReason                 | No        |                         |
   +-----------------------------+-----------+-------------------------+

            Table 7: IPSec Create, Delete, Update Template

5.2.4.  IPSec Statistics and Errors Template

   +-----------------------------+-----------+----------+
   | IPFIX Field Name            | Mandatory | Comments |
   +-----------------------------+-----------+----------+
   | ipsecEvent                  | Yes       |          |
   | timeStamp                   | Yes       |          |
   | SessionCreationMilliSeconds | Yes       |          |
   | ipsecTunSessionId           | Yes       |          |
   | ikeSessionId                | No        |          |
   | IPSecSPI                    | Yes       |          |
   | ipSecDirection              | Yes       |          |
   | ipsecPktCount               | No        |          |
   | ipsecPktComp                | No        |          |
   | ipsecPktDecomp              | No        |          |
   | ipsecByteCount              | No        |          |
   | ipsecReplayErrors           | No        |          |
   | ipsecReplayRollover         | No        |          |
   | ipsecMacErrors              | No        |          |
   | ipsecRecvdPktNotIpsec       | No        |          |
   | ipsecRecvdPktInvalidId      | No        |          |
   | ipsecPktCompFailed          | No        |          |
   | ipsecPktDecompFailed        | No        |          |
   +-----------------------------+-----------+----------+

           Table 8: IPSec Statistics and Errors Template

6.  Examples

   TBD

7.  Considerations

   A collector may receive IPSec events from multiple devices and should
   be able to distinguish between the devices.  Each device should have
   a unique source ID to identify itself.  The source ID is part of the
   IPFIX template and data exchange.

   Prior to logging any events, an IPSec device MUST send the template
   of the record to the collector to advertise the format of the data
   record that it is using to send the events.  The templates can be
   exchanged as frequently as required given the reliability of the
   connection.  There SHOULD be a configurable timer for controlling the
   template refresh.  An IPSec device SHOULD combine as many events as
   possible in a single packet to utilize the network bandwidth
   effectively.

8.  Acknowledgements

   TBD

9.  IANA Considerations

9.1.  General Information Elements

9.1.1.  timestamp

   Description: Contains the timestamp of the flow record

   Abstract Data Type: unsigned64

   ElementId: 323

   Semantics: identifier

9.1.2.  sessCreatetimeStamp

   Description: Used to track when the session was created, especially
   if it is an update flow

   Abstract Data Type: unsigned64

   ElementId: TBD02

   Semantics: identifier

9.1.3.  interfaceId

   Description: Used to uniquely identify the interface identifier used
   on the system/device for the IKE session

   Abstract Data Type: unsigned32

   ElementId: TBD04

   Semantics: identifier

9.1.4.  eventReason

   Description: Reason for session delete or create / update.  An
   example reason for session delete could be "Administrator reset".
   As it is an unsigned8 data type, an eventReason id-to-name mapping is
   used.  Example: 1 -> Delete by DPD Failure, 2 -> Administrator Reset

   Abstract Data Type: unsigned8

   ElementId: TBD21

   Semantics: identifier

9.2.  IKE Information Elements

9.2.1.  ikeEvent

   Description: Contains the IKE Event Type: 1=start, 2=update,
   3=delete

   Abstract Data Type: unsigned8

   ElementId: TBD01

   Semantics: identifier

9.2.2.  ikeSessionId

   Description: The session id used by IKE to uniquely identify an IKE
   session; it can be correlated from an IPsec SA.  A value of 0 is
   used for manual keying.

   Abstract Data Type: unsigned32

   ElementId: TBD03

   Semantics: identifier

9.2.3.  ikeTunLocalIdType

   Description: Contains the IKE ID Type used by the local device -
   FQDN, addr.  Uses the same values as the IKE RFC.

   Abstract Data Type: unsigned8

   ElementId: TBD05

   Semantics: identifier

9.2.4.  ikeTunLocalId

   Description: Local identity to be used for the IKE session: ip addr,
   FQDN

   Abstract Data Type: str

   ElementId: TBD06

   Semantics: identifier

9.2.5.  ikeTunLocalIPAddr*

   Description: ikeTunLocalIPv4Addr or ikeTunLocalIPv6Addr depending on
   whether it is IPv4 or IPv6.  IP address used by the local IKE
   device.  It will be either an IPv4 or an IPv6 address.

   Abstract Data Type: var

   ElementId: TBD07

   Semantics: identifier

9.2.6.  ikeTunLocalName

   Description: A descriptive name given to identify the tunnel.  It is
   locally significant and not used for IKE negotiation purposes.

   Abstract Data Type: str

   ElementId: TBD10

   Semantics: identifier

9.2.7.  ikeTunRemoteIdType

   Description: Contains the IKE ID Type used by the remote peer - FQDN,
   ip addr etc.  Uses the same values as the IKE RFC.

   Abstract Data Type: unsigned8

   ElementId: TBD11

   Semantics: identifier

9.2.8.  ikeTunRemoteId

   Description: Remote identity to be used for the IKE session: ip addr,
   FQDN

   Abstract Data Type: var

   ElementId: TBD12

   Semantics: identifier

9.2.9.  ikeTunRemoteIPAddr*

   Description: exactlyOneOf (ikeTunRemoteIPv4Addr,
   ikeTunRemoteIPv6Addr).  IP address used by the local IKE device.  It
   will be either an IPv4 or an IPv6 address, thus an exactlyOneOf
   method is used to derive that.

   Abstract Data Type: var

   ElementId: TBD13

   Semantics: identifier

9.2.10.  ikeTunRemoteName

   Description: A logical name used to identify the remote VPN peer.  It
   is locally significant and not used in any IKE negotiation.

   Abstract Data Type: str

   ElementId: TBD16

   Semantics: identifier

9.2.11.  ikeTunTransform

   Description: Transform used for the IKE SA.  It is based on the
   RFC5996 3.3.2 IKE encoding: DH, encryption algo, hash, PRF.  IKE
   encoding is used so that collectors can easily understand this.

   Abstract Data Type: ike-encoding

   ElementId: TBD17 - Possible use of Structured Data Type such as
   subTemplateList/SubTemplateMultiList

   Semantics: identifier

9.2.12.  ikeTunLocalAuthMethod

   Description: Authentication method used by the local device -
   pre-shared key, certificate, EAP

   Values: 1=PSK, 2=certificate, 3=EAP

   Abstract Data Type: unsigned8

   ElementId: TBD18

   Semantics: identifier

9.2.13.  ikeTunRemoteAuthMethod

   Description: Authentication method used by the remote peer -
   pre-shared key, certificate, EAP

   Values: 1=PSK, 2=certificate, 3=EAP

   Abstract Data Type: unsigned8

   ElementId: TBD19

   Semantics: identifier

9.2.14.  ikeTunLifeTime

   Description: IKE SA lifetime in seconds

   Abstract Data Type: unsigned32

   ElementId: TBD20

   Semantics: identifier

9.2.15.  ikeDPDSent

   Description: IKE Dead peer detection (DPD) packets sent

   Abstract Data Type: unsigned32

   ElementId: TBD22

   Semantics: identifier

9.2.16.  ikeDPDRcvd

   Description: IKE Dead peer detection (DPD) packets received

   Abstract Data Type: unsigned32

   ElementId: TBD23

   Semantics: identifier

9.2.17.  ikePktsTX

   Description: Number of IKE packets sent

   Abstract Data Type: unsigned32

   ElementId: TBD24

   Semantics: identifier

9.2.18.  ikePktsRX

   Description: Number of IKE packets received

   Abstract Data Type: unsigned32

   ElementId: TBD25

   Semantics: identifier

9.2.19.  ikeRetransTX

   Description: IKE Retransmitted

   Abstract Data Type: unsigned32

   ElementId: TBD26

   Semantics: identifier

9.2.20.  ikeRetransRX

   Description: IKE Retransmitted

   Abstract Data Type: unsigned32

   ElementId: TBD27

   Semantics: identifier

9.2.21.  ikeDecryptFailed

   Description: Number of IKE packets where the payload decryption
   failed

   Abstract Data Type: unsigned32

   ElementId: TBD28

   Semantics: identifier

9.2.22.  ikeEncryptFailed

   Description: Number of IKE packets where the payload encryption
   failed

   Abstract Data Type: unsigned32

   ElementId: TBD29

   Semantics: identifier

9.2.23.  ikeInvalidPayload

   Description: Number of packets received where the IKE payload was
   invalid

   Abstract Data Type: unsigned32

   ElementId: TBD30

   Semantics: identifier

9.2.24.  ikeFragFailed

   Description: Number of packets that failed due to fragmentation

   Abstract Data Type: unsigned32

   ElementId: TBD31

   Semantics: identifier

9.3.  IPSec Information Elements

9.3.1.  ipsecEvent

   Description: Contains the Ipsec Event Type: 1=start, 2=update,
   3=delete

   Abstract Data Type: unsigned8

   ElementId: TBD32

   Semantics: identifier

9.3.2.  ipsecTunSessionId

   Description: Session id used to uniquely identify an ipsec SA

   Abstract Data Type: ipv6Address

   ElementId: TBD34

   Semantics: identifier

9.3.3.  ipsecProxySrcType

   Description: Proxy type used by IPSEC

   Abstract Data Type: unsigned8

   ElementId: TBD35

   Semantics: identifier

9.3.4.  ipSecDirection

   Description: Direction of the IPSEC SA: 1=Inbound 2=Outbound

   Abstract Data Type: unsigned8

   ElementId: TBD37 -- Possible reuse of flowDirection (61)

   Semantics: identifier

9.3.5.  ipSecFrontVrfName

   Description: VRF name used after IPSEC encapsulation

   Abstract Data Type: var

   ElementId: TBD38

   Semantics: identifier

9.3.6.  ipSecInsideVrfName

   Description: VRF name where the clear text packet/data resides before
   IPsec encapsulation or after decryption

   Abstract Data Type: str

   ElementId: TBD39

   Semantics: identifier

9.3.7.  ipSecTunLifeSize

   Description: The IPsec SA data-volume-based lifetime measured in
   bytes

   Abstract Data Type: unsigned32

   ElementId: TBD40

   Semantics: identifier

9.3.8.  ipSecTunLifeTime

   Description: The IPsec SA lifetime measured in seconds

   Abstract Data Type: unsigned32

   ElementId: TBD41

   Semantics: identifier

9.3.9.  ipSecTunEncapMode

   Description: Encapsulation mode used.  1=Tunnel 2=Transport

   Abstract Data Type: unsigned8

   ElementId: TBD42

   Semantics: identifier

9.3.10.  ipSecTunSaTransform

   Description: IPsec Transform used for encryption, DH algorithm,
   authentication.
IKE encoding is used as per RFC 5996 1050 section 3.3.2 1052 Abstract Data Type: IKE 1054 ElementId: TBD43 1056 Semantics: identifier 1058 9.3.11. ipSecTunSaCompAlgo 1060 Description: Compression algorithm used 1062 Abstract Data Type: IKE 1064 ElementId: TBD44 1066 Semantics: identifier 1068 9.3.12. ipSecTrafficSelector 1070 Description: Defines the local and remote traffic selectors for 1071 encryption. Encoding is using IKE as per RFC 5996 3.13.1 1073 Abstract Data Type: IKE 1075 ElementId: TBD45 1077 Semantics: identifier 1079 9.3.13. ipsecPktCount 1081 Description: The number of packets encrypted or decrypted through 1082 this IPsec SA 1084 Abstract Data Type: unsigned64 1086 ElementId: TBD47 1088 Semantics: identifier 1090 9.3.14. ipsecPktComp 1092 Description: The number of packets compressed 1094 Abstract Data Type: unsigned64 1096 ElementId: TBD48 1098 Semantics: identifier 1100 9.3.15. ipsecPktDecomp 1102 Description: The number of packets de-compressed 1104 Abstract Data Type: unsigned64 1106 ElementId: TBD49 1108 Semantics: identifier 1110 9.3.16. ipsecByteCount 1112 Description: The number of bytes over an IPsec SA 1114 Abstract Data Type: unsigned128 1116 ElementId: TBD50 1118 Semantics: identifier 1120 9.3.17. ipsecReplayErrors 1122 Description: The number of replay errors 1124 Abstract Data Type: unsigned32 1126 ElementId: TBD51 1128 Semantics: identifier 1130 9.3.18. ipsecReplayRollover 1132 Description: The number of IPsec replay rollovers 1134 Abstract Data Type: unsigned32 1136 ElementId: TBD52 1138 Semantics: identifier 1140 9.3.19. ipsecMacErrors 1142 Description: The number of mac authentication errors 1144 Abstract Data Type: unsigned32 1146 ElementId: TBD53 1148 Semantics: identifier 1150 9.3.20. ipsecRecvdPktNotIpsec 1152 Description: The number of packets received which were not encrypted 1153 when they should have been as per security policy 1155 Abstract Data Type: unsigned32 1157 ElementId: TBD54 1159 Semantics: identifier 1161 9.3.21. 
ipsecRecvdPktInvalidId 1163 Description: The number of packets received where after decryption 1164 did not match the traffic selector for that IPSEC sa 1166 Abstract Data Type: unsigned32 1168 ElementId: TBD55 1170 Semantics: identifier 1172 9.3.22. ipsecPktCompFailed 1174 Description: The number of packets where compression failed 1176 Abstract Data Type: unsigned32 1178 ElementId: TBD56 1180 Semantics: identifier 1182 9.3.23. ipsecPktDecompFailed 1184 Description: The number of packets where de-compression failed 1186 Abstract Data Type: unsigned32 1188 ElementId: TBD57 1190 Semantics: identifier 1192 10. Security Considerations 1194 None. 1196 11. Acknowledgements 1198 We would like to thank Paul Aitken and Senthil Sivakumar for their 1199 detailed review and feedback on early versions of this document. 1201 12. References 1203 12.1. Normative References 1205 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1206 Requirement Levels", BCP 14, RFC 2119, March 1997. 1208 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 1209 Translator (NAT) Terminology and Considerations", RFC 1210 2663, August 1999. 1212 12.2. Informative References 1214 [IPFIX-IANA] 1215 IANA, "IPFIX Information Elements registry", 1216 . 1218 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1219 Internet Protocol", RFC 4301, December 2005. 1221 [RFC5101] Claise, B., "Specification of the IP Flow Information 1222 Export (IPFIX) Protocol for the Exchange of IP Traffic 1223 Flow Information", RFC 5101, January 2008. 1225 [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. 1226 Meyer, "Information Model for IP Flow Information Export", 1227 RFC 5102, January 2008. 1229 [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, 1230 "Architecture for IP Flow Information Export", RFC 5470, 1231 March 2009. 1233 [RFC7011] Claise, B., Trammell, B., and P. 
Aitken, "Specification of 1234 the IP Flow Information Export (IPFIX) Protocol for the 1235 Exchange of Flow Information", STD 77, RFC 7011, September 1236 2013. 1238 Authors' Addresses 1240 Tom Alexander 1241 Cisco Systems, Inc. 1243 Email: thalexan@cisco.com 1245 Frederic Detienne 1246 Cisco Systems, Inc. 1248 Email: fd@cisco.com 1250 Sandeep Rao 1251 Cisco Systems, Inc. 1253 Email: rsandeep@cisco.com 1255 Thamilarasu Kandasamy 1256 Cisco Systems, Inc. 1258 Email: thamil@cisco.com
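To show how a collector would consume the IKE elements defined in Section 9 once they carry numbers, the following added example (not part of the draft, and not Cisco's or any vendor's code) builds an IPFIX message (RFC 7011 header, template set, data set) with an ikeEvent record and decodes it, applying the ikeEvent and eventReason id-to-name mappings given above. The ElementIds, the private enterprise number and the sample records are constructed placeholders, because the draft's ElementIds are still TBD.

```python
import socket
import struct
# Constructed placeholders: the draft's ElementIds are TBD, so these IDs and the PEN are NOT IANA assignments.
PEN, TEMPLATE_ID = 99999, 256   # placeholder enterprise number; set IDs 256+ name a template (RFC 7011)
FIELDS = [("ikeEvent", 1, 1), ("ikeSessionId", 3, 4), ("eventReason", 21, 1),
          ("ikeTunRemoteIPv4Addr", 13, 4), ("ikeTunLifeTime", 20, 4)]   # (name, placeholder id, length)
ENUMS = {"ikeEvent": {1: "start", 2: "update", 3: "delete"},
         "eventReason": {1: "Delete by DPD Failure", 2: "Administrator Reset"}}

def build_message(records, export_time=0, seq=0, domain=1):  # exporter: header + template set + data set
    spec = b"".join(struct.pack("!HHI", 0x8000 | ie, ln, PEN) for _, ie, ln in FIELDS)
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS)) + spec
    body, data = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl, b""   # template set carries set ID 2
    for rec in records:
        for name, _, ln in FIELDS:
            data += socket.inet_aton(rec[name]) if name.endswith("IPv4Addr") else rec[name].to_bytes(ln, "big")
    body += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body

def parse_message(msg):  # collector: learn templates from set 2, then decode data sets with them
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    names = {(ie, PEN): name for name, ie, _ in FIELDS}          # IEs this collector understands
    templates, records, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        p, end = pos + 4, pos + set_len
        if set_len < 4 or end > length:                           # refuse to spin or read past the message
            raise ValueError("bad set length")
        if set_id == 2:
            tid, count = struct.unpack("!HH", msg[p:p + 4])
            fields, p = [], p + 4
            for _ in range(count):
                ie, ln = struct.unpack("!HH", msg[p:p + 4])
                pen = struct.unpack("!I", msg[p + 4:p + 8])[0] if ie & 0x8000 else 0  # enterprise bit: PEN follows
                p += 8 if ie & 0x8000 else 4
                fields.append((ie & 0x7FFF, pen, ln))
            templates[tid] = fields
        elif templates.get(set_id):                               # fixed-length records; trailing padding ignored
            while p + sum(ln for *_, ln in templates[set_id]) <= end:
                rec = {}
                for ie, pen, ln in templates[set_id]:
                    raw, p = msg[p:p + ln], p + ln
                    name = names.get((ie, pen), f"unknown({pen}/{ie})")
                    rec[name] = socket.inet_ntoa(raw) if name.endswith("IPv4Addr") else int.from_bytes(raw, "big")
                records.append({k: ENUMS.get(k, {}).get(v, v) for k, v in rec.items()})
        pos = end
    return records
```

An eventReason code outside the draft's example mapping is passed through as a number, so a collector can still store it while flagging it as unmapped.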