Internet DRAFT - draft-alexander-opsawg-ipfix-ipsec-logging
draft-alexander-opsawg-ipfix-ipsec-logging
OPSAWG T. Alexander
Internet-Draft F. Detienne
Intended status: Standards Track S. Rao
Expires: May 24, 2015 T. Kandasamy
Cisco Systems, Inc.
November 20, 2014
IPFIX Information Elements for logging IPSec Events
draft-alexander-opsawg-ipfix-ipsec-logging-00
Abstract
Internet Protocol Security (IPSec) is an industry standard protocol
suite that provides secure services for traffic between IP peers in
the network. The purpose of IPSec is to provide key tenets of
security that include authentication, integrity protection, access
control and data confidentiality. The objectivities of IPSec are met
using a collection of intertwined components namely, the security
protocols, session and key management protocols and algorithms for
authentication and encryption.
An end-to-end IPSec operation is typically multi-step involving
various technologies. There are many events in IPSec process that
are of interest, such as - identities and connection status of
security peers, traffic or applications being protected, access
control and encryption policies being enforced. While many of these
are functionally discrete, they have an impact on end-to-end IPSec
operations. While network elements involved in IPSec process do
provide system logs, command line interfaces and management objects
that reflect the various states of operations, these are however
dissevered, inconsistent and not easily favorable for analyzing,
monitoring, auditing of end-to-end behavior
This document proposes an approach for common representation and
standardization of various IPSec operational data and events using
industry standard IPFIX information model. The IPFIX approach helps
to store and manage data in a consistent format, also provides
opportunity for a collector to correlate various IPSec events which
in turn can be exploited to obtain enriched end-to-end monitoring,
reporting and troubleshooting capabilities and provide various
security analytics on IPSec flows such as - host identification,
application detection, track user policy violations, protocol
failures and so on.
Alexander, et al. Expires May 24, 2015 [Page 1]
Internet-Draft IPSec-Logging November 2014
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 24, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Event Logging . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. IKE Event Logging . . . . . . . . . . . . . . . . . . . . 6
5.1.1. IKE Information Elements . . . . . . . . . . . . . . 6
5.1.2. Definition of IKE Events . . . . . . . . . . . . . . 8
5.1.3. IKE Create, Update, Delete Events Template . . . . . 8
5.1.4. IKE Statistics and Errors Template . . . . . . . . . 9
5.2. IPSec Event Logging . . . . . . . . . . . . . . . . . . . 10
5.2.1. IPSec Information Elements . . . . . . . . . . . . . 10
5.2.2. Definition of IPSec Events . . . . . . . . . . . . . 12
5.2.3. IPSec Create, Delete, Update Template . . . . . . . . 13
Alexander, et al. Expires May 24, 2015 [Page 2]
Internet-Draft IPSec-Logging November 2014
5.2.4. IPSec Statistics and Errors Template . . . . . . . . 14
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7. Considerations . . . . . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
9.1. General Information Elements . . . . . . . . . . . . . . 15
9.1.1. timestamp . . . . . . . . . . . . . . . . . . . . . . 15
9.1.2. sessCreatetimeStamp . . . . . . . . . . . . . . . . . 15
9.1.3. interfaceId . . . . . . . . . . . . . . . . . . . . . 15
9.1.4. eventReason . . . . . . . . . . . . . . . . . . . . . 15
9.2. IKE Information Elements . . . . . . . . . . . . . . . . 16
9.2.1. ikeEvent . . . . . . . . . . . . . . . . . . . . . . 16
9.2.2. ikeSessionId . . . . . . . . . . . . . . . . . . . . 16
9.2.3. ikeTunLocalIdType . . . . . . . . . . . . . . . . . . 16
9.2.4. ikeTunLocalId . . . . . . . . . . . . . . . . . . . . 17
9.2.5. ikeTunLocalIPAddr* . . . . . . . . . . . . . . . . . 17
9.2.6. ikeTunLocalName . . . . . . . . . . . . . . . . . . . 17
9.2.7. ikeTunRemoteIdType . . . . . . . . . . . . . . . . . 17
9.2.8. ikeTunRemoteId . . . . . . . . . . . . . . . . . . . 18
9.2.9. ikeTunRemoteIPAddr* . . . . . . . . . . . . . . . . . 18
9.2.10. ikeTunRemoteName . . . . . . . . . . . . . . . . . . 18
9.2.11. ikeTunTransform . . . . . . . . . . . . . . . . . . . 18
9.2.12. ikeTunLocalAuthMethod . . . . . . . . . . . . . . . . 19
9.2.13. ikeTunRemoteAuthMethod . . . . . . . . . . . . . . . 19
9.2.14. ikeTunLifeTime . . . . . . . . . . . . . . . . . . . 19
9.2.15. ikeDPDSent . . . . . . . . . . . . . . . . . . . . . 19
9.2.16. ikeDPDRcvd . . . . . . . . . . . . . . . . . . . . . 20
9.2.17. ikePktsTX . . . . . . . . . . . . . . . . . . . . . . 20
9.2.18. ikePktsRX . . . . . . . . . . . . . . . . . . . . . . 20
9.2.19. ikeRetransTX . . . . . . . . . . . . . . . . . . . . 20
9.2.20. ikeRetransRX . . . . . . . . . . . . . . . . . . . . 21
9.2.21. ikeDecryptFailed . . . . . . . . . . . . . . . . . . 21
9.2.22. ikeEncryptFailed . . . . . . . . . . . . . . . . . . 21
9.2.23. ikeInvalidPayload . . . . . . . . . . . . . . . . . . 21
9.2.24. ikeFragFailed . . . . . . . . . . . . . . . . . . . . 22
9.3. IPSec Information Elements . . . . . . . . . . . . . . . 22
9.3.1. ipsecEvent . . . . . . . . . . . . . . . . . . . . . 22
9.3.2. ipsecTunSessionId . . . . . . . . . . . . . . . . . . 22
9.3.3. ipsecProxySrcType . . . . . . . . . . . . . . . . . . 22
9.3.4. ipSecDirection . . . . . . . . . . . . . . . . . . . 23
9.3.5. ipSecFrontVrfName . . . . . . . . . . . . . . . . . . 23
9.3.6. ipSecInsideVrfName . . . . . . . . . . . . . . . . . 23
9.3.7. ipSecTunLifeSize . . . . . . . . . . . . . . . . . . 23
9.3.8. ipSecTunLifeTime . . . . . . . . . . . . . . . . . . 24
9.3.9. ipSecTunEncapMode . . . . . . . . . . . . . . . . . . 24
9.3.10. ipSecTunSaTransform . . . . . . . . . . . . . . . . . 24
9.3.11. ipSecTunSaCompAlgo . . . . . . . . . . . . . . . . . 24
9.3.12. ipSecTrafficSelector . . . . . . . . . . . . . . . . 25
Alexander, et al. Expires May 24, 2015 [Page 3]
Internet-Draft IPSec-Logging November 2014
9.3.13. ipsecPktCount . . . . . . . . . . . . . . . . . . . . 25
9.3.14. ipsecPktComp . . . . . . . . . . . . . . . . . . . . 25
9.3.15. ipsecPktDecomp . . . . . . . . . . . . . . . . . . . 25
9.3.16. ipsecByteCount . . . . . . . . . . . . . . . . . . . 26
9.3.17. ipsecReplayErrors . . . . . . . . . . . . . . . . . . 26
9.3.18. ipsecReplayRollover . . . . . . . . . . . . . . . . . 26
9.3.19. ipsecMacErrors . . . . . . . . . . . . . . . . . . . 26
9.3.20. ipsecRecvdPktNotIpsec . . . . . . . . . . . . . . . . 27
9.3.21. ipsecRecvdPktInvalidId . . . . . . . . . . . . . . . 27
9.3.22. ipsecPktCompFailed . . . . . . . . . . . . . . . . . 27
9.3.23. ipsecPktDecompFailed . . . . . . . . . . . . . . . . 27
10. Security Considerations . . . . . . . . . . . . . . . . . . . 28
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 28
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 28
12.1. Normative References . . . . . . . . . . . . . . . . . . 28
12.2. Informative References . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29
1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
IPSec terminology used in this document is as per [RFC4301].
The term "collector" here refers to any device that receives the
binary data from a IPSec device and converts that into meaningful
information. The usage of the term Information Element (IE) is
defined in [RFC7011]. Many of the IEs are reused from [IPFIX-IANA].
however IPSec related IEs are created with IPSec semantics.
2. Introduction
The intent of this document is to define and standardize information
format of various functional events of an end-to-end IPSec operation.
This provides an opportunity for collectors to receive and process
information in a consistent way and instrument monitoring,
troubleshooting, maintenance and analytics related to IPSec
processes. The approach is to standardize the format of logging
events using IPFIX [RFC7011] and SYSLOG [RFC5424]. While this
document specifies IPFIX Information Elements that MUST be logged by
devices participating in IPSec process, the SYSLOG format will be
addressed in a separate document. The Information Elements are part
of the following two main categories of events:
- IKE events
Alexander, et al. Expires May 24, 2015 [Page 4]
Internet-Draft IPSec-Logging November 2014
- IPSec events
There are cases when the IPFIX collector and the VPN gateway are out
of sync. This can happen for various reasons such as network
connectivity issues, software errors, device reloads etc. In such
cases where the IPSec or IKE flow creation information is not
recorded on the collector, subsequent updates for that flow may not
be complete. Thus, some flow information has been made consciously
redundant in subsequent IPFIX updates such that the collectors can
rebuild a fair approximation of the flow timeline and creation
details.
3. Scope
The existing IANA IPFIX Information Elements registry [IPFIX-IANA]
already has assignments for many IPSec logging events. For being
consistent, this document uses those same Information Elements.
The implementation details of the collector application is beyond the
scope of this document.
The optimization of logging IPSec events are left to the
implementation and are beyond the scope of this document.
4. Applicability
IPFIX based IPSec logging is specifically applicable on network
devices that are performing IPSec encryption and support IPFIX
protocol. The binary encoding nature of IPFIX makes it efficient for
use even on IPSec gateways or peers that can experience high session
rates. As in an IPFIX model, there is a need for a collector
applications that can receive and interpret binary encoded
Information Elements and provide human visualization and other
required analytics.
5. Event Logging
In the context of this specification, we make use of three types of
events for IKE and IPsec. These events are:
- creation of an IKE or IPsec SA
- update (counters) of an IKE or IPsec SA
- deletion of an IKE or IPsec SA
While the creation and deletion events are triggered by protocol
(parent or child SA creation/deletion) or configuration, the update
Alexander, et al. Expires May 24, 2015 [Page 5]
Internet-Draft IPSec-Logging November 2014
event is triggered exclusively by timers. The purpose of update
events is to offer a chance to the IPFIX collector to capture
information about a session even if the creation or deletion (or
both) events are missed. For instance because of network
connectivity issues between the gateway and the collector or because
of the unavailability of the collector at the time the event was sent
by the gateway. Update events frequency SHOULD be controllable by a
user configurable element.
5.1. IKE Event Logging
5.1.1. IKE Information Elements
The following table lists all of the IKE Information Elements used in
events send to a collector. The formats of the IE's and the IPFIX
IDs are listed below. Some of the IPFIX IE's are not assigned yet,
and thus the detailed description of these fields are provided in the
IANA considerations section. New IPFIX Information Elements must be
allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
sub-sections of section 6. The templates may contain a subset of the
Information Elements(IEs) shown in Table 1 depending upon the event
being logged.
Table 1: IKE Informational Elements
+-----------------------+----------------+------+-------------------+
| IPFIX Field Name | Data Type | IANA | Description |
| | | IPFI | |
| | | X ID | |
+-----------------------+----------------+------+-------------------+
| ikeEvent | unsigned8 | TBD0 | IKE event - |
| | | 1 | start, |
| | | | udpate,stop |
| timeStamp | dateTimeMillis | 323 | timestamp of |
| | econds | | event |
| sessionCreationTimeMi | dateTimeMillis | TBD0 | Tracks when a |
| lliSeconds | econds | 2 | session was |
| | | | created |
| ikeSessionId | unsigned32 | TBD0 | Session id used |
| | | 3 | by IKE |
| interfaceName | str | 82 | Interface name |
| InterfaceId | unsigned32 | TBD0 | |
| | | 4 | |
| ikeTunLocalIdType | unsigned8 | TBD0 | Id type - fqdn, |
| | | 5 | ip addr |
| ikeTunLocalId | str | TBD0 | |
| | | 6 | |
| ikeTunLocalIPAddr* | var | TBD0 | ikeTunLocalIPv4Ad |
Alexander, et al. Expires May 24, 2015 [Page 6]
Internet-Draft IPSec-Logging November 2014
| | | 7 | dr or ikeTunLocal |
| | | | IPv6Addr |
| ikeTunLocalName | str | TBD1 | Tunnel local name |
| | | 0 | |
| VRFname | str | 236 | virtual routing |
| | | | and Forwarding |
| | | | identifier |
| ikeTunRemoteIdtype | unsigned8 | TBD1 | ip addr, FQDN etc |
| | | 1 | |
| ikeTunRemoteId | var | TBD1 | remote id - fqdn, |
| | | 2 | ip etc ) |
| ikeTunRemoteIPAddr | var | TBD1 | either ikeTunRemo |
| | | 3 | teIPv4Addr or ike |
| | | | TunRemoteIPv6Addr |
| ikeTunRemoteName | str | TBD1 | Remote peer |
| | | 6 | logical name |
| ikeTunTransform | ike-encoding | TBD1 | RFC5996 3.3.2 IKE |
| | | 7 | encoding : DH, |
| | | | encryption algo, |
| | | | hash, PRF |
| ikeTunLocalAuthMethod | unsigned8 | TBD1 | values to |
| | | 8 | indicate psk,eap, |
| | | | cert |
| ikeTunRemoteAuthMetho | unsigned8 | TBD1 | values to |
| d | | 9 | indicate remote |
| | | | psk,eap, cert |
| ikeTunLifeTime | unsigned32 | TBD2 | sa lifetime |
| | | 0 | |
| eventReason | unsigned8 | TBD2 | Reason - delete |
| | | 1 | reason, rekey etc |
| ikeDPDSent | unsigned32 | TBD2 | DPD sent |
| | | 2 | |
| ikeDPDRcvd | unsigned32 | TBD2 | DPD Received |
| | | 3 | |
| ikePktsTX | unsigned32 | TBD2 | packets sent |
| | | 4 | |
| ikePktsRX | unsigned32 | TBD2 | packets received |
| | | 5 | |
| ikeRetransTX | unsigned32 | TBD2 | IKE retransmitted |
| | | 6 | |
| ikeRetransRX | unsigned32 | TBD2 | SA lifetime |
| | | 7 | |
| ikeDecryptFailed | unsigned32 | TBD2 | decrypt failed |
| | | 8 | |
| ikeEncryptFailed | unsigned32 | TBD2 | encrypt failed |
| | | 9 | |
| ikeInvalidPayload | unsigned32 | TBD3 | invalid payload |
| | | 0 | |
Alexander, et al. Expires May 24, 2015 [Page 7]
Internet-Draft IPSec-Logging November 2014
| ikeFragFailed | unsigned32 | TBD3 | fragmentation |
| | | 1 | failure |
+-----------------------+----------------+------+-------------------+
Table 1: IKE Information Elements
5.1.2. Definition of IKE Events
Table 2 lists all the IKE event types related to a IKE session . The
events are an IKE session create , update , and delete. The update
session event type is used to provide updated statistics for the
flow, or if the collector was unavilable at the time of the session
create event and may have missed the create event. The Information
element ikeEvent is used indicate the the IKE event type
Table 2: Definition of IKE Events
+--------------------+---------+
| Event Name | Values |
+--------------------+---------+
| IKE Session Create | 1 |
| IKE Session Delete | 2 |
| IKE Session Update | 3 |
+--------------------+---------+
Table 2: Definition of IKE Events
5.1.3. IKE Create, Update, Delete Events Template
Table 3 : IKE Create, Update, Delete Events Template
Alexander, et al. Expires May 24, 2015 [Page 8]
Internet-Draft IPSec-Logging November 2014
+---------------------------------+-----------+---------------------+
| Field Name | Mandatory | Comments |
+---------------------------------+-----------+---------------------+
| ikeEvent | Yes | |
| timeStamp | Yes | |
| sessionCreationTimeMilliSeconds | Yes | |
| ikeSessionId | Yes | |
| InterfaceName | Yes | |
| InterfaceId | No | |
| ikeTunLocalIdType | Yes | |
| ikeTunLocalId | Yes | |
| ikeTunLocalIPAddr* | Yes | ikeTunLocalIPv4Addr |
| | | or |
| | | ikeTunLocalIPv6Addr |
| ikeTunLocalName | Yes | |
| VRFname | No | |
| ikeTunRemoteIdtype | Yes | |
| ikeTunRemoteIPAddr* | Yes | ikeTunLocalIPv4Addr |
| | | or |
| | | ikeTunLocalIPv6Addr |
| ikeTunRemoteName | Yes | |
| ikeTunTransform | Yes | |
| ikeTunLifeTime | Yes | |
| eventReason | No | |
+---------------------------------+-----------+---------------------+
Table 3 : IKE Create, Update, Delete Events Template
5.1.4. IKE Statistics and Errors Template
Table 4 : IKE Statistics and Errors Template
Alexander, et al. Expires May 24, 2015 [Page 9]
Internet-Draft IPSec-Logging November 2014
+------------------------------+--------------+---------------------+
| Field Name | Mandatory | Comments |
+------------------------------+--------------+---------------------+
| ikeEvent | Yes | |
| timeStamp | Yes | |
| SessCreationTimeMilliSeconds | Yes | |
| ikeSessionId | Yes | |
| ikeTunRemoteIP* | No | ikeTunLocalIPv4Addr |
| | | or |
| | | ikeTunLocalIPv6Addr |
| ikeTunRemoteName | No | |
| ikeDPDSent | No | |
| ikeDPDRcvd | No | |
| ikePktsTX | No | |
| ikePktsRX | No | |
| ikeRetransTX | No | |
| ikeRetransRX | No | |
| ikeDecryptFailed | No | |
| ikeEncryptFailed | No | |
| ikeInvalidPayload | No | |
| ikeFragFailed | No | |
+------------------------------+--------------+---------------------+
Table 4 : IKE Statistics and Errors Template
5.2. IPSec Event Logging
5.2.1. IPSec Information Elements
The following table lists all of the IPsec Information Elements used
in events send to a collector. The formats of the IE's and the IPFIX
IDs are listed below. Some of the IPFIX IE's are not assigned yet,
and thus the detailed description of these fields are provided in the
IANA considerations section. New IPFIX Information Elements must be
allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
sub-sections of section 9. The templates may contain a subset of the
Information Elements(IEs) shown in Table 5 depending upon the event
being logged.
Table 5 : IPSec Information Elements
+----------------------------+--------------+-------+---------------+
| IPFIX Field Name | Data Type | IANA | Description |
| | | IPFIX | |
| | | ID | |
+----------------------------+--------------+-------+---------------+
| ipsecEvent | unsigned8 | TBD32 | IPSec event - |
| | | | start, |
Alexander, et al. Expires May 24, 2015 [Page 10]
Internet-Draft IPSec-Logging November 2014
| | | | udpate,stop, |
| | | | error |
| timeStamp | unsigned64** | 323 | timestamp of |
| | * | | event |
| SessionCreationTimeMilliSe | unsigned64** | TBD33 | Tracks when a |
| conds | * | | session was |
| | | | created |
| ipsecTunSessionId | unsigned32 | TBD34 | Session id |
| | | | used by IPSec |
| ikeSessionId | unsigned32 | TBD03 | Session id |
| | | | used by IKE |
| ipsecproxySrcType | unsigned8 | TBD35 | proxy type |
| ipSecSpi | unsigned32 | 295 | SPI value |
| ipSecDirection | unsigned8 | TBD37 | inbound or |
| | | | outbound SA |
| ikeTunLocalIPAddr* | var | TBD08 | ikeTunLocalIP |
| | | | v4Addr or ike |
| | | | TunLocalIPv6A |
| | | | ddr |
| ikeTunRemoteIPAddr* | var | TBD14 | ikeTunRemoteI |
| | | | Pv4Addr or ik |
| | | | eTunRemoteIPv |
| | | | 6Addr |
| ikeTunRemoteName | str | TBD17 | Remote peer |
| | | | name |
| ipSecFrontVrfName | str | TBD38 | Front door |
| | | | vrf name |
| ipSecInsideVrfName | str | TBD39 | Inside VRF |
| | | | name |
| ipSecTunLifeSize | unsigned32 | TBD40 | IPSec Tunnel |
| | | | data volume |
| | | | lifetime |
| ipSecTunLifeTime | unsigned32 | TBD41 | IPSec Tunnel |
| | | | lifetime |
| ipSecTunEncapMode | unsigned8 | TBD42 | Tunnel or |
| | | | Transport |
| ipSecTunSaTransform | unsigned32 | TBD43 | Sequence of |
| | | | Transform |
| | | | (RFC5996, |
| | | | section |
| | | | 3.3.2) |
| | | | includes |
| | | | dh,prot, |
| | | | encr, auth |
| ipSecTunSaCompAlgo | IKE | TBD44 | check if it |
| | | | can combined |
| | | | with |
| | | | SaTransform |
Alexander, et al. Expires May 24, 2015 [Page 11]
Internet-Draft IPSec-Logging November 2014
| ipSecTrafficSelector | IKE | TBD45 | RFC5996, |
| | | | section |
| | | | 3.13.1 |
| eventReason | unsigned8 | TBD46 | Reason for |
| | | | event like |
| | | | create/delete |
| ipsecPktCount | unsigned64 | TBD47 | # of packet e |
| | | | ncrypted/decr |
| | | | ypted |
| ipsecPktComp | unsigned64 | TBD48 | Packets |
| | | | compressed |
| ipsecPktDecomp | unsigned64 | TBD49 | Packets |
| | | | decompressed |
| ipsecByteCount | unsigned128 | TBD50 | Bytes |
| | | | encrypted or |
| | | | decrypted |
| ipsecReplayErrors | unsigned32 | TBD51 | Replay errors |
| ipsecReplayRollover | unsigned32 | TBD52 | Replay |
| | | | rollovers |
| ipsecMacErrors | unsigned32 | TBD53 | Hash compare |
| | | | failed |
| ipsecRecvdPktNotIpsec | unsigned32 | TBD54 | Packet |
| | | | received in |
| | | | clear and |
| | | | should have |
| | | | been |
| | | | encrypted |
| ipsecRecvdPktInvalidId | unsigned32 | TBD55 | Received |
| | | | packet did |
| | | | not match |
| | | | proxy id of |
| | | | SA |
| ipsecPktCompFailed | unsigned32 | TBD56 | Compression |
| | | | Failed |
| ipsecPktDecompFailed | unsigned32 | TBD57 | De |
| | | | Compression |
| | | | Failed |
+----------------------------+--------------+-------+---------------+
Table 5 : IPSec Information Elements
5.2.2. Definition of IPSec Events
Table 6 lists all the IPSEC event types related to a IPSEC session .
The events are an IPSEC session create , update , and delete. The
update session event type is used to either provide updated
statistics for the flow, or notify the flow if collector was
unavailable at the time of the session creation event and may have
Alexander, et al. Expires May 24, 2015 [Page 12]
Internet-Draft IPSec-Logging November 2014
missed the create event. The update event will also be used for
IPSEC rekey event. The Information element ipsecEvent is used to
indicate the the IPSEC event type
Table 6: Definition of IPSec Events
+----------------------+---------+
| Event Name | Values |
+----------------------+---------+
| IPsec Session Create | 1 |
| IPsec Session Delete | 2 |
| IPsec Session Update | 3 |
+----------------------+---------+
Table 6: Definition of IPSec Events
5.2.3. IPSec Create, Delete, Update Template
Table 7: IPSec Create, Delete, Update Template
+-----------------------------+-----------+-------------------------+
| IPFIX Field Name | Mandatory | Comments |
+-----------------------------+-----------+-------------------------+
| ipsecEvent | Yes | |
| timeStamp | Yes | |
| SessionCreationMilliSeconds | Yes | |
| ipsecTunSessionId | Yes | |
| ikeSessionId | No | |
| ipsecproxySrcType | Yes | |
| ipSecSpi | Yes | |
| ipSecDirection | Yes | |
| ikeTunLocalIPAddr* | Yes | ikeTunLocalIPv4Addr or |
| | | ikeTunLocalIPv6Addr |
| ikeTunRemoteIPAddr* | Yes | ikeTunLocalIPv4Addr or |
| | | ikeTunLocalIPv6Addr |
| ipSecFrontVrfName | No | |
| ipSecInsideVrfName | No | |
| ipSecTunLifeSize | Yes | |
| ipSecTunLifeTime | Yes | |
| ipSecTunEncapMode | Yes | |
| ipSecTunSaTransform | Yes | |
| ipSecTunSacompAlgo | No | |
| ipSecTrafficSelector | Yes | |
| eventReason | No | |
+-----------------------------+-----------+-------------------------+
Table 7: IPSec Create, Delete, Update Template
Alexander, et al. Expires May 24, 2015 [Page 13]
Internet-Draft IPSec-Logging November 2014
5.2.4. IPSec Statistics and Errors Template
+-----------------------------+-----------+----------+
| IPFIX Field Name | Mandatory | Comments |
+-----------------------------+-----------+----------+
| ipsecEvent | Yes | |
| timeStamp | Yes | |
| SessionCreationMilliSeconds | Yes | |
| ipsecTunSessionId | Yes | |
| ikeSessionId | No | |
| IPSecSPI | Yes | |
| ipSecDirection | Yes | |
| ipsecPktCount | No | |
| ipsecPktComp | No | |
| ipsecPktDecomp | No | |
| ipsecByteCount | No | |
| ipsecReplayErrors | No | |
| ipsecReplayRollover | No | |
| ipsecMacErrors | No | |
| ipsecRecvdPktNotIpsec | No | |
| ipsecRecvdPktInvalidId | No | |
| ipsecPktCompFailed | No | |
| ipsecPktDecompFailed | No | |
+-----------------------------+-----------+----------+
IPSec Statistics and Error Template
6. Examples
TBD
7. Considerations
A collector may receive IPSec events from multiple devices and should
be able to distinguish between the devices. Each device should have
a unique source ID to identify themselves. The source ID is part of
the IPFIX template and data exchange.
Prior to logging any events, an IPSec device MUST send the template
of the record to the collector to advertise the format of the data
record that it is using to send the events. The templates can be
exchanged as frequently as required given the reliability of the
connection. There SHOULD be a configurable timer for controlling the
template refresh. IPSec device SHOULD combine as many events as
possible in a single packet to effectively utilize the network
bandwidth.
Alexander, et al. Expires May 24, 2015 [Page 14]
Internet-Draft IPSec-Logging November 2014
8. Acknowledgements
TBD
9. IANA Considerations
9.1. General Information Elements
9.1.1. timestamp
Description: Contains the timestamp of the flow record
Abstract Data Type: unsigned64
ElementId: 323
Semantics: identifier
9.1.2. sessCreatetimeStamp
Description: Used to track when the session was created especially if
its a update flow
Abstract Data Type: unsigned64
ElementId: TBD02
Semantics: identifier
9.1.3. interfaceId
Description: Used to uniquely identify the interface identifier used
on the system/device for IKE session
Abstract Data Type: unsigned32
ElementId: TBD04
Semantics: identifier
9.1.4. eventReason
Description: Reason for session delete or create / update. Example
reason for sesion delete could be "Administrator reset" As its a
Alexander, et al. Expires May 24, 2015 [Page 15]
Internet-Draft IPSec-Logging November 2014
unsigned8 data type, we will use a eventreason id to name mapping.
Example: 1 -> Delete by DPD Failure 2 -> Administrator Reset
Abstract Data Type: unsigned8
ElementId: TBD21
Semantics: identifier
9.2. IKE Information Elements
9.2.1. ikeEvent
Description: Contains the IKE Event Type 1=start, 2=update , 3=delete
Abstract Data Type: unsigned8
ElementId: TBD01
Semantics: identifier
9.2.2. ikeSessionId
Description: Its the session id used by IKE that will be used to
uniquely identify a IKE session and can be correlate from an IPsec
SA. A value of 0 is used for manual keying.
Abstract Data Type: unsigned32
ElementId: TBD03
Semantics: identifier
9.2.3. ikeTunLocalIdType
Description: Contains the IKE ID Type by the local device - FQDN,
addr. Will use the same as per the IKE RFC
Abstract Data Type: unsigned8
ElementId: TBD05
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 16]
Internet-Draft IPSec-Logging November 2014
9.2.4. ikeTunLocalId
Description: Local identity to be used for the IKE session: ip addr,
FQDN
Abstract Data Type: str
ElementId: TBD06
Semantics: identifier
9.2.5. ikeTunLocalIPAddr*
Description: ikeTunLocalIPv4Addr or ikeTunLocalIPv6Addr depending on
whether its a IPv4 or IPv6. IP address used by the local IKE device.
It will be either a IPv4 or a IPv6 address.
Abstract Data Type: var
ElementId: TBD07
Semantics: identifier
9.2.6. ikeTunLocalName
Description: A descriptive name given to identify the tunnel. Its
locally signficant and not used for IKE negotiation purposes
Abstract Data Type: str
ElementId: TBD10
Semantics: identifier
9.2.7. ikeTunRemoteIdType
Description: Contains the IKE ID Type by the remote peer - FQDN, ip
addr etc. Will use the same as per the IKE RFC
Abstract Data Type: unsigned8
ElementId: TBD11
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 17]
Internet-Draft IPSec-Logging November 2014
9.2.8. ikeTunRemoteId
Description: Remote identity to be used for the IKE session: ip addr,
FQDN
Abstract Data Type: var
ElementId: TBD12
Semantics: identifier
9.2.9. ikeTunRemoteIPAddr*
Description: exactlyOneOf (ikeTunRemoteIPv4Addr,
ikeTunRemoteIPv6Addr). IP address used by the local IKE device. It
will be either a IPv4 or a IPv6 address, thus a exactlyOneOf method
is used to derive that.
Abstract Data Type: var
ElementId: TBD13
Semantics: identifier
9.2.10. ikeTunRemoteName
Description: A logical name used to identify the remote VPN peer. Is
locally significant and not used in any IKE negotiation.
Abstract Data Type: str
ElementId: TBD16
Semantics: identifier
9.2.11. ikeTunTransform
Description: Transform used for IKE sa. Its based on RFC5996 3.3.2
IKE encoding : DH, encryption algo, hash, PRF. IKE encoding is used
so that collectors can easily understand this.
Abstract Data Type: ike-encoding
ElementId: TBD17 - Possible use of Structured Data Type such as
subTemplateList/SubTemplateMultiList
Alexander, et al. Expires May 24, 2015 [Page 18]
Internet-Draft IPSec-Logging November 2014
Semantics: identifier
9.2.12. ikeTunLocalAuthMethod
Description: Authentication method used by local device - pre-shared
key, certificate, EAP
Values: 1=PSK, 2=certificate, 3=EAP
Abstract Data Type: unsigned8
ElementId: TBD18
Semantics: identifier
9.2.13. ikeTunRemoteAuthMethod
Description: Authentication method used by remote peer- pre-shared
key, certificate, EAP
Values: 1=PSK, 2=certificate, 3=EAP
Abstract Data Type: unsigned8
ElementId: TBD19
Semantics: identifier
9.2.14. ikeTunLifeTime
Description: IKE SA lifetime in seconds
Abstract Data Type: unsigned32
ElementId: TBD20
Semantics: identifier
9.2.15. ikeDPDSent
Description: IKE Dead peer detection (DPD) packets sent
Abstract Data Type: unsigned32
Alexander, et al. Expires May 24, 2015 [Page 19]
Internet-Draft IPSec-Logging November 2014
ElementId: TBD22
Semantics: identifier
9.2.16. ikeDPDRcvd
Description: IKE Dead peer detection (DPD) packets received
Abstract Data Type: unsigned32
ElementId: TBD23
Semantics: identifier
9.2.17. ikePktsTX
Description: Number of IKE packets sent
Abstract Data Type: unsigned32
ElementId: TBD24
Semantics: identifier
9.2.18. ikePktsRX
Description: Number of IKE packets received
Abstract Data Type: unsigned32
ElementId: TBD25
Semantics: identifier
9.2.19. ikeRetransTX
Description: IKE Retransmitted
Abstract Data Type: unsigned32
ElementId: TBD26
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 20]
Internet-Draft IPSec-Logging November 2014
9.2.20. ikeRetransRX
Description: IKE Retransmitted
Abstract Data Type: unsigned32
ElementId: TBD27
Semantics: identifier
9.2.21. ikeDecryptFailed
Description: Number of IKE packets where the payload decryption
failed
Abstract Data Type: unsigned32
ElementId: TBD28
Semantics: identifier
9.2.22. ikeEncryptFailed
Description: Number of IKE packets where the payload encryption
failed
Abstract Data Type: unsigned32
ElementId: TBD29
Semantics: identifier
9.2.23. ikeInvalidPayload
Description: Number of packets received where the IKE payload was
invalid
Abstract Data Type: unsigned32
ElementId: TBD30
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 21]
Internet-Draft IPSec-Logging November 2014
9.2.24. ikeFragFailed
Description: Number of packets where it failed due to fragmentation
Abstract Data Type: unsigned32
ElementId: TBD31
Semantics: identifier
9.3. IPSec Information Elements
9.3.1. ipsecEvent
Description: Contains the Ipsec Event Type 1=start, 2=update ,
3=delete
Abstract Data Type: unsigned8
ElementId: TBD32
Semantics: identifier
9.3.2. ipsecTunSessionId
Description: Session used to uniquely identify a ipsec sa
Abstract Data Type: ipv6Address
ElementId: TBD34
Semantics: identifier
9.3.3. ipsecProxySrcType
Description: Proxy type used by IPSEC
Abstract Data Type: unsigned8
ElementId: TBD35
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 22]
Internet-Draft IPSec-Logging November 2014
9.3.4. ipSecDirection
Description: Direction of the IPSEC sa : 1=Inbound 2=Outbound
Abstract Data Type: unsigned8
ElementId: TBD37 -- Possible reuse of flowDirection (61)
Semantics: identifier
9.3.5. ipSecFrontVrfName
Description: VRF name used after IPSEC encapsulation
Abstract Data Type: var
ElementId: TBD38
Semantics: identifier
9.3.6. ipSecInsideVrfName
Description: VRF name where the clear text packet/data resides before
IPsec encapsulation or after decryption
Abstract Data Type: str
ElementId: TBD39
Semantics: identifier
9.3.7. ipSecTunLifeSize
Description: The IPsec SA data volume based lifetime measured in
bytes
Abstract Data Type: unsigned32
ElementId: TBD40
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 23]
Internet-Draft IPSec-Logging November 2014
9.3.8. ipSecTunLifeTime
Description: The IPsec sa lifetime measured in seconds
Abstract Data Type: unsigned32
ElementId: TBD41
Semantics: identifier
9.3.9. ipSecTunEncapMode
Description: Encapsulation mode used. 1=Tunnel 2=Transport
Abstract Data Type: unsigned8
ElementId: TBD42
Semantics: identifier
9.3.10. ipSecTunSaTransform
Description: IPsec Transform used for encryption, DH
algorithm,authentication. IKE encoding is used as per RFC 5996
section 3.3.2
Abstract Data Type: IKE
ElementId: TBD43
Semantics: identifier
9.3.11. ipSecTunSaCompAlgo
Description: Compression algorithm used
Abstract Data Type: IKE
ElementId: TBD44
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 24]
Internet-Draft IPSec-Logging November 2014
9.3.12. ipSecTrafficSelector
Description: Defines the local and remote traffic selectors for
encryption. Encoding is using IKE as per RFC 5996 3.13.1
Abstract Data Type: IKE
ElementId: TBD45
Semantics: identifier
9.3.13. ipsecPktCount
Description: The number of packets encrypted or decrypted through
this IPsec SA
Abstract Data Type: unsigned64
ElementId: TBD47
Semantics: identifier
9.3.14. ipsecPktComp
Description: The number of packets compressed
Abstract Data Type: unsigned64
ElementId: TBD48
Semantics: identifier
9.3.15. ipsecPktDecomp
Description: The number of packets de-compressed
Abstract Data Type: unsigned64
ElementId: TBD49
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 25]
Internet-Draft IPSec-Logging November 2014
9.3.16. ipsecByteCount
Description: The number of bytes over an IPsec SA
Abstract Data Type: unsigned128
ElementId: TBD50
Semantics: identifier
9.3.17. ipsecReplayErrors
Description: The number of replay errors
Abstract Data Type: unsigned32
ElementId: TBD51
Semantics: identifier
9.3.18. ipsecReplayRollover
Description: The number of IPsec replay rollovers
Abstract Data Type: unsigned32
ElementId: TBD52
Semantics: identifier
9.3.19. ipsecMacErrors
Description: The number of mac authentication errors
Abstract Data Type: unsigned32
ElementId: TBD53
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 26]
Internet-Draft IPSec-Logging November 2014
9.3.20. ipsecRecvdPktNotIpsec
Description: The number of packets received which were not encrypted
when they should have been as per security policy
Abstract Data Type: unsigned32
ElementId: TBD54
Semantics: identifier
9.3.21. ipsecRecvdPktInvalidId
Description: The number of packets received where after decryption
did not match the traffic selector for that IPSEC sa
Abstract Data Type: unsigned32
ElementId: TBD55
Semantics: identifier
9.3.22. ipsecPktCompFailed
Description: The number of packets where compression failed
Abstract Data Type: unsigned32
ElementId: TBD56
Semantics: identifier
9.3.23. ipsecPktDecompFailed
Description: The number of packets where de-compression failed
Abstract Data Type: unsigned32
ElementId: TBD57
Semantics: identifier
Alexander, et al. Expires May 24, 2015 [Page 27]
Internet-Draft IPSec-Logging November 2014
10. Security Considerations
None.
11. Acknowledgements
We would like to thank Paul Aitken and Senthil Sivakumar for their
detailed review and feedback on early versions of this document.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC
2663, August 1999.
12.2. Informative References
[IPFIX-IANA]
IANA, "IPFIX Information Elements registry",
<http://www.iana.org/assignments/ipfix>.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC5101] Claise, B., "Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP Traffic
Flow Information", RFC 5101, January 2008.
[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
Meyer, "Information Model for IP Flow Information Export",
RFC 5102, January 2008.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export", RFC 5470,
March 2009.
[RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of
the IP Flow Information Export (IPFIX) Protocol for the
Exchange of Flow Information", STD 77, RFC 7011, September
2013.
Alexander, et al. Expires May 24, 2015 [Page 28]
Internet-Draft IPSec-Logging November 2014
Authors' Addresses
Tom Alexander
Cisco Systems, Inc.
Email: thalexan@cisco.com
Frederic Detienne
Cisco Systems, Inc.
Email: fd@cisco.com
Sandeep Rao
Cisco Systems, Inc.
Email: rsandeep@cisco.com
Thamilarasu Kandasamy
Cisco Systems, Inc.
Email: thamil@cisco.com
Alexander, et al. Expires May 24, 2015 [Page 29]