OPSAWG                                                      T. Alexander
Internet-Draft                                               F. Detienne
Intended status: Standards Track                                  S. Rao
Expires: May 24, 2015                                       T. Kandasamy
                                                     Cisco Systems, Inc.
                                                       November 20, 2014


           IPFIX Information Elements for logging IPSec Events
              draft-alexander-opsawg-ipfix-ipsec-logging-00

Abstract

   Internet Protocol Security (IPSec) is an industry standard protocol
   suite that provides secure services for traffic between IP peers in
   the network.  The purpose of IPSec is to provide key tenets of
   security that include authentication, integrity protection, access
   control and data confidentiality.  The objectives of IPSec are met
   using a collection of intertwined components, namely the security
   protocols, the session and key management protocols, and the
   algorithms for authentication and encryption.  An end-to-end IPSec
   operation is typically multi-step and involves various technologies.

   There are many events in the IPSec process that are of interest, such
   as the identities and connection status of security peers, the
   traffic or applications being protected, and the access control and
   encryption policies being enforced.  While many of these are
   functionally discrete, they have an impact on end-to-end IPSec
   operations.  Network elements involved in the IPSec process do
   provide system logs, command line interfaces and management objects
   that reflect the various states of operation; these are, however,
   scattered, inconsistent and not easily usable for analyzing,
   monitoring and auditing end-to-end behavior.  This document proposes
   an approach for common representation and standardization of various
   IPSec operational data and events using the industry standard IPFIX
   information model.
   The IPFIX approach helps to store and manage data in a consistent
   format.  It also provides an opportunity for a collector to correlate
   various IPSec events, which in turn can be exploited to obtain
   enriched end-to-end monitoring, reporting and troubleshooting
   capabilities and to provide security analytics on IPSec flows such as
   host identification, application detection, tracking of user policy
   violations, protocol failures and so on.

Alexander, et al.         Expires May 24, 2015                  [Page 1]

Internet-Draft                IPSec-Logging                November 2014

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 24, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Terminology
   2.  Introduction
   3.  Scope
   4.  Applicability
   5.  Event Logging
     5.1.  IKE Event Logging
       5.1.1.  IKE Information Elements
       5.1.2.  Definition of IKE Events
       5.1.3.  IKE Create, Update, Delete Events Template
       5.1.4.  IKE Statistics and Errors Template
     5.2.  IPSec Event Logging
       5.2.1.  IPSec Information Elements
       5.2.2.  Definition of IPSec Events
       5.2.3.  IPSec Create, Delete, Update Template
       5.2.4.  IPSec Statistics and Errors Template
   6.  Examples
   7.  Considerations
   8.  Acknowledgements
   9.  IANA Considerations
     9.1.  General Information Elements
       9.1.1.  timestamp
       9.1.2.  sessCreatetimeStamp
       9.1.3.  interfaceId
       9.1.4.  eventReason
     9.2.  IKE Information Elements
       9.2.1.  ikeEvent
       9.2.2.  ikeSessionId
       9.2.3.  ikeTunLocalIdType
       9.2.4.  ikeTunLocalId
       9.2.5.  ikeTunLocalIPAddr*
       9.2.6.  ikeTunLocalName
       9.2.7.  ikeTunRemoteIdType
       9.2.8.  ikeTunRemoteId
       9.2.9.  ikeTunRemoteIPAddr*
       9.2.10. ikeTunRemoteName
       9.2.11. ikeTunTransform
       9.2.12. ikeTunLocalAuthMethod
       9.2.13. ikeTunRemoteAuthMethod
       9.2.14. ikeTunLifeTime
       9.2.15. ikeDPDSent
       9.2.16. ikeDPDRcvd
       9.2.17. ikePktsTX
       9.2.18. ikePktsRX
       9.2.19. ikeRetransTX
       9.2.20. ikeRetransRX
       9.2.21. ikeDecryptFailed
       9.2.22. ikeEncryptFailed
       9.2.23. ikeInvalidPayload
       9.2.24. ikeFragFailed
     9.3.  IPSec Information Elements
       9.3.1.  ipsecEvent
       9.3.2.  ipsecTunSessionId
       9.3.3.  ipsecProxySrcType
       9.3.4.  ipSecDirection
       9.3.5.  ipSecFrontVrfName
       9.3.6.  ipSecInsideVrfName
       9.3.7.  ipSecTunLifeSize
       9.3.8.  ipSecTunLifeTime
       9.3.9.  ipSecTunEncapMode
       9.3.10. ipSecTunSaTransform
       9.3.11. ipSecTunSaCompAlgo
       9.3.12. ipSecTrafficSelector
       9.3.13. ipsecPktCount
       9.3.14. ipsecPktComp
       9.3.15. ipsecPktDecomp
       9.3.16. ipsecByteCount
       9.3.17. ipsecReplayErrors
       9.3.18. ipsecReplayRollover
       9.3.19. ipsecMacErrors
       9.3.20. ipsecRecvdPktNotIpsec
       9.3.21. ipsecRecvdPktInvalidId
       9.3.22. ipsecPktCompFailed
       9.3.23. ipsecPktDecompFailed
   10. Security Considerations
   11. Acknowledgements
   12. References
     12.1. Normative References
     12.2. Informative References
   Authors' Addresses

1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   IPSec terminology used in this document is as per [RFC4301].

   The term "collector" here refers to any device that receives the
   binary data from an IPSec device and converts it into meaningful
   information.

   The usage of the term Information Element (IE) is defined in
   [RFC7011].  Many of the IEs are reused from [IPFIX-IANA]; however,
   IPSec-related IEs are created with IPSec semantics.

2.  Introduction

   The intent of this document is to define and standardize the
   information format of the various functional events of an end-to-end
   IPSec operation.  This provides an opportunity for collectors to
   receive and process information in a consistent way and to instrument
   monitoring, troubleshooting, maintenance and analytics related to
   IPSec processes.

   The approach is to standardize the format of logging events using
   IPFIX [RFC7011] and SYSLOG [RFC5424].  While this document specifies
   IPFIX Information Elements that MUST be logged by devices
   participating in the IPSec process, the SYSLOG format will be
   addressed in a separate document.

   The Information Elements are part of the following two main
   categories of events:

   -  IKE events

   -  IPSec events

   There are cases when the IPFIX collector and the VPN gateway are out
   of sync.  This can happen for various reasons such as network
   connectivity issues, software errors, device reloads, etc.  In such
   cases, where the IPSec or IKE flow creation information is not
   recorded on the collector, subsequent updates for that flow may not
   be complete.  Thus, some flow information has been made consciously
   redundant in subsequent IPFIX updates so that the collectors can
   rebuild a fair approximation of the flow timeline and creation
   details.

3.  Scope

   The existing IANA IPFIX Information Elements registry [IPFIX-IANA]
   already has assignments for many IPSec logging events.  For
   consistency, this document uses those same Information Elements.

   The implementation details of the collector application are beyond
   the scope of this document.  The optimization of logging IPSec events
   is left to the implementation and is beyond the scope of this
   document.

4.  Applicability

   IPFIX based IPSec logging is specifically applicable on network
   devices that perform IPSec encryption and support the IPFIX protocol.
   The binary encoding nature of IPFIX makes it efficient for use even
   on IPSec gateways or peers that can experience high session rates.
   As in any IPFIX deployment, there is a need for collector
   applications that can receive and interpret binary encoded
   Information Elements and provide human-readable visualization and
   other required analytics.

5.  Event Logging

   In the context of this specification, we make use of three types of
   events for IKE and IPsec.  These events are:

   -  creation of an IKE or IPsec SA

   -  update (counters) of an IKE or IPsec SA

   -  deletion of an IKE or IPsec SA

   While the creation and deletion events are triggered by protocol
   (parent or child SA creation/deletion) or configuration, the update
   event is triggered exclusively by timers.  The purpose of update
   events is to offer the IPFIX collector a chance to capture
   information about a session even if the creation or deletion (or
   both) events are missed, for instance because of network
   connectivity issues between the gateway and the collector, or because
   the collector was unavailable at the time the event was sent by the
   gateway.  The frequency of update events SHOULD be controllable by a
   user-configurable element.

5.1.  IKE Event Logging

5.1.1.  IKE Information Elements

   Table 1 lists all of the IKE Information Elements used in events sent
   to a collector.  The formats of the IEs and the IPFIX IDs are listed
   below.  Some of the IPFIX IEs are not assigned yet, and thus the
   detailed description of these fields is provided in the IANA
   Considerations section.  New IPFIX Information Elements must be
   allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
   sub-sections of Section 9.  The templates may contain a subset of the
   Information Elements (IEs) shown in Table 1 depending upon the event
   being logged.
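   As an added illustration of the redundancy described in Section 2
   and of the update events of Section 5 (example code written for this
   page, not part of the draft and not a vendor implementation): every
   update and delete record repeats sessionCreationTimeMilliSeconds, so
   a collector that never received the create event can still place the
   session on a timeline and compute its lifetime, and the error
   counters carried by IPsec statistics records can be turned into
   per-interval deltas that are worth an alert.  The event dictionaries
   below are constructed input in the shape a decoder would hand over,
   using the field names of the tables in this section; the exporting
   device is identified by observationDomainId, and the alert threshold
   and the alert tuple layout are choices made for this example only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Event-type codes from Tables 2 and 6 of the draft.
EVENT_CREATE, EVENT_DELETE, EVENT_UPDATE = 1, 2, 3

# Error counters of the IPsec statistics records (Table 5). They only grow
# over the life of an SA, so the quantity worth watching is the delta
# between two consecutive update events, not the absolute value.
ERROR_COUNTERS = ("ipsecReplayErrors", "ipsecMacErrors",
                  "ipsecRecvdPktNotIpsec", "ipsecRecvdPktInvalidId")

@dataclass
class Session:
    key: tuple                    # (observationDomainId, "ike" | "ipsec", session id)
    created_ms: int               # sessionCreationTimeMilliSeconds, repeated in every record
    create_seen: bool = False     # did the create event itself reach the collector?
    deleted_ms: Optional[int] = None
    last_counters: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # (timeStamp, counter name, message)

    def lifetime_s(self):
        if self.deleted_ms is None:
            return None
        return (self.deleted_ms - self.created_ms) / 1000

def session_key(ev):
    # IPsec SA records carry ipsecTunSessionId (and optionally the parent
    # ikeSessionId); IKE records carry only ikeSessionId.
    if "ipsecTunSessionId" in ev:
        return (ev["observationDomainId"], "ipsec", ev["ipsecTunSessionId"])
    return (ev["observationDomainId"], "ike", ev["ikeSessionId"])

def reconstruct(events, alert_threshold=10):
    """Rebuild per-session state from decoded IKE/IPsec event records."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["timeStamp"]):
        key = session_key(ev)
        s = sessions.get(key)
        if s is None:
            # A lost create event is recoverable: every update and delete
            # record carries the creation time.
            s = sessions[key] = Session(key, ev["sessionCreationTimeMilliSeconds"])
        kind = ev.get("ikeEvent", ev.get("ipsecEvent"))
        if kind == EVENT_CREATE:
            s.create_seen = True
        elif kind == EVENT_DELETE:
            s.deleted_ms = ev["timeStamp"]
        for name in ERROR_COUNTERS:
            if name not in ev:
                continue
            value, prev = ev[name], s.last_counters.get(name)
            if prev is not None and value < prev:
                s.alerts.append((ev["timeStamp"], name, "counter went backwards"))
            elif prev is not None and value - prev >= alert_threshold:
                s.alerts.append((ev["timeStamp"], name,
                                 "+%d since last update" % (value - prev)))
            s.last_counters[name] = value
    return sessions

# Constructed sample: the IKE create event for session 4711 on exporting
# device 7 never reached the collector; its child IPsec SA 9001 reports
# MAC verification failures climbing between two update events.
SAMPLE_EVENTS = [
    {"observationDomainId": 7, "ikeEvent": EVENT_UPDATE, "timeStamp": 1416480600000,
     "sessionCreationTimeMilliSeconds": 1416480000000, "ikeSessionId": 4711},
    {"observationDomainId": 7, "ikeEvent": EVENT_DELETE, "timeStamp": 1416483600000,
     "sessionCreationTimeMilliSeconds": 1416480000000, "ikeSessionId": 4711,
     "eventReason": 2},
    {"observationDomainId": 7, "ipsecEvent": EVENT_CREATE, "timeStamp": 1416480001000,
     "sessionCreationTimeMilliSeconds": 1416480001000, "ipsecTunSessionId": 9001,
     "ikeSessionId": 4711},
    {"observationDomainId": 7, "ipsecEvent": EVENT_UPDATE, "timeStamp": 1416480601000,
     "sessionCreationTimeMilliSeconds": 1416480001000, "ipsecTunSessionId": 9001,
     "ipsecMacErrors": 2, "ipsecReplayErrors": 0},
    {"observationDomainId": 7, "ipsecEvent": EVENT_UPDATE, "timeStamp": 1416481201000,
     "sessionCreationTimeMilliSeconds": 1416480001000, "ipsecTunSessionId": 9001,
     "ipsecMacErrors": 57, "ipsecReplayErrors": 0},
]

if __name__ == "__main__":
    for key, s in reconstruct(SAMPLE_EVENTS).items():
        print(key, "create seen:", s.create_seen,
              "lifetime s:", s.lifetime_s(), "alerts:", s.alerts)
```

   For the constructed input the IKE session is reported with its
   create event missing but with a full one-hour lifetime derived from
   the repeated creation time, and the IPsec SA raises one alert for the
   jump of 55 MAC errors between its two updates.  Counters that go
   backwards are flagged separately, since after a device reload the
   collector would otherwise compute a meaningless negative delta.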
   +---------------------------------+----------------------+---------+--------------------------------+
   | IPFIX Field Name                | Data Type            | IANA ID | Description                    |
   +---------------------------------+----------------------+---------+--------------------------------+
   | ikeEvent                        | unsigned8            | TBD01   | IKE event - start, update,     |
   |                                 |                      |         | stop                           |
   | timeStamp                       | dateTimeMilliseconds | 323     | timestamp of event             |
   | sessionCreationTimeMilliSeconds | dateTimeMilliseconds | TBD02   | Tracks when a session was      |
   |                                 |                      |         | created                        |
   | ikeSessionId                    | unsigned32           | TBD03   | Session id used by IKE         |
   | interfaceName                   | str                  | 82      | Interface name                 |
   | InterfaceId                     | unsigned32           | TBD04   |                                |
   | ikeTunLocalIdType               | unsigned8            | TBD05   | Id type - fqdn, ip addr        |
   | ikeTunLocalId                   | str                  | TBD06   |                                |
   | ikeTunLocalIPAddr*              | var                  | TBD07   | ikeTunLocalIPv4Addr or         |
   |                                 |                      |         | ikeTunLocalIPv6Addr            |
   | ikeTunLocalName                 | str                  | TBD10   | Tunnel local name              |
   | VRFname                         | str                  | 236     | Virtual Routing and Forwarding |
   |                                 |                      |         | identifier                     |
   | ikeTunRemoteIdtype              | unsigned8            | TBD11   | ip addr, FQDN etc              |
   | ikeTunRemoteId                  | var                  | TBD12   | remote id - fqdn, ip etc       |
   | ikeTunRemoteIPAddr              | var                  | TBD13   | either ikeTunRemoteIPv4Addr or |
   |                                 |                      |         | ikeTunRemoteIPv6Addr           |
   | ikeTunRemoteName                | str                  | TBD16   | Remote peer logical name       |
   | ikeTunTransform                 | ike-encoding         | TBD17   | RFC5996 3.3.2 IKE encoding:    |
   |                                 |                      |         | DH, encryption algo, hash, PRF |
   | ikeTunLocalAuthMethod           | unsigned8            | TBD18   | values to indicate psk, eap,   |
   |                                 |                      |         | cert                           |
   | ikeTunRemoteAuthMethod          | unsigned8            | TBD19   | values to indicate remote psk, |
   |                                 |                      |         | eap, cert                      |
   | ikeTunLifeTime                  | unsigned32           | TBD20   | SA lifetime                    |
   | eventReason                     | unsigned8            | TBD21   | Reason - delete reason, rekey  |
   |                                 |                      |         | etc                            |
   | ikeDPDSent                      | unsigned32           | TBD22   | DPD sent                       |
   | ikeDPDRcvd                      | unsigned32           | TBD23   | DPD received                   |
   | ikePktsTX                       | unsigned32           | TBD24   | packets sent                   |
   | ikePktsRX                       | unsigned32           | TBD25   | packets received               |
   | ikeRetransTX                    | unsigned32           | TBD26   | IKE retransmitted              |
   | ikeRetransRX                    | unsigned32           | TBD27   | IKE retransmitted              |
   | ikeDecryptFailed                | unsigned32           | TBD28   | decrypt failed                 |
   | ikeEncryptFailed                | unsigned32           | TBD29   | encrypt failed                 |
   | ikeInvalidPayload               | unsigned32           | TBD30   | invalid payload                |
   | ikeFragFailed                   | unsigned32           | TBD31   | fragmentation failure          |
   +---------------------------------+----------------------+---------+--------------------------------+

                     Table 1: IKE Information Elements

5.1.2.  Definition of IKE Events

   Table 2 lists all the IKE event types related to an IKE session.  The
   events are IKE session create, update, and delete.  The update
   session event type is used to provide updated statistics for the
   flow, or to cover the case where the collector was unavailable at the
   time of the session create event and may have missed it.  The
   Information Element ikeEvent is used to indicate the IKE event type.

                +--------------------+--------+
                | Event Name         | Values |
                +--------------------+--------+
                | IKE Session Create | 1      |
                | IKE Session Delete | 2      |
                | IKE Session Update | 3      |
                +--------------------+--------+

                 Table 2: Definition of IKE Events

5.1.3.  IKE Create, Update, Delete Events Template
   +---------------------------------+-----------+----------------------+
   | Field Name                      | Mandatory | Comments             |
   +---------------------------------+-----------+----------------------+
   | ikeEvent                        | Yes       |                      |
   | timeStamp                       | Yes       |                      |
   | sessionCreationTimeMilliSeconds | Yes       |                      |
   | ikeSessionId                    | Yes       |                      |
   | InterfaceName                   | Yes       |                      |
   | InterfaceId                     | No        |                      |
   | ikeTunLocalIdType               | Yes       |                      |
   | ikeTunLocalId                   | Yes       |                      |
   | ikeTunLocalIPAddr*              | Yes       | ikeTunLocalIPv4Addr  |
   |                                 |           | or                   |
   |                                 |           | ikeTunLocalIPv6Addr  |
   | ikeTunLocalName                 | Yes       |                      |
   | VRFname                         | No        |                      |
   | ikeTunRemoteIdtype              | Yes       |                      |
   | ikeTunRemoteIPAddr*             | Yes       | ikeTunRemoteIPv4Addr |
   |                                 |           | or                   |
   |                                 |           | ikeTunRemoteIPv6Addr |
   | ikeTunRemoteName                | Yes       |                      |
   | ikeTunTransform                 | Yes       |                      |
   | ikeTunLifeTime                  | Yes       |                      |
   | eventReason                     | No        |                      |
   +---------------------------------+-----------+----------------------+

           Table 3: IKE Create, Update, Delete Events Template

5.1.4.  IKE Statistics and Errors Template

   +------------------------------+-----------+----------------------+
   | Field Name                   | Mandatory | Comments             |
   +------------------------------+-----------+----------------------+
   | ikeEvent                     | Yes       |                      |
   | timeStamp                    | Yes       |                      |
   | SessCreationTimeMilliSeconds | Yes       |                      |
   | ikeSessionId                 | Yes       |                      |
   | ikeTunRemoteIP*              | No        | ikeTunRemoteIPv4Addr |
   |                              |           | or                   |
   |                              |           | ikeTunRemoteIPv6Addr |
   | ikeTunRemoteName             | No        |                      |
   | ikeDPDSent                   | No        |                      |
   | ikeDPDRcvd                   | No        |                      |
   | ikePktsTX                    | No        |                      |
   | ikePktsRX                    | No        |                      |
   | ikeRetransTX                 | No        |                      |
   | ikeRetransRX                 | No        |                      |
   | ikeDecryptFailed             | No        |                      |
   | ikeEncryptFailed             | No        |                      |
   | ikeInvalidPayload            | No        |                      |
   | ikeFragFailed                | No        |                      |
   +------------------------------+-----------+----------------------+

               Table 4: IKE Statistics and Errors Template

5.2.  IPSec Event Logging

5.2.1.  IPSec Information Elements

   Table 5 lists all of the IPsec Information Elements used in events
   sent to a collector.  The formats of the IEs and the IPFIX IDs are
   listed below.  Some of the IPFIX IEs are not assigned yet, and thus
   the detailed description of these fields is provided in the IANA
   Considerations section.  New IPFIX Information Elements must be
   allocated in IANA's IPFIX registry [IANA-IPFIX], as defined in the
   sub-sections of Section 9.  The templates may contain a subset of the
   Information Elements (IEs) shown in Table 5 depending upon the event
   being logged.

   +---------------------------------+----------------------+---------+--------------------------------+
   | IPFIX Field Name                | Data Type            | IANA ID | Description                    |
   +---------------------------------+----------------------+---------+--------------------------------+
   | ipsecEvent                      | unsigned8            | TBD32   | IPSec event - start, update,   |
   |                                 |                      |         | stop, error                    |
   | timeStamp                       | unsigned64***        | 323     | timestamp of event             |
   | SessionCreationTimeMilliSeconds | unsigned64***        | TBD33   | Tracks when a session was      |
   |                                 |                      |         | created                        |
   | ipsecTunSessionId               | unsigned32           | TBD34   | Session id used by IPSec       |
   | ikeSessionId                    | unsigned32           | TBD03   | Session id used by IKE         |
   | ipsecproxySrcType               | unsigned8            | TBD35   | proxy type                     |
   | ipSecSpi                        | unsigned32           | 295     | SPI value                      |
   | ipSecDirection                  | unsigned8            | TBD37   | inbound or outbound SA         |
   | ikeTunLocalIPAddr*              | var                  | TBD08   | ikeTunLocalIPv4Addr or         |
   |                                 |                      |         | ikeTunLocalIPv6Addr            |
   | ikeTunRemoteIPAddr*             | var                  | TBD14   | ikeTunRemoteIPv4Addr or        |
   |                                 |                      |         | ikeTunRemoteIPv6Addr           |
   | ikeTunRemoteName                | str                  | TBD17   | Remote peer name               |
   | ipSecFrontVrfName               | str                  | TBD38   | Front door VRF name            |
   | ipSecInsideVrfName              | str                  | TBD39   | Inside VRF name                |
   | ipSecTunLifeSize                | unsigned32           | TBD40   | IPSec tunnel data volume       |
   |                                 |                      |         | lifetime                       |
   | ipSecTunLifeTime                | unsigned32           | TBD41   | IPSec tunnel lifetime          |
   | ipSecTunEncapMode               | unsigned8            | TBD42   | Tunnel or Transport            |
   | ipSecTunSaTransform             | unsigned32           | TBD43   | Sequence of Transform          |
   |                                 |                      |         | (RFC5996, section 3.3.2);      |
   |                                 |                      |         | includes dh, prot, encr, auth  |
   | ipSecTunSaCompAlgo              | IKE                  | TBD44   | check if it can be combined    |
   |                                 |                      |         | with SaTransform               |
   | ipSecTrafficSelector            | IKE                  | TBD45   | RFC5996, section 3.13.1        |
   | eventReason                     | unsigned8            | TBD46   | Reason for event like          |
   |                                 |                      |         | create/delete                  |
   | ipsecPktCount                   | unsigned64           | TBD47   | # of packets encrypted/        |
   |                                 |                      |         | decrypted                      |
   | ipsecPktComp                    | unsigned64           | TBD48   | Packets compressed             |
   | ipsecPktDecomp                  | unsigned64           | TBD49   | Packets decompressed           |
   | ipsecByteCount                  | unsigned128          | TBD50   | Bytes encrypted or decrypted   |
   | ipsecReplayErrors               | unsigned32           | TBD51   | Replay errors                  |
   | ipsecReplayRollover             | unsigned32           | TBD52   | Replay rollovers               |
   | ipsecMacErrors                  | unsigned32           | TBD53   | Hash compare failed            |
   | ipsecRecvdPktNotIpsec           | unsigned32           | TBD54   | Packet received in clear that  |
   |                                 |                      |         | should have been encrypted     |
   | ipsecRecvdPktInvalidId          | unsigned32           | TBD55   | Received packet did not match  |
   |                                 |                      |         | proxy id of SA                 |
   | ipsecPktCompFailed              | unsigned32           | TBD56   | Compression failed             |
   | ipsecPktDecompFailed            | unsigned32           | TBD57   | Decompression failed           |
   +---------------------------------+----------------------+---------+--------------------------------+

                    Table 5: IPSec Information Elements

5.2.2.  Definition of IPSec Events

   Table 6 lists all the IPSEC event types related to an IPSEC session.
   The events are IPSEC session create, update, and delete.  The update
   session event type is used either to provide updated statistics for
   the flow, or to notify the collector of the flow if it was
   unavailable at the time of the session creation event and may have
   missed the create event.  The update event will also be used for the
   IPSEC rekey event.  The Information Element ipsecEvent is used to
   indicate the IPSEC event type.

               +----------------------+--------+
               | Event Name           | Values |
               +----------------------+--------+
               | IPsec Session Create | 1      |
               | IPsec Session Delete | 2      |
               | IPsec Session Update | 3      |
               +----------------------+--------+

                Table 6: Definition of IPSec Events

5.2.3.  IPSec Create, Delete, Update Template

   +-----------------------------+-----------+-------------------------+
   | IPFIX Field Name            | Mandatory | Comments                |
   +-----------------------------+-----------+-------------------------+
   | ipsecEvent                  | Yes       |                         |
   | timeStamp                   | Yes       |                         |
   | SessionCreationMilliSeconds | Yes       |                         |
   | ipsecTunSessionId           | Yes       |                         |
   | ikeSessionId                | No        |                         |
   | ipsecproxySrcType           | Yes       |                         |
   | ipSecSpi                    | Yes       |                         |
   | ipSecDirection              | Yes       |                         |
   | ikeTunLocalIPAddr*          | Yes       | ikeTunLocalIPv4Addr or  |
   |                             |           | ikeTunLocalIPv6Addr     |
   | ikeTunRemoteIPAddr*         | Yes       | ikeTunRemoteIPv4Addr or |
   |                             |           | ikeTunRemoteIPv6Addr    |
   | ipSecFrontVrfName           | No        |                         |
   | ipSecInsideVrfName          | No        |                         |
   | ipSecTunLifeSize            | Yes       |                         |
   | ipSecTunLifeTime            | Yes       |                         |
   | ipSecTunEncapMode           | Yes       |                         |
   | ipSecTunSaTransform         | Yes       |                         |
   | ipSecTunSacompAlgo          | No        |                         |
   | ipSecTrafficSelector        | Yes       |                         |
   | eventReason                 | No        |                         |
   +-----------------------------+-----------+-------------------------+

             Table 7: IPSec Create, Delete, Update Template
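   As an added example (written for this page; not code from the
   draft's authors or from any IPFIX implementation), the following
   Python sketch puts a subset of the IKE Create/Update/Delete template
   of Table 3 on the wire as an IPFIX Template Set followed by a Data
   Set in the RFC 7011 encoding, and decodes it on a collector that
   keeps templates per Observation Domain ID, i.e. per exporting device.
   Because the TBDnn identifiers have no IANA assignment yet, the sketch
   carries them as enterprise-specific IEs under a placeholder Private
   Enterprise Number (99999 is an assumption made here, not a
   registration) with nn reused as the enterprise-specific id; 323
   (observationTimeMilliseconds, used as timeStamp) and 82
   (interfaceName) are real IANA assignments.  A data set that arrives
   before its template is counted and dropped rather than guessed at,
   which is the situation the template-first requirement of Section 7
   is meant to avoid.

```python
import socket
import struct

# Placeholder Private Enterprise Number for the "TBDnn" IEs: NOT a real
# assignment. Until IANA allocates them, an exporter has to carry them as
# enterprise-specific IEs (RFC 7011, Section 3.2). 323 and 82 are real ids.
PEN_PLACEHOLDER = 99999
VARLEN = 65535                         # template length meaning "variable-length"
TEMPLATE_SET_ID, IKE_TEMPLATE_ID = 2, 256

# Subset of the IKE Create/Update/Delete template (Table 3) as
# (name, ie id, length, PEN, codec); TBDnn -> enterprise id nn (assumption).
IKE_EVENT_FIELDS = [
    ("ikeEvent", 1, 1, PEN_PLACEHOLDER, "u8"),
    ("timeStamp", 323, 8, None, "u64"),            # observationTimeMilliseconds
    ("sessionCreationTimeMilliSeconds", 2, 8, PEN_PLACEHOLDER, "u64"),
    ("ikeSessionId", 3, 4, PEN_PLACEHOLDER, "u32"),
    ("interfaceName", 82, VARLEN, None, "str"),
    ("ikeTunRemoteIPv4Addr", 13, 4, PEN_PLACEHOLDER, "ip4"),
]
KNOWN_IES = {(ie, pen): (name, codec) for name, ie, _, pen, codec in IKE_EVENT_FIELDS}
INT_FMT = {"u8": "!B", "u32": "!I", "u64": "!Q"}

def encode_field(codec, value):
    if codec == "str":                 # variable length: one-byte length prefix
        raw = value.encode("utf-8")
        assert len(raw) < 255, "3-byte length form not shown in this example"
        return bytes([len(raw)]) + raw
    return socket.inet_aton(value) if codec == "ip4" else struct.pack(INT_FMT[codec], value)

def decode_field(codec, raw):
    if codec == "str": return raw.decode("utf-8", errors="replace")
    if codec == "ip4": return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big") if codec in INT_FMT else raw  # unknown IE: raw

def build_template_set(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    for _, ie_id, length, pen, _ in fields:   # enterprise bit 0x8000 + 4-byte PEN
        body += (struct.pack("!HH", ie_id, length) if pen is None
                 else struct.pack("!HHI", ie_id | 0x8000, length, pen))
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body

def build_data_set(template_id, fields, records):
    body = b"".join(encode_field(codec, rec[name])
                    for rec in records for name, _, _, _, codec in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def build_message(observation_domain_id, sequence, export_time, sets):
    payload = b"".join(sets)  # header: version 10, length, export time, seq, ODID
    return struct.pack("!HHIII", 10, 16 + len(payload), export_time,
                       sequence, observation_domain_id) + payload

class Collector:
    # Templates are scoped per Observation Domain ID (the exporting device); a
    # data set whose template has not been seen is counted and dropped.
    def __init__(self):
        self.templates, self.events, self.dropped = {}, [], 0

    def feed(self, msg):
        version, length, _t, _seq, odid = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg): raise ValueError("bad IPFIX header")
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn_template(odid, body)
            elif set_id >= 256:            # options templates (set 3) are skipped
                self._decode_data(odid, set_id, body)
            off += set_len

    def _learn_template(self, odid, body):  # assumes one template record per set
        tid, count = struct.unpack("!HH", body[:4])
        off, specs = 4, []
        for _ in range(count):
            ie_id, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
            pen = None
            if ie_id & 0x8000: ie_id &= 0x7FFF; pen = struct.unpack("!I", body[off:off + 4])[0]; off += 4
            specs.append((ie_id, flen, pen))
        self.templates[(odid, tid)] = specs

    def _decode_data(self, odid, tid, body):
        specs = self.templates.get((odid, tid))
        if specs is None: self.dropped += 1; return
        min_len = sum(1 if flen == VARLEN else flen for _, flen, _ in specs)
        off = 0
        while off + min_len <= len(body):  # a shorter remainder is padding
            rec = {"observationDomainId": odid}
            for ie_id, flen, pen in specs:
                if flen == VARLEN: flen = body[off]; off += 1
                name, codec = KNOWN_IES.get((ie_id, pen), ("ie%d" % ie_id, "bytes"))
                rec[name] = decode_field(codec, body[off:off + flen]); off += flen
            self.events.append(rec)

def demo():  # constructed exchange: data before its template is dropped, after it decodes
    record = {"ikeEvent": 1, "timeStamp": 1416480000000, "ikeSessionId": 4711,
              "sessionCreationTimeMilliSeconds": 1416480000000,
              "interfaceName": "Tunnel0", "ikeTunRemoteIPv4Addr": "198.51.100.7"}
    data = build_data_set(IKE_TEMPLATE_ID, IKE_EVENT_FIELDS, [record])
    tmpl = build_template_set(IKE_TEMPLATE_ID, IKE_EVENT_FIELDS)
    c = Collector()
    c.feed(build_message(7, 0, 1416480000, [data]))        # template not yet seen
    c.feed(build_message(7, 1, 1416480000, [tmpl, data]))  # template, then data
    return c
```

   Keying the template store by (Observation Domain ID, Template ID)
   matters in practice: template ids are only unique per exporting
   device, so a collector that merged templates from several gateways
   under the same id would silently decode one device's records with
   another device's layout.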
Expires May 24, 2015 [Page 13] Internet-Draft IPSec-Logging November 2014 5.2.4. IPSec Statistics and Errors Template +-----------------------------+-----------+----------+ | IPFIX Field Name | Mandatory | Comments | +-----------------------------+-----------+----------+ | ipsecEvent | Yes | | | timeStamp | Yes | | | SessionCreationMilliSeconds | Yes | | | ipsecTunSessionId | Yes | | | ikeSessionId | No | | | IPSecSPI | Yes | | | ipSecDirection | Yes | | | ipsecPktCount | No | | | ipsecPktComp | No | | | ipsecPktDecomp | No | | | ipsecByteCount | No | | | ipsecReplayErrors | No | | | ipsecReplayRollover | No | | | ipsecMacErrors | No | | | ipsecRecvdPktNotIpsec | No | | | ipsecRecvdPktInvalidId | No | | | ipsecPktCompFailed | No | | | ipsecPktDecompFailed | No | | +-----------------------------+-----------+----------+ IPSec Statistics and Error Template 6. Examples TBD 7. Considerations A collector may receive IPSec events from multiple devices and should be able to distinguish between the devices. Each device should have a unique source ID to identify themselves. The source ID is part of the IPFIX template and data exchange. Prior to logging any events, an IPSec device MUST send the template of the record to the collector to advertise the format of the data record that it is using to send the events. The templates can be exchanged as frequently as required given the reliability of the connection. There SHOULD be a configurable timer for controlling the template refresh. IPSec device SHOULD combine as many events as possible in a single packet to effectively utilize the network bandwidth. Alexander, et al. Expires May 24, 2015 [Page 14] Internet-Draft IPSec-Logging November 2014 8. Acknowledgements TBD 9. IANA Considerations 9.1. General Information Elements 9.1.1. timestamp Description: Contains the timestamp of the flow record Abstract Data Type: unsigned64 ElementId: 323 Semantics: identifier 9.1.2. 
sessCreatetimeStamp Description: Used to track when the session was created especially if its a update flow Abstract Data Type: unsigned64 ElementId: TBD02 Semantics: identifier 9.1.3. interfaceId Description: Used to uniquely identify the interface identifier used on the system/device for IKE session Abstract Data Type: unsigned32 ElementId: TBD04 Semantics: identifier 9.1.4. eventReason Description: Reason for session delete or create / update. Example reason for sesion delete could be "Administrator reset" As its a Alexander, et al. Expires May 24, 2015 [Page 15] Internet-Draft IPSec-Logging November 2014 unsigned8 data type, we will use a eventreason id to name mapping. Example: 1 -> Delete by DPD Failure 2 -> Administrator Reset Abstract Data Type: unsigned8 ElementId: TBD21 Semantics: identifier 9.2. IKE Information Elements 9.2.1. ikeEvent Description: Contains the IKE Event Type 1=start, 2=update , 3=delete Abstract Data Type: unsigned8 ElementId: TBD01 Semantics: identifier 9.2.2. ikeSessionId Description: Its the session id used by IKE that will be used to uniquely identify a IKE session and can be correlate from an IPsec SA. A value of 0 is used for manual keying. Abstract Data Type: unsigned32 ElementId: TBD03 Semantics: identifier 9.2.3. ikeTunLocalIdType Description: Contains the IKE ID Type by the local device - FQDN, addr. Will use the same as per the IKE RFC Abstract Data Type: unsigned8 ElementId: TBD05 Semantics: identifier Alexander, et al. Expires May 24, 2015 [Page 16] Internet-Draft IPSec-Logging November 2014 9.2.4. ikeTunLocalId Description: Local identity to be used for the IKE session: ip addr, FQDN Abstract Data Type: str ElementId: TBD06 Semantics: identifier 9.2.5. ikeTunLocalIPAddr* Description: ikeTunLocalIPv4Addr or ikeTunLocalIPv6Addr depending on whether its a IPv4 or IPv6. IP address used by the local IKE device. It will be either a IPv4 or a IPv6 address. Abstract Data Type: var ElementId: TBD07 Semantics: identifier 9.2.6. 
ikeTunLocalName Description: A descriptive name given to identify the tunnel. Its locally signficant and not used for IKE negotiation purposes Abstract Data Type: str ElementId: TBD10 Semantics: identifier 9.2.7. ikeTunRemoteIdType Description: Contains the IKE ID Type by the remote peer - FQDN, ip addr etc. Will use the same as per the IKE RFC Abstract Data Type: unsigned8 ElementId: TBD11 Semantics: identifier Alexander, et al. Expires May 24, 2015 [Page 17] Internet-Draft IPSec-Logging November 2014 9.2.8. ikeTunRemoteId Description: Remote identity to be used for the IKE session: ip addr, FQDN Abstract Data Type: var ElementId: TBD12 Semantics: identifier 9.2.9. ikeTunRemoteIPAddr* Description: exactlyOneOf (ikeTunRemoteIPv4Addr, ikeTunRemoteIPv6Addr). IP address used by the local IKE device. It will be either a IPv4 or a IPv6 address, thus a exactlyOneOf method is used to derive that. Abstract Data Type: var ElementId: TBD13 Semantics: identifier 9.2.10. ikeTunRemoteName Description: A logical name used to identify the remote VPN peer. Is locally significant and not used in any IKE negotiation. Abstract Data Type: str ElementId: TBD16 Semantics: identifier 9.2.11. ikeTunTransform Description: Transform used for IKE sa. Its based on RFC5996 3.3.2 IKE encoding : DH, encryption algo, hash, PRF. IKE encoding is used so that collectors can easily understand this. Abstract Data Type: ike-encoding ElementId: TBD17 - Possible use of Structured Data Type such as subTemplateList/SubTemplateMultiList Alexander, et al. Expires May 24, 2015 [Page 18] Internet-Draft IPSec-Logging November 2014 Semantics: identifier 9.2.12. ikeTunLocalAuthMethod Description: Authentication method used by local device - pre-shared key, certificate, EAP Values: 1=PSK, 2=certificate, 3=EAP Abstract Data Type: unsigned8 ElementId: TBD18 Semantics: identifier 9.2.13. 
ikeTunRemoteAuthMethod Description: Authentication method used by remote peer- pre-shared key, certificate, EAP Values: 1=PSK, 2=certificate, 3=EAP Abstract Data Type: unsigned8 ElementId: TBD19 Semantics: identifier 9.2.14. ikeTunLifeTime Description: IKE SA lifetime in seconds Abstract Data Type: unsigned32 ElementId: TBD20 Semantics: identifier 9.2.15. ikeDPDSent Description: IKE Dead peer detection (DPD) packets sent Abstract Data Type: unsigned32 Alexander, et al. Expires May 24, 2015 [Page 19] Internet-Draft IPSec-Logging November 2014 ElementId: TBD22 Semantics: identifier 9.2.16. ikeDPDRcvd Description: IKE Dead peer detection (DPD) packets received Abstract Data Type: unsigned32 ElementId: TBD23 Semantics: identifier 9.2.17. ikePktsTX Description: Number of IKE packets sent Abstract Data Type: unsigned32 ElementId: TBD24 Semantics: identifier 9.2.18. ikePktsRX Description: Number of IKE packets received Abstract Data Type: unsigned32 ElementId: TBD25 Semantics: identifier 9.2.19. ikeRetransTX Description: IKE Retransmitted Abstract Data Type: unsigned32 ElementId: TBD26 Semantics: identifier Alexander, et al. Expires May 24, 2015 [Page 20] Internet-Draft IPSec-Logging November 2014 9.2.20. ikeRetransRX Description: IKE Retransmitted Abstract Data Type: unsigned32 ElementId: TBD27 Semantics: identifier 9.2.21. ikeDecryptFailed Description: Number of IKE packets where the payload decryption failed Abstract Data Type: unsigned32 ElementId: TBD28 Semantics: identifier 9.2.22. ikeEncryptFailed Description: Number of IKE packets where the payload encryption failed Abstract Data Type: unsigned32 ElementId: TBD29 Semantics: identifier 9.2.23. ikeInvalidPayload Description: Number of packets received where the IKE payload was invalid Abstract Data Type: unsigned32 ElementId: TBD30 Semantics: identifier Alexander, et al. Expires May 24, 2015 [Page 21] Internet-Draft IPSec-Logging November 2014 9.2.24. 
9.2.24.  ikeFragFailed

   Description: Number of IKE packets that failed due to fragmentation.

   Abstract Data Type: unsigned32

   ElementId: TBD31

   Semantics: identifier

9.3.  IPSec Information Elements

9.3.1.  ipsecEvent

   Description: The IPsec event type: 1=start, 2=update, 3=delete.

   Abstract Data Type: unsigned8

   ElementId: TBD32

   Semantics: identifier

9.3.2.  ipsecTunSessionId

   Description: Identifier used to uniquely identify an IPsec SA.

   Abstract Data Type: ipv6Address

   ElementId: TBD34

   Semantics: identifier

9.3.3.  ipsecProxySrcType

   Description: Type of the source proxy identity (traffic selector) used by the IPsec SA.

   Abstract Data Type: unsigned8

   ElementId: TBD35

   Semantics: identifier

9.3.4.  ipSecDirection

   Description: Direction of the IPsec SA: 1=Inbound, 2=Outbound.

   Abstract Data Type: unsigned8

   ElementId: TBD37 (possible reuse of flowDirection (61))

   Semantics: identifier

9.3.5.  ipSecFrontVrfName

   Description: Name of the VRF in which the packet is forwarded after IPsec encapsulation.

   Abstract Data Type: string

   ElementId: TBD38

   Semantics: identifier

9.3.6.  ipSecInsideVrfName

   Description: Name of the VRF in which the cleartext packet resides before IPsec encapsulation or after decryption.

   Abstract Data Type: string

   ElementId: TBD39

   Semantics: identifier

9.3.7.  ipSecTunLifeSize

   Description: The data-volume-based lifetime of the IPsec SA, measured in bytes.

   Abstract Data Type: unsigned32

   ElementId: TBD40

   Semantics: identifier

9.3.8.  ipSecTunLifeTime

   Description: The IPsec SA lifetime, measured in seconds.

   Abstract Data Type: unsigned32

   ElementId: TBD41

   Semantics: identifier

9.3.9.  ipSecTunEncapMode

   Description: Encapsulation mode used: 1=Tunnel, 2=Transport.

   Abstract Data Type: unsigned8

   ElementId: TBD42

   Semantics: identifier

9.3.10.  ipSecTunSaTransform

   Description: IPsec transforms used for encryption, Diffie-Hellman group and authentication (integrity).
   Encoded as IKE Transform Substructures (RFC 5996, Section 3.3.2).

   Abstract Data Type: IKE

   ElementId: TBD43

   Semantics: identifier

9.3.11.  ipSecTunSaCompAlgo

   Description: Compression algorithm used.

   Abstract Data Type: IKE

   ElementId: TBD44

   Semantics: identifier

9.3.12.  ipSecTrafficSelector

   Description: Defines the local and remote traffic selectors for encryption.  Encoded as IKE Traffic Selector substructures (RFC 5996, Section 3.13.1).

   Abstract Data Type: IKE

   ElementId: TBD45

   Semantics: identifier

9.3.13.  ipsecPktCount

   Description: The number of packets encrypted or decrypted through this IPsec SA.

   Abstract Data Type: unsigned64

   ElementId: TBD47

   Semantics: identifier

9.3.14.  ipsecPktComp

   Description: The number of packets compressed.

   Abstract Data Type: unsigned64

   ElementId: TBD48

   Semantics: identifier

9.3.15.  ipsecPktDecomp

   Description: The number of packets decompressed.

   Abstract Data Type: unsigned64

   ElementId: TBD49

   Semantics: identifier

9.3.16.  ipsecByteCount

   Description: The number of bytes carried over this IPsec SA.

   Abstract Data Type: unsigned64

   ElementId: TBD50

   Semantics: identifier

9.3.17.  ipsecReplayErrors

   Description: The number of anti-replay check failures.

   Abstract Data Type: unsigned32

   ElementId: TBD51

   Semantics: identifier

9.3.18.  ipsecReplayRollover

   Description: The number of IPsec anti-replay sequence-number rollovers.

   Abstract Data Type: unsigned32

   ElementId: TBD52

   Semantics: identifier

9.3.19.  ipsecMacErrors

   Description: The number of MAC (integrity check) authentication errors.

   Abstract Data Type: unsigned32

   ElementId: TBD53

   Semantics: identifier

9.3.20.  ipsecRecvdPktNotIpsec

   Description: The number of packets received in the clear that security policy required to be IPsec-protected.

   Abstract Data Type: unsigned32

   ElementId: TBD54

   Semantics: identifier
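ikeTunTransform (Section 9.2.11), ipSecTunSaTransform (Section 9.3.10) and ipSecTrafficSelector (Section 9.3.12) reuse the IKEv2 wire encoding so that a collector can parse them with the same code it would use for an IKE packet.  The following Python is an added example, not part of this draft or of any IKE implementation: it decodes a chain of Transform Substructures (RFC 5996, Sections 3.3.2 and 3.3.5, including the TV-format Key Length attribute) and a sequence of Traffic Selector substructures (Section 3.13.1), and then applies a simple policy check that flags legacy transforms.  The sample byte strings are constructed for the example, the algorithm name table is a small subset of the IANA IKEv2 registry, and the set of "weak" transforms is a policy choice, not something the draft defines.

```python
"""Decode the IKE-encoded values carried in ikeTunTransform,
ipSecTunSaTransform and ipSecTrafficSelector (RFC 5996 3.3.2, 3.3.5, 3.13.1).
Added example; name tables are a subset of the IANA IKEv2 registries."""
import ipaddress
import struct

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
TRANSFORM_IDS = {   # unknown IDs are left numeric
    "ENCR": {3: "ENCR_3DES", 12: "ENCR_AES_CBC", 20: "ENCR_AES_GCM_16"},
    "PRF": {2: "PRF_HMAC_SHA1", 5: "PRF_HMAC_SHA2_256"},
    "INTEG": {2: "AUTH_HMAC_SHA1_96", 12: "AUTH_HMAC_SHA2_256_128"},
    "DH": {2: "MODP_1024", 14: "MODP_2048", 19: "ECP_256"},
    "ESN": {0: "NO_ESN", 1: "ESN"},
}
ATTR_KEY_LENGTH = 14                     # transform attribute type "Key Length"
TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE = 7, 8
WEAK = {"ENCR_3DES", "MODP_1024"}        # assumed local policy, not from the draft


def decode_transforms(buf):
    """Parse a chain of Transform Substructures into a list of dicts."""
    out, off = [], 0
    while True:
        if len(buf) - off < 8:
            raise ValueError("truncated transform header")
        more, _r1, tlen, ttype, _r2, tid = struct.unpack_from("!BBHBBH", buf, off)
        if tlen < 8 or off + tlen > len(buf):
            raise ValueError("bad transform length %d" % tlen)
        attrs, p, end = {}, off + 8, off + tlen
        while p < end:
            if end - p < 4:
                raise ValueError("truncated transform attribute")
            af_type, value = struct.unpack_from("!HH", buf, p)
            atype = af_type & 0x7FFF
            if af_type & 0x8000:             # TV format: 16-bit value in place
                attrs[atype] = value
                p += 4
            else:                            # TLV format: 'value' is a length
                attrs[atype] = buf[p + 4:p + 4 + value]
                p += 4 + value
        if p != end:
            raise ValueError("attribute overruns transform")
        tname = TRANSFORM_TYPES.get(ttype, "type%d" % ttype)
        entry = {"type": tname, "id": TRANSFORM_IDS.get(tname, {}).get(tid, tid)}
        if ATTR_KEY_LENGTH in attrs:
            entry["key_length"] = attrs[ATTR_KEY_LENGTH]
        out.append(entry)
        off = end
        if more == 0:                        # 0 = last substructure, 3 = more follow
            break
        if more != 3:
            raise ValueError("bad 'more transforms' flag %d" % more)
    if off != len(buf):
        raise ValueError("trailing bytes after last transform")
    return out


def weak_transforms(transforms):
    """Transforms the assumed policy rejects: legacy algorithms or <128-bit keys."""
    return [t for t in transforms
            if t["id"] in WEAK or (t["type"] == "ENCR" and t.get("key_length", 128) < 128)]


def decode_traffic_selectors(buf):
    """Parse concatenated Traffic Selector substructures."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated traffic selector")
        ts_type, proto, sel_len, sport, eport = struct.unpack_from("!BBHHH", buf, off)
        if ts_type == TS_IPV4_ADDR_RANGE:
            alen, cls = 4, ipaddress.IPv4Address
        elif ts_type == TS_IPV6_ADDR_RANGE:
            alen, cls = 16, ipaddress.IPv6Address
        else:
            raise ValueError("unknown TS type %d" % ts_type)
        if sel_len != 8 + 2 * alen or off + sel_len > len(buf):
            raise ValueError("bad selector length %d" % sel_len)
        out.append({"protocol": proto, "start_port": sport, "end_port": eport,
                    "start": cls(buf[off + 8:off + 8 + alen]),
                    "end": cls(buf[off + 8 + alen:off + sel_len])})
        off += sel_len
    return out


# Constructed sample IE values (hex, whitespace ignored by bytes.fromhex):
# AES-CBC-256 / PRF-HMAC-SHA2-256 / HMAC-SHA2-256-128 / DH group 14.
SAMPLE_IKE_TRANSFORM = bytes.fromhex(
    "0300000c 0100000c 800e0100"   # ENCR id 12, Key Length attribute = 256
    "03000008 02000005"            # PRF id 5
    "03000008 0300000c"            # INTEG id 12
    "00000008 0400000e")           # DH id 14, last substructure
# 3DES / HMAC-SHA1 / HMAC-SHA1-96 / DH group 2: a legacy proposal.
SAMPLE_LEGACY_TRANSFORM = bytes.fromhex(
    "03000008 01000003" "03000008 02000002" "03000008 03000002" "00000008 04000002")
SAMPLE_TRAFFIC_SELECTORS = bytes.fromhex(
    "07000010 0000ffff 0a010000 0a01ffff"   # local: 10.1.0.0-10.1.255.255, any proto/port
    "07060010 01bb01bb c0a8050a c0a8050a")  # remote: 192.168.5.10 TCP/443
```

A collector would call decode_transforms on the ikeTunTransform or ipSecTunSaTransform value and decode_traffic_selectors on ipSecTrafficSelector; the decoders reject truncated or inconsistent lengths with ValueError instead of reading past the record, which matters when the exporter is untrusted or the IPFIX transport has been corrupted.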
9.3.21.  ipsecRecvdPktInvalidId

   Description: The number of received packets that, after decryption, did not match the traffic selector of the IPsec SA.

   Abstract Data Type: unsigned32

   ElementId: TBD55

   Semantics: identifier

9.3.22.  ipsecPktCompFailed

   Description: The number of packets for which compression failed.

   Abstract Data Type: unsigned32

   ElementId: TBD56

   Semantics: identifier

9.3.23.  ipsecPktDecompFailed

   Description: The number of packets for which decompression failed.

   Abstract Data Type: unsigned32

   ElementId: TBD57

   Semantics: identifier

10.  Security Considerations

   The Information Elements defined in this document export IKE and IPsec control-plane metadata: peer identities and addresses, authentication methods, negotiated transforms, traffic selectors, VRF names and per-SA counters.  This data reveals which hosts and applications are protected and how, and should be treated as sensitive in its own right.  The security considerations of the IPFIX protocol [RFC7011], including the use of TLS or DTLS to provide confidentiality, integrity and mutual authentication between Exporting and Collecting Processes, apply to its transport.  No Information Element in this document carries keying material.  Error counters such as ikeDecryptFailed, ikeInvalidPayload, ipsecMacErrors, ipsecReplayErrors, ipsecRecvdPktNotIpsec and ipsecRecvdPktInvalidId are indicators of misconfiguration or of attack against the IPsec peers and are intended to be monitored by the Collector.

11.  Acknowledgements

   We would like to thank Paul Aitken and Senthil Sivakumar for their detailed review and feedback on early versions of this document.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.

   [RFC5996]  Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 5996, September 2010.

12.2.  Informative References

   [IPFIX-IANA]  IANA, "IPFIX Information Elements registry".

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

   [RFC5101]  Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.

   [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", RFC 5470, March 2009.

   [RFC7011]  Claise, B., Trammell, B., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, September 2013.
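The following Python is an added worked example of how the Section 9.3 elements travel inside an IPFIX message; it is not part of this draft and not an exporter or collector implementation.  It builds an IPFIX message [RFC7011] consisting of a Template Set (Set ID 2) that declares a subset of the IPsec Information Elements as enterprise-specific elements, and a Data Set carrying two records for one SA (a start event and a later update), then decodes the message back into records.  Because the ElementIds are still TBD, the example uses the draft's TBDnn numbers as placeholder element ids under Private Enterprise Number 32473, which RFC 5612 reserves for documentation; a real exporter would use IANA-assigned ids or its own PEN.  ipsecTunSessionId is encoded as the 16-octet ipv6Address type the draft specifies, ipSecInsideVrfName as a variable-length string, and the counters as fixed-width unsigned integers.  The sample records, export time and observation domain are constructed.

```python
"""Encode and decode an IPFIX message (RFC 7011) carrying this draft's IPsec
Information Elements as enterprise-specific elements.  Added example."""
import ipaddress
import struct

PEN_DOC = 32473      # Private Enterprise Number reserved for documentation (RFC 5612)
VARLEN = 0xFFFF      # IPFIX variable-length field marker
TEMPLATE_ID = 256    # data set ids >= 256 refer to a template

# (name, element id, field length).  Element ids reuse the draft's TBDnn
# numbers as placeholders only; they are not IANA-assigned.
IPSEC_FIELDS = [
    ("ipsecEvent", 32, 1), ("ipsecTunSessionId", 34, 16),
    ("ipSecDirection", 37, 1), ("ipSecTunEncapMode", 42, 1),
    ("ipSecTunLifeTime", 41, 4), ("ipsecPktCount", 47, 8),
    ("ipsecByteCount", 50, 8), ("ipsecReplayErrors", 51, 4),
    ("ipsecMacErrors", 53, 4), ("ipsecRecvdPktNotIpsec", 54, 4),
    ("ipSecInsideVrfName", 39, VARLEN),
]
NAMES = {(PEN_DOC, eid): name for name, eid, _ in IPSEC_FIELDS}


def encode_template_set(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    for _name, eid, flen in fields:
        # Enterprise bit 0x8000 set: a 4-octet PEN follows the field length.
        body += struct.pack("!HHI", 0x8000 | eid, flen, PEN_DOC)
    return struct.pack("!HH", 2, 4 + len(body)) + body


def encode_value(flen, value):
    if flen == VARLEN:                       # 1-octet length prefix for < 255 octets
        raw = value.encode()
        if len(raw) >= 255:
            raise ValueError("3-octet variable-length form not implemented")
        return bytes([len(raw)]) + raw
    if flen == 16:
        return ipaddress.IPv6Address(value).packed
    return int(value).to_bytes(flen, "big")


def encode_data_set(template_id, fields, records):
    body = b"".join(encode_value(flen, rec[name])
                    for rec in records for name, _eid, flen in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def encode_message(sets, export_time, seq, obs_domain):
    payload = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(payload), export_time, seq, obs_domain) + payload


def decode_message(data, names=NAMES):
    """Decode templates and data records from one IPFIX message."""
    version, length, _time, _seq, _dom = struct.unpack_from("!HHIII", data, 0)
    if version != 10 or length != len(data):
        raise ValueError("bad IPFIX message header")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", data, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        end, p = off + set_len, off + 4
        if set_id == 2:                      # Template Set
            while end - p >= 4:
                tid, count = struct.unpack_from("!HH", data, p); p += 4
                fields = []
                for _ in range(count):
                    eid, flen = struct.unpack_from("!HH", data, p); p += 4
                    pen = 0
                    if eid & 0x8000:
                        (pen,) = struct.unpack_from("!I", data, p); p += 4
                    fields.append((pen, eid & 0x7FFF, flen))
                templates[tid] = fields
        elif set_id >= 256:                  # Data Set (other set ids are skipped)
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError("data set %d without template" % set_id)
            min_len = sum(1 if f == VARLEN else f for _pen, _eid, f in fields)
            while end - p >= min_len:        # stop at trailing padding
                rec = {}
                for pen, eid, flen in fields:
                    if flen == VARLEN:
                        n = data[p]; val = data[p + 1:p + 1 + n].decode(); p += 1 + n
                    elif flen == 16:
                        val = str(ipaddress.IPv6Address(data[p:p + 16])); p += 16
                    else:
                        val = int.from_bytes(data[p:p + flen], "big"); p += flen
                    rec[names.get((pen, eid), "pen%d/ie%d" % (pen, eid))] = val
                records.append(rec)
        off = end
    return records


SESSION = "2001:db8::1"   # constructed SA identifier in the draft's ipv6Address type
SAMPLE_RECORDS = [        # constructed: SA start, then an update with integrity errors
    {"ipsecEvent": 1, "ipsecTunSessionId": SESSION, "ipSecDirection": 1, "ipSecTunEncapMode": 1,
     "ipSecTunLifeTime": 3600, "ipsecPktCount": 0, "ipsecByteCount": 0, "ipsecReplayErrors": 0,
     "ipsecMacErrors": 0, "ipsecRecvdPktNotIpsec": 0, "ipSecInsideVrfName": "corp"},
    {"ipsecEvent": 2, "ipsecTunSessionId": SESSION, "ipSecDirection": 1, "ipSecTunEncapMode": 1,
     "ipSecTunLifeTime": 3600, "ipsecPktCount": 120345, "ipsecByteCount": 98000000,
     "ipsecReplayErrors": 3, "ipsecMacErrors": 17, "ipsecRecvdPktNotIpsec": 0, "ipSecInsideVrfName": "corp"},
]


def build_sample_message():
    sets = [encode_template_set(TEMPLATE_ID, IPSEC_FIELDS),
            encode_data_set(TEMPLATE_ID, IPSEC_FIELDS, SAMPLE_RECORDS)]
    return encode_message(sets, export_time=1416441600, seq=0, obs_domain=1)  # 2014-11-20 UTC
```

The template precedes the data in the same message, so decode_message needs no prior state; a production collector must instead cache templates per Observation Domain and transport session, as RFC 7011 requires, and will see the data set before the template if the exporter sends them in separate messages.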
Authors' Addresses

   Tom Alexander
   Cisco Systems, Inc.
   Email: thalexan@cisco.com

   Frederic Detienne
   Cisco Systems, Inc.
   Email: fd@cisco.com

   Sandeep Rao
   Cisco Systems, Inc.
   Email: rsandeep@cisco.com

   Thamilarasu Kandasamy
   Cisco Systems, Inc.
   Email: thamil@cisco.com