idnits 2.17.1 draft-sivakumar-behave-nat-logging-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 14, 2013) is 4119 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'IPFIX-IANA' is mentioned on line 121, but not defined == Unused Reference: 'NAT-EVENT-LOG-IANA' is defined on line 549, but no explicit reference was found in the text == Unused Reference: 'RFC5101' is defined on line 553, but no explicit reference was found in the text == Unused Reference: 'RFC5102' is defined on line 557, but no explicit reference was found in the text == Unused Reference: 'RFC5470' is defined on line 561, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2663 -- Obsolete informational reference (is this intentional?): RFC 5101 (Obsoleted by RFC 7011) -- Obsolete informational reference (is this intentional?): RFC 5102 (Obsoleted by RFC 7012) Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Behave S. Sivakumar 3 Internet-Draft R. Penno 4 Intended status: Standards Track Cisco Systems 5 Expires: July 18, 2013 January 14, 2013 7 IPFIX Information Elements for logging NAT Events 8 draft-sivakumar-behave-nat-logging-06 10 Abstract 12 NAT devices are required to log events like creation and deletion of 13 translations and information about the resources it is managing. 14 With the wide deployment of Carrier Grade NAT (CGN) devices, the 15 logging of events have become very important for legal purposes. The 16 logs are required in many cases to identify an attacker or a host 17 that was used to launch malicious attacks and/or for various other 18 purposes of accounting. Since there is no standard way of logging 19 this information, different NAT devices behave differently and hence 20 it is difficult to expect a consistent behavior. The lack of a 21 consistent way makes it difficult to write the collector applications 22 that would receive this data and process it to present useful 23 information. This document describes the information that is 24 required to be logged by the NAT devices. 26 Status of this Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on July 18, 2013. 43 Copyright Notice 45 Copyright (c) 2013 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 62 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 63 3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 4. Event based logging . . . . . . . . . . . . . . . . . . . . . 4 65 4.1. Information Elements . . . . . . . . . . . . . . . . . . . 4 66 4.2. Definition of NAT Events . . . . . . . . . . . . . . . . . 7 67 4.3. Quota exceeded - Sub Event types . . . . . . . . . . . . . 8 68 4.4. Templates for NAT Events . . . . . . . . . . . . . . . . . 8 69 4.4.1. NAT44 create and delete session event . . . . . . . . 8 70 4.4.2. NAT64 create and delete session event . . . . . . . . 9 71 4.4.3. NAT44 BIB create and delete event . . . . . . . . . . 10 72 4.4.4. NAT64 BIB create and delete event . . . . . . . . . . 10 73 4.4.5. Addresses Exhausted event . . . . . . . . . . . . . . 10 74 4.4.6. Ports Exhausted event . . . . . . . . . . . . . . . . 11 75 4.4.7. Quota exceeded . . . . . . . . . . . . . . . . . . . . 11 76 4.4.8. Address Binding . . . . . . . . . . . . . . . . . . . 12 77 4.4.9. Port block allocation and de-allocation . . . . . . . 12 78 5. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 79 5.1. IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . . 13 80 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 81 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 82 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13 83 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 84 9.1. Normative References . . . . . . . . . . . . . . . . . . . 13 85 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 88 1. Terminology 90 The usage of the term "NAT device" in this document refer to any 91 NAT44 and NAT64 devices. The usage of the term "collector" refers to 92 any device that receives the binary data from a NAT device and 93 converts that into meaningful information. This document uses the 94 term "Session" as it is defined in [RFC2663] and the term BIB as it 95 is defined in [RFC6146] 97 2. Introduction 99 This document details the IPFIX Information Elements(IEs) that are 100 required for logging by a NAT device. The document will specify the 101 format of the IE's that are required to be logged by the NAT device 102 and all the optional fields. The fields specified in this document 103 are gleaned from [RFC4787] and [RFC5382]. 105 2.1. Requirements Language 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 109 document are to be interpreted as described in [RFC2119]. 111 3. Scope 113 This document provides the information model to be used for logging 114 the NAT devices including Carrier Grade NAT (CGN) events. This 115 document focuses exclusively on the specification of IPFIX IE's. 116 This document does not provide guidance on the transport protocol 117 like TCP, UDP or SCTP that is to be used to log NAT events. The log 118 events SHOULD NOT be lost but the choice of the actual transport 119 protocol is beyond the scope of this document. 121 The existing IANA IPFIX Information Elements registry [IPFIX-IANA] 122 already has assignments for many NAT logging events. For 123 convenience, this document uses those same Information Elements. 124 However, as stated earlier, this document is not defining IPFIX or 125 Netflow 9 as the framework for logging. Rather, the information 126 contained in these elements is within the scope of this document. 128 This document assumes that the NAT device will use the existing IPFIX 129 framework to send the log events to the collector. This would mean 130 that the NAT device will specify the template that it is going to use 131 for each of the events. The templates can be of varying length and 132 there could be multiple templates that a NAT device could use to log 133 the events. 135 The implementation details of the collector application is beyond the 136 scope of this document. 138 The optimization of logging the NAT events are left to the 139 implementation and are beyond the scope of this document. 141 4. Event based logging 143 An event in a NAT device can be viewed as a happening as it relates 144 to the management of NAT resources. The creation and deletion of NAT 145 sessions and bindings are examples of events as it results in the 146 resources (addresses and ports) being allocated or freed. The events 147 can happen either through the processing of data packets flowing 148 through the NAT device or through an external entity installing 149 policies on the NAT router or as a result of an asynchronous event 150 like a timer. The list of events are provided in Section 4.1. Each 151 of these events SHOULD be logged, unless they are administratively 152 prohibited. A NAT device MAY log these events to multiple collectors 153 if redundancy is required. The network administrator will specify 154 the collectors to which the log records are to be sent. 156 A collector may receive NAT events from multiple CGN devices and 157 should be able to distinguish between the devices. Each CGN device 158 should have a unique source ID to identify themselves. The source ID 159 is part of the IPFIX template and data exchange. 161 Prior to logging any events, the NAT device MUST send the template of 162 the record to the collector to advertise the format of the data 163 record that it is using to send the events. The templates can be 164 exchanged as frequently as required given the reliability of the 165 connection. There SHOULD be a configurable timer for controlling the 166 template refresh. NAT device SHOULD combine as many events as 167 possible in a single packet to effectively utilize the network 168 bandwidth. 170 4.1. Information Elements 172 The templates could contain a subset of the Information Elements(IEs) 173 shown in Table 1 depending upon the event being logged. For example 174 a NAT44 session creation template record will contain, 176 {sourceIPv4Adress, postNATSourceIPv4Address, destinationIpv4Address, 177 postNATDestinationIPv4Address, sourceTransportPort, 178 postNAPTSourceTransportPort, destinationTransportPort, 179 postNAPTDestTransportPort, natOriginatingAddressRealm, natEvent, 180 timeStamp} 181 An example of the actual event data record is shown below - in a 182 readable form 184 {192.168.16.1, 201.1.1.100, 207.85.231.104, 207.85.231.104, 14800, 185 1024, 80, 80, 0, 1, 09:20:10:789} 187 A single NAT device could be exporting multiple templates and the 188 collector should support receiving multiple templates from the same 189 source. 191 The following is the table of all the IE's that a CGN device would 192 need to export the events. The formats of the IE's and the IPFIX IDs 193 are listed below. 195 +----------------------------------+--------+-------+---------------+ 196 | Field Name | Size | IANA | Description | 197 | | (bits) | IPFIX | | 198 | | | ID | | 199 +----------------------------------+--------+-------+---------------+ 200 | timeStamp | 64 | 323 | System Time | 201 | | | | when the | 202 | | | | event | 203 | | | | occured. | 204 | vlanID | 16 | 58 | VLAN ID in | 205 | | | | case of | 206 | | | | overlapping | 207 | | | | networks | 208 | ingressVRFID | 32 | 234 | VRF ID in | 209 | | | | case of | 210 | | | | overlapping | 211 | | | | networks | 212 | sourceIPv4Address | 32 | 8 | Source IPv4 | 213 | | | | Address | 214 | postNATSourceIPv4Address | 32 | 225 | Translated | 215 | | | | Source IPv4 | 216 | | | | Address | 217 | protocolIdentifier | 8 | 4 | Transport | 218 | | | | protocol | 219 | sourceTransportPort | 16 | 7 | Source Port | 220 | postNAPTsourceTransportPort | 16 | 227 | Translated | 221 | | | | Source port | 222 | destinationIPv4Address | 32 | 12 | Destination | 223 | | | | IPv4 Address | 224 | postNATDestinationIPv4Address | 32 | 226 | Translated | 225 | | | | IPv4 | 226 | | | | destination | 227 | | | | address | 228 | destinationTransportPort | 16 | 11 | Destination | 229 | | | | port | 230 | postNAPTdestinationTransportPort | 16 | 228 | Translated | 231 | | | | Destination | 232 | | | | port | 233 | sourceIPv6Address | 27 | 128 | Source IPv6 | 234 | | | | address | 235 | destinationIPv6Address | 128 | 28 | Destination | 236 | | | | IPv6 address | 237 | postNATSourceIPv6Address | 128 | 281 | Translated | 238 | | | | source IPv6 | 239 | | | | addresss | 240 | postNATDestinationIPv6Address | 128 | 282 | Translated | 241 | | | | Destination | 242 | | | | IPv6 address | 243 | natOriginatingAddressRealm | 8 | 229 | Address Realm | 244 | natEvent | 8 | 230 | Type of Event | 245 | portRangeStart | 16 | 361 | Allocated | 246 | | | | port block | 247 | | | | start | 248 | portRangeEnd | 16 | 362 | Allocated | 249 | | | | Port block | 250 | | | | end | 251 | portRangeStepSize | 16 | 363 | Step size of | 252 | | | | next port | 253 | portRangeNumPorts | 16 | 364 | Number of | 254 | | | | ports | 255 +----------------------------------+--------+-------+---------------+ 257 Table 1: Template format Table 259 4.2. Definition of NAT Events 261 The following are the list of NAT events and the proposed event 262 values. The list can be expanded in the future as necessary. The 263 data record will have the corresponding natEvent value to identify 264 the event that is being logged. 266 +--------------------------+--------+ 267 | Event Name | Values | 268 +--------------------------+--------+ 269 | NAT44 Session create | 1 | 270 | NAT44 Session delete | 2 | 271 | NAT Addresses exhausted | 3 | 272 | NAT64 Session create | 4 | 273 | NAT64 Session delete | 5 | 274 | NAT44 BIB create | 6 | 275 | NAT44 BIB delete | 7 | 276 | NAT64 BIB create | 8 | 277 | NAT64 BIB delete | 9 | 278 | NAT ports exhausted | 10 | 279 | Quota exceeded | 11 | 280 | Address Binding | 12 | 281 | Port block allocation | 13 | 282 | Port block de-allocation | 14 | 283 +--------------------------+--------+ 284 Table 2: NAT Event ID table 286 4.3. Quota exceeded - Sub Event types 288 The following table shows the sub event types for the Quota exceeded 289 event 291 +---------------------------+--------+ 292 | Quota Exceeded Event Name | Values | 293 +---------------------------+--------+ 294 | Max Session entries | 1 | 295 | Max BIB entries | 2 | 296 | Max entries per user | 3 | 297 +---------------------------+--------+ 299 Table 3: Sub Event ID table 301 4.4. Templates for NAT Events 303 The following is the template of events that will have to logged. 304 The events below are identified at the time of this writing but the 305 events are expandable. Depending on the implementation and 306 configuration various IE's specified can be included or ignored. 308 4.4.1. NAT44 create and delete session event 310 This event will be generated when a NAT44 session is created or 311 deleted. The template will be the same, the natEvent will indicate 312 whether it is a create or a delete event. The following is a 313 template of the event. 315 +----------------------------------+-------------+-----------+ 316 | Field Name | Size (bits) | Mandatory | 317 +----------------------------------+-------------+-----------+ 318 | timeStamp | 64 | Yes | 319 | vlanID/ingressVRFID | 32 | No | 320 | sourceIPv4Address | 32 | Yes | 321 | postNATSourceIPv4Address | 32 | Yes | 322 | protocolIdentifier | 8 | Yes | 323 | sourceTransportPort | 16 | Yes | 324 | postNAPTsourceTransportPort | 16 | Yes | 325 | destinationIPv4Address | 32 | No | 326 | postNATDestinationIPv4Address | 32 | No | 327 | destinationTransportPort | 16 | No | 328 | postNAPTdestinationTransportPort | 16 | No | 329 | natOriginatingAddressRealm | 8 | No | 330 | natEvent | 8 | Yes | 331 +----------------------------------+-------------+-----------+ 333 Table 4: NAT44 Session delete/create template 335 4.4.2. NAT64 create and delete session event 337 This event will be generated when a NAT64 session is created. The 338 following is a template of the event. 340 +----------------------------------+-------------+-----------+ 341 | Field Name | Size (bits) | Mandatory | 342 +----------------------------------+-------------+-----------+ 343 | timeStamp | 64 | Yes | 344 | vlanID/ingressVRFID | 32 | No | 345 | sourceIPv6Address | 128 | Yes | 346 | postNATSourceIPv4Address | 32 | Yes | 347 | protocolIdentifier | 8 | Yes | 348 | sourceTransportPort | 16 | Yes | 349 | postNAPTsourceTransportPort | 16 | Yes | 350 | destinationIPv6Address | 128 | No | 351 | postNATDestinationIPv4Address | 32 | No | 352 | destinationTransportPort | 16 | No | 353 | postNAPTdestinationTransportPort | 16 | No | 354 | natOriginatingAddressRealm | 8 | No | 355 | natEvent | 8 | Yes | 356 +----------------------------------+-------------+-----------+ 358 Table 5: NAT64 session create/delete event template 360 4.4.3. NAT44 BIB create and delete event 362 This event will be generated when a NAT44 Bind entry is created. The 363 following is a template of the event. 365 +-----------------------------+-------------+-----------+ 366 | Field Name | Size (bits) | Mandatory | 367 +-----------------------------+-------------+-----------+ 368 | timeStamp | 64 | Yes | 369 | vlanID/ingressVRFID | 32 | No | 370 | sourceIPv4Address | 32 | Yes | 371 | postNATSourceIPv4Address | 32 | Yes | 372 | protocolIdentifier | 8 | No | 373 | sourceTransportPort | 16 | No | 374 | postNAPTsourceTransportPort | 16 | No | 375 | natOriginatingAddressRealm | 8 | No | 376 | natEvent | 8 | Yes | 377 +-----------------------------+-------------+-----------+ 379 Table 6: NAT44 BIB create/delete event template 381 4.4.4. NAT64 BIB create and delete event 383 This event will be generated when a NAT64 Bind entry is created. The 384 following is a template of the event. 386 +-----------------------------+-------------+-----------+ 387 | Field Name | Size (bits) | Mandatory | 388 +-----------------------------+-------------+-----------+ 389 | timeStamp | 64 | Yes | 390 | vlanID/ingressVRFID | 32 | No | 391 | sourceIPv6Address | 128 | Yes | 392 | postNATSourceIPv4Address | 32 | Yes | 393 | protocolIdentifier | 8 | No | 394 | sourceTransportPort | 16 | No | 395 | postNAPTsourceTransportPort | 16 | No | 396 | natOriginatingAddressRealm | 8 | No | 397 | natEvent | 8 | Yes | 398 +-----------------------------+-------------+-----------+ 400 Table 7: NAT64 BIB create/delete event template 402 4.4.5. Addresses Exhausted event 404 This event will be generated when a NAT device runs out of global 405 IPv4 addresses in a given pool of addresses. Typically, this event 406 would mean that the NAT device wont be able to create any new 407 translations until some addresses/ports are freed. The following is 408 a template of the event. 410 +-------------+-------------+-----------+ 411 | Field Name | Size (bits) | Mandatory | 412 +-------------+-------------+-----------+ 413 | timeStamp | 64 | Yes | 414 | natEvent | 8 | Yes | 415 | natPoolName | String | Yes | 416 +-------------+-------------+-----------+ 418 Table 8: NAT Address Exhausted event template 420 4.4.6. Ports Exhausted event 422 This event will be generated when a NAT device runs out of ports for 423 a global IPv4 address. Port exhaustion shall be reported per 424 protocol (UDP, TCP etc) The following is a template of the event. 426 +--------------------------+-------------+-----------+ 427 | Field Name | Size (bits) | Mandatory | 428 +--------------------------+-------------+-----------+ 429 | timeStamp | 64 | Yes | 430 | natEvent | 8 | Yes | 431 | postNATSourceIPv4Address | 32 | Yes | 432 | protocolIdentifier | 8 | Yes | 433 +--------------------------+-------------+-----------+ 435 Table 9: NAT Ports Exhausted event template 437 4.4.7. Quota exceeded 439 This event will be generated when a NAT device cannot allocate 440 resources as a result of an administratively defined policy. The 441 examples of Quota exceeded are to allow only certain number of NAT 442 sessions per device, certain number of NAT sessions per user etc. 443 The following is a template of the event. 445 +--------------------+-------------+-----------+ 446 | Field Name | Size (bits) | Mandatory | 447 +--------------------+-------------+-----------+ 448 | timeStamp | 64 | Yes | 449 | natEvent | 8 | Yes | 450 | natLimitEvent | 32 | Yes | 451 | sourceIPv4 address | 32 | No | 452 | sourceIPv6 address | 128 | No | 453 +--------------------+-------------+-----------+ 455 Table 10: NAT Quota Exceeded event template 457 4.4.8. Address Binding 459 This event will be generated when a NAT device binds a local address 460 with a global address. This binding event happens when the first 461 packet of the first flow from a host in the private realm. 463 +--------------------------------+-------------+-----------+ 464 | Field Name | Size (bits) | Mandatory | 465 +--------------------------------+-------------+-----------+ 466 | timeStamp | 64 | Yes | 467 | natEvent | 8 | Yes | 468 | sourceIPv4 address | 32 | No | 469 | sourceIPv6 address | 128 | No | 470 | Translated Source IPv4 Address | 32 | 8 | 471 +--------------------------------+-------------+-----------+ 473 Table 11: NAT Address Binding template 475 4.4.9. Port block allocation and de-allocation 477 This event will be generated when a NAT device allocates/de-allocates 478 ports in a bulk fashion, as opposed to allocating a port on a per 479 flow basis. NAT devices would do this in order to reduce logs and 480 potentially to limit the number of connections a subscriber is 481 allowed to use. In the following Port Block allocation template, the 482 portRangeStart must be specified. Along with portRangeStart, atleast 483 one of portRangeEnd, portRangeStepSize or portRangeNumPorts MUST be 484 specified. If portRangeEnd is specified, it MUST NOT be lesser than 485 portRangeStart. The value of portRangeStepSize MUST be between 1 and 486 32K. 488 +-------------------+-------------+-----------+ 489 | Field Name | Size (bits) | Mandatory | 490 +-------------------+-------------+-----------+ 491 | timeStamp | 64 | Yes | 492 | portRangeStart | 16 | Yes | 493 | portRangeEnd | 16 | No | 494 | portRangeStepSize | 16 | No | 495 | portRangeNumPorts | 16 | No | 496 +-------------------+-------------+-----------+ 498 Table 12: NAT Port Block Allocation event template 500 5. Encoding 501 5.1. IPFIX 503 This document uses IPFIX as the encoding mechanism to describe the 504 logging of NAT events. However, the information that should be 505 logged SHOULD be the same irrespective of what kind of encoding 506 scheme is used. IPFIX is chosen because is it an IETF standard that 507 meets all the needs for a reliable logging mechanism. IPFIX provides 508 the flexibility to the logging device to define the data sets that it 509 is logging. The information elements specified for logging MUST be 510 the same irrespective of the encoding mechanism used. 512 6. Acknowledgements 514 Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin 515 Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay and 516 Julia Renouard for their review and comments. 518 7. IANA Considerations 520 8. Security Considerations 522 None. 524 9. References 526 9.1. Normative References 528 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 529 Requirement Levels", BCP 14, RFC 2119, March 1997. 531 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 532 Translator (NAT) Terminology and Considerations", 533 RFC 2663, August 1999. 535 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 536 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 537 RFC 4787, January 2007. 539 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 540 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 541 RFC 5382, October 2008. 543 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 544 NAT64: Network Address and Protocol Translation from IPv6 545 Clients to IPv4 Servers", RFC 6146, April 2011. 547 9.2. Informative References 549 [NAT-EVENT-LOG-IANA] 550 IANA, "NAT event log entities", 2012, . 553 [RFC5101] Claise, B., "Specification of the IP Flow Information 554 Export (IPFIX) Protocol for the Exchange of IP Traffic 555 Flow Information", RFC 5101, January 2008. 557 [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. 558 Meyer, "Information Model for IP Flow Information Export", 559 RFC 5102, January 2008. 561 [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, 562 "Architecture for IP Flow Information Export", RFC 5470, 563 March 2009. 565 Authors' Addresses 567 Senthil Sivakumar 568 Cisco Systems 569 7100-8 Kit Creek Road 570 Research Triangle Park, North Carolina 27709 571 USA 573 Phone: +1 919 392 5158 574 Email: ssenthil@cisco.com 576 Renaldo Penno 577 Cisco Systems 578 170 W Tasman Drive 579 San Jose, California 95035 580 USA 582 Phone: 583 Email: repenno@cisco.com