idnits 2.17.1 draft-ietf-behave-ipfix-nat-logging-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 19, 2013) is 4049 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'IPFIX-IANA' is mentioned on line 121, but not defined == Unused Reference: 'NAT-EVENT-LOG-IANA' is defined on line 568, but no explicit reference was found in the text == Unused Reference: 'RFC5101' is defined on line 572, but no explicit reference was found in the text == Unused Reference: 'RFC5102' is defined on line 576, but no explicit reference was found in the text == Unused Reference: 'RFC5470' is defined on line 580, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2663 -- Obsolete informational reference (is this intentional?): RFC 5101 (Obsoleted by RFC 7011) -- Obsolete informational reference (is this intentional?): RFC 5102 (Obsoleted by RFC 7012) Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Behave S. Sivakumar 3 Internet-Draft R. Penno 4 Intended status: Standards Track Cisco Systems 5 Expires: September 20, 2013 March 19, 2013 7 IPFIX Information Elements for logging NAT Events 8 draft-ietf-behave-ipfix-nat-logging-00 10 Abstract 12 NAT devices are required to log events like creation and deletion of 13 translations and information about the resources it is managing. 14 With the wide deployment of Carrier Grade NAT (CGN) devices, the 15 logging of events have become very important for legal purposes. The 16 logs are required in many cases to identify an attacker or a host 17 that was used to launch malicious attacks and/or for various other 18 purposes of accounting. Since there is no standard way of logging 19 this information, different NAT devices behave differently and hence 20 it is difficult to expect a consistent behavior. The lack of a 21 consistent way makes it difficult to write the collector applications 22 that would receive this data and process it to present useful 23 information. This document describes the information that is 24 required to be logged by the NAT devices. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on September 20, 2013. 43 Copyright Notice 45 Copyright (c) 2013 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 62 2.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 63 3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 4. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 4 65 5. Event based logging . . . . . . . . . . . . . . . . . . . . . 4 66 5.1. Information Elements . . . . . . . . . . . . . . . . . . 4 67 5.2. Definition of NAT Events . . . . . . . . . . . . . . . . 7 68 5.3. Quota exceeded - Sub Event types . . . . . . . . . . . . 8 69 5.4. Templates for NAT Events . . . . . . . . . . . . . . . . 8 70 5.4.1. NAT44 create and delete session event . . . . . . . . 8 71 5.4.2. NAT64 create and delete session event . . . . . . . . 9 72 5.4.3. NAT44 BIB create and delete event . . . . . . . . . . 9 73 5.4.4. NAT64 BIB create and delete event . . . . . . . . . . 10 74 5.4.5. Addresses Exhausted event . . . . . . . . . . . . . . 10 75 5.4.6. Ports Exhausted event . . . . . . . . . . . . . . . . 10 76 5.4.7. Quota exceeded . . . . . . . . . . . . . . . . . . . 11 77 5.4.8. Address Binding . . . . . . . . . . . . . . . . . . . 11 78 5.4.9. Port block allocation and de-allocation . . . . . . . 12 79 6. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . 12 80 6.1. IPFIX . . . . . . . . . . . . . . . . . . . . . . . . . . 12 81 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 82 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 83 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 84 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 85 10.1. Normative References . . . . . . . . . . . . . . . . . . 13 86 10.2. Informative References . . . . . . . . . . . . . . . . . 13 87 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 89 1. Terminology 90 The usage of the term "NAT device" in this document refer to any 91 NAT44 and NAT64 devices. The usage of the term "collector" refers to 92 any device that receives the binary data from a NAT device and 93 converts that into meaningful information. This document uses the 94 term "Session" as it is defined in [RFC2663] and the term BIB as it 95 is defined in [RFC6146] 97 2. Introduction 99 This document details the IPFIX Information Elements(IEs) that are 100 required for logging by a NAT device. The document will specify the 101 format of the IE's that are required to be logged by the NAT device 102 and all the optional fields. The fields specified in this document 103 are gleaned from [RFC4787] and [RFC5382]. 105 2.1. Requirements Language 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 109 document are to be interpreted as described in [RFC2119]. 111 3. Scope 113 This document provides the information model to be used for logging 114 the NAT devices including Carrier Grade NAT (CGN) events. This 115 document focuses exclusively on the specification of IPFIX IE's. 116 This document does not provide guidance on the transport protocol 117 like TCP, UDP or SCTP that is to be used to log NAT events. The log 118 events SHOULD NOT be lost but the choice of the actual transport 119 protocol is beyond the scope of this document. 121 The existing IANA IPFIX Information Elements registry [IPFIX-IANA] 122 already has assignments for many NAT logging events. For 123 convenience, this document uses those same Information Elements. 124 However, as stated earlier, this document is not defining IPFIX or 125 Netflow 9 as the framework for logging. Rather, the information 126 contained in these elements is within the scope of this document. 128 This document assumes that the NAT device will use the existing IPFIX 129 framework to send the log events to the collector. This would mean 130 that the NAT device will specify the template that it is going to use 131 for each of the events. The templates can be of varying length and 132 there could be multiple templates that a NAT device could use to log 133 the events. 135 The implementation details of the collector application is beyond the 136 scope of this document. 138 The optimization of logging the NAT events are left to the 139 implementation and are beyond the scope of this document. 141 4. Applicability 143 NAT logging based on IPFIX uses binary encoding and hence is very 144 efficient. IPFIX based logging is recommended for environments where 145 a high volume of logging is required, for example, where per-flow 146 logging is needed. However, IPFIX based logging requires a collector 147 that processes the binary data and requires a network management 148 application that converts this binary data to a human readable 149 format. 151 5. Event based logging 153 An event in a NAT device can be viewed as a happening as it relates 154 to the management of NAT resources. The creation and deletion of NAT 155 sessions and bindings are examples of events as it results in the 156 resources (addresses and ports) being allocated or freed. The events 157 can happen either through the processing of data packets flowing 158 through the NAT device or through an external entity installing 159 policies on the NAT router or as a result of an asynchronous event 160 like a timer. The list of events are provided in Section 4.1. Each 161 of these events SHOULD be logged, unless they are administratively 162 prohibited. A NAT device MAY log these events to multiple collectors 163 if redundancy is required. The network administrator will specify 164 the collectors to which the log records are to be sent. 166 A collector may receive NAT events from multiple CGN devices and 167 should be able to distinguish between the devices. Each CGN device 168 should have a unique source ID to identify themselves. The source ID 169 is part of the IPFIX template and data exchange. 171 Prior to logging any events, the NAT device MUST send the template of 172 the record to the collector to advertise the format of the data 173 record that it is using to send the events. The templates can be 174 exchanged as frequently as required given the reliability of the 175 connection. There SHOULD be a configurable timer for controlling the 176 template refresh. NAT device SHOULD combine as many events as 177 possible in a single packet to effectively utilize the network 178 bandwidth. 180 5.1. Information Elements 182 The templates could contain a subset of the Information Elements(IEs) 183 shown in Table 1 depending upon the event being logged. For example 184 a NAT44 session creation template record will contain, 185 {sourceIPv4Adress, postNATSourceIPv4Address, destinationIpv4Address, 186 postNATDestinationIPv4Address, sourceTransportPort, 187 postNAPTSourceTransportPort, destinationTransportPort, 188 postNAPTDestTransportPort, natOriginatingAddressRealm, natEvent, 189 timeStamp} 191 An example of the actual event data record is shown below - in a 192 readable form 194 {192.168.16.1, 201.1.1.100, 207.85.231.104, 207.85.231.104, 14800, 195 1024, 80, 80, 0, 1, 09:20:10:789} 197 A single NAT device could be exporting multiple templates and the 198 collector should support receiving multiple templates from the same 199 source. 201 The following is the table of all the IE's that a CGN device would 202 need to export the events. The formats of the IE's and the IPFIX IDs 203 are listed below. 205 +----------------------------------+--------+---------+-------------+ 206 | Field Name | Size | IANA | Description | 207 | | (bits) | IPFIX | | 208 | | | ID | | 209 +----------------------------------+--------+---------+-------------+ 210 | timeStamp | 64 | 323 | System Time | 211 | | | | when the | 212 | | | | event | 213 | | | | occured. | 214 | vlanID | 16 | 58 | VLAN ID in | 215 | | | | case of | 216 | | | | overlapping | 217 | | | | networks | 218 | ingressVRFID | 32 | 234 | VRF ID in | 219 | | | | case of | 220 | | | | overlapping | 221 | | | | networks | 222 | sourceIPv4Address | 32 | 8 | Source IPv4 | 223 | | | | Address | 224 | postNATSourceIPv4Address | 32 | 225 | Translated | 225 | | | | Source IPv4 | 226 | | | | Address | 227 | protocolIdentifier | 8 | 4 | Transport | 228 | | | | protocol | 229 | sourceTransportPort | 16 | 7 | Source Port | 230 | postNAPTsourceTransportPort | 16 | 227 | Translated | 231 | | | | Source port | 232 | destinationIPv4Address | 32 | 12 | Destination | 233 | | | | IPv4 | 234 | | | | Address | 235 | postNATDestinationIPv4Address | 32 | 226 | Translated | 236 | | | | IPv4 | 237 | | | | destination | 238 | | | | address | 239 | destinationTransportPort | 16 | 11 | Destination | 240 | | | | port | 241 | postNAPTdestinationTransportPort | 16 | 228 | Translated | 242 | | | | Destination | 243 | | | | port | 244 | sourceIPv6Address | 27 | 128 | Source IPv6 | 245 | | | | address | 246 | destinationIPv6Address | 128 | 28 | Destination | 247 | | | | IPv6 | 248 | | | | address | 249 | postNATSourceIPv6Address | 128 | 281 | Translated | 250 | | | | source IPv6 | 251 | | | | addresss | 252 | postNATDestinationIPv6Address | 128 | 282 | Translated | 253 | | | | Destination | 254 | | | | IPv6 | 255 | | | | address | 256 | natOriginatingAddressRealm | 8 | 229 | Address | 257 | | | | Realm | 258 | natEvent | 8 | 230 | Type of | 259 | | | | Event | 260 | portRangeStart | 16 | 361 | Allocated | 261 | | | | port block | 262 | | | | start | 263 | portRangeEnd | 16 | 362 | Allocated | 264 | | | | Port block | 265 | | | | end | 266 | portRangeStepSize | 16 | 363 | Step size | 267 | | | | of next | 268 | | | | port | 269 | portRangeNumPorts | 16 | 364 | Number of | 270 | | | | ports | 271 +----------------------------------+--------+---------+-------------+ 273 Table 1: Template format Table 275 5.2. Definition of NAT Events 277 The following are the list of NAT events and the proposed event 278 values. The list can be expanded in the future as necessary. The 279 data record will have the corresponding natEvent value to identify 280 the event that is being logged. 282 +--------------------------+--------+ 283 | Event Name | Values | 284 +--------------------------+--------+ 285 | NAT44 Session create | 1 | 286 | NAT44 Session delete | 2 | 287 | NAT Addresses exhausted | 3 | 288 | NAT64 Session create | 4 | 289 | NAT64 Session delete | 5 | 290 | NAT44 BIB create | 6 | 291 | NAT44 BIB delete | 7 | 292 | NAT64 BIB create | 8 | 293 | NAT64 BIB delete | 9 | 294 | NAT ports exhausted | 10 | 295 | Quota exceeded | 11 | 296 | Address Binding | 12 | 297 | Port block allocation | 13 | 298 | Port block de-allocation | 14 | 299 +--------------------------+--------+ 301 Table 2: NAT Event ID table 303 5.3. Quota exceeded - Sub Event types 305 The following table shows the sub event types for the Quota exceeded 306 event 308 +---------------------------+--------+ 309 | Quota Exceeded Event Name | Values | 310 +---------------------------+--------+ 311 | Max Session entries | 1 | 312 | Max BIB entries | 2 | 313 | Max entries per user | 3 | 314 +---------------------------+--------+ 316 Table 3: Sub Event ID table 318 5.4. Templates for NAT Events 320 The following is the template of events that will have to logged. 321 The events below are identified at the time of this writing but the 322 events are expandable. Depending on the implementation and 323 configuration various IE's specified can be included or ignored. 325 5.4.1. NAT44 create and delete session event 327 This event will be generated when a NAT44 session is created or 328 deleted. The template will be the same, the natEvent will indicate 329 whether it is a create or a delete event. The following is a 330 template of the event. 332 +----------------------------------+-------------+-----------+ 333 | Field Name | Size (bits) | Mandatory | 334 +----------------------------------+-------------+-----------+ 335 | timeStamp | 64 | Yes | 336 | vlanID/ingressVRFID | 32 | No | 337 | sourceIPv4Address | 32 | Yes | 338 | postNATSourceIPv4Address | 32 | Yes | 339 | protocolIdentifier | 8 | Yes | 340 | sourceTransportPort | 16 | Yes | 341 | postNAPTsourceTransportPort | 16 | Yes | 342 | destinationIPv4Address | 32 | No | 343 | postNATDestinationIPv4Address | 32 | No | 344 | destinationTransportPort | 16 | No | 345 | postNAPTdestinationTransportPort | 16 | No | 346 | natOriginatingAddressRealm | 8 | No | 347 | natEvent | 8 | Yes | 348 +----------------------------------+-------------+-----------+ 350 Table 4: NAT44 Session delete/create template 352 5.4.2. NAT64 create and delete session event 354 This event will be generated when a NAT64 session is created. The 355 following is a template of the event. 357 +----------------------------------+-------------+-----------+ 358 | Field Name | Size (bits) | Mandatory | 359 +----------------------------------+-------------+-----------+ 360 | timeStamp | 64 | Yes | 361 | vlanID/ingressVRFID | 32 | No | 362 | sourceIPv6Address | 128 | Yes | 363 | postNATSourceIPv4Address | 32 | Yes | 364 | protocolIdentifier | 8 | Yes | 365 | sourceTransportPort | 16 | Yes | 366 | postNAPTsourceTransportPort | 16 | Yes | 367 | destinationIPv6Address | 128 | No | 368 | postNATDestinationIPv4Address | 32 | No | 369 | destinationTransportPort | 16 | No | 370 | postNAPTdestinationTransportPort | 16 | No | 371 | natOriginatingAddressRealm | 8 | No | 372 | natEvent | 8 | Yes | 373 +----------------------------------+-------------+-----------+ 375 Table 5: NAT64 session create/delete event template 377 5.4.3. NAT44 BIB create and delete event 379 This event will be generated when a NAT44 Bind entry is created. The 380 following is a template of the event. 382 +-----------------------------+-------------+-----------+ 383 | Field Name | Size (bits) | Mandatory | 384 +-----------------------------+-------------+-----------+ 385 | timeStamp | 64 | Yes | 386 | vlanID/ingressVRFID | 32 | No | 387 | sourceIPv4Address | 32 | Yes | 388 | postNATSourceIPv4Address | 32 | Yes | 389 | protocolIdentifier | 8 | No | 390 | sourceTransportPort | 16 | No | 391 | postNAPTsourceTransportPort | 16 | No | 392 | natOriginatingAddressRealm | 8 | No | 393 | natEvent | 8 | Yes | 394 +-----------------------------+-------------+-----------+ 396 Table 6: NAT44 BIB create/delete event template 398 5.4.4. NAT64 BIB create and delete event 400 This event will be generated when a NAT64 Bind entry is created. The 401 following is a template of the event. 403 +-----------------------------+-------------+-----------+ 404 | Field Name | Size (bits) | Mandatory | 405 +-----------------------------+-------------+-----------+ 406 | timeStamp | 64 | Yes | 407 | vlanID/ingressVRFID | 32 | No | 408 | sourceIPv6Address | 128 | Yes | 409 | postNATSourceIPv4Address | 32 | Yes | 410 | protocolIdentifier | 8 | No | 411 | sourceTransportPort | 16 | No | 412 | postNAPTsourceTransportPort | 16 | No | 413 | natOriginatingAddressRealm | 8 | No | 414 | natEvent | 8 | Yes | 415 +-----------------------------+-------------+-----------+ 417 Table 7: NAT64 BIB create/delete event template 419 5.4.5. Addresses Exhausted event 421 This event will be generated when a NAT device runs out of global 422 IPv4 addresses in a given pool of addresses. Typically, this event 423 would mean that the NAT device wont be able to create any new 424 translations until some addresses/ports are freed. The following is 425 a template of the event. 427 +-------------+-------------+-----------+ 428 | Field Name | Size (bits) | Mandatory | 429 +-------------+-------------+-----------+ 430 | timeStamp | 64 | Yes | 431 | natEvent | 8 | Yes | 432 | natPoolName | String | Yes | 433 +-------------+-------------+-----------+ 435 Table 8: NAT Address Exhausted event template 437 5.4.6. Ports Exhausted event 438 This event will be generated when a NAT device runs out of ports for 439 a global IPv4 address. Port exhaustion shall be reported per 440 protocol (UDP, TCP etc) The following is a template of the event. 442 +--------------------------+-------------+-----------+ 443 | Field Name | Size (bits) | Mandatory | 444 +--------------------------+-------------+-----------+ 445 | timeStamp | 64 | Yes | 446 | natEvent | 8 | Yes | 447 | postNATSourceIPv4Address | 32 | Yes | 448 | protocolIdentifier | 8 | Yes | 449 +--------------------------+-------------+-----------+ 451 Table 9: NAT Ports Exhausted event template 453 5.4.7. Quota exceeded 455 This event will be generated when a NAT device cannot allocate 456 resources as a result of an administratively defined policy. The 457 examples of Quota exceeded are to allow only certain number of NAT 458 sessions per device, certain number of NAT sessions per user etc. 459 The following is a template of the event. 461 +--------------------+-------------+-----------+ 462 | Field Name | Size (bits) | Mandatory | 463 +--------------------+-------------+-----------+ 464 | timeStamp | 64 | Yes | 465 | natEvent | 8 | Yes | 466 | natLimitEvent | 32 | Yes | 467 | sourceIPv4 address | 32 | No | 468 | sourceIPv6 address | 128 | No | 469 +--------------------+-------------+-----------+ 471 Table 10: NAT Quota Exceeded event template 473 5.4.8. Address Binding 475 This event will be generated when a NAT device binds a local address 476 with a global address. This binding event happens when the first 477 packet of the first flow from a host in the private realm. 479 +--------------------------------+-------------+-----------+ 480 | Field Name | Size (bits) | Mandatory | 481 +--------------------------------+-------------+-----------+ 482 | timeStamp | 64 | Yes | 483 | natEvent | 8 | Yes | 484 | sourceIPv4 address | 32 | No | 485 | sourceIPv6 address | 128 | No | 486 | Translated Source IPv4 Address | 32 | 8 | 487 +--------------------------------+-------------+-----------+ 489 Table 11: NAT Address Binding template 491 5.4.9. Port block allocation and de-allocation 493 This event will be generated when a NAT device allocates/de-allocates 494 ports in a bulk fashion, as opposed to allocating a port on a per 495 flow basis. NAT devices would do this in order to reduce logs and 496 potentially to limit the number of connections a subscriber is 497 allowed to use. In the following Port Block allocation template, the 498 portRangeStart must be specified. Along with portRangeStart, atleast 499 one of portRangeEnd, portRangeStepSize or portRangeNumPorts MUST be 500 specified. If portRangeEnd is specified, it MUST NOT be lesser than 501 portRangeStart. The value of portRangeStepSize MUST be between 1 and 502 32K. 504 +--------------------------------+-------------+-----------+ 505 | Field Name | Size (bits) | Mandatory | 506 +--------------------------------+-------------+-----------+ 507 | timeStamp | 64 | Yes | 508 | sourceIPv4 address | 32 | No | 509 | sourceIPv6 address | 128 | No | 510 | Translated Source IPv4 Address | 32 | Yes | 511 | portRangeStart | 16 | Yes | 512 | portRangeEnd | 16 | No | 513 | portRangeStepSize | 16 | No | 514 | portRangeNumPorts | 16 | No | 515 +--------------------------------+-------------+-----------+ 517 Table 12: NAT Port Block Allocation event template 519 6. Encoding 521 6.1. IPFIX 523 This document uses IPFIX as the encoding mechanism to describe the 524 logging of NAT events. However, the information that should be 525 logged SHOULD be the same irrespective of what kind of encoding 526 scheme is used. IPFIX is chosen because is it an IETF standard that 527 meets all the needs for a reliable logging mechanism. IPFIX provides 528 the flexibility to the logging device to define the data sets that it 529 is logging. The information elements specified for logging MUST be 530 the same irrespective of the encoding mechanism used. 532 7. Acknowledgements 533 Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin 534 Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul 535 Aitken and Julia Renouard for their review and comments. 537 8. IANA Considerations 539 9. Security Considerations 541 None. 543 10. References 545 10.1. Normative References 547 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 548 Requirement Levels", BCP 14, RFC 2119, March 1997. 550 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 551 Translator (NAT) Terminology and Considerations", RFC 552 2663, August 1999. 554 [RFC4787] Audet, F. and C. Jennings, "Network Address Translation 555 (NAT) Behavioral Requirements for Unicast UDP", BCP 127, 556 RFC 4787, January 2007. 558 [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. 559 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 560 RFC 5382, October 2008. 562 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 563 NAT64: Network Address and Protocol Translation from IPv6 564 Clients to IPv4 Servers", RFC 6146, April 2011. 566 10.2. Informative References 568 [NAT-EVENT-LOG-IANA] 569 IANA, , "NAT event log entities", 2012, . 572 [RFC5101] Claise, B., "Specification of the IP Flow Information 573 Export (IPFIX) Protocol for the Exchange of IP Traffic 574 Flow Information", RFC 5101, January 2008. 576 [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. 577 Meyer, "Information Model for IP Flow Information Export", 578 RFC 5102, January 2008. 580 [RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, 581 "Architecture for IP Flow Information Export", RFC 5470, 582 March 2009. 584 Authors' Addresses 586 Senthil Sivakumar 587 Cisco Systems 588 7100-8 Kit Creek Road 589 Research Triangle Park, North Carolina 27709 590 USA 592 Phone: +1 919 392 5158 593 Email: ssenthil@cisco.com 595 Renaldo Penno 596 Cisco Systems 597 170 W Tasman Drive 598 San Jose, California 95035 599 USA 601 Email: repenno@cisco.com