Behave                                                      S. Sivakumar
Internet-Draft                                                  R. Penno
Intended status: Standards Track                           Cisco Systems
Expires: July 13, 2017                                   January 9, 2017

           IPFIX Information Elements for logging NAT Events
                 draft-ietf-behave-ipfix-nat-logging-13

Abstract

   Network operators require NAT devices to log events like creation and
   deletion of translations and information about the resources that the
   NAT device is managing.
   The logs are essential in many cases to identify an attacker or a
   host that was used to launch malicious attacks and for various other
   purposes of accounting.  Since there is no standard way of logging
   this information, different NAT devices log the information using
   proprietary formats and hence it is difficult to expect a consistent
   behavior.  The lack of a consistent way to log the data makes it
   difficult to write the collector applications that would receive this
   data and process it to present useful information.  This document
   describes the formats for logging of NAT events.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 13, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements Language
   2.  Scope
   3.  Deployment
   4.  Event based logging
     4.1.  Logging of destination information
     4.2.  Information Elements
     4.3.  Definition of NAT Events
     4.4.  Quota exceeded Event types
     4.5.  Threshold reached Event types
     4.6.  Templates for NAT Events
       4.6.1.  NAT44 create and delete session events
       4.6.2.  NAT64 create and delete session events
       4.6.3.  NAT44 BIB create and delete events
       4.6.4.  NAT64 BIB create and delete events
       4.6.5.  Addresses Exhausted event
       4.6.6.  Ports Exhausted event
       4.6.7.  Quota exceeded events
         4.6.7.1.  Maximum session entries exceeded
         4.6.7.2.  Maximum BIB entries exceeded
         4.6.7.3.  Maximum entries per user exceeded
         4.6.7.4.  Maximum active host or subscribers exceeded
         4.6.7.5.  Maximum fragments pending reassembly exceeded
       4.6.8.  Threshold reached events
         4.6.8.1.  Address pool high or low threshold reached
         4.6.8.2.  Address and port high threshold reached
         4.6.8.3.  Per-user Address and port high threshold reached
         4.6.8.4.  Global Address mapping high threshold reached
       4.6.9.  Address binding create and delete events
       4.6.10. Port block allocation and de-allocation
   5.  Management Considerations
     5.1.  Ability to collect events from multiple NAT devices
     5.2.  Ability to suppress events
   6.  Acknowledgements
   7.  IANA Considerations
     7.1.  Information Elements
       7.1.1.  natInstanceID
       7.1.2.  internalAddressRealm
       7.1.3.  externalAddressRealm
       7.1.4.  natQuotaExceededEvent
       7.1.5.  natThresholdEvent
       7.1.6.  natEvent
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   The IPFIX Protocol [RFC7011] defines a generic push mechanism for
   exporting information and events.  The IPFIX Information Model
   [IPFIX-IANA] defines a set of standard IEs which can be carried by
   the IPFIX protocol.  This document details the IPFIX Information
   Elements (IEs) that MUST be logged by a NAT device that supports NAT
   logging using IPFIX, and all the optional fields.
   The fields specified in this document are gleaned from [RFC4787] and
   [RFC5382].

   This document and [I-D.ietf-behave-syslog-nat-logging] are written in
   order to standardize the events and parameters to be recorded, using
   IPFIX [RFC7011] and SYSLOG [RFC5424] respectively.  The intent is to
   provide a consistent way to log information irrespective of the
   mechanism that is used.

   This document uses IPFIX as the encoding mechanism to describe the
   logging of NAT events.  However, the information that is logged
   should be the same irrespective of what kind of encoding scheme is
   used.  IPFIX is chosen because it is an IETF standard that meets all
   the needs for a reliable logging mechanism.  IPFIX provides the
   flexibility to the logging device to define the data sets that it is
   logging.  The IEs specified for logging must be the same irrespective
   of the encoding mechanism used.

1.1.  Terminology

   The usage of the term "NAT device" in this document refers to any
   NAT44 and NAT64 devices.  The usage of the term "collector" refers to
   any device that receives the binary data from a NAT device and
   converts that into meaningful information.  This document uses the
   term "Session" as it is defined in [RFC2663] and the term Binding
   Information Base (BIB) as it is defined in [RFC6146].  The usage of
   the term Information Element (IE) is defined in [RFC7011].  The term
   Carrier Grade NAT refers to a large scale NAT device as described in
   [RFC6888].

   The IPFIX Information Elements that are NAT specific are created with
   NAT terminology.  In order to avoid creating duplicate IEs, IEs are
   reused if they convey the same meaning.  This document uses the term
   timeStamp for the Information Element which defines the time when an
   event is logged; this is the same as the IPFIX term
   observationTimeMilliseconds as described in [IPFIX-IANA].
   Since observationTimeMilliseconds is not self-explanatory for NAT
   implementors, this document uses the term timeStamp.  This document
   refers to event templates, which are IPFIX Template Records, and to
   log events, which are IPFIX Flow Records.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Scope

   This document provides the information model to be used for logging
   the NAT events including Carrier Grade NAT (CGN) events.  [RFC7011]
   provides guidance on the choices of the transport protocols used for
   IPFIX and their effects.  This document does not provide guidance on
   the transport protocol like TCP, UDP or SCTP that is to be used to
   log NAT events.  The logs SHOULD be reliably sent to the collector to
   ensure that the log events are not lost.  The choice of the actual
   transport protocol is beyond the scope of this document.

   The existing IANA IPFIX IEs registry [IPFIX-IANA] already has
   assignments for most of the NAT logging events.  This document uses
   the allocated IPFIX IEs and will request IANA for the ones that are
   defined in this document but not yet allocated.

   This document assumes that the NAT device will use the existing IPFIX
   framework to send the log events to the collector.  This would mean
   that the NAT device will specify the template that it is going to use
   for each of the events.  The templates can be of varying length and
   there could be multiple templates that a NAT device could use to log
   the events.

   The implementation details of the collector application are beyond
   the scope of this document.

   The optimization of logging the NAT events is left to the
   implementation and is beyond the scope of this document.

3.  Deployment

   NAT logging based on IPFIX uses binary encoding and hence is very
   efficient.  IPFIX based logging is recommended for environments where
   a high volume of logging is required, for example, where per-flow
   logging is needed or in case of Carrier Grade NAT.  However, IPFIX
   based logging requires a collector that processes the binary data and
   requires a network management application that converts this binary
   data to a human readable format.

   A collector may receive NAT events from multiple CGN devices.  The
   collector distinguishes between the devices using the source IP
   address, source port, and Observation Domain ID in the IPFIX header.
   The collector can decide to store the information based on the
   administrative policies that are in line with the operator and the
   local jurisdiction.  The retention policy is not dictated by the
   exporter and is left to the policies that are defined at the
   collector.

   A collector may have scale issues if it is overloaded by a large
   number of simultaneous events.  An appropriate throttling mechanism
   may be used to handle the oversubscription.

   The logs that are exported can be used for a variety of reasons.  An
   example use case is to do accounting based on when the users logged
   on and off.  The translation will be installed when the user logs on
   and removed when the user logs off.  These events create log records.
   Another use case is to identify an attacker or a host in a provider
   network.  The network administrators can use these logs to identify
   the usage patterns, need for additional IP addresses etc.  The
   deployment of NAT logging is not limited to just these cases.

4.  Event based logging

   An event in a NAT device can be viewed as a state transition as it
   relates to the management of NAT resources.
   The creation and deletion of NAT sessions and bindings are examples
   of events as they result in resources (addresses and ports) being
   allocated or freed.  The events can happen through the processing of
   data packets flowing through the NAT device or through an external
   entity installing policies on the NAT router or as a result of an
   asynchronous event like a timer.  The list of events is provided in
   Table 2.  Each of these events SHOULD be logged, unless they are
   administratively prohibited.  A NAT device MAY log these events to
   multiple collectors if redundancy is required.  The network
   administrator will specify the collectors to which the log records
   are to be sent.  It is necessary to preserve the list of collectors
   and its associated information like the IPv4/IPv6 address, port and
   protocol across reboots so that the configuration information is not
   lost when the device is restarted.  The NAT device implementing the
   IPFIX logging MUST follow the IPFIX specification [RFC7011].

4.1.  Logging of destination information

   Logging of destination information in a NAT event has been discussed
   in [RFC6302] and [RFC6888].  Logging of destination information
   increases the size of each record and increases the need for storage
   considerably.  It increases the number of log events generated
   because when the same user connects to a different destination, it
   results in a log record per destination address.  Logging of the
   source and destination addresses results in loss of privacy.  Logging
   of destination addresses and ports, pre or post NAT, SHOULD NOT be
   done [RFC6888].  However, this draft provides the necessary fields to
   log the destination information in cases where they must be logged.

4.2.  Information Elements

   The templates could contain a subset of the IEs shown in Table 1
   depending upon the event being logged.
   For example, a NAT44 session creation template record will contain

   {sourceIPv4Address, postNATSourceIPv4Address, destinationIPv4Address,
   postNATDestinationIPv4Address, sourceTransportPort,
   postNAPTSourceTransportPort, destinationTransportPort,
   postNAPTDestinationTransportPort, internalAddressRealm, natEvent,
   timeStamp}

   An example of the actual event data record is shown below, in a
   human readable form:

   {192.0.2.1, 203.0.113.100, 192.0.2.104, 192.0.2.104, 14800, 1024, 80,
   80, 0, 1, 09:20:10:789}

   A single NAT device could be exporting multiple templates and the
   collector MUST support receiving multiple templates from the same
   source.

   The following is the table of all the IEs that a NAT device would
   need to export the events.  The formats of the IEs and the IPFIX IDs
   are listed below.  Some of the IPFIX IEs are not yet assigned.  The
   detailed descriptions of the fields that are requested are in the
   IANA Considerations section.

   +----------------------------------+------------+-------+------------------------------------------+
   | Field Name                       | Size       | IANA  | Description                              |
   |                                  | (bits)     | IPFIX |                                          |
   |                                  |            | ID    |                                          |
   +----------------------------------+------------+-------+------------------------------------------+
   | timeStamp                        | 64         | 323   | System Time when the event occurred.     |
   | natInstanceID                    | 32         | TBD   | NAT Instance Identifier                  |
   | vlanID                           | 16         | 58    | VLAN ID in case of overlapping networks  |
   | ingressVRFID                     | 32         | 234   | VRF ID in case of overlapping networks   |
   | sourceIPv4Address                | 32         | 8     | Source IPv4 Address                      |
   | postNATSourceIPv4Address         | 32         | 225   | Translated Source IPv4 Address           |
   | protocolIdentifier               | 8          | 4     | Transport protocol                       |
   | sourceTransportPort              | 16         | 7     | Source Port                              |
   | postNAPTsourceTransportPort      | 16         | 227   | Translated Source port                   |
   | destinationIPv4Address           | 32         | 12    | Destination IPv4 Address                 |
   | postNATDestinationIPv4Address    | 32         | 226   | Translated IPv4 destination address      |
   | destinationTransportPort         | 16         | 11    | Destination port                         |
   | postNAPTdestinationTransportPort | 16         | 228   | Translated Destination port              |
   | sourceIPv6Address                | 128        | 27    | Source IPv6 address                      |
   | destinationIPv6Address           | 128        | 28    | Destination IPv6 address                 |
   | postNATSourceIPv6Address         | 128        | 281   | Translated source IPv6 address           |
   | postNATDestinationIPv6Address    | 128        | 282   | Translated Destination IPv6 address      |
   | internalAddressRealm             | OctetArray | TBD   | Source Address Realm                     |
   | externalAddressRealm             | OctetArray | TBD   | Destination Address Realm                |
   | natEvent                         | 8          | 230   | Type of Event                            |
   | portRangeStart                   | 16         | 361   | Allocated port block start               |
   | portRangeEnd                     | 16         | 362   | Allocated Port block end                 |
   | natPoolID                        | 32         | 283   | NAT pool Identifier                      |
   | natQuotaExceededEvent            | 32         | TBD   | Limit event identifier                   |
   | natThresholdEvent                | 32         | TBD   | Threshold event identifier               |
   +----------------------------------+------------+-------+------------------------------------------+

                        Table 1: Template format Table

4.3.  Definition of NAT Events

   The following is the complete list of NAT events and the proposed
   event type values.  The natEvent IE is defined in the IPFIX IANA
   registry in http://www.iana.org/assignments/ipfix/ipfix.xml.  The
   list can be expanded in the future as necessary.  The data record
   will have the corresponding natEvent value to indicate the event that
   is being logged.

   Note that the first two events are marked historic.  These values
   were defined prior to the existence of this draft and outside the
   IETF working group.  These events are not standalone and require more
   information to be conveyed to qualify the event.  For example, the
   NAT Translation create event does not specify if it is a NAT44 or
   NAT64.  As a result the Behave WG decided to have explicit definition
   for each one of the unique events.  The historic events are listed
   here for the purpose of completeness and are already defined in the
   IPFIX IANA registry.  Any compliant implementation SHOULD NOT
   implement the events that are marked historic.
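   As an added worked example (not code from the draft or its authors),
   the following Python encodes the Section 4.2 record into an IPFIX
   message with the RFC 7011 framing (message header, Template Set with
   Set ID 2, Data Sets keyed by template ID) using the IANA IE IDs of
   Table 1, then decodes it as a collector would, maps natEvent values to
   the names of Table 2 and flags the historic values 1 and 2 that
   implementations SHOULD NOT emit.  It goes slightly beyond the text by
   carrying a second template (the ports exhausted event) in the same
   message, since the collector MUST accept multiple templates from one
   source.  Assumptions: template IDs 256 and 257, observation domain 1,
   timeStamp carried as observationTimeMilliseconds (IE 323) in
   milliseconds since the Unix epoch, protocolIdentifier values chosen for
   the samples, and internalAddressRealm omitted because its IE ID is TBD.

```python
import struct
import ipaddress

# (IANA IE id, octets) from Table 1; the draft's timeStamp is carried as
# observationTimeMilliseconds (IE 323).
IE = {"observationTimeMilliseconds": (323, 8), "natEvent": (230, 1),
      "sourceIPv4Address": (8, 4), "postNATSourceIPv4Address": (225, 4),
      "destinationIPv4Address": (12, 4), "postNATDestinationIPv4Address": (226, 4),
      "protocolIdentifier": (4, 1), "sourceTransportPort": (7, 2),
      "postNAPTSourceTransportPort": (227, 2), "destinationTransportPort": (11, 2),
      "postNAPTDestinationTransportPort": (228, 2)}
ID_TO_NAME = {ie_id: name for name, (ie_id, _) in IE.items()}

# natEvent values from Table 2 (subset); 1 and 2 are historic.
NAT_EVENT = {1: "NAT Translation create (Historic)", 2: "NAT Translation Delete (Historic)",
             4: "NAT44 Session create", 5: "NAT44 Session delete",
             12: "NAT ports exhausted", 13: "Quota exceeded"}
HISTORIC = {1, 2}

# Template IDs are assumed (any value >= 256 is legal per RFC 7011):
# 256 = NAT44 session event (Table 5, destination IEs included),
# 257 = ports exhausted event (Table 10).
TEMPLATES = [
    (256, ["observationTimeMilliseconds", "natEvent", "sourceIPv4Address",
           "postNATSourceIPv4Address", "protocolIdentifier", "sourceTransportPort",
           "postNAPTSourceTransportPort", "destinationIPv4Address",
           "postNATDestinationIPv4Address", "destinationTransportPort",
           "postNAPTDestinationTransportPort"]),
    (257, ["observationTimeMilliseconds", "natEvent", "postNATSourceIPv4Address",
           "protocolIdentifier"])]


def _encode_field(name, value):
    """Network byte order; IPv4 address IEs are the 4 packed octets."""
    if name.endswith("Address"):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(IE[name][1], "big")


def build_message(templates, records, seq=0, domain=1, export_time=0):
    """Exporter side: IPFIX header + Template Set (Set ID 2) + one Data Set
    (Set ID = template ID) per (template_id, values) record."""
    tset = b""
    for tid, fields in templates:
        tset += struct.pack("!HH", tid, len(fields))
        tset += b"".join(struct.pack("!HH", *IE[f]) for f in fields)
    body = struct.pack("!HH", 2, 4 + len(tset)) + tset
    for tid, values in records:
        rec = b"".join(_encode_field(f, values[f]) for f in dict(templates)[tid])
        body += struct.pack("!HH", tid, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body


def parse_message(msg):
    """Collector side: learn templates, decode records, name the natEvent and
    warn on historic values.  Returns ([(template_id, dict)], [warnings])."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, warnings, off = {}, [], [], 16
    while off < len(msg):
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:                                  # Template Set
            while p + 4 <= end:
                tid, count = struct.unpack("!HH", msg[p:p + 4])
                templates[tid] = [struct.unpack("!HH", msg[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(count)]
                p += 4 + 4 * count
        elif set_id >= 256 and set_id not in templates:  # Data Set, unknown template
            warnings.append("data set %d before its template; skipped" % set_id)
        elif set_id >= 256:                              # Data Set
            fields = templates[set_id]
            while p + sum(l for _, l in fields) <= end:
                rec = {}
                for ie_id, l in fields:
                    raw, p = msg[p:p + l], p + l
                    name = ID_TO_NAME.get(ie_id, "ie%d" % ie_id)
                    rec[name] = (str(ipaddress.IPv4Address(raw)) if name.endswith("Address")
                                 else int.from_bytes(raw, "big"))
                ev = rec.get("natEvent")
                rec["natEventName"] = NAT_EVENT.get(ev, "unknown(%s)" % ev)
                if ev in HISTORIC:
                    warnings.append("historic natEvent %d; exporters SHOULD NOT send it" % ev)
                records.append((set_id, rec))
        off = end
    return records, warnings


def sample_message():
    """Constructed sample: the Section 4.2 record sent as NAT44 Session create
    (natEvent 4) at 2017-01-09 09:20:10.789 UTC, then a UDP ports exhausted event."""
    session = {"observationTimeMilliseconds": 1483953610789, "natEvent": 4,
               "sourceIPv4Address": "192.0.2.1", "postNATSourceIPv4Address": "203.0.113.100",
               "protocolIdentifier": 6, "sourceTransportPort": 14800,
               "postNAPTSourceTransportPort": 1024, "destinationIPv4Address": "192.0.2.104",
               "postNATDestinationIPv4Address": "192.0.2.104",
               "destinationTransportPort": 80, "postNAPTDestinationTransportPort": 80}
    exhausted = {"observationTimeMilliseconds": 1483953611000, "natEvent": 12,
                 "postNATSourceIPv4Address": "203.0.113.100", "protocolIdentifier": 17}
    return build_message(TEMPLATES, [(256, session), (257, exhausted)], seq=1)
```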
   +-------------------------------------+--------+
   | Event Name                          | Values |
   +-------------------------------------+--------+
   | NAT Translation create (Historic)   | 1      |
   | NAT Translation Delete (Historic)   | 2      |
   | NAT Addresses exhausted             | 3      |
   | NAT44 Session create                | 4      |
   | NAT44 Session delete                | 5      |
   | NAT64 Session create                | 6      |
   | NAT64 Session delete                | 7      |
   | NAT44 BIB create                    | 8      |
   | NAT44 BIB delete                    | 9      |
   | NAT64 BIB create                    | 10     |
   | NAT64 BIB delete                    | 11     |
   | NAT ports exhausted                 | 12     |
   | Quota exceeded                      | 13     |
   | Address binding create              | 14     |
   | Address binding delete              | 15     |
   | Port block allocation               | 16     |
   | Port block de-allocation            | 17     |
   | Threshold reached                   | 18     |
   +-------------------------------------+--------+

                  Table 2: NAT Event ID table

4.4.  Quota exceeded Event types

   The Quota Exceeded event is a natEvent IE described in Table 2.  The
   Quota exceeded events are generated when the hard limits set by the
   administrator have been reached or exceeded.  The following table
   shows the sub event types for the Quota exceeded or limits reached
   event.  The events that can be reported are the Maximum session
   entries limit reached, Maximum BIB entries limit reached, Maximum
   (session/BIB) entries per user limit reached, Maximum active hosts
   limit reached or maximum subscribers limit reached and Maximum
   Fragments pending reassembly limit reached.

   +---------------------------------------+--------+
   | Quota Exceeded Event Name             | Values |
   +---------------------------------------+--------+
   | Maximum Session entries               | 1      |
   | Maximum BIB entries                   | 2      |
   | Maximum entries per user              | 3      |
   | Maximum active hosts or subscribers   | 4      |
   | Maximum fragments pending reassembly  | 5      |
   +---------------------------------------+--------+

               Table 3: Quota Exceeded event table

4.5.  Threshold reached Event types

   The following table shows the sub event types for the threshold
   reached event.  The administrator can configure the thresholds and
   whenever the threshold is reached or exceeded, the corresponding
   events are generated.  The main difference between Quota Exceeded and
   the Threshold reached events is that, once the Quota exceeded events
   are hit, the packets are dropped or mappings won't be created, etc.,
   whereas the threshold reached events will provide the operator a
   chance to take action before the traffic disruptions can happen.  A
   NAT device can choose to implement one or the other or both.

   The address pool high threshold event will be reported when the
   address pool reaches a high water mark as defined by the operator.
   This will serve as an indication that the operator might have to add
   more addresses to the pool or an indication that the subsequent users
   may be denied NAT translation mappings.

   The address pool low threshold event will be reported when the
   address pool reaches a low water mark as defined by the operator.
   This will serve as an indication that the operator can reclaim some
   of the global IPv4 addresses in the pool.

   The address and port mapping high threshold event is generated when
   the number of ports in the configured address pool has reached a
   configured threshold.

   The per-user address and port mapping high threshold is generated
   when a single user uses more address and port mappings than a
   configured threshold.  We don't track the low threshold for per-user
   address and port mappings, because as the ports are freed, the
   address will become available.  The address pool low threshold event
   will then be triggered so that the IPv4 global address can be
   reclaimed.
   The Global address mapping high threshold event is generated when the
   maximum mappings per-user is reached for a NAT device doing paired
   address pooling.

   +---------------------------------------------------------+--------+
   | Threshold Exceeded Event Name                           | Values |
   +---------------------------------------------------------+--------+
   | Address pool high threshold event                       | 1      |
   | Address pool low threshold event                        | 2      |
   | Address and port mapping high threshold event           | 3      |
   | Address and port mapping per user high threshold event  | 4      |
   | Global Address mapping high threshold event             | 5      |
   +---------------------------------------------------------+--------+

                     Table 4: Threshold event table

4.6.  Templates for NAT Events

   The following is the template of events that will be logged.  The
   events below are identified at the time of this writing but the set
   of events is extensible.  A NAT device that implements a given NAT
   event MUST support the mandatory IEs in the templates.  Depending on
   the implementation and configuration various IEs that are not
   mandatory can be included or ignored.

4.6.1.  NAT44 create and delete session events

   These events will be generated when a NAT44 session is created or
   deleted.  The template will be the same; the natEvent will indicate
   whether it is a create or a delete event.  The following is a
   template of the event.

   The destination address and port information is optional as required
   by [RFC6888].  However, when the destination information is
   suppressed, the session log event contains the same information as
   the BIB event.  In such cases, the NAT device SHOULD NOT send both
   BIB and session events.
   +----------------------------------+-------------+-----------+
   | Field Name                       | Size (bits) | Mandatory |
   +----------------------------------+-------------+-----------+
   | timeStamp                        | 64          | Yes       |
   | natEvent                         | 8           | Yes       |
   | sourceIPv4Address                | 32          | Yes       |
   | postNATSourceIPv4Address         | 32          | Yes       |
   | protocolIdentifier               | 8           | Yes       |
   | sourceTransportPort              | 16          | Yes       |
   | postNAPTsourceTransportPort      | 16          | Yes       |
   | destinationIPv4Address           | 32          | No        |
   | postNATDestinationIPv4Address    | 32          | No        |
   | destinationTransportPort         | 16          | No        |
   | postNAPTdestinationTransportPort | 16          | No        |
   | natInstanceID                    | 32          | No        |
   | vlanID/ingressVRFID              | 32          | No        |
   | internalAddressRealm             | OctetArray  | No        |
   | externalAddressRealm             | OctetArray  | No        |
   +----------------------------------+-------------+-----------+

           Table 5: NAT44 Session delete/create template

4.6.2.  NAT64 create and delete session events

   These events will be generated when a NAT64 session is created or
   deleted.  The following is a template of the event.

   +----------------------------------+-------------+-----------+
   | Field Name                       | Size (bits) | Mandatory |
   +----------------------------------+-------------+-----------+
   | timeStamp                        | 64          | Yes       |
   | natEvent                         | 8           | Yes       |
   | sourceIPv6Address                | 128         | Yes       |
   | postNATSourceIPv4Address         | 32          | Yes       |
   | protocolIdentifier               | 8           | Yes       |
   | sourceTransportPort              | 16          | Yes       |
   | postNAPTsourceTransportPort      | 16          | Yes       |
   | destinationIPv6Address           | 128         | No        |
   | postNATDestinationIPv4Address    | 32          | No        |
   | destinationTransportPort         | 16          | No        |
   | postNAPTdestinationTransportPort | 16          | No        |
   | natInstanceID                    | 32          | No        |
   | vlanID/ingressVRFID              | 32          | No        |
   | internalAddressRealm             | OctetArray  | No        |
   | externalAddressRealm             | OctetArray  | No        |
   +----------------------------------+-------------+-----------+

        Table 6: NAT64 session create/delete event template

4.6.3.  NAT44 BIB create and delete events

   These events will be generated when a NAT44 Bind entry is created or
   deleted.  The following is a template of the event.

   +-----------------------------+-------------+-----------+
   | Field Name                  | Size (bits) | Mandatory |
   +-----------------------------+-------------+-----------+
   | timeStamp                   | 64          | Yes       |
   | natEvent                    | 8           | Yes       |
   | sourceIPv4Address           | 32          | Yes       |
   | postNATSourceIPv4Address    | 32          | Yes       |
   | protocolIdentifier          | 8           | No        |
   | sourceTransportPort         | 16          | No        |
   | postNAPTsourceTransportPort | 16          | No        |
   | natInstanceID               | 32          | No        |
   | vlanID/ingressVRFID         | 32          | No        |
   | internalAddressRealm        | OctetArray  | No        |
   | externalAddressRealm        | OctetArray  | No        |
   +-----------------------------+-------------+-----------+

          Table 7: NAT44 BIB create/delete event template

4.6.4.  NAT64 BIB create and delete events

   These events will be generated when a NAT64 Bind entry is created or
   deleted.  The following is a template of the event.

   +-----------------------------+-------------+-----------+
   | Field Name                  | Size (bits) | Mandatory |
   +-----------------------------+-------------+-----------+
   | timeStamp                   | 64          | Yes       |
   | natEvent                    | 8           | Yes       |
   | sourceIPv6Address           | 128         | Yes       |
   | postNATSourceIPv4Address    | 32          | Yes       |
   | protocolIdentifier          | 8           | No        |
   | sourceTransportPort         | 16          | No        |
   | postNAPTsourceTransportPort | 16          | No        |
   | natInstanceID               | 32          | No        |
   | vlanID/ingressVRFID         | 32          | No        |
   | internalAddressRealm        | OctetArray  | No        |
   | externalAddressRealm        | OctetArray  | No        |
   +-----------------------------+-------------+-----------+

          Table 8: NAT64 BIB create/delete event template

4.6.5.  Addresses Exhausted event

   This event will be generated when a NAT device runs out of global
   IPv4 addresses in a given pool of addresses.
   Typically, this event would mean that the NAT device won't be able to
   create any new translations until some addresses/ports are freed.
   This event SHOULD be rate limited as many packets hitting the device
   at the same time will trigger a burst of addresses exhausted events.

   The following is a template of the event.

   +---------------+-------------+-----------+
   | Field Name    | Size (bits) | Mandatory |
   +---------------+-------------+-----------+
   | timeStamp     | 64          | Yes       |
   | natEvent      | 8           | Yes       |
   | natPoolID     | 32          | Yes       |
   | natInstanceID | 32          | No        |
   +---------------+-------------+-----------+

            Table 9: Address Exhausted event template

4.6.6.  Ports Exhausted event

   This event will be generated when a NAT device runs out of ports for
   a global IPv4 address.  Port exhaustion shall be reported per
   protocol (UDP, TCP etc).  This event SHOULD be rate limited as many
   packets hitting the device at the same time will trigger a burst of
   port exhausted events.

   The following is a template of the event.

   +--------------------------+-------------+-----------+
   | Field Name               | Size (bits) | Mandatory |
   +--------------------------+-------------+-----------+
   | timeStamp                | 64          | Yes       |
   | natEvent                 | 8           | Yes       |
   | postNATSourceIPv4Address | 32          | Yes       |
   | protocolIdentifier       | 8           | Yes       |
   | natInstanceID            | 32          | No        |
   +--------------------------+-------------+-----------+

             Table 10: Ports Exhausted event template

4.6.7.  Quota exceeded events

   This event will be generated when a NAT device cannot allocate
   resources as a result of an administratively defined policy.  The
   quota exceeded event templates are described below.

4.6.7.1.  Maximum session entries exceeded

   The maximum session entries exceeded event is generated when the
   administratively configured NAT session limit is reached.  The
   following is the template of the event.
   +-----------------------+-------------+-----------+
   | Field Name            | Size (bits) | Mandatory |
   +-----------------------+-------------+-----------+
   | timeStamp             | 64          | Yes       |
   | natEvent              | 8           | Yes       |
   | natQuotaExceededEvent | 32          | Yes       |
   | configuredLimit       | 32          | Yes       |
   | natInstanceID         | 32          | No        |
   +-----------------------+-------------+-----------+

         Table 11: Session Entries Exceeded event template

4.6.7.2.  Maximum BIB entries exceeded

   The maximum BIB entries exceeded event is generated when the
   administratively configured BIB entry limit is reached.  The
   following is the template of the event.

   +-----------------------+-------------+-----------+
   | Field Name            | Size (bits) | Mandatory |
   +-----------------------+-------------+-----------+
   | timeStamp             | 64          | Yes       |
   | natEvent              | 8           | Yes       |
   | natQuotaExceededEvent | 32          | Yes       |
   | configuredLimit       | 32          | Yes       |
   | natInstanceID         | 32          | No        |
   +-----------------------+-------------+-----------+

           Table 12: BIB Entries Exceeded event template

4.6.7.3.  Maximum entries per user exceeded

   This event is generated when a single user reaches the
   administratively configured NAT translation limit.  The following is
   the template of the event.

   +-----------------------+-------------+---------------+
   | Field Name            | Size (bits) | Mandatory     |
   +-----------------------+-------------+---------------+
   | timeStamp             | 64          | Yes           |
   | natEvent              | 8           | Yes           |
   | natQuotaExceededEvent | 32          | Yes           |
   | configuredLimit       | 32          | Yes           |
   | sourceIPv4 address    | 32          | Yes for NAT44 |
   | sourceIPv6 address    | 128         | Yes for NAT64 |
   | natInstanceID         | 32          | No            |
   | vlanID/ingressVRFID   | 32          | No            |
   +-----------------------+-------------+---------------+

         Table 13: Per-user Entries Exceeded event template

4.6.7.4.  Maximum active host or subscribers exceeded

   This event is generated when the number of allowed hosts or
   subscribers reaches the administratively configured limit.  The
   following is the template of the event.

   +-----------------------+-------------+-----------+
   | Field Name            | Size (bits) | Mandatory |
   +-----------------------+-------------+-----------+
   | timeStamp             | 64          | Yes       |
   | natEvent              | 8           | Yes       |
   | natQuotaExceededEvent | 32          | Yes       |
   | configuredLimit       | 32          | Yes       |
   | natInstanceID         | 32          | No        |
   +-----------------------+-------------+-----------+

     Table 14: Maximum hosts/subscribers Exceeded event template

4.6.7.5.  Maximum fragments pending reassembly exceeded

   This event is generated when the number of fragments pending
   reassembly reaches the administratively configured limit.  Note that
   in case of NAT64, when this condition is detected in the IPv6 to IPv4
   direction, the IPv6 source address is mandatory in the template.
   Similarly, when this condition is detected in the IPv4 to IPv6
   direction, the source IPv4 address is mandatory in the template
   below.  The following is the template of the event.

   +-----------------------+-------------+----------------+
   | Field Name            | Size (bits) | Mandatory      |
   +-----------------------+-------------+----------------+
   | timeStamp             | 64          | Yes            |
   | natEvent              | 8           | Yes            |
   | natQuotaExceededEvent | 32          | Yes            |
   | configuredLimit       | 32          | Yes            |
   | sourceIPv4 address    | 32          | Yes for NAT44  |
   | sourceIPv6 address    | 128         | Yes for NAT64  |
   | natInstanceID         | 32          | No             |
   | vlanID/ingressVRFID   | 32          | No             |
   | internalAddressRealm  | OctetArray  | No             |
   +-----------------------+-------------+----------------+

    Table 15: Maximum fragments pending reassembly Exceeded event
                                template

4.6.8.  Threshold reached events

   This event will be generated when a NAT device reaches an operator
   configured threshold when allocating resources.
The threshold 754 reached events are described in the section above. The following is 755 a template of the individual events. 757 4.6.8.1. Address pool high or low threshold reached 759 This event is generated when the high or low threshold is reached for 760 the address pool. The template is the same for both high and low 761 threshold events 763 +-------------------+-------------+-----------+ 764 | Field Name | Size (bits) | Mandatory | 765 +-------------------+-------------+-----------+ 766 | timeStamp | 64 | Yes | 767 | natEvent | 8 | Yes | 768 | natThresholdEvent | 32 | Yes | 769 | natPoolID | 32 | Yes | 770 | configuredLimit | 32 | Yes | 771 | natInstanceID | 32 | No | 772 +-------------------+-------------+-----------+ 774 Table 16: Address pool high/low threshold reached event template 776 4.6.8.2. Address and port high threshold reached 778 This event is generated when the high threshold is reached for the 779 address pool and ports. 781 +-------------------+-------------+-----------+ 782 | Field Name | Size (bits) | Mandatory | 783 +-------------------+-------------+-----------+ 784 | timeStamp | 64 | Yes | 785 | natEvent | 8 | Yes | 786 | natThresholdEvent | 32 | Yes | 787 | configuredLimit | 32 | Yes | 788 | natInstanceID | 32 | No | 789 +-------------------+-------------+-----------+ 791 Table 17: Address port high threshold reached event template 793 4.6.8.3. Per-user Address and port high threshold reached 795 This event is generated when the high threshold is reached for the 796 per-user address pool and ports. 
   +---------------------+-------------+---------------+
   | Field Name          | Size (bits) | Mandatory     |
   +---------------------+-------------+---------------+
   | timeStamp           | 64          | Yes           |
   | natEvent            | 8           | Yes           |
   | natThresholdEvent   | 32          | Yes           |
   | configuredLimit     | 32          | Yes           |
   | sourceIPv4 address  | 32          | Yes for NAT44 |
   | sourceIPv6 address  | 128         | Yes for NAT64 |
   | natInstanceID       | 32          | No            |
   | vlanID/ingressVRFID | 32          | No            |
   +---------------------+-------------+---------------+

         Table 18: Per-user Address port high threshold reached event template

4.6.8.4. Global Address mapping high threshold reached

This event is generated when the high threshold is reached for the per-user address pool and ports. This is generated only by NAT devices that use a paired address pooling behavior.

   +---------------------+-------------+-----------+
   | Field Name          | Size (bits) | Mandatory |
   +---------------------+-------------+-----------+
   | timeStamp           | 64          | Yes       |
   | natEvent            | 8           | Yes       |
   | natThresholdEvent   | 32          | Yes       |
   | configuredLimit     | 32          | Yes       |
   | natInstanceID       | 32          | No        |
   | vlanID/ingressVRFID | 32          | No        |
   +---------------------+-------------+-----------+

         Table 19: Global Address mapping high threshold reached event template

4.6.9. Address binding create and delete events

These events will be generated when a NAT device binds a local address with a global address and when the global address is freed. A NAT device will generate the binding events when it receives the first packet of the first flow from a host in the private realm.
   +--------------------------------+-------------+---------------+
   | Field Name                     | Size (bits) | Mandatory     |
   +--------------------------------+-------------+---------------+
   | timeStamp                      | 64          | Yes           |
   | natEvent                       | 8           | Yes           |
   | sourceIPv4 address             | 32          | Yes for NAT44 |
   | sourceIPv6 address             | 128         | Yes for NAT64 |
   | Translated Source IPv4 Address | 32          | Yes           |
   | natInstanceID                  | 32          | No            |
   +--------------------------------+-------------+---------------+

         Table 20: NAT Address Binding template

4.6.10. Port block allocation and de-allocation

This event will be generated when a NAT device allocates/de-allocates ports in a bulk fashion, as opposed to allocating a port on a per-flow basis.

portRangeStart represents the starting value of the range.

portRangeEnd represents the ending value of the range.

NAT devices would do this in order to reduce logs and potentially to limit the number of connections a subscriber is allowed to use. In the following Port Block allocation template, the portRangeStart and portRangeEnd MUST be specified.

It is up to the implementation to choose to consolidate log records in case two consecutive port ranges for the same user are allocated or freed.

   +--------------------------------+-------------+---------------+
   | Field Name                     | Size (bits) | Mandatory     |
   +--------------------------------+-------------+---------------+
   | timeStamp                      | 64          | Yes           |
   | natEvent                       | 8           | Yes           |
   | sourceIPv4 address             | 32          | Yes for NAT44 |
   | sourceIPv6 address             | 128         | Yes for NAT64 |
   | Translated Source IPv4 Address | 32          | Yes           |
   | portRangeStart                 | 16          | Yes           |
   | portRangeEnd                   | 16          | No            |
   | natInstanceID                  | 32          | No            |
   +--------------------------------+-------------+---------------+

         Table 21: NAT Port Block Allocation event template

5. Management Considerations

This section considers requirements for management of the log system to support logging of the events described above. It first covers requirements applicable to log management in general. Any additional standardization required to fulfil these requirements is out of scope of the present document. Some management considerations are covered in [I-D.ietf-behave-syslog-nat-logging]. This document covers the additional considerations.

5.1. Ability to collect events from multiple NAT devices

An IPFIX collector MUST be able to collect events from multiple NAT devices and be able to decipher events based on the Observation Domain ID in the IPFIX header.

5.2. Ability to suppress events

The exhaustion events can be overwhelming during traffic bursts, and hence the NAT devices SHOULD rate limit them before sending them to the collectors. For example, when port exhaustion happens during bursty conditions, instead of sending a port exhaustion event for every packet, the exhaustion events SHOULD be rate limited by the NAT device.

6. Acknowledgements

Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadair, Jacni Qin, Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul Aitken, Julia Renouard, Spencer Dawkins and Brian Trammell for their review and comments.

7. IANA Considerations

7.1. Information Elements

IANA will register the following IEs in the IPFIX Information Elements registry at http://www.iana.org/assignments/ipfix/ipfix.xml.

7.1.1. natInstanceID

Name: natInstanceID

Description: This Information Element uniquely identifies an Instance of the NAT that runs on a NAT middlebox function after the packet passed the Observation Point. natInstanceID is defined in RFC 7659 [RFC7659].

Abstract Data Type: unsigned32

Data Type Semantics: identifier

Reference:

See RFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes.

7.1.2. internalAddressRealm

Name: internalAddressRealm

Description: This Information Element represents the internal address realm where the packet is originated from or destined to. By definition, a NAT mapping can be created from two address realms, one from internal and one from external. Realms are implementation dependent and can represent a VRF ID or a VLAN ID or some unique identifier. Realms are optional and, when left unspecified, would mean that the external and internal realms are the same.

Abstract Data Type: octetArray

Data Type Semantics: identifier

Reference:

See RFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes.

7.1.3. externalAddressRealm

Name: externalAddressRealm

Description: This Information Element represents the external address realm where the packet is originated from or destined to. The detailed definition is in the internal address realm as specified above.

Abstract Data Type: octetArray

Data Type Semantics: identifier

Reference:

See RFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes.

7.1.4. natQuotaExceededEvent

Values of this Information Element are defined in a registry maintained by IANA at http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA. New assignments of values will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.

Name: natQuotaExceededEvent

Description: This Information Element identifies the type of a NAT quota exceeded event. Values for this Information Element are listed in the NAT quota exceeded event type registry, see [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA]. Initial values in the registry are defined by the table below.

   +---------------------------------------+--------+
   | Quota Exceeded Event Name             | Values |
   +---------------------------------------+--------+
   | Maximum Session entries               | 1      |
   | Maximum BIB entries                   | 2      |
   | Maximum entries per user              | 3      |
   | Maximum active hosts or subscribers   | 4      |
   | Maximum fragments pending reassembly  | 5      |
   +---------------------------------------+--------+

         Table 22

Abstract Data Type: unsigned32

Data Type Semantics: identifier

Reference:

See RFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes.

7.1.5. natThresholdEvent

Values of this Information Element are defined in a registry maintained by IANA at http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA. New assignments of values will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.

Name: natThresholdEvent

Description: This Information Element identifies a type of a NAT threshold event. Values for this Information Element are listed in the NAT threshold event type registry, see http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA. Initial values in the registry are defined by the table below.
   +---------------------------------------------------------+--------+
   | Threshold Exceeded Event Name                           | Values |
   +---------------------------------------------------------+--------+
   | Address pool high threshold event                       | 1      |
   | Address pool low threshold event                        | 2      |
   | Address and port mapping high threshold event           | 3      |
   | Address and port mapping per user high threshold event  | 4      |
   | Global Address mapping high threshold event             | 5      |
   +---------------------------------------------------------+--------+

         Table 23

Abstract Data Type: unsigned32

Data Type Semantics: identifier

Reference:

See RFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes.

7.1.6. natEvent

The original definition of this Information Element specified only three values: 1, 2, and 3. This definition is replaced by a registry, to which new values can be added. The semantics of the three originally defined values remain unchanged. IANA maintains the registry for values of this Information Element at http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA. New assignments of values will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.

Name: natEvent

Description: This Information Element identifies the type of a NAT event. Examples of NAT events include, but are not limited to, creation or deletion of a NAT translation entry, a threshold reached or exceeded, etc. Values for this Information Element are listed in the NAT event type registry, see [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA]. The NAT Event values in the registry are defined by Table 2 in Section 5.3.

Abstract Data Type: unsigned8

Data Type Semantics: identifier

Element ID: 230

Reference:

See RFC 3022 [RFC3022] for the definition of NAT. See RFC 3234 [RFC3234] for the definition of middleboxes. See [thisRFC] for the definitions of values 4-16.

8. Security Considerations

The security considerations listed in detail for IPFIX in [RFC7011] apply to this draft as well. As described in [RFC7011], the messages exchanged between the NAT device and the collector MUST be protected to provide confidentiality, integrity and authenticity. Without those characteristics, the messages are subject to various kinds of attacks. These attacks are described in great detail in [RFC7011].

This document re-emphasizes the use of TLS or DTLS for exchanging the log messages between the NAT device and the collector. Log events sent in clear text can result in confidential data being exposed to attackers, who could then spoof log events based on the information in the clear text messages. Hence, the log events SHOULD NOT be sent in clear text.

The logging of NAT events can result in privacy concerns as a result of exporting information such as source address and port information. The logging of destination information can also cause privacy concerns, but it has been well documented in [RFC6888]. A NAT device can choose to operate in various logging modes if it wants to avoid logging of private information. The collector that receives the information can also choose to mask the private information but generate reports based on abstract data. It is outside the scope of this document to address the implementation of logging modes for privacy considerations.

9. References

9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007.

[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008.

[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011.

[RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, "Logging Recommendations for Internet-Facing Servers", BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013.

[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013.

[RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, "Definitions of Managed Objects for Network Address Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, October 2015.

9.2. Informative References

[I-D.ietf-behave-syslog-nat-logging] Chen, Z., Zhou, C., Tsou, T., and T. Taylor, "Syslog Format for NAT Logging", draft-ietf-behave-syslog-nat-logging-06 (work in progress), January 2014.

[IPFIX-IANA] IANA, "IPFIX Information Elements registry".

[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981.

[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999.

[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001.

[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008.

[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, DOI 10.17487/RFC5424, March 2009.

Authors' Addresses

Senthil Sivakumar
Cisco Systems
7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709
USA

Phone: +1 919 392 5158
Email: ssenthil@cisco.com

Renaldo Penno
Cisco Systems
170 W Tasman Drive
San Jose, California 95035
USA

Email: repenno@cisco.com
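The following shows how the Port Block Allocation template of Table 21 is framed on the wire as an IPFIX Template Set plus Data Set, and how a collector keeps templates per Observation Domain ID so that records from several NAT devices do not collide (Section 5.1). It is an added example for this page, not code from the draft or from any exporter or collector product; it assumes the IANA-registered IE IDs named in the comments (only natEvent's ID 230 appears in this document), takes 14 as the natEvent value for port block allocation (the authoritative value is Table 2 of the draft, not reproduced here), omits the optional natInstanceID whose ID is still TBD by IANA, and leaves the TLS/DTLS transport of Section 8 to the surrounding system.

```python
"""IPFIX (RFC 7011) encode/decode of the NAT Port Block Allocation template (Table 21).
Added example for this page; not code from the draft or from any exporter/collector."""
import struct

# IE IDs from the IANA IPFIX registry. Only natEvent (230) is quoted on this page; the others
# are the registered IDs for the named elements. The optional natInstanceID IE (ID TBD by IANA
# per Section 7.1.1) is omitted. observationTimeMilliseconds carries the 64-bit timeStamp.
IE_OBS_TIME_MS, IE_NAT_EVENT, IE_SRC_IPV4 = 323, 230, 8
IE_POST_NAT_SRC_IPV4, IE_PORT_RANGE_START, IE_PORT_RANGE_END = 225, 361, 362
NAT_EVENT_PORT_BLOCK_ALLOC = 14   # assumed value; the authoritative one is Table 2 of the draft
TEMPLATE_ID = 256                 # Template IDs for Data Sets MUST be >= 256 (RFC 7011)

# Table 21 field order as (IE ID, length in octets). Section 4.6.10 requires both range ends.
PORT_BLOCK_TEMPLATE = [(IE_OBS_TIME_MS, 8), (IE_NAT_EVENT, 1), (IE_SRC_IPV4, 4),
                       (IE_POST_NAT_SRC_IPV4, 4), (IE_PORT_RANGE_START, 2), (IE_PORT_RANGE_END, 2)]


def ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_message(odid, seq, export_time, records):
    """Exporter side: IPFIX header + Template Set (set ID 2) + one Data Set (set ID = template ID)."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(PORT_BLOCK_TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in PORT_BLOCK_TEMPLATE)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    data = b"".join(struct.pack("!QB", r["ts_ms"], NAT_EVENT_PORT_BLOCK_ALLOC) + ip4(r["src"])
                    + ip4(r["xlated"]) + struct.pack("!HH", r["start"], r["end"]) for r in records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = tmpl_set + data_set
    # Header: version 10, total length, export time, sequence number, Observation Domain ID.
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, odid) + body


def decode(ie, raw):
    """IPv4 address IEs are rendered dotted-quad; everything else as a big-endian unsigned int."""
    if ie in (IE_SRC_IPV4, IE_POST_NAT_SRC_IPV4):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class Collector:
    """Collector side. Templates are cached per (Observation Domain ID, Template ID): two NAT
    devices may both use template 256 with different layouts, so the ODID disambiguates them
    (Section 5.1). Enterprise-specific IEs (high bit set) are not handled in this example."""

    def __init__(self):
        self.templates = {}

    def parse(self, msg):
        version, length, _export_time, _seq, odid = struct.unpack("!HHIII", msg[:16])
        if version != 10 or length != len(msg):
            raise ValueError("not a well-formed IPFIX message")
        events, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4:
                raise ValueError("bad set length")     # would otherwise loop forever
            body, off = msg[off + 4:off + set_len], off + set_len
            if set_id == 2:                            # Template Set, possibly several templates
                while len(body) >= 4:
                    tid, count = struct.unpack("!HH", body[:4])
                    self.templates[(odid, tid)] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i])
                                                   for i in range(count)]
                    body = body[4 + 4 * count:]
            elif set_id >= 256:                        # Data Set
                fields = self.templates.get((odid, set_id))
                if not fields:                         # unknown (e.g. lost over UDP) or withdrawn
                    continue
                rec_len = sum(ln for _, ln in fields)
                while len(body) >= rec_len:            # a shorter tail is set padding
                    rec, pos = {"odid": odid}, 0
                    for ie, ln in fields:
                        rec[ie] = decode(ie, body[pos:pos + ln])
                        pos += ln
                    events.append(rec)
                    body = body[rec_len:]
        return events
```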