Behave
Internet Engineering Task Force (IETF)                      S. Sivakumar
Internet-Draft
Request for Comments: 8158                                      R. Penno
Intended status:
Category: Standards Track                                  Cisco Systems
Expires: July 13, 2017                                   January 9,
ISSN: 2070-1721                                            December 2017

           IPFIX

        IP Flow Information Export (IPFIX) Information Elements
                         for logging Logging NAT Events
                 draft-ietf-behave-ipfix-nat-logging-13

Abstract

   Network operators require NAT devices to log events like creation and
   deletion of translations and information about the resources that the
   NAT device is managing.  The  In many cases, the logs are essential in many cases to
   identify an attacker or a host that was used to launch malicious
   attacks and for various other purposes of accounting.  Since there is
   no standard way of logging this information, different NAT devices
   log the information using
   use proprietary formats and hence formats; hence, it is difficult to expect a consistent
   behavior.  The  This lack of a consistent
   way to log the data standardization makes it difficult to write
   the collector Collector applications that would receive this data and process
   it to present useful information.  This document describes the
   formats for logging
   of NAT events.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for a maximum publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of six months RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 13, 2017.
   https://www.rfc-editor.org/info/rfc8158.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info)
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Deployment  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Event based logging  Event-Based Logging . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  Logging of destination information Destination Information . . . . . . . . . . . . .   6
     4.2.  Information Elements  . . . . . . . . . . . . . . . . . .   6
     4.3.  Definition of NAT Events  . . . . . . . . . . . . . . . .   8  10
     4.4.  Quota exceeded Exceeded Event types Types  . . . . . . . . . . . . . . .   9  11
     4.5.  Threshold reached Reached Event types Types . . . . . . . . . . . . . .  10  12
     4.6.  Templates for NAT Events  . . . . . . . . . . . . . . . .  11  13
       4.6.1.  NAT44 create Session Create and delete session events Delete Events  . . . . . . .  11  13
       4.6.2.  NAT64 create Session Create and delete session events Delete Events  . . . . . . .  12  14
       4.6.3.  NAT44 BIB create Create and delete events Delete Events  . . . . . . . . .  13  15
       4.6.4.  NAT64 BIB create Create and delete events Delete Events  . . . . . . . . .  13  15
       4.6.5.  Addresses Exhausted event Event . . . . . . . . . . . . . .  14  16
       4.6.6.  Ports Exhausted event Event . . . . . . . . . . . . . . . .  14  16
       4.6.7.  Quota exceeded events Exceeded Events . . . . . . . . . . . . . . . .  15  17
         4.6.7.1.  Maximum session entries exceeded Session Entries Exceeded  . . . . . . . .  15  17
         4.6.7.2.  Maximum BIB entries exceeded Entries Exceeded  . . . . . . . . . .  15  17
         4.6.7.3.  Maximum entries Entries per user exceeded User Exceeded . . . . . . . .  15  17
         4.6.7.4.  Maximum active host Active Hosts or subscribers exceeded . Subscribers Exceeded  . .  16  18
         4.6.7.5.  Maximum fragments pending reassembly exceeded Fragments Pending Reassembly Exceeded . .  16  18
       4.6.8.  Threshold reached events Reached Events  . . . . . . . . . . . . . .  17  19
         4.6.8.1.  Address pool high Pool High or low threshold reached Low Threshold Reached  . . .  17  19
         4.6.8.2.  Address and port high threshold reached Port Mapping High Threshold Reached .  20
         4.6.8.3.  Address and Port Mapping per User High Threshold
                   Reached . . . .  17
         4.6.8.3.  Per-user Address and port high threshold reached   18 . . . . . . . . . . . . . . . . .  20
         4.6.8.4.  Global Address mapping high threshold reached Mapping High Threshold Reached . .  18  21
       4.6.9.  Address binding create Binding Create and delete events Delete Events  . . . . . .  19  21
       4.6.10. Port block allocation Block Allocation and de-allocation De-allocation . . . . . . .  19  21
   5.  Management Considerations . . . . . . . . . . . . . . . . . .  20  22
     5.1.  Ability to collect events Collect Events from multiple Multiple NAT devices Devices . . .  20  22
     5.2.  Ability to suppress events Suppress Events  . . . . . . . . . . . . . . .  20  22
   6.  Acknowledgements  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  23
     6.1.  Information Elements  .  21
   7.  IANA Considerations . . . . . . . . . . . . . . . . .  23
       6.1.1.  natInstanceID . . . .  21
     7.1.  Information Elements . . . . . . . . . . . . . . . .  23
       6.1.2.  internalAddressRealm  . .  21
       7.1.1.  natInstanceID . . . . . . . . . . . . . .  23
       6.1.3.  externalAddressRealm  . . . . . .  21
       7.1.2.  internalAddressRealm . . . . . . . . . .  24
       6.1.4.  natQuotaExceededEvent . . . . . .  21
       7.1.3.  externalAddressRealm . . . . . . . . . .  24
       6.1.5.  natThresholdEvent . . . . . .  22
       7.1.4.  natQuotaExceededEvent . . . . . . . . . . . .  25
       6.1.6.  natEvent  . . . .  22
       7.1.5.  natThresholdEvent . . . . . . . . . . . . . . . . . .  23
       7.1.6.  natEvent  26
       6.1.7.  maxSessionEntries . . . . . . . . . . . . . . . . . .  26
       6.1.8.  maxBIBEntries . . . .  24
   8.  Security Considerations . . . . . . . . . . . . . . . .  27
       6.1.9.  maxEntriesPerUser . . .  25
   9.  References . . . . . . . . . . . . . . .  27
       6.1.10. maxSubscribers  . . . . . . . . . .  25
     9.1.  Normative References . . . . . . . . .  27
       6.1.11. maxFragmentsPendingReassembly . . . . . . . . .  25
     9.2.  Informative . . .  28
       6.1.12. addressPoolHighThreshold  . . . . . . . . . . . . . .  28
       6.1.13. addressPoolLowThreshold . . . . . . . . . . . . . . .  28
       6.1.14. addressPortMappingHighThreshold . . . . . . . . . . .  29
       6.1.15. addressPortMappingLowThreshold  . . . . . . . . . . .  29
       6.1.16. addressPortMappingPerUserHighThreshold  . . . . . . .  29
       6.1.17. globalAddressMappingHighThreshold . . . . . . . . . .  30
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  30
   8.  References  . . . . . . . . . . . . . . . . .  26
   Authors' Addresses . . . . . . . .  31
     8.1.  Normative References  . . . . . . . . . . . . . . .  27

1.  Introduction

   The IPFIX Protocol [RFC7011] defines a generic push mechanism for
   exporting information and events.  The IPFIX Information Model
   [IPFIX-IANA] defines a set . . .  31
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  32
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  32
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  33

1.  Introduction

   The IP Flow Information Export (IPFIX) Protocol [RFC7011] defines a
   generic push mechanism for exporting information and events.  The
   IPFIX Information Model [IPFIX-IANA] defines a set of standard IEs which
   Information Elements (IEs) that can be carried by the IPFIX protocol.
   This document details the IPFIX Information
   Elements(IEs) IEs that MUST be logged by a NAT
   device that supports NAT logging using IPFIX, IPFIX and all the optional
   fields.  The fields specified in this document are gleaned from
   [RFC4787] and [RFC5382].

   This document and [I-D.ietf-behave-syslog-nat-logging] [NAT-LOG] are written in order to standardize the
   events and parameters to be recorded, recorded using IPFIX [RFC7011] and SYSLOG [RFC5424]respectively.  The intent is to
   provide a consistent way to log information irrespective of the
   mechanism that is used.
   [RFC5424], respectively.  This document uses IPFIX as the encoding
   mechanism to describe the logging of NAT events.  However, the
   information that is logged should be the same irrespective of what
   kind of encoding scheme is used.  IPFIX is chosen because is it is an
   IETF standard that meets all the needs for a reliable logging
   mechanism.  IPFIX provides the flexibility to the logging device to
   define the data sets datasets that it is logging.  The IEs specified for
   logging must be the same irrespective of the encoding mechanism used.

1.1.  Terminology

   The usage of the term "NAT device" in this document refer refers to any NAT44 and or NAT64 devices.
   device.  The usage of the term "collector" "Collector" refers to any device that receives the
   binary data from a NAT device and converts that it into meaningful
   information.  This document uses the term "Session" "session" as it is defined in [RFC2663]
   [RFC2663], and the term Binding "Binding Information Base Base" (BIB) as it is defined
   in [RFC6146].  The usage of
   the term Information Element (IE) "Information Element" or "IE" is defined in
   [RFC7011].  The term
   Carrier Grade NAT "Carrier-Grade NAT" refers to a large scale large-scale NAT
   device as described in [RFC6888]

   The IPFIX Information Elements IEs that are NAT specific are created with NAT terminology.
   In order to avoid creating duplicate IEs, duplicates, IEs are reused if they convey
   the same meaning.  This document uses the term
   timestamp "timestamp" for the Information element
   IE, which defines the time when an event is logged, logged; this is the same
   as the IPFIX term
   observationTimeMilliseconds "observationTimeMilliseconds" as described in
   [IPFIX-IANA].  Since observationTimeMilliseconds is not self self-
   explanatory for NAT implementors, this document uses the term timeStamp.  This document
   refers to event "timeStamp" is used.
   Event templates, that refers which refer to IPFIX template records.
   This document refers to Template Records, as well as
   log events that refers events, which refer to IPFIX Flow records. Records, are also used in this
   document.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Scope

   This document provides the information model to be used for logging
   the NAT events events, including Carrier Grade Carrier-Grade NAT (CGN) events.  [RFC7011]
   provides guidance on the choices of the transport protocols used for
   IPFIX and their effects.  This document does not provide guidance on
   the
   transport protocol protocols like TCP, UDP UDP, or SCTP that is Stream Control Transmission
   Protocol (SCTP), which are to be used to log NAT events.  The logs
   SHOULD be reliably sent to the collector Collector to ensure that the log
   events are not lost.  The choice of the actual transport protocol is
   beyond the scope of this document.

   The existing IANA IPFIX IEs registry [IPFIX-IANA] already has
   assignments for most of the NAT logging events.

   This document uses the allocated IPFIX IEs and will request IANA for the ones that are
   defined in this document but not yet allocated. the IANA "IPFIX
   Information Elements" registry [IPFIX-IANA] and registers some new
   ones.

   This document assumes that the NAT device will use the existing IPFIX
   framework to send the log events to the collector. Collector.  This would mean
   that the NAT device will specify the template that it is going to use
   for each of the events.  The templates can be of varying length length, and
   there could be multiple templates that a NAT device could use to log
   the events.

   The implementation details of the collector Collector application is are beyond
   the scope of this document.

   The optimization of logging the NAT events is left to the
   implementation and is beyond the scope of this document.

3.  Deployment

   NAT logging based on IPFIX uses binary encoding and hence encoding; hence, it is very
   efficient.  IPFIX based  IPFIX-based logging is recommended for environments where
   a high volume of logging is required, for example, where per-flow
   logging is needed or in case of Carrier Grade Carrier-Grade NAT.  However, IPFIX IPFIX-
   based logging requires a collector Collector that processes the binary data and
   requires a network management application that converts this binary
   data to a human readable human-readable format.

   A collector Collector may receive NAT events from multiple CGN devices.  The
   collector
   Collector distinguishes between the devices using the source IP
   address, source port, and Observation Domain ID in the IPFIX header.
   The collector Collector can decide to store the information based on the
   administrative policies that are inline in line with the operator and the
   local juridiction. jurisdiction.  The retention policy is not dictated by the
   exporter
   Exporter and is left to the policies that are defined at the
   collector.
   Collector.

   A collector Collector may have scale issues if it is overloaded by a large
   number of simultaneous events.  An appropriate throttling mechanism
   may be used to handle the oversubscription.

   The logs that are exported can be used for a variety of reasons.  An
   example use case is to do accounting based on when the users logged
   on and off.  The translation will be installed when the user logs on
   and removed when the user logs off.  These events create log records.
   Another use case is to identify an attacker or a host in a provider
   network.  The network administrators can use these logs to identify
   the usage patterns, the need for additional IP addresses addresses, and etc.
   The deployment of NAT logging is not limited to just these cases.

4.  Event based logging  Event-Based Logging

   An event in a NAT device can be viewed as a state transition as because
   it relates to the management of NAT resources.  The creation and
   deletion of NAT sessions and bindings are examples of events events, as they
   result in resources (addresses and ports) being allocated or freed.
   The events can happen through the processing of data packets flowing
   through the NAT device or device, through an external entity installing
   policies on the NAT router router, or as a result of an asynchronous event
   like a timer.  The list of events are is provided in Table 2.  Each of
   these events SHOULD be logged, unless they are this is administratively
   prohibited.  A NAT device MAY log these events to multiple collectors Collectors
   if redundancy is required.  The network administrator will specify
   the collectors Collectors to which the log records are to be sent.  It is
   necessary to preserve the list of collectors Collectors and its associated
   information like the IPv4/IPv6 address, port port, and protocol across
   reboots so that the configuration information is not lost when the
   device is restarted.  The NAT device implementing the IPFIX logging
   MUST follow the IPFIX specs as specified specification in RFC 7011. [RFC7011].

4.1.  Logging of destination information Destination Information

   Logging of destination information in a NAT event has been is discussed in
   [RFC6302] and [RFC6888].  Logging of destination information increases
   the size of each record and increases the need for storage
   considerably.  It increases the number of log events generated
   because when the same user connects to a different destination, it
   results in a log record per destination address.  Logging of the source
   and destination addresses result results in loss of privacy.  Logging of
   destination addresses and ports, pre pre- or post NAT, post-NAT, SHOULD NOT be done
   [RFC6888].  However, this draft document provides the necessary fields to
   log the destination information in cases where they must be logged.

4.2.  Information Elements

   The templates could contain a subset of the IEs shown in Table 1 1,
   depending upon the event being logged.  For example example, a NAT44 session
   creation template record will contain,

   {sourceIPv4Adress, contain:

   {sourceIPv4Address, postNATSourceIPv4Address, destinationIpv4Address, destinationIPv4Address,
   postNATDestinationIPv4Address, sourceTransportPort,
   postNAPTSourceTransportPort, destinationTransportPort,
   postNAPTDestTransportPort,
   postNAPTDestinationTransportPort, internalAddressRealm, natEvent,
   timeStamp}

   An example of the actual event data record is shown below - in a
   human human-
   readable form form:

   {192.0.2.1, 203.0.113.100, 192.0.2.104, 192.0.2.104, 14800, 1024, 80,
   80, 0, 1, 09:20:10:789}

   A single NAT device could be exporting multiple templates templates, and the
   collector
   Collector MUST support receiving multiple templates from the same
   source.

   The following is the table of includes all the IEs that a NAT device would need
   to export the events.  The formats of the IEs and the IPFIX IDs are listed below.  Some
   listed.  Detailed descriptions of the IPFIX IEs are not yet assigned.  The
   detailed description of these fields that are requested natInstanceID,
   internalAddressRealm, externalAddressRealm, natQuotaExceededEvent,
   and natThresholdEvent are included in the IANA considerations Considerations
   section.

   +--------------------------------+------------+-------+-------------+

   +----------------------------------+----------+-------+-------------+
   | Field Name                       |   Size   |  IANA | Description |
   |                                  |  (bits)  | IPFIX |             |
   |                                  |          |   ID  |             |
   +--------------------------------+------------+-------+-------------+
   +----------------------------------+----------+-------+-------------+
   | timeStamp                        |    64    |  323  | System Time |
   |                                  |          |       | when the    |
   |                                  |          |       | event       |
   |                                  |          |       |   occured. occurred    |
   |         natInstanceId                                  |          |       |             |
   | natInstanceID                    |    32    |   TBD  463  | NAT         |
   |                                  |          |       | Instance    |
   |                                  |          |       | Identifier  |
   |             vlanID                                  |          |       |             |
   | vlanId                           |    16    |   58  | VLAN ID in  |
   |                                  |          |       | case of     |
   |                                  |          |       | overlapping |
   |                                  |          |       | networks    |
   |                                  |          |       |             |
   | ingressVRFID                     |    32    |  234  | VRF ID in   |
   |                                  |          |       | case of     |
   |                                  |          |       | overlapping |
   |                                  |          |       | networks    |
   |                                  |          |       |             |
   | sourceIPv4Address                |    32    |   8   | Source IPv4 |
   |                                  |          |       | Address     |
   |                                  |          |       |             |
   | postNATSourceIPv4Address         |    32    |  225  | Translated  |
   |                                  |          |       | Source IPv4 |
   |                                  |          |       | Address     |
   |                                  |          |       |             |
   | protocolIdentifier               |    8     |   4   | Transport   |
   |                                  |          |       | protocol    |
   |                                  |          |       |             |
   | sourceTransportPort              |    16    |   7   | Source Port |
   |  postNAPTsourceTransportPort                                  |          |       |             |
   | postNAPTSourceTransportPort      |    16    |  227  | Translated  |
   |                                  |          |       | Source port |
   |                                  |          |       |             |
   | destinationIPv4Address           |    32    |   12  | Destination |
   |                                  |          |       | IPv4        |
   |                                  |          |       | Address     |
   |                                  |          |       |             |
   | postNATDestinationIPv4Address    |    32    |  226  | Translated  |
   |                                  |          |       | IPv4        |
   |                                  |          |       | destination |
   |                                  |          |       | address     |
   |                                  |          |       |             |
   | destinationTransportPort         |    16    |   11  | Destination |
   |                                  |          |       | port        |
   | postNAPTdestinationTransportPo                                  |          |       |             |
   | postNAPTDestinationTransportPort |    16    |  228  | Translated  |
   |               rt                                  |          |       | Destination |
   |                                  |          |       | port        |
   |                                  |          |       |             |
   | sourceIPv6Address                |   128    |   27  | Source IPv6 |
   |                                  |          |       | address     |
   |                                  |          |       |             |
   | destinationIPv6Address           |   128    |   28  | Destination |
   |                                  |          |       | IPv6        |
   |                                  |          |       | address     |
   |                                  |          |       |             |
   | postNATSourceIPv6Address         |   128    |  281  | Translated  |
   |                                  |          |       | source IPv6 |
   |                                  |          |       |   addresss address     |
   |                                  |          |       |             |
   | postNATDestinationIPv6Address    |   128    |  282  | Translated  |
   |                                  |          |       | Destination |
   |                                  |          |       | IPv6        |
   |                                  |          |       | address     |
   |                                  |          |       |             |
   | internalAddressRealm             | OctetArray octetArr |   TBD  464  | Source      |
   |                                  |    ay    |       | Address     |
   |                                  |          |       | Realm       |
   |                                  |          |       |             |
   | externalAddressRealm             | OctetArray octetArr |   TBD  465  | Destination |
   |                                  |    ay    |       | Address     |
   |                                  |          |       | Realm       |
   |                                  |          |       |             |
   | natEvent                         |    8     |  230  | Type of     |
   |                                  |          |       | Event       |
   |                                  |          |       |             |
   | portRangeStart                   |    16    |  361  | Allocated   |
   |                                  |          |       | port block  |
   |                                  |          |       | start       |
   |                                  |          |       |             |
   | portRangeEnd                     |    16    |  362  | Allocated   |
   |                                  |          |       | Port block  |
   |                                  |          |       | end         |
   |           natPoolID                                  |          |       |             |
   | natPoolId                        |    32    |  283  | NAT pool    |
   |                                  |          |       | Identifier  |
   |                                  |          |       |             |
   | natQuotaExceededEvent            |    32    |   TBD  466  | Limit event |
   |                                  |          |       | identifier  |
   |                                  |          |       |             |
   | natThresholdEvent                |    32    |   TBD  467  | Threshold   |
   |                                  |          |       | event       |
   |                                  |          |       | identifier  |
   +--------------------------------+------------+-------+-------------+

                      Table 1: Template format Table

4.3.  Definition of NAT Events

   The following is the complete list of NAT events and the proposed
   event type values.  The natEvent IE is defined in the IPFIX IANA
   registry in http://www.iana.org/assignments/ipfix/ipfix.xml.  The
   list can be expanded in the future as necessary.  The data record
   will have the corresponding natEvent value to indicate the event that
   is being logged.

   Note that the first two events are marked historic.  These values
   were defined prior to the existence of this draft and outside the
   IETF working group.  These events are not standalone and require more
   information need to be conveyed to qualify the event.  For example,
   the NAT Translation create event does not specify if it is a NAT44 or
   NAT64.  As a result the Behave WG decided to have explicit definition
   for each one of the unique events.  The historic events are listed
   here for the purpose of completeness and are already defined in the
   IPFIX IANA registry.  Any compliant implementation SHOULD NOT
   implement the events that are marked historic.

             +-------------------------------------+--------+
   |              Event Name                                  | Values          |
             +-------------------------------------+--------+       |  NAT Translation create (Historic)             |      1
   | maxSessionEntries                |  NAT Translation Delete (Historic)    32    |      2  471  | Maximum     |       NAT Addresses exhausted
   |      3                                  |          |         NAT44 Session create       |      4 session     |
   |         NAT44 Session delete                                  |      5          |       |         NAT64 Session create entries     |      6
   |                                  |         NAT64 Session delete          |      7       |             |           NAT44 BIB create
   |      8 maxBIBEntries                    |    32    |           NAT44 BIB delete  472  |      9 Maximum     |
   |           NAT64 BIB create                                  |     10          |       |           NAT64 BIB delete bind        |     11
   |                                  |         NAT ports exhausted          |     12       | entries     |            Quota exceeded
   |     13                                  |          |        Address binding create       |     14             |
   |        Address binding delete maxEntriesPerUser                |     15    32    |  473  |        Port block allocation Maximum     |     16
   |                                  |       Port block de-allocation          |     17       | entries     |          Threshold reached
   |     18                                  |
             +-------------------------------------+--------+

                        Table 2: NAT Event ID table

4.4.  Quota exceeded Event types

   The Quota Exceeded event is a natEvent IE described in Table 2.  The
   Quota exceeded events are generated when the hard limits set by the
   administrator has been reached or exceeded.  The following table
   shows the sub event types for the Quota exceeded or limits reached
   event.  The events that can be reported are the Maximum session
   entries limit reached, Maximum BIB entries limit reached, Maximum
   (session/BIB) entries per user limit reached, Maximum active hosts
   limit reached or maximum subscribers limit reached and Maximum
   Fragments pending reassembly limit reached.

            +---------------------------------------+--------+          |       Quota Exceeded Event Name       | Values per-user    |
            +---------------------------------------+--------+
   |        Maximum Session entries                                  |      1          |       |          Maximum BIB entries             |      2
   | maxSubscribers                   |    32    |  474  | Maximum entries per user     |      3
   |                                  |  Maximum active hosts or          |       | subscribers |      4
   |                                  |          |       |             |
   | maxFragmentsPendingReassembly    |    32    |  475  | Maximum     |
   |                                  |          |       | fragments pending reassembly   |      5
   |
            +---------------------------------------+--------+

                    Table 3: Quota Exceeded event table

4.5.  Threshold reached Event types

   The following table shows the sub event types                                  |          |       | for the threshold
   reached event.  The administrator can configure the thresholds and
   whenever the threshold is reached or exceeded, the corresponding
   events are generated.  The main difference between Quota Exceeded and
   the Threshold reached events is that, once the Quota exceeded events
   are hit, the packets are dropped or mappings wont be created etc,
   whereas, the         |
   |                                  |          |       | ressembly   |
   |                                  |          |       |             |
   | addressPoolHighThreshold         |    32    |  476  | High        |
   |                                  |          |       | threshold reached events will provide the operator a
   chance to take action before the traffic disruptions can happen.  A
   NAT device can choose to implement one or the other or both.

   The   |
   |                                  |          |       | for address |
   |                                  |          |       | pool high        |
   |                                  |          |       |             |
   | addressPoolLowThreshold          |    32    |  477  | Low         |
   |                                  |          |       | threshold event will be reported when the   |
   |                                  |          |       | for address |
   |                                  |          |       | pool reaches a high water mark as defined by the operator.
   This will serve as an indication that the operator might have to add
   more addresses to the pool or an indication that the subsequent users
   may be denied NAT translation mappings.

   The address pool low threshold event will be reported when the
   address pool reaches a low water mark as defined by the operator.
   This will serve as an indication that the operator can reclaim some
   of the global IPv4 addresses in the pool.

   The address and port mapping high threshold event is generated, when
   the number of ports in the configured address pool has reached a
   configured threshold.

   The per-user address and port mapping high threshold is generated
   when a single user uses more address and port mapping than a
   configured threshold.  We don't track the low threshold for per-user
   address and port mappings, because as the ports are freed, the
   address will become available.  The address pool low threhold event
   will then be triggered so that the IPv4 global address can be
   reclaimed.

   The Global address mapping high        |
   |                                  |          |       |             |
   | addressPortMappingHighThreshold  |    32    |  478  | High        |
   |                                  |          |       | threshold event is generated when the
   maximum mappings per-user is reached   |
   |                                  |          |       | for a NAT device doing paired address pooling.

   +---------------------------------------------------------+--------+ |              Threshold Exceeded Event Name
   | Values                                  |
   +---------------------------------------------------------+--------+          |            Address pool high threshold event       |      1 /port       |
   |             Address pool low threshold event                                  |      2          |       |      Address and port mapping high threshold event     |      3
   |                                  |  Address and port mapping per user high threshold event          |      4       |             |       Global Address mapping high
   | addressPortMappingLowThreshold   |    32    |  479  | Low         |
   |                                  |          |       | threshold event   |      5
   |
   +---------------------------------------------------------+--------+

                      Table 4: Threshold event table

4.6.  Templates                                  |          |       | for NAT Events

   The following is the template of events that will be logged.  The
   events below are identified at the time of this writing but the set
   of events is extensible.  A NAT device that implements a given NAT
   event MUST support the mandatory IE's in the templates.  Depending on
   the implementation and configuration various IEs that are not
   mandatory can be included or ignored.

4.6.1.  NAT44 create and delete session events

   These events will be generated when a NAT44 session is created or
   deleted.  The template will be the same, the natEvent will indicate
   whether it is a create or a delete event.  The following is a
   template of the event.

   The destination address and port information is optional as required
   by [RFC6888].  However, when the destination information is
   suppressed, the session log event contains the same information as
   the BIB event.  In such cases, the NAT device SHOULD NOT send both
   BIB and session events.

      +----------------------------------+-------------+-----------+ |            Field Name
   | Size (bits)                                  | Mandatory          |
      +----------------------------------+-------------+-----------+       |            timeStamp /port       |          64
   |    Yes                                  |          |             natEvent       |           8 mapping     |    Yes
   |                                  |        sourceIPv4Address          |          32       |    Yes             |
   |     postNATSourceIPv4Address addressPortMappingPerUserHighThr |    32    |    Yes    |  480  |        protocolIdentifier High        |           8
   |    Yes eshold                           |          |       sourceTransportPort       |          16 threshold   |    Yes
   |                                  |   postNAPTsourceTransportPort          |          16       |    Yes for per-    |
   |      destinationIPv4Address                                  |          32          |     No       | user addres |  postNATDestinationIPv4Address
   |          32                                  |     No          |       |     destinationTransportPort s/port      |          16
   |     No                                  |          | postNAPTdestinationTransportPort       |          16 mapping     |     No
   |                                  |          natInstanceID          |          32       |     No             |
   |       vlanID/ingressVRFID globalAddressMappingHighThreshol |    32    |     No  481  | High        |       internalAddressRealm
   |  OctetArray d                                |     No          |       |       externalAddressRealm threshold   |  OctetArray
   |     No                                  |
      +----------------------------------+-------------+-----------+

               Table 5: NAT44 Session delete/create template

4.6.2.  NAT64 create and delete session events

   These events will be generated when a NAT64 session is created or
   deleted.  The following is a template of the event.

      +----------------------------------+-------------+-----------+          |            Field Name       | Size (bits) for global  | Mandatory
   |
      +----------------------------------+-------------+-----------+                                  |            timeStamp          |          64       |    Yes address     |
   |             natEvent                                  |           8          |    Yes       | mapping     |        sourceIPv6Address
   +----------------------------------+----------+-------+-------------+

                           Table 1: NAT IE List

4.3.  Definition of NAT Events

   The following is the complete list of NAT events and the proposed
   event type values.  The natEvent IE is defined in the "IPFIX
   Information Elements" registry [IPFIX-IANA];.  The list can be
   expanded in the future as necessary.  The data record will have the
   corresponding natEvent value to indicate the event that is being
   logged.

   Note that the first two events are marked "Historic" and are listed
   here for the sole purpose of completeness.  Any compliant
   implementation SHOULD NOT use the events that are marked "Historic".
   These values were defined prior to the existence of this document and
   outside the IETF.  These events are not standalone and require more
   information to be conveyed to qualify the event.  For example, the
   NAT translation create event does not specify if it is NAT44 or
   NAT64.  As a result, the Behave working group decided to have an
   explicit definition for each one of the unique events.

              +-------+------------------------------------+
              |         128 Value |    Yes Event Name                         |
              +-------+------------------------------------+
              |     postNATSourceIPv4Address 0     |          32 Reserved                           |    Yes
              | 1     |        protocolIdentifier NAT translation create (Historic)  |           8
              |    Yes 2     | NAT translation delete (Historic)  |       sourceTransportPort
              |          16 3     |    Yes NAT Addresses exhausted            |
              |   postNAPTsourceTransportPort 4     |          16 NAT44 session create               |    Yes
              | 5     |      destinationIPv6Address NAT44 session delete               |         128
              |     No 6     | NAT64 session create               |  postNATDestinationIPv4Address
              |          32 7     |     No NAT64 session delete               |
              |     destinationTransportPort 8     |          16 NAT44 BIB create                   |     No
              | 9     | postNAPTdestinationTransportPort NAT44 BIB delete                   |          16
              |     No 10    | NAT64 BIB create                   |          natInstanceID
              |          32 11    |     No NAT64 BIB delete                   |
              |       vlanID/ingressVRFID 12    |          32 NAT ports exhausted                |     No
              | 13    |       internalAddressRealm Quota Exceeded                     |  OctetArray
              |     No 14    | Address binding create             |       externalAddressRealm
              |  OctetArray 15    |     No    |
      +----------------------------------+-------------+-----------+

            Table 6: NAT64 session create/delete event template

4.6.3.  NAT44 BIB create and delete events

   These events will be generated when a NAT44 Bind entry is created or
   deleted.  The following is a template of the event.

         +-----------------------------+-------------+-----------+
         |          Field Name         | Size (bits) | Mandatory |
         +-----------------------------+-------------+-----------+
         |          timeStamp          |          64 |    Yes    |
         |           natEvent          |           8 |    Yes    |
         |      sourceIPv4Address      |          32 |    Yes    |
         |   postNATSourceIPv4Address  |          32 |    Yes    |
         |      protocolIdentifier     |           8 |     No Address binding delete             |
              |     sourceTransportPort     |          16 |     No    |
         | postNAPTsourceTransportPort | 16    |     No    |
         |        natInstanceID        |          32 |     No    |
         |     vlanID/ingressVRFID     |          32 |     No    |
         |     internalAddressRealm Port block allocation              |  OctetArray
              |     No 17    | Port block de-allocation           |     externalAddressRealm
              |  OctetArray 18    |     No Threshold Reached                  |
         +-----------------------------+-------------+-----------+
              +-------+------------------------------------+

                           Table 7: NAT44 BIB create/delete 2: NAT Event ID

4.4.  Quota Exceeded Event Types

   The Quota Exceeded event template

4.6.4.  NAT64 BIB create and delete events

   These is a natEvent IE described in Table 2.  The
   Quota Exceeded events will be are generated when a NAT64 Bind entry is created the hard limits set by the
   administrator have been reached or
   deleted. exceeded.  The following is a template of table
   shows the sub-event types for the Quota Exceeded event.

         +-----------------------------+-------------+-----------+  The events
   that can be reported are the maximum session entries limit reached,
   maximum BIB entries limit reached, maximum (session/BIB) entries per
   user limit reached, maximum active hosts or subscribers limit
   reached, and maximum Fragments pending reassembly limit reached.

             +-------+---------------------------------------+
             |          Field Value | Quota Exceeded Event Name             | Size (bits)
             +-------+---------------------------------------+
             | Mandatory 0     |
         +-----------------------------+-------------+-----------+ Reserved                              |          timeStamp
             |          64 1     |    Yes Maximum session entries               |
             |           natEvent 2     |           8 Maximum BIB entries                   |    Yes
             | 3     |      sourceIPv6Address Maximum entries per user              |         128
             |    Yes    |
         |   postNATSourceIPv4Address  |          32 |    Yes    |
         |      protocolIdentifier     |           8 |     No    |
         |     sourceTransportPort     |          16 |     No    |
         | postNAPTsourceTransportPort |          16 |     No    |
         |        natInstanceID        |          32 |     No    |
         |     vlanID/ingressVRFID     |          32 |     No    |
         |     internalAddressRealm    |  OctetArray |     No 4     | Maximum active hosts or subscribers   |     externalAddressRealm
             |  OctetArray 5     |     No Maximum fragments pending reassembly  |
         +-----------------------------+-------------+-----------+
             +-------+---------------------------------------+

                       Table 8: NAT64 BIB create/delete event template

4.6.5.  Addresses Exhausted event

   This event 3: Quota Exceeded Event

4.5.  Threshold Reached Event Types

   The following table shows the sub-event types for the Threshold
   Reached event.  The administrator can configure the thresholds, and
   whenever the threshold is reached or exceeded, the corresponding
   events are generated.  The main difference between the Quota Exceeded
   and Threshold Reached events is that, once the Quota Exceeded events
   are hit, the packets are dropped or mappings will not be generated when a NAT device runs out of global
   IPv4 addresses in created,
   whereas the Threshold Reached events will provide the operator a given pool of addresses.  Typically, this event
   would mean that
   chance to take action before the traffic disruptions can happen.  A
   NAT device won't be able can choose to create any new
   translations until some addresses/ports are freed.  This implement one or the other, or both.

   The address pool high threshold event SHOULD will be rate limited as many packets hitting reported when the device at
   address pool reaches a high-water mark as defined by the same time operator.
   This will trigger a burst of serve as an indication that either the operator might have
   to add more addresses exhausted events.

   The following is a template of to the event.

                +---------------+-------------+-----------+
                |   Field Name  | Size (bits) | Mandatory |
                +---------------+-------------+-----------+
                |   timeStamp   |          64 |    Yes    |
                |    natEvent   |           8 |    Yes    |
                |   natPoolID   |          32 |    Yes    |
                | natInstanceID |          32 |     No    |
                +---------------+-------------+-----------+

                 Table 9: Address Exhausted event template

4.6.6.  Ports Exhausted event

   This pool or the subsequent users may be
   denied NAT translation mappings.

   The address pool low threshold event will be generated reported when the
   address pool reaches a NAT device runs out low-water mark as defined by the operator.
   This will serve as an indication that the operator can reclaim some
   of ports for
   a the global IPv4 address.  Port exhaustion shall be reported per
   protocol (UDP, TCP etc).  This addresses in the pool.

   The address and port mapping high threshold event SHOULD be rate limited as many
   packets hitting is generated when
   the device at number of ports in the same time will trigger configured address pool has reached a burst of
   port exhausted events.
   configured threshold.

   The following per-user address and port mapping high threshold is generated
   when a template of single user utilizes more address and port mapping than a
   configured threshold.  We don't track the event.

          +--------------------------+-------------+-----------+ low threshold for per-user
   address and port mappings because, as the ports are freed, the
   address will become available.  The address pool low threshold event
   will then be triggered so that the global IPv4 address can be
   reclaimed.

   The global address mapping high threshold event is generated when the
   maximum number of mappings per user is reached for a NAT device doing
   paired-address pooling.

    +-------+---------------------------------------------------------+
    |        Field Name Value | Size (bits) Threshold Exceeded Event Name                           | Mandatory
    +-------+---------------------------------------------------------+
    |
          +--------------------------+-------------+-----------+ 0     |        timeStamp Reserved                                                |          64
    |    Yes 1     | Address pool high threshold event                       |         natEvent
    |           8 2     |    Yes    |
          | postNATSourceIPv4Address |          32 Address pool low threshold event                        |    Yes
    | 3     |    protocolIdentifier Address and port mapping high threshold event           |           8
    |    Yes 4     | Address and port mapping per user high threshold event  |      natInstanceID
    |          32 5     |     No Global address mapping high threshold event             |
          +--------------------------+-------------+-----------+
    +-------+---------------------------------------------------------+

                         Table 10: Ports Exhausted event 4: Threshold Event

4.6.  Templates for NAT Events

   The following is the template

4.6.7.  Quota exceeded of events

   This event that will be generated when a logged.  The
   events below are identified at the time of this writing, but the set
   of events is extensible.  A NAT device cannot allocate
   resources as that implements a result of an administratively defined policy.  The
   quota exceeded given NAT
   event templates MUST support the mandatory IEs in the templates.  Depending on
   the implementation and configuration, various IEs that are described below.

4.6.7.1.  Maximum session entries exceeded

   The maximum session entries exceeded event is not
   mandatory can be included or ignored.

4.6.1.  NAT44 Session Create and Delete Events

   These events will be generated when the
   administratively configured NAT a NAT44 session limit is reached. created or
   deleted.  The template will be the same; the natEvent will indicate
   whether it is a create or a delete event.  The following is the a
   template of the event.

            +-----------------------+-------------+-----------+

   The destination address and port information is optional as required
   by [RFC6888].  However, when the destination information is
   suppressed, the session log event contains the same information as
   the BIB event.  In such cases, the NAT device SHOULD NOT send both
   BIB and session events.

      +----------------------------------+-------------+-----------+
      | Field Name                       | Size (bits) | Mandatory |
            +-----------------------+-------------+-----------+
      +----------------------------------+-------------+-----------+
      | timeStamp                        |      64     |    Yes    |
      | natEvent                         |      8      |    Yes    |
      | natQuotaExceededEvent sourceIPv4Address                |      32     |    Yes    |
      |    configuredLimit postNATSourceIPv4Address         |      32     |    Yes    |
      |     natInstanceID protocolIdentifier               |          32      8      |     No    Yes    |
            +-----------------------+-------------+-----------+

             Table 11: Session Entries Exceeded event template

4.6.7.2.  Maximum BIB entries exceeded

   The maximum BIB entries exceeded event is generated when the
   administratively configured BIB entry limit is reached.  The
   following is the template of the event.

            +-----------------------+-------------+-----------+
      |       Field Name sourceTransportPort              | Size (bits)      16     | Mandatory    Yes    |
            +-----------------------+-------------+-----------+
      |       timeStamp postNAPTSourceTransportPort      |          64      16     |    Yes    |
      |        natEvent destinationIPv4Address           |           8      32     |    Yes     No    |
      | natQuotaExceededEvent postNATDestinationIPv4Address    |      32     |    Yes     No    |
      |    configuredLimit destinationTransportPort         |          32      16     |    Yes     No    |
      | postNAPTDestinationTransportPort |      16     |     No    |
      | natInstanceID                    |      32     |     No    |
            +-----------------------+-------------+-----------+
      | vlanID/ingressVRFID              |    16/32    |     No    |
      | internalAddressRealm             |  octetArray |     No    |
      | externalAddressRealm             |  octetArray |     No    |
      +----------------------------------+-------------+-----------+

               Table 12: BIB Entries Exceeded event template

4.6.7.3.  Maximum entries per user exceeded

   This event is 5: NAT44 Session Delete/Create Template

4.6.2.  NAT64 Session Create and Delete Events

   These events will be generated when a single user reaches the
   administratively configured NAT translation limit. NAT64 session is created or
   deleted.  The following is
   the a template of the event.

          +-----------------------+-------------+---------------+

      +----------------------------------+-------------+-----------+
      | Field Name                       | Size (bits) | Mandatory |
          +-----------------------+-------------+---------------+
      +----------------------------------+-------------+-----------+
      | timeStamp                        |      64     |    Yes    |
      | natEvent                         |      8      |    Yes    |
      | natQuotaExceededEvent sourceIPv6Address                |          32     128     |    Yes    |
      |    configuredLimit postNATSourceIPv4Address         |      32     |    Yes    |
      |   sourceIPv4 address protocolIdentifier               |          32      8      |    Yes for NAT44    |
      |   sourceIPv6 address sourceTransportPort              |         128      16     |    Yes for NAT64    |
      | postNAPTSourceTransportPort      |      16     |    Yes    |
      | destinationIPv6Address           |     128     |     No    |
      | postNATDestinationIPv4Address    |      32     |     No    |
      | destinationTransportPort         |      16     |     No    |
      | postNAPTDestinationTransportPort |      16     |     No    |
      | natInstanceID                    |      32     |     No    |
      | vlanID/ingressVRFID              |          32    16/32    |     No    |
          +-----------------------+-------------+---------------+
      | internalAddressRealm             |  octetArray |     No    |
      | externalAddressRealm             |  octetArray |     No    |
      +----------------------------------+-------------+-----------+

            Table 13: Per-user Entries Exceeded event template

4.6.7.4.  Maximum active host or subscribers exceeded

   This event is 6: NAT64 Session Create/Delete Event Template

4.6.3.  NAT44 BIB Create and Delete Events

   These events will be generated when the number of allowed hosts a NAT44 Bind entry is created or
   subscribers reaches the administratively configured limit.
   deleted.  The following is the a template of the event.

            +-----------------------+-------------+-----------+

         +-----------------------------+-------------+-----------+
         | Field Name                  | Size (bits) | Mandatory |
            +-----------------------+-------------+-----------+
         +-----------------------------+-------------+-----------+
         | timeStamp                   |      64     |    Yes    |
         | natEvent                    |      8      |    Yes    |
         | natQuotaExceededEvent sourceIPv4Address           |      32     |    Yes    |
         |    configuredLimit postNATSourceIPv4Address    |      32     |    Yes    |
         |     natInstanceID protocolIdentifier          |          32      8      |     No    |
            +-----------------------+-------------+-----------+
         | sourceTransportPort         |      16     |     No    |
         | postNAPTSourceTransportPort |      16     |     No    |
         | natInstanceID               |      32     |     No    |
         | vlanID/ingressVRFID         |    16/32    |     No    |
         | internalAddressRealm        |  octetArray |     No    |
         | externalAddressRealm        |  octetArray |     No    |
         +-----------------------------+-------------+-----------+

              Table 14: Maximum hosts/subscribers Exceeded event template

4.6.7.5.  Maximum fragments pending reassembly exceeded

   This event is 7: NAT44 BIB Create/Delete Event Template

4.6.4.  NAT64 BIB Create and Delete Events

   These events will be generated when the number of fragments pending
   reassembly reaches the administratively configured limit.  Note that
   in case of NAT64, when this condition is detected in the IPv6 to IPv4
   direction, the IPv6 source address is mandatory in the template.
   Similarly, when this condition is detected in IPv4 to IPv6 direction,
   the source IPv4 address a NAT64 Bind entry is mandatory in the template below. created or
   deleted.  The following is the a template of the event.

         +-----------------------+-------------+----------------+

         +-----------------------------+-------------+-----------+
         | Field Name                  | Size (bits) | Mandatory |
         +-----------------------+-------------+----------------+
         +-----------------------------+-------------+-----------+
         | timeStamp                   |      64     |    Yes    |
         | natEvent                    |      8      |    Yes    |
         | natQuotaExceededEvent sourceIPv6Address           |          32     128     |    Yes    |
         |    configuredLimit postNATSourceIPv4Address    |      32     |    Yes    |
         |   sourceIPv4 address protocolIdentifier          |          32      8      | Yes for NAT44     No    |
         |   sourceIPv6 address sourceTransportPort         |         128      16     | Yes for NAT64     No    |
         | postNAPTSourceTransportPort |      16     |     No    |
         | natInstanceID               |      32     |     No    |
         | vlanID/ingressVRFID         |          32    16/32    |     No    |
         | internalAddressRealm        |  OctetArray  octetArray |     No    |
         | externalAddressRealm        |  octetArray |     No    |
         +-----------------------+-------------+----------------+
         +-----------------------------+-------------+-----------+

              Table 15: Maximum fragments pending reassembly Exceeded event
                                 template

4.6.8.  Threshold reached events 8: NAT64 BIB Create/Delete Event Template

4.6.5.  Addresses Exhausted Event

   This event will be generated when a NAT device reaches a operator
   configured threshold when allocating resources.  The threshold
   reached events are described runs out of global
   IPv4 addresses in the section above.  The following is a template of the individual events.

4.6.8.1.  Address given pool high or low threshold reached

   This of addresses.  Typically, this event is generated when the high or low threshold is reached for
   would mean that the address pool. NAT device won't be able to create any new
   translations until some addresses/ports are freed.  This event SHOULD
   be rate-limited, as many packets hitting the device at the same time
   will trigger a burst of addresses exhausted events.

   The template following is a template of the same for both high and low
   threshold events

              +-------------------+-------------+-----------+ event.

                +---------------+-------------+-----------+
                | Field Name    | Size (bits) | Mandatory |
              +-------------------+-------------+-----------+
                +---------------+-------------+-----------+
                | timeStamp     |      64     |    Yes    |
                | natEvent      |      8      |    Yes    |
                | natThresholdEvent |          32 |    Yes    |
              | natPoolID     |      32     |    Yes    |
                |  configuredLimit  |          32 |    Yes    |
              | natInstanceID |      32     |     No    |
              +-------------------+-------------+-----------+
                +---------------+-------------+-----------+

                Table 16: Address pool high/low threshold reached event template

4.6.8.2.  Address and port high threshold reached 9: Addresses Exhausted Event Template

4.6.6.  Ports Exhausted Event

   This event is will be generated when a NAT device runs out of ports for
   a global IPv4 address.  Port exhaustion shall be reported per
   protocol (UDP, TCP, etc.).  This event SHOULD be rate-limited, as
   many packets hitting the high threshold device at the same time will trigger a burst
   of port exhausted events.

   The following is reached for a template of the
   address pool and ports.

              +-------------------+-------------+-----------+ event.

          +--------------------------+-------------+-----------+
          | Field Name               | Size (bits) | Mandatory |
              +-------------------+-------------+-----------+
          +--------------------------+-------------+-----------+
          | timeStamp                |      64     |    Yes    |
          | natEvent                 |      8      |    Yes    |
          | natThresholdEvent postNATSourceIPv4Address |      32     |    Yes    |
          |  configuredLimit protocolIdentifier       |          32      8      |    Yes    |
          | natInstanceID            |      32     |     No    |
              +-------------------+-------------+-----------+
          +--------------------------+-------------+-----------+

                 Table 17: Address port high threshold reached event template

4.6.8.3.  Per-user Address and port high threshold reached 10: Ports Exhausted Event Template

4.6.7.  Quota Exceeded Events

   This event will be generated when a NAT device cannot allocate
   resources as a result of an administratively defined policy.  The
   Quota Exceeded event templates are described below.

4.6.7.1.  Maximum Session Entries Exceeded

   The maximum session entries exceeded event is generated when the high threshold
   administratively configured NAT session limit is reached.  The
   following is reached for the
   per-user address pool and ports.

           +---------------------+-------------+---------------+ template of the event.

            +-----------------------+-------------+-----------+
            | Field Name            | Size (bits) | Mandatory |
           +---------------------+-------------+---------------+
            +-----------------------+-------------+-----------+
            | timeStamp             |      64     |    Yes    |
            | natEvent              |      8      |    Yes    |
            |  natThresholdEvent natQuotaExceededEvent |      32     |    Yes    |
            |   configuredLimit maxSessionEntries     |      32     |    Yes    |
            |  sourceIPv4 address natInstanceID         |      32     | Yes for NAT44 |
           |  sourceIPv6 address     No    |         128 | Yes for NAT64 |
           |    natInstanceID    |          32 |       No      |
           | vlanID/ingressVRFID |          32 |       No      |
           +---------------------+-------------+---------------+
            +-----------------------+-------------+-----------+

             Table 18: Per-user Address port high threshold reached event template

4.6.8.4.  Global Address mapping high threshold reached

   This 11: Session Entries Exceeded Event Template

4.6.7.2.  Maximum BIB Entries Exceeded

   The maximum BIB entries exceeded event is generated when the high threshold
   administratively configured BIB entry limit is reached for the
   per-user address pool and ports.  This reached.  The
   following is generated only by NAT
   devices that use a paired address pooling behavior.

             +---------------------+-------------+-----------+ the template of the event.

            +-----------------------+-------------+-----------+
            | Field Name            | Size (bits) | Mandatory |
             +---------------------+-------------+-----------+
            +-----------------------+-------------+-----------+
            | timeStamp             |      64     |    Yes    |
            | natEvent              |      8      |    Yes    |
            |  natThresholdEvent natQuotaExceededEvent |      32     |    Yes    |
            |   configuredLimit maxBIBEntries         |      32     |    Yes    |
            | natInstanceID         |      32     |     No    |
             | vlanID/ingressVRFID |          32 |     No    |
             +---------------------+-------------+-----------+
            +-----------------------+-------------+-----------+

               Table 19: Global Address mapping high threshold reached 12: BIB Entries Exceeded Event Template

4.6.7.3.  Maximum Entries per User Exceeded

   This event
                                 template

4.6.9.  Address binding create and delete events

   These events will be is generated when a NAT device binds a local
   address with a global address and when single user reaches the global address is freed.
   A
   administratively configured NAT device will generate the binding events when it receives translation limit.  The following is
   the
   first packet template of the first flow from a host in the private realm.

     +--------------------------------+-------------+---------------+ event.

          +-----------------------+-------------+---------------+
          | Field Name            | Size (bits) |   Mandatory   |
     +--------------------------------+-------------+---------------+
          +-----------------------+-------------+---------------+
          | timeStamp             |      64     |      Yes      |
          | natEvent              |      8      |      Yes      |
          |       sourceIPv4 address natQuotaExceededEvent |      32     |      Yes      |
          | maxEntriesPerUser     |      32     |      Yes      |
          | sourceIPv4Address     |      32     | Yes for NAT44 |
          |       sourceIPv6 address sourceIPv6Address     |     128     | Yes for NAT64 |
          | Translated Source IPv4 Address natInstanceID         |      32     |      Yes       No      |
          |         natInstanceID vlanID/ingressVRFID   |          32    16/32    |       No      |
     +--------------------------------+-------------+---------------+
          +-----------------------+-------------+---------------+

            Table 20: NAT Address Binding template

4.6.10.  Port block allocation and de-allocation 13: Per-User Entries Exceeded Event Template

4.6.7.4.  Maximum Active Hosts or Subscribers Exceeded

   This event will be is generated when a NAT device allocates/de-allocates
   ports in a bulk fashion, as opposed to allocating a port on a per
   flow basis.

   portRangeStart represents the starting value number of allowed hosts or
   subscribers reaches the range.

   portRangeEnd represents administratively configured limit.  The
   following is the ending value template of the range.

   NAT devices would do this in order to reduce logs and potentially to
   limit event.

            +-----------------------+-------------+-----------+
            | Field Name            | Size (bits) | Mandatory |
            +-----------------------+-------------+-----------+
            | timeStamp             |      64     |    Yes    |
            | natEvent              |      8      |    Yes    |
            | natQuotaExceededEvent |      32     |    Yes    |
            | maxSubscribers        |      32     |    Yes    |
            | natInstanceID         |      32     |     No    |
            +-----------------------+-------------+-----------+

        Table 14: Maximum Hosts/Subscribers Exceeded Event Template

4.6.7.5.  Maximum Fragments Pending Reassembly Exceeded

   This event is generated when the number of connections a subscriber fragments pending
   reassembly reaches the administratively configured limit.  Note that
   in the case of NAT64, when this condition is allowed to use.  In detected in the following Port Block allocation template, IPv6-to-
   IPv4 direction, the portRangeStart and
   portRangeEnd MUST be specified.

   It IPv6 source address is up to mandatory in the implementation to choose to consolidate log records template.
   Similarly, when this condition is detected in case two consecutive port ranges for IPv4-to-IPv6 direction,
   the same user are allocated
   or freed.

     +--------------------------------+-------------+---------------+ source IPv4 address is mandatory in the template below.  The
   following is the template of the event.

     +-------------------------------+-------------+----------------+
     | Field Name                    | Size (bits) |   Mandatory    |
     +--------------------------------+-------------+---------------+
     +-------------------------------+-------------+----------------+
     | timeStamp                     |      64     |      Yes       |
     | natEvent                      |      8      |      Yes       |
     |       sourceIPv4 address natQuotaExceededEvent         |      32     |      Yes for NAT44       |
     |       sourceIPv6 address maxFragmentsPendingReassembly |         128      32     |      Yes for NAT64       |
     | Translated Source IPv4 Address sourceIPv4Address             |      32     | Yes for NAT44  |
     |         portRangeStart sourceIPv6Address             |          16     128     | Yes for NAT64  |
     |          portRangeEnd natInstanceID                 |          16      32     |       No       |
     |         natInstanceID vlanID/ingressVRFID           |          32    16/32    |       No       |
     | internalAddressRealm          |  octetArray |       No       |
     +--------------------------------+-------------+---------------+
     +-------------------------------+-------------+----------------+

       Table 21: NAT Port Block Allocation event template

5.  Management Considerations 15: Maximum Fragments Pending Reassembly Exceeded Event
                                 Template

4.6.8.  Threshold Reached Events

   This section considers requirements for management of the log system
   to support logging event will be generated when a NAT device reaches an operator-
   configured threshold when allocating resources.  The Threshold
   Reached events are described in the section above.  The following is
   a template of the individual events.

4.6.8.1.  Address Pool High or Low Threshold Reached

   This event is generated when the high or low threshold is reached for
   the address pool.  The template is the same for both high and low
   threshold events

   +----------------------------------------------+--------+-----------+
   | Field Name                                   |  Size  | Mandatory |
   |                                              | (bits) |           |
   +----------------------------------------------+--------+-----------+
   | timeStamp                                    |   64   |    Yes    |
   | natEvent                                     |   8    |    Yes    |
   | natThresholdEvent                            |   32   |    Yes    |
   | natPoolID                                    |   32   |    Yes    |
   | addressPoolHighThreshold/                    |   32   |    Yes    |
   | addressPoolLowThreshold                      |        |           |
   | natInstanceID                                |   32   |     No    |
   +----------------------------------------------+--------+-----------+

     Table 16: Address Pool High/Low Threshold Reached Event Template

4.6.8.2.  Address and Port Mapping High Threshold Reached

   This event is generated when the high threshold is reached for the
   address pool and ports.

   +----------------------------------------------+--------+-----------+
   | Field Name                                   |  Size  | Mandatory |
   |                                              | (bits) |           |
   +----------------------------------------------+--------+-----------+
   | timeStamp                                    |   64   |    Yes    |
   | natEvent                                     |   8    |    Yes    |
   | natThresholdEvent                            |   32   |    Yes    |
   | addressPortMappingHighThreshold/             |   32   |    Yes    |
   | addressPortMappingLowThreshold               |        |           |
   | natInstanceID                                |   32   |     No    |
   +----------------------------------------------+--------+-----------+

       Table 17: Address Port High Threshold Reached Event Template

4.6.8.3.  Address and Port Mapping per User High Threshold Reached

   This event is generated when the high threshold is reached for the
   per-user address pool and ports.

   +----------------------------------------------+--------+-----------+
   | Field Name                                   |  Size  | Mandatory |
   |                                              | (bits) |           |
   +----------------------------------------------+--------+-----------+
   | timeStamp                                    |   64   |    Yes    |
   | natEvent                                     |   8    |    Yes    |
   | natThresholdEvent                            |   32   |    Yes    |
   | addressPortMappingHighThreshold/             |   32   |    Yes    |
   | addressPortMappingLowThreshold               |        |           |
   | sourceIPv4Address                            |   32   |  Yes for  |
   |                                              |        |   NAT44   |
   | sourceIPv6Address                            |  128   |  Yes for  |
   |                                              |        |   NAT64   |
   | natInstanceID                                |   32   |     No    |
   | vlanID/ingressVRFID                          | 16/32  |     No    |
   +----------------------------------------------+--------+-----------+

    Table 18: Address and Port Mapping per User High Threshold Reached
                              Event Template

4.6.8.4.  Global Address Mapping High Threshold Reached

   This event is generated when the high threshold is reached for the
   per-user address pool and ports.  This is generated only by NAT
   devices that use a paired-address-pooling behavior.

      +-----------------------------------+-------------+-----------+
      | Field Name                        | Size (bits) | Mandatory |
      +-----------------------------------+-------------+-----------+
      | timeStamp                         |      64     |    Yes    |
      | natEvent                          |      8      |    Yes    |
      | natThresholdEvent                 |      32     |    Yes    |
      | globalAddressMappingHighThreshold |      32     |    Yes    |
      | natInstanceID                     |      32     |     No    |
      | vlanID/ingressVRFID               |    16/32    |     No    |
      +-----------------------------------+-------------+-----------+

       Table 19: Global Address Mapping High Threshold Reached Event
                                 Template

4.6.9.  Address Binding Create and Delete Events

   These events will be generated when a NAT device binds a local
   address with a global address and when the global address is freed.
   A NAT device will generate the binding events when it receives the
   first packet of the first flow from a host in the private realm.

        +--------------------------+-------------+---------------+
        | Field Name               | Size (bits) |   Mandatory   |
        +--------------------------+-------------+---------------+
        | timeStamp                |      64     |      Yes      |
        | natEvent                 |      8      |      Yes      |
        | sourceIPv4Address        |      32     | Yes for NAT44 |
        | sourceIPv6Address        |     128     | Yes for NAT64 |
        | postNATSourceIPv4Address |      32     |      Yes      |
        | natInstanceID            |      32     |       No      |
        +--------------------------+-------------+---------------+

                  Table 20: NAT Address Binding Template

4.6.10.  Port Block Allocation and De-allocation

   This event will be generated when a NAT device allocates/de-allocates
   ports in a bulk fashion, as opposed to allocating a port on a per-
   flow basis.

   portRangeStart represents the starting value of the range.

   portRangeEnd represents the ending value of the range.

   NAT devices would do this in order to reduce logs and to potentially
   limit the number of connections a subscriber is allowed to use.  In
   the following Port Block allocation template, the portRangeStart and
   portRangeEnd MUST be specified.

   It is up to the implementation to choose to consolidate log records
   in case two consecutive port ranges for the same user are allocated
   or freed.

        +--------------------------+-------------+---------------+
        | Field Name               | Size (bits) |   Mandatory   |
        +--------------------------+-------------+---------------+
        | timeStamp                |      64     |      Yes      |
        | natEvent                 |      8      |      Yes      |
        | sourceIPv4Address        |      32     | Yes for NAT44 |
        | sourceIPv6Address        |     128     | Yes for NAT64 |
        | postNATSourceIPv4Address |      32     |      Yes      |
        | portRangeStart           |      16     |      Yes      |
        | portRangeEnd             |      16     |       No      |
        | natInstanceID            |      32     |       No      |
        +--------------------------+-------------+---------------+

            Table 21: NAT Port Block Allocation Event Template

5.  Management Considerations

   This section considers requirements for management of the log system
   to support logging of the events described above.  It first covers
   requirements applicable to log management in general.  Any additional
   standardization required to fulfill these requirements is out of
   scope of the present document.  Some management considerations are
   covered in [NAT-LOG].  This document covers the additional
   considerations.

5.1.  Ability to Collect Events from Multiple NAT Devices

   An IPFIX Collector MUST be able to collect events from multiple NAT
   devices and decipher events based on the Observation Domain ID in the
   IPFIX header.

5.2.  Ability to Suppress Events

   The exhaustion events can be overwhelming during traffic bursts;
   hence, they SHOULD be handled by the NAT devices to rate-limit them
   before sending them to the Collectors.  For example, when the port
   exhaustion happens during bursty conditions, instead of sending a
   port exhaustion event for every packet, the exhaustion events SHOULD
   be rate-limited by the NAT device.

6.  IANA Considerations

6.1.  Information Elements

   IANA has registered the following IEs in the "IPFIX Information
   Elements" registry at [IPFIX-IANA].

6.1.1.  natInstanceID

   ElementID: 463

   Name: natInstanceID

   Description: This Information Element uniquely identifies an Instance
   of the NAT that runs on a NAT middlebox function after the packet
   passes the Observation Point. natInstanceID is defined in [RFC7659].

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See [RFC791] for the definition of the IPv4 source address
   field.  See [RFC3022] for the definition of NAT.  See [RFC3234] for
   the definition of middleboxes.

6.1.2.  internalAddressRealm

   ElementID: 464

   Name: internalAddressRealm

   Description: This Information Element represents the internal address
   realm where the packet is originated from or destined to.  By
   definition, a NAT mapping can be created from two address realms, one
   from internal and one from external.  Realms are implementation
   dependent and can represent a Virtual Routing and Forwarding (VRF)
   ID, a VLAN ID, or some unique identifier.  Realms are optional and,
   when left unspecified, would mean that the external and internal
   realms are the same.

   Abstract Data Type: octetArray

   Data Type Semantics: identifier
   Reference: See [RFC791] for the definition of the IPv4 source address
   field.  See [RFC3022] for the definition of NAT.  See [RFC3234] for
   the definition of middleboxes.

6.1.3.  externalAddressRealm

   ElementID: 465

   Name: externalAddressRealm

   Description: This Information Element represents the external address
   realm where the packet is originated from or destined to.  The
   detailed definition is in the internal address realm as specified
   above.

   Abstract Data Type: octetArray

   Data Type Semantics: identifier

   Reference: See [RFC791] for the definition of the IPv4 source address
   field.  See [RFC3022] for the definition of NAT.  See [RFC3234] for
   the definition of middleboxes.

6.1.4.  natQuotaExceededEvent

   ElementID: 466

   Name: natQuotaExceededEvent

   Description: This Information Element identifies the type of a NAT
   Quota Exceeded event.  Values for this Information Element are listed
   in the "NAT Quota Exceeded Event Type" registry, see [IPFIX-IANA].
   Initial values in the registry are defined by the table below.  New
   assignments of values will be administered by IANA and are subject to
   Expert Review [RFC8126].  Experts need to check definitions of new
   values for completeness, accuracy, and redundancy.

              +--------+---------------------------------------+
              | Value  | Quota Exceeded Event Name             |
              +--------+---------------------------------------+
              | 0      | Reserved                              |
              | 1      | Maximum session entries               |
              | 2      | Maximum BIB entries                   |
              | 3      | Maximum entries per user              |
              | 4      | Maximum active hosts or subscribers   |
              | 5      | Maximum fragments pending reassembly  |
              +--------+---------------------------------------+

                    Note: This is the same as Table 3.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See [RFC791] for the definition of the IPv4 source address
   field.  See [RFC3022] for the definition of NAT.  See [RFC3234] for
   the definition of middleboxes.

6.1.5.  natThresholdEvent

   ElementID: 467

   Name: natThresholdEvent

   Description: This Information Element identifies a type of a NAT
   Threshold event.  Values for this Information Element are listed in
   the "NAT Threshold Event Type" registry, see [IPFIX-IANA].  Initial
   values in the registry are defined by the table below.  New
   assignments of values will be administered by IANA and are subject to
   Expert Review [RFC8126].  Experts need to check definitions of new
   values for completeness, accuracy, and redundancy.

   +--------+---------------------------------------------------------+
   | Value  | Threshold Exceeded Event Name                           |
   +--------+---------------------------------------------------------+
   | 0      | Reserved                                                |
   | 1      | Address pool high threshold event                       |
   | 2      | Address pool low threshold event                        |
   | 3      | Address and port mapping high threshold event           |
   | 4      | Address and port mapping per user high threshold event  |
   | 5      | Global address mapping high threshold event             |
   +--------+---------------------------------------------------------+

                    Note: This is the same as Table 4.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See [RFC791] for the definition of the events described above.  It first covers
   requirements applicable to log management in general.  Any additional
   standardization required to fullfil these requirements is out IPv4 source address
   field.  See [RFC3022] for the definition of
   scope NAT.  See [RFC3234] for
   the definition of middleboxes.

6.1.6.  natEvent

   The original definition of this Information Element specified only
   three values: 1, 2, and 3.  This definition has been replaced by a
   registry, to which new values can be added.  The semantics of the present document.  Some management considerations are
   covered in [I-D.ietf-behave-syslog-nat-logging].
   three originally defined values remain unchanged.  IANA maintains the
   "NAT Event Type (Value 230)" registry for values of this Information
   Element at [IPFIX-IANA].

   ElementID: 230

   Name: natEvent

   Description: This document
   covers Information Element identifies a NAT event.  This
   IE identifies the additional considerations.

5.1.  Ability to collect events from multiple type of a NAT devices

   An IPFIX collector MUST be able to collect events from multiple event.  Examples of NAT
   devices and be able to decipher events based on the Observation
   Domain ID
   include, but are not limited to, NAT translation create, NAT
   translation delete, Threshold Reached, or Threshold Exceeded, etc.
   Values for this Information Element are listed in the IPFIX header.

5.2.  Ability to suppress events "NAT Event
   Type" registry, see [IPFIX-IANA].  The exhaustion events can be overwhelming during traffic bursts and
   hence SHOULD be handled by the NAT devices to rate limit them before
   sending them to the collectors.  For eg. when the port exhaustion
   happens during bursty conditions, instead of sending a port
   exhaustion event for every packet, values in the exhaustion events SHOULD
   registry are defined by Table 2 in Section 4.3.  New assignments of
   values will be
   rate limited administered by the NAT device.

6.  Acknowledgements

   Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin
   Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul
   Aitken, Julia Renouard, Spencer Dawkins IANA and Brian Trammell are subject to Expert Review
   [RFC8126].  Experts need to check definitions of new values for their
   review
   completeness, accuracy, and comments.

7.  IANA Considerations

7.1.  Information Elements

   IANA will register redundancy.

   Abstract Data Type: unsigned8

   Data Type Semantics: identifier

   Reference: See [RFC3022] for the following IEs in definition of NAT.  See [RFC3234]
   for the IPFIX Information
   Elements registry at http://www.iana.org/assignments/ipfix/ipfix.xml

7.1.1.  natInstanceID

   Name : natInstanceID definition of middleboxes.  See RFC 8158 for the definitions
   of values 4-16.

6.1.7.  maxSessionEntries

   ElementID: 471

   Name: maxSessionEntries

   Description: This Information Element uniquely identifies an Instance
   of element represents the NAT maximum session entries that runs on a NAT middlebox function after the packet
   passed
   can be created by the Observation Point. natInstanceID is defined in RFC 7659
   [RFC7659] NAT device.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 791 [RFC0791] [RFC3022] for the definition of NAT.  See [RFC3234]
   for the definition of middleboxes.

6.1.8.  maxBIBEntries

   ElementID: 472

   Name: maxBIBEntries

   Description: This element represents the IPv4 source address
   field. maximum BIB entries that can
   be created by the NAT device.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 3022 [RFC3022] for the definition of NAT.  See RFC
   3234 [RFC3234]
   for the definition of middleboxes.

7.1.2.  internalAddressRealm

6.1.9.  maxEntriesPerUser

   ElementID: 473

   Name: internalAddressRealm maxEntriesPerUser

   Description: This Information Element element represents the internal address
   realm where the packet is originated from or destined to.  By
   definition, a maximum NAT mapping entries that can
   be created from two address realms, one
   from internal and one from external.  Realms are implementation
   dependent and can represent a VRF ID or a VLAN ID or some unique
   identifier.  Realms are optional and when left unspecified would mean
   that the external and internal realms are per user by the same. NAT device.

   Abstract Data Type: octetArray unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 791 [RFC0791] for the definition of the IPv4 source address
   field.  See RFC 3022 [RFC3022] for the definition of NAT.  See RFC
   3234 [RFC3234]
   for the definition of middleboxes.

7.1.3.  externalAddressRealm

6.1.10.  maxSubscribers

   ElementID: 474

   Name: externalAddressRealm maxSubscribers

   Description: This Information Element element represents the external address
   realm where the packet is originated from maximum subscribers or destined to.  The
   detailed definition is in
   maximum hosts that are allowed by the internal address realm as specified
   above. NAT device.

   Abstract Data Type: octetArray unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 791 [RFC0791] [RFC3022] for the definition of NAT.  See [RFC3234]
   for the IPv4 source address
   field. definition of middleboxes.

6.1.11.  maxFragmentsPendingReassembly

   ElementID: 475

   Name: maxFragmentsPendingReassembly

   Description: This element represents the maximum fragments that the
   NAT device can store for reassembling the packet.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 3022 [RFC3022] for the definition of NAT.  See RFC
   3234 [RFC3234]
   for the definition of middleboxes.

7.1.4.  natQuotaExceededEvent

   Values of this Information Element are defined in a registry
   maintained by IANA at <http://www.iana.org/assignments/ipfix/
   ipfix.xml#TBD-by-IANA>.  New assignments of values will be
   administered by IANA, subject to Expert Review [RFC5226].  Experts
   need to check definitions of new values for completeness, accuracy,
   and redundancy.

   Name : natQuotaExceededEvent

6.1.12.  addressPoolHighThreshold

   ElementID: 476

   Name: addressPoolHighThreshold

   Description: This Information Element identifies element represents the type high threshold value of a NAT
   quota exceeded event.  Values for this Information Element are listed
   in the NAT quota exceed event type registry, see
   [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA] Initial
   values
   number of public IP addresses in the registry are defined by the table below.

            +---------------------------------------+--------+
            |       Quota Exceeded Event Name       | Values |
            +---------------------------------------+--------+
            |        Maximum Session entries        |      1 |
            |          Maximum BIB entries          |      2 |
            |        Maximum entries per user       |      3 |
            |  Maximum active hosts or subscribers  |      4 |
            |  Maximum fragments pending reassembly |      5 |
            +---------------------------------------+--------+

                                 Table 22 address pool.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 791 [RFC0791] [RFC3022] for the definition of NAT.  See [RFC3234]
   for the definition of middleboxes.

6.1.13.  addressPoolLowThreshold

   ElementID: 477

   Name: addressPoolLowThreshold

   Description: This element represents the low threshold value of the
   number of public IP addresses in the IPv4 source address
   field. pool.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 3022 [RFC3022] for the definition of NAT.  See RFC
   3234 [RFC3234]
   for the definition of middleboxes.

7.1.5.  natThresholdEvent

   Values of this Information Element are defined in a registry
   maintained by IANA at http://www.iana.org/assignments/ipfix/
   ipfix.xml#TBD-by-IANA.  New assignments of values will be
   administered by IANA, subject to Expert Review [RFC5226].  Experts
   need to check definitions of new values for completeness, accuracy,
   and redundancy.

6.1.14.  addressPortMappingHighThreshold

   ElementID: 478

   Name: natThresholdEvent addressPortMappingHighThreshold

   Description: This Information Element identifies a type of a NAT
   threshold event.  Values for this Information Element are listed in
   the NAT threshhold event type registry, see
   <http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA>.
   Initial values in the registry are defined by element represents the table below.

   +---------------------------------------------------------+--------+
   |              Threshold Exceeded Event Name              | Values |
   +---------------------------------------------------------+--------+
   |            Address pool high threshold event            |      1 |
   |             Address pool low threshold event            |      2 |
   |      Address and port mapping high threshold event      |      3 |
   |  Address value of the
   number of address and port mapping per user high threshold event |      4 |
   |       Global Address mapping high threshold event       |      5 |
   +---------------------------------------------------------+--------+

                                 Table 23 mappings.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See RFC 791 [RFC0791] for the definition of the IPv4 source address
   field.  See RFC 3022 [RFC3022] for the definition of NAT.  See RFC
   3234 [RFC3234]
   for the definition of middleboxes.

7.1.6.  natEvent

   The original definition of this Information Element specified only
   three values 1, 2, and 3.

6.1.15.  addressPortMappingLowThreshold

   ElementID: 479

   Name: addressPortMappingLowThreshold

   Description: This definition is replaced by a registry,
   to which new values can be added.  The semantics of the three
   originally defined values remains unchanged.  IANA maintains element represents the
   registry for values low threshold value of this Information Element at
   <http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA>.  New
   assignments the
   number of values will be administered by IANA, subject to Expert
   Review [RFC5226].  Experts need to check definitions address and port mappings.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See [RFC3022] for the definition of new values NAT.  See [RFC3234]
   for completeness, accuracy, and redundancy.

   Name : natEvent

   Description: the definition of middleboxes.

6.1.16.  addressPortMappingPerUserHighThreshold

   ElementID: 480

   Name: addressPortMappingPerUserHighThreshold

   Description: This Information Element identifies a NAT
   event.  This IE identifies element represents the type of a NAT event.  Examples high threshold value of NAT
   events include but not limited to, creation or deletion the
   number of address and port mappings that a NAT
   translation entry, single user is allowed to
   create on a threshold reached or exceeded etc.  Values NAT device.

   Abstract Data Type: unsigned32

   Data Type Semantics: identifier

   Reference: See [RFC3022] for
   this Information Element are listed in the NAT event type registry,
   see [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA] The
   NAT Event values in definition of NAT.  See [RFC3234]
   for the registry are defined by definition of middleboxes.

6.1.17.  globalAddressMappingHighThreshold

   ElementID: 481

   Name: globalAddressMappingHighThreshold

   Description: This element represents the Table 2 high threshold value of the
   number of address and port mappings that a single user is allowed to
   create on a NAT device in
   Section 5.3. a paired address pooling behavior.

   Abstract Data Type: unsigned8 unsigned32

   Data Type Semantics: identifier
   Element ID : 230

   Reference: See RFC 3022 [RFC3022] for the definition of NAT.  See RFC 3234 [RFC3234]
   for the definition of middleboxes.  See [thisRFC] [RFC4787] for the
   definitions definition
   of values 4-16.

8. paired address pooling behavior.

7.  Security Considerations

   The security considerations listed in detail for IPFIX in [RFC7011]
   applies
   apply to this draft document as well.  As described in [RFC7011] [RFC7011], the
   messages exchanged between the NAT device and the collector Collector MUST be
   protected to provide confidentiality, integrity integrity, and authenticity.
   Without those characteristics, the messages are subject to various
   kinds of attacks.  These attacks are described in great detail in
   [RFC7011].

   This document re-emphasizes the use of TLS Transport Layer Security (TLS)
   or DTLS Datagram Transport Layer Security (DTLS) for exchanging the log
   messages between the NAT device and the collector. Collector.  The log events
   sent in clear text cleartext can result in confidential data being exposed to
   attackers, who could then spoof log events based on the information
   in clear text cleartext messages.  Hence, the log events SHOULD NOT be sent in clear text.
   cleartext.

   The logging of NAT events can result in privacy concerns as a result
   of exporting information such as the source address and port
   information.  The logging of destinaion destination information can also cause
   privacy concerns concerns, but it has been well documented in [RFC6888].  A
   NAT device can choose to operate in various logging modes if it wants
   to avoid logging of private information.  The collector Collector that receives
   the information can also choose to mask the private information but
   generate reports based on abstract data.  It is outside the scope of
   this document to address the implementation of logging modes for
   privacy considerations.

9.

8.  References

9.1.

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007, <http://www.rfc-editor.org/info/rfc4787>. <https://www.rfc-editor.org/info/rfc4787>.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008,
              <http://www.rfc-editor.org/info/rfc5382>.
              <https://www.rfc-editor.org/info/rfc5382>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <http://www.rfc-editor.org/info/rfc6146>. <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011,
              <http://www.rfc-editor.org/info/rfc6302>.
              <https://www.rfc-editor.org/info/rfc6302>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <http://www.rfc-editor.org/info/rfc6888>. <https://www.rfc-editor.org/info/rfc6888>.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013,
              <http://www.rfc-editor.org/info/rfc7011>.
              <https://www.rfc-editor.org/info/rfc7011>.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015, <http://www.rfc-editor.org/info/rfc7659>.

9.2. <https://www.rfc-editor.org/info/rfc7659>.

8.2.  Informative References

   [I-D.ietf-behave-syslog-nat-logging]

   [IPFIX-IANA]
              IANA, "IPFIX Information Elements",
              <http://www.iana.org/assignments/ipfix>.

   [NAT-LOG]  Chen, Z., Zhou, C., Tsou, T., and T. Taylor, Ed., "Syslog
              Format for NAT Logging", draft-ietf-behave-syslog-nat-
              logging-06 (work Work in progress), Progress, draft-ietf-
              behave-syslog-nat-logging-06, January 2014.

   [IPFIX-IANA]
              IANA, "IPFIX Information Elements registry",
              <http://www.iana.org/assignments/ipfix>.

   [RFC0791]

   [RFC791]   Postel, J., "Internet Protocol", STD 5, RFC 791,
              DOI 10.17487/RFC0791, September 1981,
              <http://www.rfc-editor.org/info/rfc791>.
              <https://www.rfc-editor.org/info/rfc791>.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999,
              <http://www.rfc-editor.org/info/rfc2663>.
              <https://www.rfc-editor.org/info/rfc2663>.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001,
              <http://www.rfc-editor.org/info/rfc3022>.
              <https://www.rfc-editor.org/info/rfc3022>.

   [RFC3234]  Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
              Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
              <http://www.rfc-editor.org/info/rfc3234>.

   [RFC5226]  Narten, T.
              <https://www.rfc-editor.org/info/rfc3234>.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009,
              <https://www.rfc-editor.org/info/rfc5424>.

   [RFC8126]  Cotton, M., Leiba, B., and H. Alvestrand, T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424, 8126, DOI 10.17487/RFC5424, March 2009,
              <http://www.rfc-editor.org/info/rfc5424>. 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

Acknowledgements

   Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin,
   Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul
   Aitken, Julia Renouard, Spencer Dawkins, and Brian Trammell for their
   review and comments.

Authors' Addresses

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina NC  27709
   USA
   United States of America

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Renaldo

   Reinaldo Penno
   Cisco Systems
   170 W Tasman Drive
   San Jose, California CA  95035
   USA
   United States of America

   Email: repenno@cisco.com