BehaveInternet Engineering Task Force (IETF) S. SivakumarInternet-DraftRequest for Comments: 8158 R. PennoIntended status:Category: Standards Track Cisco SystemsExpires: July 13, 2017 January 9,ISSN: 2070-1721 December 2017IPFIXIP Flow Information Export (IPFIX) Information Elements forloggingLogging NAT Eventsdraft-ietf-behave-ipfix-nat-logging-13Abstract Network operators require NAT devices to log events like creation and deletion of translations and information about the resources that the NAT device is managing.TheIn many cases, the logs are essentialin many casesto identify an attacker or a host that was used to launch malicious attacks and for various other purposes of accounting. Since there is no standard way of logging this information, different NAT deviceslog the information usinguse proprietaryformats and henceformats; hence, it is difficult to expectaconsistent behavior.TheThis lack ofa consistent way to log the datastandardization makes it difficult to write thecollectorCollector applications that would receive this data and process it to present useful information. This document describes the formats for loggingofNAT events. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 13, 2017.https://www.rfc-editor.org/info/rfc8158. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents(http://trustee.ietf.org/license-info)(https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Requirements Language . . . . . . . . . . . . . . . . . . 4 2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Deployment . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.Event based loggingEvent-Based Logging . . . . . . . . . . . . . . . . . . . . . 5 4.1. Loggingof destination informationDestination Information . . . . . . . . . . . . . 6 4.2. Information Elements . . . . . . . . . . . . . . . . . . 6 4.3. Definition of NAT Events . . . . . . . . . . . . . . . .810 4.4. QuotaexceededExceeded EventtypesTypes . . . . . . . . . . . . . . .911 4.5. ThresholdreachedReached EventtypesTypes . . . . . . . . . . . . . .1012 4.6. Templates for NAT Events . . . . . . . . . . . . . . . .1113 4.6.1. NAT44createSession Create anddelete session eventsDelete Events . . . . . . .1113 4.6.2. NAT64createSession Create anddelete session eventsDelete Events . . . . . . .1214 4.6.3. NAT44 BIBcreateCreate anddelete eventsDelete Events . . . . . . . . .1315 4.6.4. NAT64 BIBcreateCreate anddelete eventsDelete Events . . . . . . . . .1315 4.6.5. Addresses ExhaustedeventEvent . . . . . . . . . . . . . .1416 4.6.6. Ports ExhaustedeventEvent . . . . . . . . . . . . . . . .1416 4.6.7. Quotaexceeded eventsExceeded Events . . . . . . . . . . . . . . . .1517 4.6.7.1. Maximumsession entries exceededSession Entries Exceeded . . . . . . . .1517 4.6.7.2. Maximum BIBentries exceededEntries Exceeded . . . . . . . . . .1517 4.6.7.3. MaximumentriesEntries peruser exceededUser Exceeded . . . . . . . .1517 4.6.7.4. Maximumactive hostActive Hosts orsubscribers exceeded .Subscribers Exceeded . .1618 4.6.7.5. Maximumfragments pending reassembly exceededFragments Pending Reassembly Exceeded . .1618 4.6.8. Thresholdreached eventsReached Events . . . . . . . . . . . . . .1719 4.6.8.1. Addresspool highPool High orlow threshold reachedLow Threshold Reached . . .1719 4.6.8.2. Address andport high threshold reachedPort Mapping High Threshold Reached . 20 4.6.8.3. Address and Port Mapping per User High Threshold Reached . . . .17 4.6.8.3. Per-user Address and port high threshold reached 18. . . . . . . . . . . . . . . . . 20 4.6.8.4. Global Addressmapping high threshold reachedMapping High Threshold Reached . .1821 4.6.9. Addressbinding createBinding Create anddelete eventsDelete Events . . . . . .1921 4.6.10. Portblock allocationBlock Allocation andde-allocationDe-allocation . . . . . . .1921 5. Management Considerations . . . . . . . . . . . . . . . . . .2022 5.1. Ability tocollect eventsCollect Events frommultipleMultiple NATdevicesDevices . . .2022 5.2. Ability tosuppress eventsSuppress Events . . . . . . . . . . . . . . .2022 6.AcknowledgementsIANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 6.1. Information Elements .21 7. IANA Considerations. . . . . . . . . . . . . . . . . 23 6.1.1. natInstanceID . . . .21 7.1. Information Elements. . . . . . . . . . . . . . . . 23 6.1.2. internalAddressRealm . .21 7.1.1. natInstanceID. . . . . . . . . . . . . . 23 6.1.3. externalAddressRealm . . . . . .21 7.1.2. internalAddressRealm. . . . . . . . . . 24 6.1.4. natQuotaExceededEvent . . . . . .21 7.1.3. externalAddressRealm. . . . . . . . . . 24 6.1.5. natThresholdEvent . . . . . .22 7.1.4. natQuotaExceededEvent. . . . . . . . . . . . 25 6.1.6. natEvent . . . .22 7.1.5. natThresholdEvent. . . . . . . . . . . . . . . . . .23 7.1.6. natEvent26 6.1.7. maxSessionEntries . . . . . . . . . . . . . . . . . . 26 6.1.8. maxBIBEntries . . . .24 8. Security Considerations. . . . . . . . . . . . . . . . 27 6.1.9. maxEntriesPerUser . . .25 9. References. . . . . . . . . . . . . . . 27 6.1.10. maxSubscribers . . . . . . . . . .25 9.1. Normative References. . . . . . . . . 27 6.1.11. maxFragmentsPendingReassembly . . . . . . . . .25 9.2. Informative. . . 28 6.1.12. addressPoolHighThreshold . . . . . . . . . . . . . . 28 6.1.13. addressPoolLowThreshold . . . . . . . . . . . . . . . 28 6.1.14. addressPortMappingHighThreshold . . . . . . . . . . . 29 6.1.15. addressPortMappingLowThreshold . . . . . . . . . . . 29 6.1.16. addressPortMappingPerUserHighThreshold . . . . . . . 29 6.1.17. globalAddressMappingHighThreshold . . . . . . . . . . 30 7. Security Considerations . . . . . . . . . . . . . . . . . . . 30 8. References . . . . . . . . . . . . . . . . .26 Authors' Addresses. . . . . . . . 31 8.1. Normative References . . . . . . . . . . . . . . .27 1. Introduction The IPFIX Protocol [RFC7011] defines a generic push mechanism for exporting information and events. The IPFIX Information Model [IPFIX-IANA] defines a set. . . 31 8.2. Informative References . . . . . . . . . . . . . . . . . 32 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 32 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 33 1. Introduction The IP Flow Information Export (IPFIX) Protocol [RFC7011] defines a generic push mechanism for exporting information and events. The IPFIX Information Model [IPFIX-IANA] defines a set of standardIEs whichInformation Elements (IEs) that can be carried by the IPFIX protocol. This document details the IPFIXInformation Elements(IEs)IEs that MUST be logged by a NAT device that supports NAT logging usingIPFIX,IPFIX and all the optional fields. The fields specified in this document are gleaned from [RFC4787] and [RFC5382]. This document and[I-D.ietf-behave-syslog-nat-logging][NAT-LOG] are written in order to standardize the events and parameters to berecorded,recorded using IPFIX [RFC7011] and SYSLOG[RFC5424]respectively. The intent is to provide a consistent way to log information irrespective of the mechanism that is used.[RFC5424], respectively. This document uses IPFIX as the encoding mechanism to describe the logging of NAT events. However, the information that is logged should be the same irrespective of what kind of encoding scheme is used. IPFIX is chosen becauseisit is an IETF standard that meets all the needs for a reliable logging mechanism. IPFIX provides the flexibility to the logging device to define thedata setsdatasets that it is logging. The IEs specified for logging must be the same irrespective of the encoding mechanism used. 1.1. Terminology Theusage of theterm "NAT device" in this documentreferrefers to any NAT44andor NAT64devices.device. Theusage of theterm"collector""Collector" refers to any device that receivesthebinary data from a NAT device and convertsthatit into meaningful information. This document uses the term"Session""session" asit isdefined in[RFC2663][RFC2663], and the termBinding"Binding InformationBaseBase" (BIB) asit isdefined in [RFC6146]. Theusage of thetermInformation Element (IE)"Information Element" or "IE" is defined in [RFC7011]. The termCarrier Grade NAT"Carrier-Grade NAT" refers to alarge scalelarge-scale NAT device as described in [RFC6888] The IPFIXInformation ElementsIEs that are NAT specific are created with NAT terminology. In order to avoid creatingduplicate IEs,duplicates, IEs are reused if they convey the same meaning. This document uses the termtimestamp"timestamp" for theInformation elementIE, which defines the time when an event islogged,logged; this is the same as the IPFIX termobservationTimeMilliseconds"observationTimeMilliseconds" as described in [IPFIX-IANA]. Since observationTimeMilliseconds is notselfself- explanatory for NAT implementors,this document usesthe termtimeStamp. This document refers to event"timeStamp" is used. Event templates,that referswhich refer to IPFIXtemplate records. This document refers toTemplate Records, as well as logevents that refersevents, which refer to IPFIX Flowrecords.Records, are also used in this document. 1.2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Scope This document provides the information model to be used for logging the NATeventsevents, includingCarrier GradeCarrier-Grade NAT (CGN) events. [RFC7011] provides guidance on the choices of the transport protocols used for IPFIX and their effects. This document does not provide guidance onthetransportprotocolprotocols like TCP,UDPUDP, orSCTP that isStream Control Transmission Protocol (SCTP), which are to be used to log NAT events. The logs SHOULD be reliably sent to thecollectorCollector to ensure that the log events are not lost. The choice of the actual transport protocol is beyond the scope of this document.The existing IANA IPFIX IEs registry [IPFIX-IANA] already has assignments for most of the NAT logging events.This document uses the allocated IPFIX IEsand will request IANA for the ones that are definedinthis document but not yet allocated.the IANA "IPFIX Information Elements" registry [IPFIX-IANA] and registers some new ones. This document assumes that the NAT device will use the existing IPFIX framework to send the log events to thecollector.Collector. This would mean that the NAT device will specify the template that it is going to use for each of the events. The templates can be of varyinglengthlength, and there could be multiple templates that a NAT device could use to log the events. The implementation details of thecollectorCollector applicationisare beyond the scope of this document. The optimization of logging the NAT events is left to the implementation and is beyond the scope of this document. 3. Deployment NAT logging based on IPFIX uses binaryencoding and henceencoding; hence, it is very efficient.IPFIX basedIPFIX-based logging is recommended for environments where a high volume of logging is required, for example, where per-flow logging is needed or in case ofCarrier GradeCarrier-Grade NAT. However,IPFIXIPFIX- based logging requires acollectorCollector that processes the binary data and requires a network management application that converts this binary data to ahuman readablehuman-readable format. AcollectorCollector may receive NAT events from multiple CGN devices. ThecollectorCollector distinguishes between the devices using the source IP address, source port, and Observation Domain ID in the IPFIX header. ThecollectorCollector can decide to store the information based on the administrative policies that areinlinein line with the operator and the localjuridiction.jurisdiction. The retention policy is not dictated by theexporterExporter and is left to the policies that are defined at thecollector.Collector. AcollectorCollector may have scale issues if it is overloaded by a large number of simultaneous events. An appropriate throttling mechanism may be used to handle the oversubscription. The logs that are exported can be used for a variety of reasons. An example use case is to do accounting based on when the users logged on and off. The translation will be installed when the user logs on and removed when the user logs off. These events create log records. Another use case is to identify an attacker or a host in a provider network. The network administrators can use these logs to identify the usage patterns, the need for additional IPaddressesaddresses, and etc. The deployment of NAT logging is not limited to just these cases. 4.Event based loggingEvent-Based Logging An event in a NAT device can be viewed as a state transitionasbecause it relates to the management of NAT resources. The creation and deletion of NAT sessions and bindings are examples ofeventsevents, as they result in resources (addresses and ports) being allocated or freed. The events can happen through the processing of data packets flowing through the NATdevice ordevice, through an external entity installing policies on the NATrouterrouter, or as a result of an asynchronous event like a timer. The list of eventsareis provided in Table 2. Each of these events SHOULD be logged, unlessthey arethis is administratively prohibited. A NAT device MAY log these events to multiplecollectorsCollectors if redundancy is required. The network administrator will specify thecollectorsCollectors to which the log records are to be sent. It is necessary to preserve the list ofcollectorsCollectors and its associated information like the IPv4/IPv6 address,portport, and protocol across reboots so that the configuration information is not lost when the device is restarted. The NAT device implementing the IPFIX logging MUST follow the IPFIXspecs as specifiedspecification inRFC 7011.[RFC7011]. 4.1. Loggingof destination informationDestination Information Loggingofdestination information in a NAT eventhas beenis discussed in [RFC6302] and [RFC6888]. Loggingofdestination information increases the size of each record and increases the need for storage considerably. It increases the number of log events generated because when the same user connects to a different destination, it results in a log record per destination address. Loggingofthe source and destination addressesresultresults in loss of privacy. Logging of destination addresses and ports,prepre- orpost NAT,post-NAT, SHOULD NOT be done [RFC6888]. However, thisdraftdocument provides the necessary fields to log the destination information in cases where they must be logged. 4.2. Information Elements The templates could contain a subset of the IEs shown in Table11, depending upon the event being logged. Forexampleexample, a NAT44 session creation template record willcontain, {sourceIPv4Adress,contain: {sourceIPv4Address, postNATSourceIPv4Address,destinationIpv4Address,destinationIPv4Address, postNATDestinationIPv4Address, sourceTransportPort, postNAPTSourceTransportPort, destinationTransportPort,postNAPTDestTransportPort,postNAPTDestinationTransportPort, internalAddressRealm, natEvent, timeStamp} An example of the actual event data record is shown below-in ahumanhuman- readableformform: {192.0.2.1, 203.0.113.100, 192.0.2.104, 192.0.2.104, 14800, 1024, 80, 80, 0, 1, 09:20:10:789} A single NAT device could be exporting multipletemplatestemplates, and thecollectorCollector MUST support receiving multiple templates from the same source. The followingis thetableofincludes all the IEs that a NAT device would need to export the events. The formats of the IEs and the IPFIX IDs arelisted below. Somelisted. Detailed descriptions of theIPFIX IEs are not yet assigned. The detailed description of thesefieldsthat are requestednatInstanceID, internalAddressRealm, externalAddressRealm, natQuotaExceededEvent, and natThresholdEvent are included in the IANAconsiderationsConsiderations section.+--------------------------------+------------+-------+-------------++----------------------------------+----------+-------+-------------+ | Field Name | Size | IANA | Description | | | (bits) | IPFIX | | | | | ID | |+--------------------------------+------------+-------+-------------++----------------------------------+----------+-------+-------------+ | timeStamp | 64 | 323 | System Time | | | | | when the | | | | | event | | | | |occured.occurred | |natInstanceId| | | | | natInstanceID | 32 |TBD463 | NAT | | | | | Instance | | | | | Identifier | |vlanID| | | | | vlanId | 16 | 58 | VLAN ID in | | | | | case of | | | | | overlapping | | | | | networks | | | | | | | ingressVRFID | 32 | 234 | VRF ID in | | | | | case of | | | | | overlapping | | | | | networks | | | | | | | sourceIPv4Address | 32 | 8 | Source IPv4 | | | | | Address | | | | | | | postNATSourceIPv4Address | 32 | 225 | Translated | | | | | Source IPv4 | | | | | Address | | | | | | | protocolIdentifier | 8 | 4 | Transport | | | | | protocol | | | | | | | sourceTransportPort | 16 | 7 | Source Port | |postNAPTsourceTransportPort| | | | | postNAPTSourceTransportPort | 16 | 227 | Translated | | | | | Source port | | | | | | | destinationIPv4Address | 32 | 12 | Destination | | | | | IPv4 | | | | | Address | | | | | | | postNATDestinationIPv4Address | 32 | 226 | Translated | | | | | IPv4 | | | | | destination | | | | | address | | | | | | | destinationTransportPort | 16 | 11 | Destination | | | | | port | |postNAPTdestinationTransportPo| | | | | postNAPTDestinationTransportPort | 16 | 228 | Translated | |rt| | | Destination | | | | | port | | | | | | | sourceIPv6Address | 128 | 27 | Source IPv6 | | | | | address | | | | | | | destinationIPv6Address | 128 | 28 | Destination | | | | | IPv6 | | | | | address | | | | | | | postNATSourceIPv6Address | 128 | 281 | Translated | | | | | source IPv6 | | | | |addresssaddress | | | | | | | postNATDestinationIPv6Address | 128 | 282 | Translated | | | | | Destination | | | | | IPv6 | | | | | address | | | | | | | internalAddressRealm |OctetArrayoctetArr |TBD464 | Source | | | ay | | Address | | | | | Realm | | | | | | | externalAddressRealm |OctetArrayoctetArr |TBD465 | Destination | | | ay | | Address | | | | | Realm | | | | | | | natEvent | 8 | 230 | Type of | | | | | Event | | | | | | | portRangeStart | 16 | 361 | Allocated | | | | | port block | | | | | start | | | | | | | portRangeEnd | 16 | 362 | Allocated | | | | | Port block | | | | | end | |natPoolID| | | | | natPoolId | 32 | 283 | NAT pool | | | | | Identifier | | | | | | | natQuotaExceededEvent | 32 |TBD466 | Limit event | | | | | identifier | | | | | | | natThresholdEvent | 32 |TBD467 | Threshold | | | | | event | | | | | identifier |+--------------------------------+------------+-------+-------------+ Table 1: Template format Table 4.3. Definition of NAT Events The following is the complete list of NAT events and the proposed event type values. The natEvent IE is defined in the IPFIX IANA registry in http://www.iana.org/assignments/ipfix/ipfix.xml. The list can be expanded in the future as necessary. The data record will have the corresponding natEvent value to indicate the event that is being logged. Note that the first two events are marked historic. These values were defined prior to the existence of this draft and outside the IETF working group. These events are not standalone and require more information need to be conveyed to qualify the event. For example, the NAT Translation create event does not specify if it is a NAT44 or NAT64. As a result the Behave WG decided to have explicit definition for each one of the unique events. The historic events are listed here for the purpose of completeness and are already defined in the IPFIX IANA registry. Any compliant implementation SHOULD NOT implement the events that are marked historic. +-------------------------------------+--------+|Event Name|Values|+-------------------------------------+--------+|NAT Translation create (Historic)|1| maxSessionEntries |NAT Translation Delete (Historic)32 |2471 | Maximum |NAT Addresses exhausted|3| |NAT44 Session create|4session | |NAT44 Session delete|5| |NAT64 Session createentries |6| |NAT64 Session delete|7| |NAT44 BIB create|8maxBIBEntries | 32 |NAT44 BIB delete472 |9Maximum | |NAT64 BIB create|10| |NAT64 BIB deletebind |11| |NAT ports exhausted|12| entries |Quota exceeded|13| |Address binding create|14| |Address binding deletemaxEntriesPerUser |1532 | 473 |Port block allocationMaximum |16| |Port block de-allocation|17| entries |Threshold reached|18|+-------------------------------------+--------+ Table 2: NAT Event ID table 4.4. Quota exceeded Event types The Quota Exceeded event is a natEvent IE described in Table 2. The Quota exceeded events are generated when the hard limits set by the administrator has been reached or exceeded. The following table shows the sub event types for the Quota exceeded or limits reached event. The events that can be reported are the Maximum session entries limit reached, Maximum BIB entries limit reached, Maximum (session/BIB) entries per user limit reached, Maximum active hosts limit reached or maximum subscribers limit reached and Maximum Fragments pending reassembly limit reached. +---------------------------------------+--------+|Quota Exceeded Event Name|Valuesper-user |+---------------------------------------+--------+|Maximum Session entries|1| |Maximum BIB entries|2| maxSubscribers | 32 | 474 | Maximumentries per user|3| |Maximum active hosts or| | subscribers |4| | | | | | maxFragmentsPendingReassembly | 32 | 475 | Maximum | | | | | fragmentspending reassembly|5|+---------------------------------------+--------+ Table 3: Quota Exceeded event table 4.5. Threshold reached Event types The following table shows the sub event types| | | forthe threshold reached event. The administrator can configure the thresholds and whenever the threshold is reached or exceeded, the corresponding events are generated. The main difference between Quota Exceeded and the Threshold reached events is that, once the Quota exceeded events are hit, the packets are dropped or mappings wont be created etc, whereas, the| | | | | ressembly | | | | | | | addressPoolHighThreshold | 32 | 476 | High | | | | | thresholdreached events will provide the operator a chance to take action before the traffic disruptions can happen. A NAT device can choose to implement one or the other or both. The| | | | | for address | | | | | poolhigh| | | | | | | addressPoolLowThreshold | 32 | 477 | Low | | | | | thresholdevent will be reported when the| | | | | for address | | | | | poolreaches a high water mark as defined by the operator. This will serve as an indication that the operator might have to add more addresses to the pool or an indication that the subsequent users may be denied NAT translation mappings. The address pool low threshold event will be reported when the address pool reaches a low water mark as defined by the operator. This will serve as an indication that the operator can reclaim some of the global IPv4 addresses in the pool. The address and port mapping high threshold event is generated, when the number of ports in the configured address pool has reached a configured threshold. The per-user address and port mapping high threshold is generated when a single user uses more address and port mapping than a configured threshold. We don't track the low threshold for per-user address and port mappings, because as the ports are freed, the address will become available. The address pool low threhold event will then be triggered so that the IPv4 global address can be reclaimed. The Global address mapping high| | | | | | | addressPortMappingHighThreshold | 32 | 478 | High | | | | | thresholdevent is generated when the maximum mappings per-user is reached| | | | | fora NAT device doing pairedaddresspooling. +---------------------------------------------------------+--------+|Threshold Exceeded Event Name|Values|+---------------------------------------------------------+--------+|Address pool high threshold event|1/port | |Address pool low threshold event|2| |Address and portmappinghigh threshold event|3| |Address and port mapping per user high threshold event|4| |Global Address mapping high| addressPortMappingLowThreshold | 32 | 479 | Low | | | | | thresholdevent|5|+---------------------------------------------------------+--------+ Table 4: Threshold event table 4.6. Templates| | | forNAT Events The following is the template of events that will be logged. The events below are identified at the time of this writing but the set of events is extensible. A NAT device that implements a given NAT event MUST support the mandatory IE's in the templates. Depending on the implementation and configuration various IEs that are not mandatory can be included or ignored. 4.6.1. NAT44 create and delete session events These events will be generated when a NAT44 session is created or deleted. The template will be the same, the natEvent will indicate whether it is a create or a delete event. The following is a template of the event. The destinationaddressand port information is optional as required by [RFC6888]. However, when the destination information is suppressed, the session log event contains the same information as the BIB event. In such cases, the NAT device SHOULD NOT send both BIB and session events. +----------------------------------+-------------+-----------+|Field Name|Size (bits)|Mandatory|+----------------------------------+-------------+-----------+|timeStamp/port |64|Yes| |natEvent|8mapping |Yes| |sourceIPv4Address|32|Yes| |postNATSourceIPv4AddressaddressPortMappingPerUserHighThr | 32 |Yes |480 |protocolIdentifierHigh |8|Yeseshold | |sourceTransportPort|16threshold |Yes| |postNAPTsourceTransportPort|16|Yesfor per- | |destinationIPv4Address|32|No| user addres |postNATDestinationIPv4Address|32|No| |destinationTransportPorts/port |16|No| |postNAPTdestinationTransportPort|16mapping |No| |natInstanceID|32|No| |vlanID/ingressVRFIDglobalAddressMappingHighThreshol | 32 |No481 | High |internalAddressRealm|OctetArrayd |No| |externalAddressRealmthreshold |OctetArray|No|+----------------------------------+-------------+-----------+ Table 5: NAT44 Session delete/create template 4.6.2. NAT64 create and delete session events These events will be generated when a NAT64 session is created or deleted. The following is a template of the event. +----------------------------------+-------------+-----------+|Field Name|Size (bits)for global |Mandatory|+----------------------------------+-------------+-----------+|timeStamp|64|Yesaddress | |natEvent|8|Yes| mapping |sourceIPv6Address+----------------------------------+----------+-------+-------------+ Table 1: NAT IE List 4.3. Definition of NAT Events The following is the complete list of NAT events and the proposed event type values. The natEvent IE is defined in the "IPFIX Information Elements" registry [IPFIX-IANA];. The list can be expanded in the future as necessary. The data record will have the corresponding natEvent value to indicate the event that is being logged. Note that the first two events are marked "Historic" and are listed here for the sole purpose of completeness. Any compliant implementation SHOULD NOT use the events that are marked "Historic". These values were defined prior to the existence of this document and outside the IETF. These events are not standalone and require more information to be conveyed to qualify the event. For example, the NAT translation create event does not specify if it is NAT44 or NAT64. As a result, the Behave working group decided to have an explicit definition for each one of the unique events. +-------+------------------------------------+ |128Value |YesEvent Name | +-------+------------------------------------+ |postNATSourceIPv4Address0 |32Reserved |Yes| 1 |protocolIdentifierNAT translation create (Historic) |8|Yes2 | NAT translation delete (Historic) |sourceTransportPort|163 |YesNAT Addresses exhausted | |postNAPTsourceTransportPort4 |16NAT44 session create |Yes| 5 |destinationIPv6AddressNAT44 session delete |128|No6 | NAT64 session create |postNATDestinationIPv4Address|327 |NoNAT64 session delete | |destinationTransportPort8 |16NAT44 BIB create |No| 9 |postNAPTdestinationTransportPortNAT44 BIB delete |16|No10 | NAT64 BIB create |natInstanceID|3211 |NoNAT64 BIB delete | |vlanID/ingressVRFID12 |32NAT ports exhausted |No| 13 |internalAddressRealmQuota Exceeded |OctetArray|No14 | Address binding create |externalAddressRealm|OctetArray15 |No | +----------------------------------+-------------+-----------+ Table 6: NAT64 session create/delete event template 4.6.3. NAT44 BIB create and delete events These events will be generated when a NAT44 Bind entry is created or deleted. The following is a template of the event. +-----------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory | +-----------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | sourceIPv4Address | 32 | Yes | | postNATSourceIPv4Address | 32 | Yes | | protocolIdentifier | 8 | NoAddress binding delete | |sourceTransportPort | 16 | No | | postNAPTsourceTransportPort |16 |No | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 32 | No | | internalAddressRealmPort block allocation |OctetArray|No17 | Port block de-allocation |externalAddressRealm|OctetArray18 |NoThreshold Reached |+-----------------------------+-------------+-----------++-------+------------------------------------+ Table7: NAT44 BIB create/delete2: NAT Event ID 4.4. Quota Exceeded Event Types The Quota Exceeded eventtemplate 4.6.4. NAT64 BIB create and delete events Theseis a natEvent IE described in Table 2. The Quota Exceeded eventswill beare generated whena NAT64 Bind entry is createdthe hard limits set by the administrator have been reached ordeleted.exceeded. The followingis a template oftable shows the sub-event types for the Quota Exceeded event.+-----------------------------+-------------+-----------+The events that can be reported are the maximum session entries limit reached, maximum BIB entries limit reached, maximum (session/BIB) entries per user limit reached, maximum active hosts or subscribers limit reached, and maximum Fragments pending reassembly limit reached. +-------+---------------------------------------+ |FieldValue | Quota Exceeded Event Name |Size (bits)+-------+---------------------------------------+ |Mandatory0 |+-----------------------------+-------------+-----------+Reserved |timeStamp|641 |YesMaximum session entries | |natEvent2 |8Maximum BIB entries |Yes| 3 |sourceIPv6AddressMaximum entries per user |128|Yes | | postNATSourceIPv4Address | 32 | Yes | | protocolIdentifier | 8 | No | | sourceTransportPort | 16 | No | | postNAPTsourceTransportPort | 16 | No | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 32 | No | | internalAddressRealm | OctetArray | No4 | Maximum active hosts or subscribers |externalAddressRealm|OctetArray5 |NoMaximum fragments pending reassembly |+-----------------------------+-------------+-----------++-------+---------------------------------------+ Table8: NAT64 BIB create/delete event template 4.6.5. Addresses Exhausted event This event3: Quota Exceeded Event 4.5. Threshold Reached Event Types The following table shows the sub-event types for the Threshold Reached event. The administrator can configure the thresholds, and whenever the threshold is reached or exceeded, the corresponding events are generated. The main difference between the Quota Exceeded and Threshold Reached events is that, once the Quota Exceeded events are hit, the packets are dropped or mappings will not begenerated when a NAT device runs out of global IPv4 addresses increated, whereas the Threshold Reached events will provide the operator agiven pool of addresses. Typically, this event would mean thatchance to take action before the traffic disruptions can happen. A NAT devicewon't be ablecan choose tocreate any new translations until some addresses/ports are freed. Thisimplement one or the other, or both. The address pool high threshold eventSHOULDwill berate limited as many packets hittingreported when thedevice ataddress pool reaches a high-water mark as defined by thesame timeoperator. This willtrigger a burst ofserve as an indication that either the operator might have to add more addressesexhausted events. The following is a template ofto theevent. +---------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory | +---------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natPoolID | 32 | Yes | | natInstanceID | 32 | No | +---------------+-------------+-----------+ Table 9: Address Exhausted event template 4.6.6. Ports Exhausted event Thispool or the subsequent users may be denied NAT translation mappings. The address pool low threshold event will begeneratedreported when the address pool reaches aNAT device runs outlow-water mark as defined by the operator. This will serve as an indication that the operator can reclaim some ofports for athe global IPv4address. Port exhaustion shall be reported per protocol (UDP, TCP etc). Thisaddresses in the pool. The address and port mapping high threshold eventSHOULD be rate limited as many packets hittingis generated when thedevice atnumber of ports in thesame time will triggerconfigured address pool has reached aburst of port exhausted events.configured threshold. Thefollowingper-user address and port mapping high threshold is generated when atemplate ofsingle user utilizes more address and port mapping than a configured threshold. We don't track theevent. +--------------------------+-------------+-----------+low threshold for per-user address and port mappings because, as the ports are freed, the address will become available. The address pool low threshold event will then be triggered so that the global IPv4 address can be reclaimed. The global address mapping high threshold event is generated when the maximum number of mappings per user is reached for a NAT device doing paired-address pooling. +-------+---------------------------------------------------------+ |Field NameValue |Size (bits)Threshold Exceeded Event Name |Mandatory+-------+---------------------------------------------------------+ |+--------------------------+-------------+-----------+0 |timeStampReserved |64|Yes1 | Address pool high threshold event |natEvent|82 |Yes | | postNATSourceIPv4Address | 32Address pool low threshold event |Yes| 3 |protocolIdentifierAddress and port mapping high threshold event |8|Yes4 | Address and port mapping per user high threshold event |natInstanceID|325 |NoGlobal address mapping high threshold event |+--------------------------+-------------+-----------++-------+---------------------------------------------------------+ Table10: Ports Exhausted event4: Threshold Event 4.6. Templates for NAT Events The following is the template4.6.7. Quota exceededof eventsThis eventthat will begenerated when alogged. The events below are identified at the time of this writing, but the set of events is extensible. A NAT devicecannot allocate resources asthat implements aresult of an administratively defined policy. The quota exceededgiven NAT eventtemplatesMUST support the mandatory IEs in the templates. Depending on the implementation and configuration, various IEs that aredescribed below. 4.6.7.1. Maximum session entries exceeded The maximum session entries exceeded event isnot mandatory can be included or ignored. 4.6.1. NAT44 Session Create and Delete Events These events will be generated whenthe administratively configured NATa NAT44 sessionlimitisreached.created or deleted. The template will be the same; the natEvent will indicate whether it is a create or a delete event. The following isthea template of the event.+-----------------------+-------------+-----------+The destination address and port information is optional as required by [RFC6888]. However, when the destination information is suppressed, the session log event contains the same information as the BIB event. In such cases, the NAT device SHOULD NOT send both BIB and session events. +----------------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-----------------------+-------------+-----------++----------------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natQuotaExceededEventsourceIPv4Address | 32 | Yes | |configuredLimitpostNATSourceIPv4Address | 32 | Yes | |natInstanceIDprotocolIdentifier |328 |NoYes |+-----------------------+-------------+-----------+ Table 11: Session Entries Exceeded event template 4.6.7.2. Maximum BIB entries exceeded The maximum BIB entries exceeded event is generated when the administratively configured BIB entry limit is reached. The following is the template of the event. +-----------------------+-------------+-----------+|Field NamesourceTransportPort |Size (bits)16 |MandatoryYes |+-----------------------+-------------+-----------+|timeStamppostNAPTSourceTransportPort |6416 | Yes | |natEventdestinationIPv4Address |832 |YesNo | |natQuotaExceededEventpostNATDestinationIPv4Address | 32 |YesNo | |configuredLimitdestinationTransportPort |3216 |YesNo | | postNAPTDestinationTransportPort | 16 | No | | natInstanceID | 32 | No |+-----------------------+-------------+-----------+| vlanID/ingressVRFID | 16/32 | No | | internalAddressRealm | octetArray | No | | externalAddressRealm | octetArray | No | +----------------------------------+-------------+-----------+ Table12: BIB Entries Exceeded event template 4.6.7.3. Maximum entries per user exceeded This event is5: NAT44 Session Delete/Create Template 4.6.2. NAT64 Session Create and Delete Events These events will be generated when asingle user reaches the administratively configured NAT translation limit.NAT64 session is created or deleted. The following isthea template of the event.+-----------------------+-------------+---------------++----------------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-----------------------+-------------+---------------++----------------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natQuotaExceededEventsourceIPv6Address |32128 | Yes | |configuredLimitpostNATSourceIPv4Address | 32 | Yes | |sourceIPv4 addressprotocolIdentifier |328 | Yesfor NAT44| |sourceIPv6 addresssourceTransportPort |12816 | Yesfor NAT64| | postNAPTSourceTransportPort | 16 | Yes | | destinationIPv6Address | 128 | No | | postNATDestinationIPv4Address | 32 | No | | destinationTransportPort | 16 | No | | postNAPTDestinationTransportPort | 16 | No | | natInstanceID | 32 | No | | vlanID/ingressVRFID |3216/32 | No |+-----------------------+-------------+---------------+| internalAddressRealm | octetArray | No | | externalAddressRealm | octetArray | No | +----------------------------------+-------------+-----------+ Table13: Per-user Entries Exceeded event template 4.6.7.4. Maximum active host or subscribers exceeded This event is6: NAT64 Session Create/Delete Event Template 4.6.3. NAT44 BIB Create and Delete Events These events will be generated whenthe number of allowed hostsa NAT44 Bind entry is created orsubscribers reaches the administratively configured limit.deleted. The following isthea template of the event.+-----------------------+-------------+-----------++-----------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-----------------------+-------------+-----------++-----------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natQuotaExceededEventsourceIPv4Address | 32 | Yes | |configuredLimitpostNATSourceIPv4Address | 32 | Yes | |natInstanceIDprotocolIdentifier |328 | No |+-----------------------+-------------+-----------+| sourceTransportPort | 16 | No | | postNAPTSourceTransportPort | 16 | No | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 16/32 | No | | internalAddressRealm | octetArray | No | | externalAddressRealm | octetArray | No | +-----------------------------+-------------+-----------+ Table14: Maximum hosts/subscribers Exceeded event template 4.6.7.5. Maximum fragments pending reassembly exceeded This event is7: NAT44 BIB Create/Delete Event Template 4.6.4. NAT64 BIB Create and Delete Events These events will be generated whenthe number of fragments pending reassembly reaches the administratively configured limit. Note that in case of NAT64, when this condition is detected in the IPv6 to IPv4 direction, the IPv6 source address is mandatory in the template. Similarly, when this condition is detected in IPv4 to IPv6 direction, the source IPv4 addressa NAT64 Bind entry ismandatory in the template below.created or deleted. The following isthea template of the event.+-----------------------+-------------+----------------++-----------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-----------------------+-------------+----------------++-----------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natQuotaExceededEventsourceIPv6Address |32128 | Yes | |configuredLimitpostNATSourceIPv4Address | 32 | Yes | |sourceIPv4 addressprotocolIdentifier |328 |Yes for NAT44No | |sourceIPv6 addresssourceTransportPort |12816 |Yes for NAT64No | | postNAPTSourceTransportPort | 16 | No | | natInstanceID | 32 | No | | vlanID/ingressVRFID |3216/32 | No | | internalAddressRealm |OctetArrayoctetArray | No | | externalAddressRealm | octetArray | No |+-----------------------+-------------+----------------++-----------------------------+-------------+-----------+ Table15: Maximum fragments pending reassembly Exceeded event template 4.6.8. Threshold reached events8: NAT64 BIB Create/Delete Event Template 4.6.5. Addresses Exhausted Event This event will be generated when a NAT devicereaches a operator configured threshold when allocating resources. The threshold reached events are describedruns out of global IPv4 addresses inthe section above. The following isatemplate of the individual events. 4.6.8.1. Addressgiven poolhigh or low threshold reached Thisof addresses. Typically, this eventis generated when the high or low threshold is reached forwould mean that theaddress pool.NAT device won't be able to create any new translations until some addresses/ports are freed. This event SHOULD be rate-limited, as many packets hitting the device at the same time will trigger a burst of addresses exhausted events. Thetemplatefollowing is a template of thesame for both high and low threshold events +-------------------+-------------+-----------+event. +---------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-------------------+-------------+-----------++---------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natThresholdEvent | 32 | Yes | |natPoolID | 32 | Yes | |configuredLimit | 32 | Yes | |natInstanceID | 32 | No |+-------------------+-------------+-----------++---------------+-------------+-----------+ Table16: Address pool high/low threshold reached event template 4.6.8.2. Address and port high threshold reached9: Addresses Exhausted Event Template 4.6.6. Ports Exhausted Event This eventiswill be generated when a NAT device runs out of ports for a global IPv4 address. Port exhaustion shall be reported per protocol (UDP, TCP, etc.). This event SHOULD be rate-limited, as many packets hitting thehigh thresholddevice at the same time will trigger a burst of port exhausted events. The following isreached fora template of theaddress pool and ports. +-------------------+-------------+-----------+event. +--------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+-------------------+-------------+-----------++--------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natThresholdEventpostNATSourceIPv4Address | 32 | Yes | |configuredLimitprotocolIdentifier |328 | Yes | | natInstanceID | 32 | No |+-------------------+-------------+-----------++--------------------------+-------------+-----------+ Table17: Address port high threshold reached event template 4.6.8.3. Per-user Address and port high threshold reached10: Ports Exhausted Event Template 4.6.7. Quota Exceeded Events This event will be generated when a NAT device cannot allocate resources as a result of an administratively defined policy. The Quota Exceeded event templates are described below. 4.6.7.1. Maximum Session Entries Exceeded The maximum session entries exceeded event is generated when thehigh thresholdadministratively configured NAT session limit is reached. The following isreached fortheper-user address pool and ports. +---------------------+-------------+---------------+template of the event. +-----------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+---------------------+-------------+---------------++-----------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natThresholdEventnatQuotaExceededEvent | 32 | Yes | |configuredLimitmaxSessionEntries | 32 | Yes | |sourceIPv4 addressnatInstanceID | 32 |Yes for NAT44 | | sourceIPv6 addressNo |128 | Yes for NAT64 | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 32 | No | +---------------------+-------------+---------------++-----------------------+-------------+-----------+ Table18: Per-user Address port high threshold reached event template 4.6.8.4. Global Address mapping high threshold reached This11: Session Entries Exceeded Event Template 4.6.7.2. Maximum BIB Entries Exceeded The maximum BIB entries exceeded event is generated when thehigh thresholdadministratively configured BIB entry limit isreached for the per-user address pool and ports. Thisreached. The following isgenerated only by NAT devices that use a paired address pooling behavior. +---------------------+-------------+-----------+the template of the event. +-----------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory |+---------------------+-------------+-----------++-----------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |natThresholdEventnatQuotaExceededEvent | 32 | Yes | |configuredLimitmaxBIBEntries | 32 | Yes | | natInstanceID | 32 | No || vlanID/ingressVRFID | 32 | No | +---------------------+-------------+-----------++-----------------------+-------------+-----------+ Table19: Global Address mapping high threshold reached12: BIB Entries Exceeded Event Template 4.6.7.3. Maximum Entries per User Exceeded This eventtemplate 4.6.9. Address binding create and delete events These events will beis generated when aNAT device binds a local address with a global address and whensingle user reaches theglobal address is freed. Aadministratively configured NATdevice will generate the binding events when it receivestranslation limit. The following is thefirst packettemplate of thefirst flow from a host in the private realm. +--------------------------------+-------------+---------------+event. +-----------------------+-------------+---------------+ | Field Name | Size (bits) | Mandatory |+--------------------------------+-------------+---------------++-----------------------+-------------+---------------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |sourceIPv4 addressnatQuotaExceededEvent | 32 | Yes | | maxEntriesPerUser | 32 | Yes | | sourceIPv4Address | 32 | Yes for NAT44 | |sourceIPv6 addresssourceIPv6Address | 128 | Yes for NAT64 | |Translated Source IPv4 AddressnatInstanceID | 32 |YesNo | |natInstanceIDvlanID/ingressVRFID |3216/32 | No |+--------------------------------+-------------+---------------++-----------------------+-------------+---------------+ Table20: NAT Address Binding template 4.6.10. Port block allocation and de-allocation13: Per-User Entries Exceeded Event Template 4.6.7.4. Maximum Active Hosts or Subscribers Exceeded This eventwill beis generated whena NAT device allocates/de-allocates ports in a bulk fashion, as opposed to allocating a port on a per flow basis. portRangeStart representsthestarting valuenumber of allowed hosts or subscribers reaches therange. portRangeEnd representsadministratively configured limit. The following is theending valuetemplate of therange. NAT devices would do this in order to reduce logs and potentially to limitevent. +-----------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory | +-----------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natQuotaExceededEvent | 32 | Yes | | maxSubscribers | 32 | Yes | | natInstanceID | 32 | No | +-----------------------+-------------+-----------+ Table 14: Maximum Hosts/Subscribers Exceeded Event Template 4.6.7.5. Maximum Fragments Pending Reassembly Exceeded This event is generated when the number ofconnections a subscriberfragments pending reassembly reaches the administratively configured limit. Note that in the case of NAT64, when this condition isallowed to use. Indetected in thefollowing Port Block allocation template,IPv6-to- IPv4 direction, theportRangeStart and portRangeEnd MUST be specified. ItIPv6 source address isup tomandatory in theimplementation to choose to consolidate log recordstemplate. Similarly, when this condition is detected incase two consecutive port ranges forIPv4-to-IPv6 direction, thesame user are allocated or freed. +--------------------------------+-------------+---------------+source IPv4 address is mandatory in the template below. The following is the template of the event. +-------------------------------+-------------+----------------+ | Field Name | Size (bits) | Mandatory |+--------------------------------+-------------+---------------++-------------------------------+-------------+----------------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | |sourceIPv4 addressnatQuotaExceededEvent | 32 | Yesfor NAT44| |sourceIPv6 addressmaxFragmentsPendingReassembly |12832 | Yesfor NAT64| |Translated Source IPv4 AddresssourceIPv4Address | 32 | Yes for NAT44 | |portRangeStartsourceIPv6Address |16128 | Yes for NAT64 | |portRangeEndnatInstanceID |1632 | No | |natInstanceIDvlanID/ingressVRFID |3216/32 | No | | internalAddressRealm | octetArray | No |+--------------------------------+-------------+---------------++-------------------------------+-------------+----------------+ Table21: NAT Port Block Allocation event template 5. Management Considerations15: Maximum Fragments Pending Reassembly Exceeded Event Template 4.6.8. Threshold Reached Events Thissection considers requirements for management of the log system to support loggingevent will be generated when a NAT device reaches an operator- configured threshold when allocating resources. The Threshold Reached events are described in the section above. The following is a template of the individual events. 4.6.8.1. Address Pool High or Low Threshold Reached This event is generated when the high or low threshold is reached for the address pool. The template is the same for both high and low threshold events +----------------------------------------------+--------+-----------+ | Field Name | Size | Mandatory | | | (bits) | | +----------------------------------------------+--------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natThresholdEvent | 32 | Yes | | natPoolID | 32 | Yes | | addressPoolHighThreshold/ | 32 | Yes | | addressPoolLowThreshold | | | | natInstanceID | 32 | No | +----------------------------------------------+--------+-----------+ Table 16: Address Pool High/Low Threshold Reached Event Template 4.6.8.2. Address and Port Mapping High Threshold Reached This event is generated when the high threshold is reached for the address pool and ports. +----------------------------------------------+--------+-----------+ | Field Name | Size | Mandatory | | | (bits) | | +----------------------------------------------+--------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natThresholdEvent | 32 | Yes | | addressPortMappingHighThreshold/ | 32 | Yes | | addressPortMappingLowThreshold | | | | natInstanceID | 32 | No | +----------------------------------------------+--------+-----------+ Table 17: Address Port High Threshold Reached Event Template 4.6.8.3. Address and Port Mapping per User High Threshold Reached This event is generated when the high threshold is reached for the per-user address pool and ports. +----------------------------------------------+--------+-----------+ | Field Name | Size | Mandatory | | | (bits) | | +----------------------------------------------+--------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natThresholdEvent | 32 | Yes | | addressPortMappingHighThreshold/ | 32 | Yes | | addressPortMappingLowThreshold | | | | sourceIPv4Address | 32 | Yes for | | | | NAT44 | | sourceIPv6Address | 128 | Yes for | | | | NAT64 | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 16/32 | No | +----------------------------------------------+--------+-----------+ Table 18: Address and Port Mapping per User High Threshold Reached Event Template 4.6.8.4. Global Address Mapping High Threshold Reached This event is generated when the high threshold is reached for the per-user address pool and ports. This is generated only by NAT devices that use a paired-address-pooling behavior. +-----------------------------------+-------------+-----------+ | Field Name | Size (bits) | Mandatory | +-----------------------------------+-------------+-----------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | natThresholdEvent | 32 | Yes | | globalAddressMappingHighThreshold | 32 | Yes | | natInstanceID | 32 | No | | vlanID/ingressVRFID | 16/32 | No | +-----------------------------------+-------------+-----------+ Table 19: Global Address Mapping High Threshold Reached Event Template 4.6.9. Address Binding Create and Delete Events These events will be generated when a NAT device binds a local address with a global address and when the global address is freed. A NAT device will generate the binding events when it receives the first packet of the first flow from a host in the private realm. +--------------------------+-------------+---------------+ | Field Name | Size (bits) | Mandatory | +--------------------------+-------------+---------------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | sourceIPv4Address | 32 | Yes for NAT44 | | sourceIPv6Address | 128 | Yes for NAT64 | | postNATSourceIPv4Address | 32 | Yes | | natInstanceID | 32 | No | +--------------------------+-------------+---------------+ Table 20: NAT Address Binding Template 4.6.10. Port Block Allocation and De-allocation This event will be generated when a NAT device allocates/de-allocates ports in a bulk fashion, as opposed to allocating a port on a per- flow basis. portRangeStart represents the starting value of the range. portRangeEnd represents the ending value of the range. NAT devices would do this in order to reduce logs and to potentially limit the number of connections a subscriber is allowed to use. In the following Port Block allocation template, the portRangeStart and portRangeEnd MUST be specified. It is up to the implementation to choose to consolidate log records in case two consecutive port ranges for the same user are allocated or freed. +--------------------------+-------------+---------------+ | Field Name | Size (bits) | Mandatory | +--------------------------+-------------+---------------+ | timeStamp | 64 | Yes | | natEvent | 8 | Yes | | sourceIPv4Address | 32 | Yes for NAT44 | | sourceIPv6Address | 128 | Yes for NAT64 | | postNATSourceIPv4Address | 32 | Yes | | portRangeStart | 16 | Yes | | portRangeEnd | 16 | No | | natInstanceID | 32 | No | +--------------------------+-------------+---------------+ Table 21: NAT Port Block Allocation Event Template 5. Management Considerations This section considers requirements for management of the log system to support logging of the events described above. It first covers requirements applicable to log management in general. Any additional standardization required to fulfill these requirements is out of scope of the present document. Some management considerations are covered in [NAT-LOG]. This document covers the additional considerations. 5.1. Ability to Collect Events from Multiple NAT Devices An IPFIX Collector MUST be able to collect events from multiple NAT devices and decipher events based on the Observation Domain ID in the IPFIX header. 5.2. Ability to Suppress Events The exhaustion events can be overwhelming during traffic bursts; hence, they SHOULD be handled by the NAT devices to rate-limit them before sending them to the Collectors. For example, when the port exhaustion happens during bursty conditions, instead of sending a port exhaustion event for every packet, the exhaustion events SHOULD be rate-limited by the NAT device. 6. IANA Considerations 6.1. Information Elements IANA has registered the following IEs in the "IPFIX Information Elements" registry at [IPFIX-IANA]. 6.1.1. natInstanceID ElementID: 463 Name: natInstanceID Description: This Information Element uniquely identifies an Instance of the NAT that runs on a NAT middlebox function after the packet passes the Observation Point. natInstanceID is defined in [RFC7659]. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.2. internalAddressRealm ElementID: 464 Name: internalAddressRealm Description: This Information Element represents the internal address realm where the packet is originated from or destined to. By definition, a NAT mapping can be created from two address realms, one from internal and one from external. Realms are implementation dependent and can represent a Virtual Routing and Forwarding (VRF) ID, a VLAN ID, or some unique identifier. Realms are optional and, when left unspecified, would mean that the external and internal realms are the same. Abstract Data Type: octetArray Data Type Semantics: identifier Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.3. externalAddressRealm ElementID: 465 Name: externalAddressRealm Description: This Information Element represents the external address realm where the packet is originated from or destined to. The detailed definition is in the internal address realm as specified above. Abstract Data Type: octetArray Data Type Semantics: identifier Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.4. natQuotaExceededEvent ElementID: 466 Name: natQuotaExceededEvent Description: This Information Element identifies the type of a NAT Quota Exceeded event. Values for this Information Element are listed in the "NAT Quota Exceeded Event Type" registry, see [IPFIX-IANA]. Initial values in the registry are defined by the table below. New assignments of values will be administered by IANA and are subject to Expert Review [RFC8126]. Experts need to check definitions of new values for completeness, accuracy, and redundancy. +--------+---------------------------------------+ | Value | Quota Exceeded Event Name | +--------+---------------------------------------+ | 0 | Reserved | | 1 | Maximum session entries | | 2 | Maximum BIB entries | | 3 | Maximum entries per user | | 4 | Maximum active hosts or subscribers | | 5 | Maximum fragments pending reassembly | +--------+---------------------------------------+ Note: This is the same as Table 3. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.5. natThresholdEvent ElementID: 467 Name: natThresholdEvent Description: This Information Element identifies a type of a NAT Threshold event. Values for this Information Element are listed in the "NAT Threshold Event Type" registry, see [IPFIX-IANA]. Initial values in the registry are defined by the table below. New assignments of values will be administered by IANA and are subject to Expert Review [RFC8126]. Experts need to check definitions of new values for completeness, accuracy, and redundancy. +--------+---------------------------------------------------------+ | Value | Threshold Exceeded Event Name | +--------+---------------------------------------------------------+ | 0 | Reserved | | 1 | Address pool high threshold event | | 2 | Address pool low threshold event | | 3 | Address and port mapping high threshold event | | 4 | Address and port mapping per user high threshold event | | 5 | Global address mapping high threshold event | +--------+---------------------------------------------------------+ Note: This is the same as Table 4. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: See [RFC791] for the definition of theevents described above. It first covers requirements applicable to log management in general. Any additional standardization required to fullfil these requirements is outIPv4 source address field. See [RFC3022] for the definition ofscopeNAT. See [RFC3234] for the definition of middleboxes. 6.1.6. natEvent The original definition of this Information Element specified only three values: 1, 2, and 3. This definition has been replaced by a registry, to which new values can be added. The semantics of thepresent document. Some management considerations are covered in [I-D.ietf-behave-syslog-nat-logging].three originally defined values remain unchanged. IANA maintains the "NAT Event Type (Value 230)" registry for values of this Information Element at [IPFIX-IANA]. ElementID: 230 Name: natEvent Description: Thisdocument coversInformation Element identifies a NAT event. This IE identifies theadditional considerations. 5.1. Ability to collect events from multipletype of a NATdevices An IPFIX collector MUST be able to collect events from multipleevent. Examples of NATdevices and be able to deciphereventsbased on the Observation Domain IDinclude, but are not limited to, NAT translation create, NAT translation delete, Threshold Reached, or Threshold Exceeded, etc. Values for this Information Element are listed in theIPFIX header. 5.2. Ability to suppress events"NAT Event Type" registry, see [IPFIX-IANA]. Theexhaustion events can be overwhelming during traffic bursts and hence SHOULD be handled by theNATdevices to rate limit them before sending them to the collectors. For eg. when the port exhaustion happens during bursty conditions, instead of sending a port exhaustioneventfor every packet,values in theexhaustion events SHOULDregistry are defined by Table 2 in Section 4.3. New assignments of values will berate limitedadministered bythe NAT device. 6. Acknowledgements Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul Aitken, Julia Renouard, Spencer DawkinsIANA andBrian Trammellare subject to Expert Review [RFC8126]. Experts need to check definitions of new values fortheir reviewcompleteness, accuracy, andcomments. 7. IANA Considerations 7.1. Information Elements IANA will registerredundancy. Abstract Data Type: unsigned8 Data Type Semantics: identifier Reference: See [RFC3022] for thefollowing IEs indefinition of NAT. See [RFC3234] for theIPFIX Information Elements registry at http://www.iana.org/assignments/ipfix/ipfix.xml 7.1.1. natInstanceID Name : natInstanceIDdefinition of middleboxes. See RFC 8158 for the definitions of values 4-16. 6.1.7. maxSessionEntries ElementID: 471 Name: maxSessionEntries Description: ThisInformation Element uniquely identifies an Instance ofelement represents theNATmaximum session entries thatruns on a NAT middlebox function after the packet passedcan be created by theObservation Point. natInstanceID is defined in RFC 7659 [RFC7659]NAT device. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 791 [RFC0791][RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.8. maxBIBEntries ElementID: 472 Name: maxBIBEntries Description: This element represents theIPv4 source address field.maximum BIB entries that can be created by the NAT device. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes.7.1.2. internalAddressRealm6.1.9. maxEntriesPerUser ElementID: 473 Name:internalAddressRealmmaxEntriesPerUser Description: ThisInformation Elementelement represents theinternal address realm where the packet is originated from or destined to. By definition, amaximum NATmappingentries that can be createdfrom two address realms, one from internal and one from external. Realms are implementation dependent and can represent a VRF ID or a VLAN ID or some unique identifier. Realms are optional and when left unspecified would mean that the external and internal realms areper user by thesame.NAT device. Abstract Data Type:octetArrayunsigned32 Data Type Semantics: identifier Reference: SeeRFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes.7.1.3. externalAddressRealm6.1.10. maxSubscribers ElementID: 474 Name:externalAddressRealmmaxSubscribers Description: ThisInformation Elementelement represents theexternal address realm where the packet is originated frommaximum subscribers ordestined to. The detailed definition is inmaximum hosts that are allowed by theinternal address realm as specified above.NAT device. Abstract Data Type:octetArrayunsigned32 Data Type Semantics: identifier Reference: SeeRFC 791 [RFC0791][RFC3022] for the definition of NAT. See [RFC3234] for theIPv4 source address field.definition of middleboxes. 6.1.11. maxFragmentsPendingReassembly ElementID: 475 Name: maxFragmentsPendingReassembly Description: This element represents the maximum fragments that the NAT device can store for reassembling the packet. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes.7.1.4. natQuotaExceededEvent Values of this Information Element are defined in a registry maintained by IANA at <http://www.iana.org/assignments/ipfix/ ipfix.xml#TBD-by-IANA>. New assignments of values will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitions of new values for completeness, accuracy, and redundancy. Name : natQuotaExceededEvent6.1.12. addressPoolHighThreshold ElementID: 476 Name: addressPoolHighThreshold Description: ThisInformation Element identifieselement represents thetypehigh threshold value ofa NAT quota exceeded event. Values for this Information Element are listed intheNAT quota exceed event type registry, see [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA] Initial valuesnumber of public IP addresses in theregistry are defined by the table below. +---------------------------------------+--------+ | Quota Exceeded Event Name | Values | +---------------------------------------+--------+ | Maximum Session entries | 1 | | Maximum BIB entries | 2 | | Maximum entries per user | 3 | | Maximum active hosts or subscribers | 4 | | Maximum fragments pending reassembly | 5 | +---------------------------------------+--------+ Table 22address pool. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 791 [RFC0791][RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. 6.1.13. addressPoolLowThreshold ElementID: 477 Name: addressPoolLowThreshold Description: This element represents the low threshold value of the number of public IP addresses in theIPv4 sourceaddressfield.pool. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes.7.1.5. natThresholdEvent Values of this Information Element are defined in a registry maintained by IANA at http://www.iana.org/assignments/ipfix/ ipfix.xml#TBD-by-IANA. New assignments of values will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.6.1.14. addressPortMappingHighThreshold ElementID: 478 Name:natThresholdEventaddressPortMappingHighThreshold Description: ThisInformation Element identifies a type of a NAT threshold event. Values for this Information Element are listed in the NAT threshhold event type registry, see <http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA>. Initial values in the registry are defined byelement represents thetable below. +---------------------------------------------------------+--------+ | Threshold Exceeded Event Name | Values | +---------------------------------------------------------+--------+ | Address pool high threshold event | 1 | | Address pool low threshold event | 2 | | Address and port mappinghigh thresholdevent | 3 | | Addressvalue of the number of address and portmapping per user high threshold event | 4 | | Global Address mapping high threshold event | 5 | +---------------------------------------------------------+--------+ Table 23mappings. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: SeeRFC 791 [RFC0791] for the definition of the IPv4 source address field. See RFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes.7.1.6. natEvent The original definition of this Information Element specified only three values 1, 2, and 3.6.1.15. addressPortMappingLowThreshold ElementID: 479 Name: addressPortMappingLowThreshold Description: Thisdefinition is replaced by a registry, to which new values can be added. The semantics of the three originally defined values remains unchanged. IANA maintainselement represents theregistry for valueslow threshold value ofthis Information Element at <http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA>. New assignmentsthe number ofvalues will be administered by IANA, subject to Expert Review [RFC5226]. Experts need to check definitionsaddress and port mappings. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: See [RFC3022] for the definition ofnew valuesNAT. See [RFC3234] forcompleteness, accuracy, and redundancy. Name : natEvent Description:the definition of middleboxes. 6.1.16. addressPortMappingPerUserHighThreshold ElementID: 480 Name: addressPortMappingPerUserHighThreshold Description: ThisInformation Element identifies a NAT event. This IE identifieselement represents thetype of a NAT event. Exampleshigh threshold value ofNAT events include but not limited to, creation or deletionthe number of address and port mappings that aNAT translation entry,single user is allowed to create on athreshold reached or exceeded etc. ValuesNAT device. Abstract Data Type: unsigned32 Data Type Semantics: identifier Reference: See [RFC3022] forthis Information Element are listed intheNAT event type registry, see [http://www.iana.org/assignments/ipfix/ipfix.xml#TBD-by-IANA] The NAT Event values indefinition of NAT. See [RFC3234] for theregistry are defined bydefinition of middleboxes. 6.1.17. globalAddressMappingHighThreshold ElementID: 481 Name: globalAddressMappingHighThreshold Description: This element represents theTable 2high threshold value of the number of address and port mappings that a single user is allowed to create on a NAT device inSection 5.3.a paired address pooling behavior. Abstract Data Type:unsigned8unsigned32 Data Type Semantics: identifierElement ID : 230Reference: SeeRFC 3022[RFC3022] for the definition of NAT. SeeRFC 3234[RFC3234] for the definition of middleboxes. See[thisRFC][RFC4787] for thedefinitionsdefinition ofvalues 4-16. 8.paired address pooling behavior. 7. Security Considerations The security considerations listed in detail for IPFIX in [RFC7011]appliesapply to thisdraftdocument as well. As described in[RFC7011][RFC7011], the messages exchanged between the NAT device and thecollectorCollector MUST be protected to provide confidentiality,integrityintegrity, and authenticity. Without those characteristics, the messages are subject to various kinds of attacks. These attacks are described in great detail in [RFC7011]. This document re-emphasizes the use ofTLSTransport Layer Security (TLS) orDTLSDatagram Transport Layer Security (DTLS) for exchanging the log messages between the NAT device and thecollector.Collector. The log events sent inclear textcleartext can result in confidential data being exposed to attackers, who could then spoof log events based on the information inclear textcleartext messages. Hence, the log events SHOULD NOT be sent inclear text.cleartext. The logging of NAT events can result in privacy concerns as a result of exporting information such as the source address and port information. The logging ofdestinaiondestination information can also cause privacyconcernsconcerns, but it has been well documented in [RFC6888]. A NAT device can choose to operate in various logging modes if it wants to avoid logging of private information. ThecollectorCollector that receives the information can also choose to mask the private information but generate reports based on abstract data. It is outside the scope of this document to address the implementation of logging modes for privacy considerations.9.8. References9.1.8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997,<http://www.rfc-editor.org/info/rfc2119>.<https://www.rfc-editor.org/info/rfc2119>. [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007,<http://www.rfc-editor.org/info/rfc4787>.<https://www.rfc-editor.org/info/rfc4787>. [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008,<http://www.rfc-editor.org/info/rfc5382>.<https://www.rfc-editor.org/info/rfc5382>. [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011,<http://www.rfc-editor.org/info/rfc6146>.<https://www.rfc-editor.org/info/rfc6146>. [RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, "Logging Recommendations for Internet-Facing Servers", BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011,<http://www.rfc-editor.org/info/rfc6302>.<https://www.rfc-editor.org/info/rfc6302>. [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013,<http://www.rfc-editor.org/info/rfc6888>.<https://www.rfc-editor.org/info/rfc6888>. [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013,<http://www.rfc-editor.org/info/rfc7011>.<https://www.rfc-editor.org/info/rfc7011>. [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, "Definitions of Managed Objects for Network Address Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, October 2015,<http://www.rfc-editor.org/info/rfc7659>. 9.2.<https://www.rfc-editor.org/info/rfc7659>. 8.2. Informative References[I-D.ietf-behave-syslog-nat-logging][IPFIX-IANA] IANA, "IPFIX Information Elements", <http://www.iana.org/assignments/ipfix>. [NAT-LOG] Chen, Z., Zhou, C., Tsou, T., and T. Taylor, Ed., "Syslog Format for NAT Logging",draft-ietf-behave-syslog-nat- logging-06 (workWork inprogress),Progress, draft-ietf- behave-syslog-nat-logging-06, January 2014.[IPFIX-IANA] IANA, "IPFIX Information Elements registry", <http://www.iana.org/assignments/ipfix>. [RFC0791][RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981,<http://www.rfc-editor.org/info/rfc791>.<https://www.rfc-editor.org/info/rfc791>. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999,<http://www.rfc-editor.org/info/rfc2663>.<https://www.rfc-editor.org/info/rfc2663>. [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001,<http://www.rfc-editor.org/info/rfc3022>.<https://www.rfc-editor.org/info/rfc3022>. [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,<http://www.rfc-editor.org/info/rfc3234>. [RFC5226] Narten, T.<https://www.rfc-editor.org/info/rfc3234>. [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, DOI 10.17487/RFC5424, March 2009, <https://www.rfc-editor.org/info/rfc5424>. [RFC8126] Cotton, M., Leiba, B., andH. Alvestrand,T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>. [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424,8126, DOI10.17487/RFC5424, March 2009, <http://www.rfc-editor.org/info/rfc5424>.10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>. Acknowledgements Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin, Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul Aitken, Julia Renouard, Spencer Dawkins, and Brian Trammell for their review and comments. Authors' Addresses Senthil Sivakumar Cisco Systems 7100-8 Kit Creek Road Research Triangle Park,North CarolinaNC 27709USAUnited States of America Phone: +1 919 392 5158 Email: ssenthil@cisco.comRenaldoReinaldo Penno Cisco Systems 170 W Tasman Drive San Jose,CaliforniaCA 95035USAUnited States of America Email: repenno@cisco.com