[BEHAVE] AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
Spencer Dawkins <spencerdawkins.ietf@gmail.com> Thu, 01 May 2014 20:25 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF9991A0976 for <behave@ietfa.amsl.com>; Thu, 1 May 2014 13:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fdPtQ4QCkLu for <behave@ietfa.amsl.com>; Thu, 1 May 2014 13:25:53 -0700 (PDT)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id 2769E1A0956 for <behave@ietf.org>; Thu, 1 May 2014 13:25:53 -0700 (PDT)
Received: by mail-ob0-f176.google.com with SMTP id wp4so4173996obc.35 for <behave@ietf.org>; Thu, 01 May 2014 13:25:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :content-type; bh=NU6dOhW7FemRm6I9T9eqIFq47k4TOcG3YTOcSRZJRMk=; b=hbkRgkf5IRXvcK5lJxcwCUtByppJK3siJeMB8PkFz21gnZxSbQ82pddlxdyzMJVmt9 4oZcMSSEJj7zlL9iUrvDKimmW3Pc6EalPDw3PeDVhP82wD5PtVSTKaKyysc3zkJGA496 QMQfwUmCpsaZbBR82lIcq1wDJC5Xm5dgJd1wyoCVXYUv6Ffh7VpyMmPMl8QX+bjs58qa qA3FFPFu8VCehtFkoQRVZgrhjWwRe3QBmoqiKm/NMJLM7Mf+IoT74xu+agX48vjkKo0c 8qvrX9ibmRuVRAH3056ZkgyryOAwVFYUQgxuCynU95in0xmy73ABqzhquKaLW/iTYlYa jrzQ==
X-Received: by 10.60.125.72 with SMTP id mo8mr13111173oeb.36.1398975951077; Thu, 01 May 2014 13:25:51 -0700 (PDT)
Received: from [192.168.0.13] (cpe-76-187-7-89.tx.res.rr.com. [76.187.7.89]) by mx.google.com with ESMTPSA id w4sm36848363oem.8.2014.05.01.13.25.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 01 May 2014 13:25:50 -0700 (PDT)
Message-ID: <5362ADCB.4050802@gmail.com>
Date: Thu, 01 May 2014 15:25:47 -0500
From: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: draft-ietf-behave-ipfix-nat-logging@tools.ietf.org
Content-Type: multipart/alternative; boundary="------------070305050403020606040406"
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/IICMnBJnXq9CV8-yJNb6TJkmIao
X-Mailman-Approved-At: Fri, 02 May 2014 08:33:22 -0700
Cc: behave@ietf.org
Subject: [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 20:25:59 -0000
Dear draft-ietf-behave-ipfix-nat-logging Authors,
I've completed my AD evaluation for this draft. I found some things I'd
like to see changed before proceeding, but most are editorial. Please
take a look, and let me know what you think.
My notes follow ... you should be able to find my questions and comments
by searching for "SD:".
Thanks,
Spencer
In the Abstract
NAT devices are required to log events like creation and deletion of
^^^^^^^^
SD: Is this required, like, legally required, or ? Is it more like
"Operators need NAT devices to log events ..."?
translations and information about the resources it is managing. The
logs are required in many cases to identify an attacker or a host
that was used to launch malicious attacks and/or for various other
purposes of accounting. Since there is no standard way of logging
this information, different NAT devices behave differently and hence
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SD: Is this "different NAT devices log this information differently"?
it is difficult to expect a consistent behavior. The lack of a
consistent way makes it difficult to write the collector applications
that would receive this data and process it to present useful
information. This document describes the information that is
required to be logged by the NAT devices.
^^^^^^^^^^^^^^^^^^^^^^^^
SD: Same as previous question - is this "logged by"?
2. Introduction
The IPFIX Protocol [RFC5101bis] defines a generic push mechanism for
exporting information and events. The IPFIX Information Model
[IPFIX-IANA] defines a set of standard Information Elements (IEs)
which can be carried by the IPFIX protocol. This document details
the IPFIX Information Elements(IEs) that are required for logging by
a NAT device. The document will specify the format of the IE's that
are required to be logged by the NAT device and all the optional
^^^^^^^^^^^^^^^^^^^^^
SD: Now that we're in the document body, if this is required, shouldn't
there be a reference to where the requirements are stated?
fields. The fields specified in this document are gleaned from
[RFC4787] and [RFC5382].
Test [3GPP]
^^^^^^^^^^^
SD: Is something missing here? It's just the word "Test" and a reference.
This document and [I-D.behave-syslog-nat-logging] are provided in
order to standardize the events and parameters to be recorded, using
IPFIX [RFC5101bis] and SYSLOG [RFC5424]respectively.
3. Scope
This document provides the information model to be used for logging
the NAT devices including Carrier Grade NAT (CGN) events. This
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SD: This sentence seems somewhat turned around - "logging events", not
"logging the NAT devices".
document focuses exclusively on the specification of IPFIX IE's.
This document does not provide guidance on the transport protocol
like TCP, UDP or SCTP that is to be used to log NAT events. The log
events SHOULD NOT be lost but the choice of the actual transport
protocol is beyond the scope of this document.
SD: I'm not understanding why this last sentence is needed, especially
with a normative requirement for what you do when you are doing
something outside the scope of the document ...
The existing IANA IPFIX IEs registry [IPFIX-IANA] already has
assignments for many NAT logging events. For convenience, this
document uses those same IEs. However, as stated earlier, this
document is not defining IPFIX or NetFlow v9 as the framework for
logging. Rather, the information contained in these elements is
SD: I got lost on "these elements" - is that "the elements in the
existing registry"
within the scope of this document.
This document assumes that the NAT device will use the existing IPFIX
framework to send the log events to the collector. This would mean
that the NAT device will specify the template that it is going to use
for each of the events. The templates can be of varying length and
there could be multiple templates that a NAT device could use to log
the events.
The implementation details of the collector application is beyond the
scope of this document.
The optimization of logging the NAT events are left to the
^^^
implementation and are beyond the scope of this document.
^^^
SD: It's a nit, but those "are"s should be "is"s.
4. Applicability
NAT logging based on IPFIX uses binary encoding and hence is very
efficient. IPFIX based logging is recommended for environments where
a high volume of logging is required, for example, where per-flow
logging is needed. However, IPFIX based logging requires a collector
that processes the binary data and requires a network management
application that converts this binary data to a human readable
format.
5. Event based logging
An event in a NAT device can be viewed as a happening as it relates
^^^^^^^^^
SD: Is this "a state transition"? I found "a happening" somewhat odd.
to the management of NAT resources. The creation and deletion of NAT
sessions and bindings are examples of events as it results in the
resources (addresses and ports) being allocated or freed. The events
can happen either through the processing of data packets flowing
through the NAT device or through an external entity installing
policies on the NAT router or as a result of an asynchronous event
like a timer. The list of events are provided in Section 4.1. Each
of these events SHOULD be logged, unless they are administratively
prohibited. A NAT device MAY log these events to multiple collectors
if redundancy is required. The network administrator will specify
the collectors to which the log records are to be sent.
A collector may receive NAT events from multiple CGN devices and
should be able to distinguish between the devices. Each CGN device
^^^^^^
SD: I'm not sure why this isn't a SHOULD, or even a MUST.
should have a unique source ID to identify themselves. The source ID
^^^^^^
SD: Again, I'm not sure why this isn't a SHOULD, or even a MUST.
is part of the IPFIX template and data exchange.
Prior to logging any events, the NAT device MUST send the template of
the record to the collector to advertise the format of the data
record that it is using to send the events. The templates can be
exchanged as frequently as required given the reliability of the
connection. There SHOULD be a configurable timer for controlling the
template refresh. NAT device SHOULD combine as many events as
possible in a single packet to effectively utilize the network
bandwidth.
5.1. Logging of destination information
Logging of destination information in a NAT event has been discussed
in [RFC6302] and [RFC6888]. Logging of destination information
increases the size of each record and increases the need for storage
considerably. It increases the number of log events generated
because when the same user connects to a different destination, it
results in a log record per destination address. Logging of
destination information also results in the loss of privacy and hence
should be done with caution. However, this draft provides the
necessary fields to log the destination information in cases where
they are required to be logged.
5.2. Information Elements
The templates could contain a subset of the Information Elements(IEs)
shown in Table 1 depending upon the event being logged. For example
a NAT44 session creation template record will contain,
^^^^
SD: Is this the only possible NAT44 template? If so, fine, but if not,
perhaps "could contain", or "typically contains"?
{sourceIPv4Adress, postNATSourceIPv4Address, destinationIpv4Address,
postNATDestinationIPv4Address, sourceTransportPort,
postNAPTSourceTransportPort, destinationTransportPort,
postNAPTDestTransportPort, internalAddressRealm, natEvent, timeStamp}
An example of the actual event data record is shown below - in a
readable form
{192.168.16.1, 201.1.1.100, 207.85.231.104, 207.85.231.104, 14800,
1024, 80, 80, 0, 1, 09:20:10:789}
A single NAT device could be exporting multiple templates and the
collector should support receiving multiple templates from the same
source.observationTimeMilliseconds
The following is the table of all the IE's that a CGN device would
need to export the events. The formats of the IE's and the IPFIX IDs
are listed below.
SD: I noticed that some IEs below have a name that matches
http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements
for the same IPFIX ID number, but others do not ("timeStamp" here
doesn't match "observationTimeMilliseconds", but both are IPFIX ID 323,
aren't they?) Is there a reason to use names that don't match the IANA
registry?
+----------------------------------+--------+-------+---------------+
| Field Name | Size | IANA | Description |
| | (bits) | IPFIX | |
| | | ID | |
+----------------------------------+--------+-------+---------------+
| timeStamp | 64 | 323 | System Time |
| | | | when the |
| | | | event |
| | | | occured. |
| natInstanceId | 32 | TBD | NAT Instance |
| | | | Identifier |
| vlanID | 16 | 58 | VLAN ID in |
| | | | case of |
| | | | overlapping |
| | | | networks |
| ingressVRFID | 32 | 234 | VRF ID in |
| | | | case of |
| | | | overlapping |
| | | | networks |
| sourceIPv4Address | 32 | 8 | Source IPv4 |
| | | | Address |
| postNATSourceIPv4Address | 32 | 225 | Translated |
| | | | Source IPv4 |
| | | | Address |
| protocolIdentifier | 8 | 4 | Transport |
| | | | protocol |
| sourceTransportPort | 16 | 7 | Source Port |
| postNAPTsourceTransportPort | 16 | 227 | Translated |
| | | | Source port |
| destinationIPv4Address | 32 | 12 | Destination |
| | | | IPv4 Address |
| postNATDestinationIPv4Address | 32 | 226 | Translated |
| | | | IPv4 |
| | | | destination |
| | | | address |
| destinationTransportPort | 16 | 11 | Destination |
| | | | port |
| postNAPTdestinationTransportPort | 16 | 228 | Translated |
| | | | Destination |
| | | | port |
| sourceIPv6Address | 27 | 128 | Source IPv6 |
| | | | address |
| destinationIPv6Address | 128 | 28 | Destination |
| | | | IPv6 address |
| postNATSourceIPv6Address | 128 | 281 | Translated |
| | | | source IPv6 |
| | | | addresss |
| postNATDestinationIPv6Address | 128 | 282 | Translated |
| | | | Destination |
| | | | IPv6 address |
| internalAddressRealm | 8 | 229 | Source |
| | | | Address Realm |
| externalAddressRealm | 8 | TBD | Destination |
| | | | Address Realm |
| natEvent | 8 | 230 | Type of Event |
| portRangeStart | 16 | 361 | Allocated |
| | | | port block |
| | | | start |
| portRangeEnd | 16 | 362 | Allocated |
| | | | Port block |
| | | | end |
| natPoolID | 32 | 283 | NAT pool |
| | | | Identifier |
| natLimitEvent | 32 | TBD | Limit event |
| | | | identifier |
+----------------------------------+--------+-------+---------------+
Table 1: Template format Table
5.3. Definition of NAT Events
The following are the list of NAT events and the proposed event
values. The list can be expanded in the future as necessary. The
data record will have the corresponding natEvent value to identify
the event that is being logged.
+--------------------------+--------+
| Event Name | Values |
+--------------------------+--------+
| NAT44 Session create | 1 |
| NAT44 Session delete | 2 |
| NAT Addresses exhausted | 3 |
| NAT64 Session create | 4 |
| NAT64 Session delete | 5 |
| NAT44 BIB create | 6 |
| NAT44 BIB delete | 7 |
| NAT64 BIB create | 8 |
| NAT64 BIB delete | 9 |
| NAT ports exhausted | 10 |
| Quota exceeded | 11 |
| Address binding create | 12 |
| Address binding delete | 13 |
| Port block allocation | 14 |
| Port block de-allocation | 15 |
| Threshold reached | 16 |
+--------------------------+--------+
Table 2: NAT Event ID table
5.4. Quota exceeded Event types
The following table shows the sub event types for the Quota exceeded
or limits reached event. The events that can be reported are the
Maximum session entries limit reached, Maximum BIB entries limit
reached, Maximum session/BIB entries per user limit reached and
maximum subscribers or hosts limit reached.
+---------------------------------------+--------+
| Quota Exceeded Event Name | Values |
+---------------------------------------+--------+
| Maximum Session entries | 1 |
| Maximum BIB entries | 2 |
| Maximum entries per user | 3 |
| Maximum active hosts or subscribers | 4 |
| Maximum fragments pending reassembly | 5 |
+---------------------------------------+--------+
Table 3: Quota Exceeded event table
5.5. Threshold reached Event types
The following table shows the sub event types for the threshold
reached event. The administrator can configure the thresholds and
whenever the threshold is reached or exceeded, the corresponding
events are generated.
The address pool high threshold event will be reported when the
address pool reaches a high water mark as defined by the operator.
This will sever as an indication that the operator might have to add
more addresses to the pool or an indication that the subsequent users
may be denied NAT translation mappings.
The address and port mapping high threshold event is generated, when
the number of ports in the configured address pool has reached a
configured threshold.
The per-user address and port mapping high threshold is generated
when a single user uses more address and port mapping than a
configured threshold.
+---------------------------------------------------------+--------+
| Threshold Exceeded Event Name | Values |
+---------------------------------------------------------+--------+
| Address pool high threshold event | 1 |
| Address pool low threshold event | 2 |
| Address and port mapping high threshold event | 3 |
| Address and port mapping per user high threshold event | 4 |
| Global Address mapping high threshold event | 5 |
+---------------------------------------------------------+--------+
Table 4: Threshold event table
5.6. Templates for NAT Events
The following is the template of events that will have to logged.
^^^^^^^^^^^^^^^^^^^
SD: I think this is a nit, but the sentence is garbled. "will be logged"?
The events below are identified at the time of this writing but the
events are expandable. Depending on the implementation and
^^^^^^^^^^^^^^^^^^^^^
SD: this is a nit, but "set of events is extensible", I think.
configuration various IE's specified can be included or ignored.
5.6.1. NAT44 create and delete session events
These events will be generated when a NAT44 session is created or
deleted. The template will be the same, the natEvent will indicate
whether it is a create or a delete event. The following is a
template of the event.
The destination address and port information is optional as required
by [RFC6888]. However, when the destination information is
suppressed, the session log event contains the same information as
the BIB event. In such cases, the NAT device SHOULD NOT send both
BIB and session events.
+----------------------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+----------------------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4Address | 32 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | Yes |
| sourceTransportPort | 16 | Yes |
| postNAPTsourceTransportPort | 16 | Yes |
| destinationIPv4Address | 32 | No |
| postNATDestinationIPv4Address | 32 | No |
| destinationTransportPort | 16 | No |
| postNAPTdestinationTransportPort | 16 | No |
| internalAddressRealm | 8 | No |
| externalAddressRealm | 8 | No |
| natEvent | 8 | Yes |
+----------------------------------+-------------+-----------+
Table 5: NAT44 Session delete/create template
5.6.2. NAT64 create and delete session events
These events will be generated when a NAT64 session is created or
deleted. The following is a template of the event.
+----------------------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+----------------------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv6Address | 128 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | Yes |
| sourceTransportPort | 16 | Yes |
| postNAPTsourceTransportPort | 16 | Yes |
| destinationIPv6Address | 128 | No |
| postNATDestinationIPv4Address | 32 | No |
| destinationTransportPort | 16 | No |
| postNAPTdestinationTransportPort | 16 | No |
| internalAddressRealm | 8 | No |
| externalAddressRealm | 8 | No |
| natEvent | 8 | Yes |
+----------------------------------+-------------+-----------+
Table 6: NAT64 session create/delete event template
5.6.3. NAT44 BIB create and delete events
These events will be generated when a NAT44 Bind entry is created or
deleted. The following is a template of the event.
+-----------------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-----------------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4Address | 32 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | No |
| sourceTransportPort | 16 | No |
| postNAPTsourceTransportPort | 16 | No |
| internalAddressRealm | 8 | No |
| externalAddressRealm | 8 | No |
| natEvent | 8 | Yes |
+-----------------------------+-------------+-----------+
Table 7: NAT44 BIB create/delete event template
5.6.4. NAT64 BIB create and delete events
These events will be generated when a NAT64 Bind entry is created or
deleted. The following is a template of the event.
+-----------------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-----------------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv6Address | 128 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | No |
| sourceTransportPort | 16 | No |
| postNAPTsourceTransportPort | 16 | No |
| internalAddressRealm | 8 | No |
| externalAddressRealm | 8 | No |
| natEvent | 8 | Yes |
+-----------------------------+-------------+-----------+
Table 8: NAT64 BIB create/delete event template
5.6.5. Addresses Exhausted event
This event will be generated when a NAT device runs out of global
IPv4 addresses in a given pool of addresses. Typically, this event
would mean that the NAT device wont be able to create any new
^^^^
SD: "won't"
translations until some addresses/ports are freed. This event SHOULD
be rate limited as many packets hitting the device at the same time
will trigger a burst of addresses exhausted events.
The following is a template of the event. Note that either the NAT
pool name or the nat pool identifier should be logged, but not both.
SD: I lack understanding, but I didn't see anything that looked like a
NAT pool name in the template. Did I miss something?
+---------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+---------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natPoolID | 32 | Yes |
+---------------+-------------+-----------+
Table 9: Address Exhausted event template
5.6.6. Ports Exhausted event
This event will be generated when a NAT device runs out of ports for
a global IPv4 address. Port exhaustion shall be reported per
protocol (UDP, TCP etc). This event SHOULD be rate limited as many
packets hitting the device at the same time will trigger a burst of
port exhausted events.
The following is a template of the event.
+--------------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+--------------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| postNATSourceIPv4Address | 32 | Yes |
| protocolIdentifier | 8 | Yes |
+--------------------------+-------------+-----------+
Table 10: Ports Exhausted event template
5.6.7. Quota exceeded events
This event will be generated when a NAT device cannot allocate
resources as a result of an administratively defined policy. The
quota exceeded event templates are described below
^
SD: missing period
5.6.7.1. Maximum session entries exceeded
The maximum session entries exceeded is generated when the
administratively configured limit is reached. The following is the
template of the event.
+-----------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-----------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natLimitEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
+-----------------+-------------+-----------+
Table 11: Session Entries Exceeded event template
5.6.7.2. Maximum BIB entries exceeded
The maximum BIB entries exceeded is generated when the
administratively configured limit is reached. The following is the
template of the event.
+-----------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-----------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natLimitEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
+-----------------+-------------+-----------+
Table 12: BIB Entries Exceeded event template
5.6.7.3. Maximum entries per user exceeded
This event is generated when a single user reaches the
administratively configured limit. The following is the template of
the event.
+---------------------+-------------+---------------+
| Field Name | Size (bits) | Mandatory |
+---------------------+-------------+---------------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natLimitEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4 address | 32 | Yes for NAT44 |
| sourceIPv6 address | 128 | Yes for NAT64 |
+---------------------+-------------+---------------+
Table 13: Per-user Entries Exceeded event template
5.6.7.4. Maximum active host or subscribers exceeded
This event is generated when the number of allowed hosts or
subscribers reaches the administratively configured limit. The
following is the template of the event.
+-----------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-----------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natLimitEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
+-----------------+-------------+-----------+
Table 14: Maximum hosts/subscribers Exceeded event template
5.6.7.5. Maximum fragments pending reassembly exceeded
This event is generated when the number of fragments pending
reassembly reaches the administratively configured limit. The
following is the template of the event.
+----------------------+-------------+---------------+
| Field Name | Size (bits) | Mandatory |
+----------------------+-------------+---------------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natLimitEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
| internalAddressRealm | 8 | Yes |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4 address | 32 | Yes for NAT44 |
| sourceIPv6 address | 128 | Yes for NAT64 |
+----------------------+-------------+---------------+
Table 15: Maximum fragments pending reassembly Exceeded event
template
5.6.8. Threshold reached events
This event will be generated when a NAT device reaches a operator
configured threshold when allocating resources. The threshold
reached events are described in the section above. The following is
a template of the individual events.
5.6.8.1. Address pool high or low threshold reached
This event is generated when the high or low threshold is reached for
the address pool. The template is the same for both high and low
threshold events
+-------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natThresholdEvent | 32 | Yes |
| natPoolID | 32 | Yes |
| configuredLimit | 32 | Yes |
+-------------------+-------------+-----------+
Table 16: Address pool high/low threshold reached event template
5.6.8.2. Address and port high threshold reached
This event is generated when the high threshold is reached for the
address pool and ports.
+-------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+-------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natThresholdEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
+-------------------+-------------+-----------+
Table 17: Address port high threshold reached event template
5.6.8.3. Per-user Address and port high threshold reached
This event is generated when the high threshold is reached for the
per-user address pool and ports.
+---------------------+-------------+---------------+
| Field Name | Size (bits) | Mandatory |
+---------------------+-------------+---------------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natThresholdEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
| vlanID/ingressVRFID | 32 | No |
| sourceIPv4 address | 32 | Yes for NAT44 |
| sourceIPv6 address | 128 | Yes for NAT64 |
+---------------------+-------------+---------------+
Table 18: Per-user Address port high threshold reached event template
5.6.8.4. Global Address mapping high threshold reached
This event is generated when the high is reached for the per-user
address pool and ports. This is generated only by NAT devices that
use a address pooling behavior of paired.
+---------------------+-------------+-----------+
| Field Name | Size (bits) | Mandatory |
+---------------------+-------------+-----------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| natThresholdEvent | 32 | Yes |
| configuredLimit | 32 | Yes |
| vlanID/ingressVRFID | 32 | No |
+---------------------+-------------+-----------+
Table 19: Global Address mapping high threshold reached event
template
5.6.9. Address binding create and delete events
These events will be generated when a NAT device binds a local
address with a global address and when the global address is freed.
This binding event happens when the first packet of the first flow
from a host in the private realm.
+--------------------------------+-------------+---------------+
| Field Name | Size (bits) | Mandatory |
+--------------------------------+-------------+---------------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| sourceIPv4 address | 32 | Yes for NAT44 |
| sourceIPv6 address | 128 | Yes for NAT64 |
| Translated Source IPv4 Address | 32 | Yes |
+--------------------------------+-------------+---------------+
Table 20: NAT Address Binding template
5.6.10. Port block allocation and de-allocation
This event will be generated when a NAT device allocates/de-allocates
ports in a bulk fashion, as opposed to allocating a port on a per
flow basis.
portRangeStart represents the starting value of the range.
portRangeEnd represents the ending value of the range.
NAT devices would do this in order to reduce logs and potentially to
limit the number of connections a subscriber is allowed to use. In
the following Port Block allocation template, the portRangeStart and
portRangeEnd must be specified.
Sivakumar & Penno Expires August 15, 2014 [Page 17]
Internet-Draft IPFIX IEs for NAT logging February 2014
It is up to the implementation to choose to consolidate log records
in case two consecutive port ranges for the same user are allocated
or freed.
+--------------------------------+-------------+---------------+
| Field Name | Size (bits) | Mandatory |
+--------------------------------+-------------+---------------+
| timeStamp | 64 | Yes |
| natInstanceID | 32 | No |
| natEvent | 8 | Yes |
| sourceIPv4 address | 32 | Yes for NAT44 |
| sourceIPv6 address | 128 | Yes for NAT64 |
| Translated Source IPv4 Address | 32 | Yes |
| portRangeStart | 16 | Yes |
| portRangeEnd | 16 | No |
+--------------------------------+-------------+---------------+
Table 21: NAT Port Block Allocation event template
6. Encoding
6.1. IPFIX
This document uses IPFIX as the encoding mechanism to describe the
logging of NAT events. However, the information that should be
logged SHOULD be the same irrespective of what kind of encoding
scheme is used. IPFIX is chosen because is it an IETF standard that
meets all the needs for a reliable logging mechanism. IPFIX provides
the flexibility to the logging device to define the data sets that it
is logging. The IEs specified for logging MUST be the same
irrespective of the encoding mechanism used.
7. Acknowledgements
Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin
Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul
Aitken and Julia Renouard for their review and comments.
8. IANA Considerations
The following information elements are requested from IANA IPFIX
registry.
natInstanceId
externalAddressRealm
natLimitEvent
9. Management Considerations
This section considers requirements for management of the log system
to support logging of the events described above. It first covers
requirements applicable to log management in general. Any additional
standardization required to fullfil these requirements is out of
scope of the present document. Some management considerations is
covered in [I-D.behave-syslog-nat-logging]. This document covers the
additional considerations.
9.1. Ability to collect events from multiple NAT devices
An IPFIX collector should be able to collect events from multiple NAT
devices and be able to decipher events based on the sourceID in the
IPFIX header.
9.2. Ability to suppress events
The exhaustion events can be overwhelming during traffic bursts and
hence should be handled by the NAT devices to rate limit them before
sending them to the collectors. For eg. when the port exhaustion
happens during bursty conditions, instead of sending a port
exhaustion event for every packet, the exhaustion events should be
rate limited by the NAT device.
10. Security Considerations
None.
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", RFC
2663, August 1999.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007.
[RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, October 2008.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
"Logging Recommendations for Internet-Facing Servers", BCP
162, RFC 6302, June 2011.
[RFC6888] Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
and H. Ashida, "Common Requirements for Carrier-Grade NATs
(CGNs)", BCP 127, RFC 6888, April 2013.
11.2. Informative References
[I-D.ietf-behave-syslog-nat-logging]
Chen, Z., Zhou, C., Tsou, T., and T. Taylor, "Syslog
Format for NAT Logging", draft-ietf-behave-syslog-nat-
logging-06 (work in progress), January 2014.
[IPFIX-IANA]
IANA, "IPFIX Information Elements registry",
<http://www.iana.org/assignments/ipfix>.
[RFC5101bis]
Claise, B. and B. Trammel, "Specification of the IP Flow
Information eXport (IPFIX) Protocol for the Exchange of
Flow Information", July 2013.
[RFC5102bis]
Claise, B. and B. Trammel, "Information Model for IP Flow
Information eXport (IPFIX)", February 2013.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export", RFC 5470,
March 2009.
Authors' Addresses
Senthil Sivakumar
Cisco Systems
7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709
USA
Phone: +1 919 392 5158
Renaldo Penno
Cisco Systems
170 W Tasman Drive
San Jose, California 95035
USA
Email: repenno@cisco.com
Sivakumar & Penno Expires August 15, 2014 [Page 21]
- [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Spencer Dawkins
- Re: [BEHAVE] AD Evaluation of draft-ietf-behave-i… Senthil Sivakumar (ssenthil)