Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 803781A0107
 for <behave@ietfa.amsl.com>; Fri, 27 Jun 2014 13:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.682
X-Spam-Level: *
X-Spam-Status: No, score=1.682 tagged_above=-999 required=5
 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_FACE_BAD=0.981,
 HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id YkxVqZSpxI_I for <behave@ietfa.amsl.com>;
 Fri, 27 Jun 2014 13:34:47 -0700 (PDT)
Received: from mail-oa0-x233.google.com (mail-oa0-x233.google.com
 [IPv6:2607:f8b0:4003:c02::233])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 00E821A0105
 for <behave@ietf.org>; Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
Received: by mail-oa0-f51.google.com with SMTP id j17so6313197oag.10
 for <behave@ietf.org>; Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
 h=message-id:date:from:user-agent:mime-version:to:cc:subject
 :references:in-reply-to:content-type;
 bh=h+qbPWlYmJQuMajS0JrgyYRE1B7C1ouURFkY/4RJO/c=;
 b=Ed2E/JZY4a/UDEVp1Z1S7ZADuf7zGuhpxAXn1X1+VPmWkXAdaBirR160Hoqhb1Ehgd
 z1aYKKS8TVctLv9pdH/TqTw4Gukd+JPESeDcQisyl+8LEiKaly65axsKfYUAh8KitKyM
 gSTJTA5iUBcVjuwoRJgTgDdyVUxxHas/VOsS0wjyjCXTNU5o2rV2xU1br5axWJVfGvkp
 eSz4+qMCAVrz+DFIa6awaopFDDIyw3P1PhWcq5vW18Szf0D1A5o6kPvkQ1wt5QEakrsX
 GnePgDABao7HdZKduVEK4XO6ZpMnrwHNbjvAS6Zi1+WroMg9V3XgVHvmQ9welCaBiWTC
 wMtA==
X-Received: by 10.60.35.104 with SMTP id g8mr26514188oej.41.1403901286311;
 Fri, 27 Jun 2014 13:34:46 -0700 (PDT)
Received: from [192.168.0.13] (cpe-76-187-7-89.tx.res.rr.com. [76.187.7.89])
 by mx.google.com with ESMTPSA id b7sm40033527oed.7.2014.06.27.13.34.42
 for <multiple recipients>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 27 Jun 2014 13:34:44 -0700 (PDT)
Message-ID: <53ADD560.5060103@gmail.com>
Date: Fri, 27 Jun 2014 15:34:40 -0500
From: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>, 
 "draft-ietf-behave-ipfix-nat-logging@tools.ietf.org"
 <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>
References: <5362ADCB.4050802@gmail.com> <CF89605B.1009FB%ssenthil@cisco.com>
 <537FB834.3010705@gmail.com>
In-Reply-To: <537FB834.3010705@gmail.com>
Content-Type: multipart/alternative;
 boundary="------------000800050500050302020207"
Archived-At: http://mailarchive.ietf.org/arch/msg/behave/yROyId_fRYNA_JJdM_s5QsfhR5Q
X-Mailman-Approved-At: Sun, 29 Jun 2014 20:20:08 -0700
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>,
 <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>,
 <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jun 2014 20:34:59 -0000

This is a multi-part message in MIME format.
--------------000800050500050302020207
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Hi, Senthil,

I'm just checking - are you planning to submit a update before the 
cutoff next Friday?

Thanks,

Spencer

On 05/23/2014 04:05 PM, Spencer Dawkins wrote:
>
> On 05/02/2014 02:20 PM, Senthil Sivakumar (ssenthil) wrote:
>> Hi Spencer,
>> Thanks for the thorough review.
>> Please see inline for [Senthil]. If you agree, I will submit another 
>> version fixing all the issues raised and agreed upon. I will wait for 
>> your response.
>
> Hi, Senthil,
>
> Thanks for being responsive!
>
> Just as a high-order bit, many of the questions I asked are whether 
> the draft uses "required" to mean "this is the way it works" - there's 
> a difference between "the sender transmits a log" and "the sender is 
> required to transmit a log". Does that make sense?
>
> Ths draft says it uses requirements language as per RFC 2119, and RFC 
> 2119 says
>
> 6. Guidance in the use of these Imperatives
>
>    Imperatives of the type defined in this memo must be used with care
>    and sparingly.  In particular, they MUST only be used where it is
>    actually required for interoperation or to limit behavior which has
>    potential for causing harm (e.g., limiting retransmisssions) For
>    example, they must not be used to try to impose a particular method
>    on implementors where the method is not required for
>    interoperability.
>
> It's also worth mentioning that RFC 2119 is silent on case for 
> requirements language, your requirements terminology section only 
> shows upper case examples, and most of the cases I'm asking about are 
> in lower case, which makes it less clear whether you intend "require" 
> to be an RFC 2119 requirement word or not. This is a continuing source 
> of controversy in the IETF, especially during cross-area review - my 
> suggestion is that you either change the requirements language 
> statement to include a statement about whether lower-case versions are 
> intended as requirements language, or don't use the lower-case terms 
> in the document.
>
> I'll try to be clear in my detailed comments, but that's often what 
> I'm trying to get at.
>
>> Thanks
>> Senthil
>>
>> From: Spencer Dawkins <spencerdawkins.ietf@gmail.com 
>> <mailto:spencerdawkins.ietf@gmail.com>>
>> Date: Thursday, May 1, 2014 4:25 PM
>> To: "draft-ietf-behave-ipfix-nat-logging@tools.ietf.org 
>> <mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>" 
>> <draft-ietf-behave-ipfix-nat-logging@tools.ietf.org 
>> <mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org>>
>> Cc: "behave@ietf.org <mailto:behave@ietf.org>" <behave@ietf.org 
>> <mailto:behave@ietf.org>>
>> Subject: AD Evaluation of draft-ietf-behave-ipfix-nat-logging-03
>> Resent-From: <draft-alias-bounces@tools.ietf.org 
>> <mailto:draft-alias-bounces@tools.ietf.org>>
>> Resent-To: <repenno@cisco.com <mailto:repenno@cisco.com>>, Senthil 
>> Sivakumar <ssenthil@cisco.com <mailto:ssenthil@cisco.com>>
>> Resent-Date: Thursday, May 1, 2014 4:26 PM
>>
>> Dear draft-ietf-behave-ipfix-nat-logging Authors,
>>
>> I've completed my AD evaluation for this draft. I found some things 
>> I'd like to see changed before proceeding, but most are editorial. 
>> Please take a look, and let me know what you think.
>>
>> My notes follow ... you should be able to find my questions and 
>> comments by searching for "SD:".
>>
>> Thanks,
>>
>> Spencer
>>
>> In the Abstract
>>
>>    NAT devices are required to log events like creation and deletion of
>>                    ^^^^^^^^
>> SD: Is this required, like, legally required, or ? Is it more like 
>> "Operators need NAT devices to log events ..."?
>> [Senthil] : It is the later, the network operators require the NAT 
>> devices to be able to log events.
>
> We don't usually include requirements language in the Abstract (that 
> happens later, which is fine in the document body).
>
> The longer I look at this, the more I think it's something like 
> "Operators expect NAT devices to log events".
>
>>
>>    translations and information about the resources it is managing.  The
>>    logs are required in many cases to identify an attacker or a host
>>    that was used to launch malicious attacks and/or for various other
>>    purposes of accounting.  Since there is no standard way of logging
>>    this information, different NAT devices behave differently and hence
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> SD: Is this "different NAT devices log this information differently"?
>> [Senthil] Correct, as the sentence says, "Since there is no standard 
>> way…", each NAT device logs information in its own proprietary format.
>
> I'm just trying to make sure the reader understands what you mean by 
> "behave differently" - NAT devices also behave differently when 
> NATting.  I had to guess at the meaning. Maybe everyone else will 
> understand?
>
>>    it is difficult to expect a consistent behavior.  The lack of a
>>    consistent way makes it difficult to write the collector applications
>>    that would receive this data and process it to present useful
>>    information.  This document describes the information that is
>>    required to be logged by the NAT devices.
>>    ^^^^^^^^^^^^^^^^^^^^^^^^
>> SD: Same as previous question - is this "logged by"?
>>
>> [Senthil] If a NAT device is logging events, these are the 
>> requirements that a NAT device should adhere to.
>
> I know this seems tedious, but I'm not able to map what you provided 
> as explanation onto the text you're explaining. What I'm seeing in the 
> text is
>
> A NAT MUST log this information
>
> and what I'm seeing in your explanation is
>
> IF a NAT is is logging information, here's how the NAT SHOULD log 
> information.
>
> I'm guessing that what you're saying is really "this document 
> describes the information that logging NAT devices produce".
>
> This doesn't matter yet (you're still in the abstract, which shouldn't 
> be providing requirements anyway), but in the body of the document, it 
> needs to be clear.
>
>> 2.  Introduction
>>
>>    The IPFIX Protocol [RFC5101bis] defines a generic push mechanism for
>>    exporting information and events.  The IPFIX Information Model
>>    [IPFIX-IANA] defines a set of standard Information Elements (IEs)
>>    which can be carried by the IPFIX protocol.  This document details
>>    the IPFIX Information Elements(IEs) that are required for logging by
>>    a NAT device.  The document will specify the format of the IE's that
>>    are required to be logged by the NAT device and all the optional
>>        ^^^^^^^^^^^^^^^^^^^^^
>> SD: Now that we're in the document body, if this is required, 
>> shouldn't there be a reference to where the requirements are stated?
>> [Senthil] This is the document that is specifying those requirements. 
>> Do you have any other suggestions of wording instead of "required 
>> by", would it be fine if I change the sentence from
>> "required to be logged" to "SHOULD be logged"?
>
> Sorry, my first set of comments was bogus. What triggered my comments 
> was the use of lower-case terms from RFC 2119 (see my explanation above).
>
> This could be "are REQUIRED" (the RFC 2119 requirements language you 
> said you're using), or "are required" (if you change your paragraph 
> about requirements language to say that case doesn't matter).
>
> But "REQUIRED" is "MUST", so changing to "SHOULD" would be a change in 
> your intended meaning.
>
>>
>>    This document and [I-D.behave-syslog-nat-logging] are provided in
>>    order to standardize the events and parameters to be recorded, using
>>    IPFIX [RFC5101bis] and SYSLOG [RFC5424]respectively.
>
> I'm sorry I missed this question the first time. Is there a 
> relationship with the MIB revision?
>
>> 3.  Scope
>>
>>    This document provides the information model to be used for logging
>>    the NAT devices including Carrier Grade NAT (CGN) events.  This
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> SD: This sentence seems somewhat turned around - "logging events", 
>> not "logging the NAT devices".
>> [Senthil] Agree, I will change this to "logging the NAT events".
>
> Thanks.
>
>>    document focuses exclusively on the specification of IPFIX IE's.
>>    This document does not provide guidance on the transport protocol
>>    like TCP, UDP or SCTP that is to be used to log NAT events.  The log
>>    events SHOULD NOT be lost but the choice of the actual transport
>>    protocol is beyond the scope of this document.
>>
>> SD: I'm not understanding why this last sentence is needed, 
>> especially with a normative requirement for what you do when you are 
>> doing something outside the scope of the document ...
>> [Senthil] Are you objecting to the second part of the last sentence 
>> "the choice of actual transport…", I think the requirement is that 
>> the LOG events should not be lost is valid.
>
> I'm sorry, my question wasn't clear. What I intended to say was that I 
> was confused because the text said "not providing guidance on the 
> choice of a transport protocol", but then provided a requirement about 
> the implications of that choice (using a SHOULD).
>
> So let me try to be clearer. I think what you're saying is
>
> - you can use any transport protocol, but you SHOULDn't lose anything
>
> I'm thinking this may be underspecified, although I don't know what 
> IPFIX usually expects from transport protocols, so please be patient.
>
> First, I'm confused by the SHOULD with no qualification. When is it OK 
> to lose LOG events?
>
> Second, you're not giving guidance on selecting a transport protocol, 
> but you are giving guidance about expecting a reliable data channel, 
> whether MUST be reliable or SHOULD be reliable. Are there other 
> transport characteristics that you expect? For instance, is in-order 
> delivery assumed? Is duplicate detection by IPFIX assumed (if a log 
> arrives twice, does IPFIX notice)?
>
> Third, are IPFIX implementations so transport protocol-agnostic that 
> if my NAT device decides to to send logs using SCTP with partial 
> reliability, I should expect that to work with any collector that 
> implements this specification?
>
> It happens that I co-chaired MEDIACTRL when the specification said 
> "TCP or SCTP", and got feedback during AD evaluation that if we didn't 
> pick a mandatory to implement transport protocol, that wouldn't 
> guarantee interoperation between two standard-conforming devices.
>
>>
>>    The existing IANA IPFIX IEs registry [IPFIX-IANA] already has
>>    assignments for many NAT logging events.  For convenience, this
>>    document uses those same IEs.  However, as stated earlier, this
>>    document is not defining IPFIX or NetFlow v9 as the framework for
>>    logging.  Rather, the information contained in these elements is
>>
>> SD: I got lost on "these elements" - is that "the elements in the 
>> existing registry"
>> [Senthil] Yes. How about "Rather, the information elements as defined 
>> in the IPFIX-IANA registry is within the scope of this document"?
>
> I think that's "are within", but yes, that works. Thanks.
>
>>    within the scope of this document.
>>
>>    This document assumes that the NAT device will use the existing IPFIX
>>    framework to send the log events to the collector.  This would mean
>>    that the NAT device will specify the template that it is going to use
>>    for each of the events.  The templates can be of varying length and
>>    there could be multiple templates that a NAT device could use to log
>>    the events.
>>
>>    The implementation details of the collector application is beyond the
>>    scope of this document.
>>
>>    The optimization of logging the NAT events are left to the
>>                                               ^^^
>>    implementation and are beyond the scope of this document.
>>                       ^^^
>> SD: It's a nit, but those "are"s should be "is"s.
>> [Senthil] Ok.
>
> Thanks.
>
>> 4.  Applicability
>>
>>    NAT logging based on IPFIX uses binary encoding and hence is very
>>    efficient.  IPFIX based logging is recommended for environments where
>>    a high volume of logging is required, for example, where per-flow
>>    logging is needed.  However, IPFIX based logging requires a collector
>>    that processes the binary data and requires a network management
>>    application that converts this binary data to a human readable
>>    format.
>>
>> 5.  Event based logging
>>
>>    An event in a NAT device can be viewed as a happening as it relates
>>                                                ^^^^^^^^^
>> SD: Is this "a state transition"? I found "a happening" somewhat odd.
>> [Senthil] Yes, I can rephrase this as "viewed as a state transition 
>> as it relates to" or "viewed as an action as it relates to", if that 
>> is ok.
>
> If "a state transition" is correct, I'd prefer that (if it's correct 
> :-) ).
>
>>    to the management of NAT resources.  The creation and deletion of NAT
>>    sessions and bindings are examples of events as it results in the
>>    resources (addresses and ports) being allocated or freed.  The events
>>    can happen either through the processing of data packets flowing
>>    through the NAT device or through an external entity installing
>>    policies on the NAT router or as a result of an asynchronous event
>>    like a timer.  The list of events are provided in Section 4.1.  Each
>>    of these events SHOULD be logged, unless they are administratively
>>    prohibited.  A NAT device MAY log these events to multiple collectors
>>    if redundancy is required.  The network administrator will specify
>>    the collectors to which the log records are to be sent.
>>
>>    A collector may receive NAT events from multiple CGN devices and
>>    should be able to distinguish between the devices.  Each CGN device
>>    ^^^^^^
>> SD: I'm not sure why this isn't a SHOULD, or even a MUST.
>>
>>    should have a unique source ID to identify themselves. The source ID
>>    ^^^^^^
>> SD: Again, I'm not sure why this isn't a SHOULD, or even a MUST.
>>
>> [Senthil] Well, this is NOT a statement for a NAT device, instead it 
>> is a collector that some application writer will
>> develop.
>
> Don't you think you can levy requirements about that on the collector? 
> I don't understand.
>
> But beyond that, what I THINK the text is saying, is that multiple CGN 
> devices can ("may") send to a single collector, that none of the CDN 
> devices have to have a unique source ID to identify themselves 
> ("should", but not "must"), and that the collector is still expected 
> to be able to distinguish among logs coming from multiple CGNs ("should").
>
> Am I misreading this?
>
> If not, do you think that works?
>
>>    is part of the IPFIX template and data exchange.
>>
>>    Prior to logging any events, the NAT device MUST send the template of
>>    the record to the collector to advertise the format of the data
>>    record that it is using to send the events.  The templates can be
>>    exchanged as frequently as required given the reliability of the
>>    connection.  There SHOULD be a configurable timer for controlling the
>>    template refresh.  NAT device SHOULD combine as many events as
>>    possible in a single packet to effectively utilize the network
>>    bandwidth.
>>
>> 5.1.  Logging of destination information
>>
>>    Logging of destination information in a NAT event has been discussed
>>    in [RFC6302] and [RFC6888].  Logging of destination information
>>    increases the size of each record and increases the need for storage
>>    considerably.  It increases the number of log events generated
>>    because when the same user connects to a different destination, it
>>    results in a log record per destination address.  Logging of
>>    destination information also results in the loss of privacy and hence
>>    should be done with caution.  However, this draft provides the
>>    necessary fields to log the destination information in cases where
>>    they are required to be logged.
>>
>> 5.2.  Information Elements
>>
>>    The templates could contain a subset of the Information Elements(IEs)
>>    shown in Table 1 depending upon the event being logged. For example
>>    a NAT44 session creation template record will contain,
>>                                             ^^^^
>> SD: Is this the only possible NAT44 template? If so, fine, but if 
>> not, perhaps "could contain", or "typically contains"?
>>
>> [Senthil] Yes, this is all the information that a NAT44 need to 
>> export as it is the least common denominator.
>
> My question is whether any other IEs might be added in the future, I 
> think. If not, "will" is OK, but "MUST" would be clearer.
>
>>    {sourceIPv4Adress, postNATSourceIPv4Address, destinationIpv4Address,
>>    postNATDestinationIPv4Address, sourceTransportPort,
>>    postNAPTSourceTransportPort, destinationTransportPort,
>>    postNAPTDestTransportPort, internalAddressRealm, natEvent, timeStamp}
>>
>>    An example of the actual event data record is shown below - in a
>>    readable form
>>
>>    {192.168.16.1, 201.1.1.100, 207.85.231.104, 207.85.231.104, 14800,
>>    1024, 80, 80, 0, 1, 09:20:10:789}
>>
>>    A single NAT device could be exporting multiple templates and the
>>    collector should support receiving multiple templates from the same
>>    source.observationTimeMilliseconds
>>
>>    The following is the table of all the IE's that a CGN device would
>>    need to export the events.  The formats of the IE's and the IPFIX IDs
>>    are listed below.
>>
>> SD: I noticed that some IEs below have a name that matches 
>> http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements 
>> for the same IPFIX ID number, but others do not ("timeStamp" here 
>> doesn't match "observationTimeMilliseconds", but both are IPFIX ID 
>> 323, aren't they?) Is there a reason to use names that don't match 
>> the IANA registry?
>>
>> [Senthil] Good question, in case of timeStamp, I was looking for 
>> something that already existed in the IPFIX registry rather than 
>> asking for a new one. However, the terminology of 
>> "observationTimeMilliseconds" is not the terminology that we use in 
>> the NAT drafts/rfc's. So I am open to suggestions here. I can clarify 
>> in the description that is called observationTimeMilliSeconds". The 
>> other field is internalAddressRealm and externalAddresRealm, this is 
>> the terminology that we used in NAT MIB, syslog and other documents. 
>> However, when we defined the IPFIX IE, we didn’t stick to the same 
>> terminology, so I don’t know if I can go and ask the IPFIX IANA to 
>> change the name. Again I am open to suggestions, the dillema is 
>> whether I should stick to the existing IPFIX IANA terminology or the 
>> behave documents terminology.
>
> I'm way out of my depth on this one (sorry!).
>
> Fortunately, the next stop for an AD-sponsored IPFIX specification is 
> the IPFIX review team. Could you just add a note pointing this 
> question out, and asking if they have any suggestions?
>
>> +----------------------------------+--------+-------+---------------+
>>    |            Field Name            |   Size |  IANA |  Description  |
>>    |                                  | (bits) | IPFIX |               |
>>    |                                  |        |    ID |               |
>> +----------------------------------+--------+-------+---------------+
>>    |            timeStamp             |     64 |   323 |  System Time  |
>>    |                                  |        | |    when the   |
>>    |                                  |        | |     event     |
>>    |                                  |        | |    occured.   |
>>    |          natInstanceId           |     32 |   TBD |  NAT Instance |
>>    |                                  |        | |   Identifier  |
>>    |              vlanID              |     16 |    58 |   VLAN ID in  |
>>    |                                  |        | |    case of    |
>>    |                                  |        | |  overlapping  |
>>    |                                  |        | |    networks   |
>>    |           ingressVRFID           |     32 |   234 |   VRF ID in   |
>>    |                                  |        | |    case of    |
>>    |                                  |        | |  overlapping  |
>>    |                                  |        | |    networks   |
>>    |        sourceIPv4Address         |     32 |     8 |  Source IPv4  |
>>    |                                  |        | |    Address    |
>>    |     postNATSourceIPv4Address     |     32 |   225 |   Translated  |
>>    |                                  |        | |  Source IPv4  |
>>    |                                  |        | |    Address    |
>>    |        protocolIdentifier        |      8 |     4 |   Transport   |
>>    |                                  |        | |    protocol   |
>>    |       sourceTransportPort        |     16 |     7 |  Source Port  |
>>    |   postNAPTsourceTransportPort    |     16 |   227 |   Translated  |
>>    |                                  |        | |  Source port  |
>>    |      destinationIPv4Address      |     32 |    12 |  Destination  |
>>    |                                  |        | |  IPv4 Address |
>>    |  postNATDestinationIPv4Address   |     32 |   226 |   Translated  |
>>    |                                  |        | |      IPv4     |
>>    |                                  |        | |  destination  |
>>    |                                  |        | |    address    |
>>    |     destinationTransportPort     |     16 |    11 |  Destination  |
>>    |                                  |        | |      port     |
>>    | postNAPTdestinationTransportPort |     16 |   228 |   Translated  |
>>    |                                  |        | |  Destination  |
>>    |                                  |        | |      port     |
>>    |        sourceIPv6Address         |     27 |   128 |  Source IPv6  |
>>    |                                  |        | |    address    |
>>    |      destinationIPv6Address      |    128 |    28 |  Destination  |
>>    |                                  |        | |  IPv6 address |
>>    |     postNATSourceIPv6Address     |    128 |   281 |   Translated  |
>>    |                                  |        | |  source IPv6  |
>>    |                                  |        | |    addresss   |
>>    |  postNATDestinationIPv6Address   |    128 |   282 |   Translated  |
>>    |                                  |        | |  Destination  |
>>    |                                  |        | |  IPv6 address |
>>    |       internalAddressRealm       |      8 |   229 |     Source    |
>>    |                                  |        |       | Address Realm |
>>    |       externalAddressRealm       |      8 |   TBD |  Destination  |
>>    |                                  |        |       | Address Realm |
>>    |             natEvent             |      8 |   230 | Type of Event |
>>    |          portRangeStart          |     16 |   361 |   Allocated   |
>>    |                                  |        | |   port block  |
>>    |                                  |        | |     start     |
>>    |           portRangeEnd           |     16 |   362 |   Allocated   |
>>    |                                  |        | |   Port block  |
>>    |                                  |        | |      end      |
>>    |            natPoolID             |     32 |   283 |    NAT pool   |
>>    |                                  |        | |   Identifier  |
>>    |          natLimitEvent           |     32 |   TBD |  Limit event  |
>>    |                                  |        | |   identifier  |
>> +----------------------------------+--------+-------+---------------+
>>
>>                       Table 1: Template format Table
>>
>> 5.3.  Definition of NAT Events
>>
>>    The following are the list of NAT events and the proposed event
>>    values.  The list can be expanded in the future as necessary.  The
>>    data record will have the corresponding natEvent value to identify
>>    the event that is being logged.
>>
>>                    +--------------------------+--------+
>>                    |        Event Name        | Values |
>>                    +--------------------------+--------+
>>                    |   NAT44 Session create   |      1 |
>>                    |   NAT44 Session delete   |      2 |
>>                    | NAT Addresses exhausted  |      3 |
>>                    |   NAT64 Session create   |      4 |
>>                    |   NAT64 Session delete   |      5 |
>>                    |     NAT44 BIB create     |      6 |
>>                    |     NAT44 BIB delete     |      7 |
>>                    |     NAT64 BIB create     |      8 |
>>                    |     NAT64 BIB delete     |      9 |
>>                    |   NAT ports exhausted    |     10 |
>>                    |      Quota exceeded      |     11 |
>>                    |  Address binding create  |     12 |
>>                    |  Address binding delete  |     13 |
>>                    |  Port block allocation   |     14 |
>>                    | Port block de-allocation |     15 |
>>                    |    Threshold reached     |     16 |
>>                    +--------------------------+--------+
>>
>>                         Table 2: NAT Event ID table
>>
>> 5.4.  Quota exceeded Event types
>>
>>    The following table shows the sub event types for the Quota exceeded
>>    or limits reached event.  The events that can be reported are the
>>    Maximum session entries limit reached, Maximum BIB entries limit
>>    reached, Maximum session/BIB entries per user limit reached and
>>    maximum subscribers or hosts limit reached.
>>
>> +---------------------------------------+--------+
>>             |       Quota Exceeded Event Name       | Values |
>> +---------------------------------------+--------+
>>             |        Maximum Session entries |      1 |
>>             |          Maximum BIB entries |      2 |
>>             |        Maximum entries per user |      3 |
>>             |  Maximum active hosts or subscribers |      4 |
>>             |  Maximum fragments pending reassembly |      5 |
>> +---------------------------------------+--------+
>>
>>                     Table 3: Quota Exceeded event table
>>
>> 5.5.  Threshold reached Event types
>>
>>    The following table shows the sub event types for the threshold
>>    reached event.  The administrator can configure the thresholds and
>>    whenever the threshold is reached or exceeded, the corresponding
>>    events are generated.
>>
>>    The address pool high threshold event will be reported when the
>>    address pool reaches a high water mark as defined by the operator.
>>    This will sever as an indication that the operator might have to add
>>    more addresses to the pool or an indication that the subsequent users
>>    may be denied NAT translation mappings.
>>
>>    The address and port mapping high threshold event is generated, when
>>    the number of ports in the configured address pool has reached a
>>    configured threshold.
>>
>>    The per-user address and port mapping high threshold is generated
>>    when a single user uses more address and port mapping than a
>>    configured threshold.
>>
>> +---------------------------------------------------------+--------+
>>    |              Threshold Exceeded Event Name              | Values |
>> +---------------------------------------------------------+--------+
>>    |            Address pool high threshold event            |      1 |
>>    |             Address pool low threshold event            |      2 |
>>    |      Address and port mapping high threshold event      |      3 |
>>    |  Address and port mapping per user high threshold event |      4 |
>>    |       Global Address mapping high threshold event       |      5 |
>> +---------------------------------------------------------+--------+
>>
>>                       Table 4: Threshold event table
>>
>> 5.6.  Templates for NAT Events
>>
>>    The following is the template of events that will have to logged.
>> ^^^^^^^^^^^^^^^^^^^
>>
>> SD: I think this is a nit, but the sentence is garbled. "will be logged"?
>>
>>    The events below are identified at the time of this writing but the
>>    events are expandable.  Depending on the implementation and
>>    ^^^^^^^^^^^^^^^^^^^^^
>> SD: this is a nit, but "set of events is extensible", I think.
>>
>> [Senthil] Agree. (to both comments).
>
> Thanks,
>
>>    configuration various IE's specified can be included or ignored.
>>
>> 5.6.1.  NAT44 create and delete session events
>>
>>    These events will be generated when a NAT44 session is created or
>>    deleted.  The template will be the same, the natEvent will indicate
>>    whether it is a create or a delete event.  The following is a
>>    template of the event.
>>
>>    The destination address and port information is optional as required
>>    by [RFC6888].  However, when the destination information is
>>    suppressed, the session log event contains the same information as
>>    the BIB event.  In such cases, the NAT device SHOULD NOT send both
>>    BIB and session events.
>>
>> +----------------------------------+-------------+-----------+
>>       |            Field Name            | Size (bits) | Mandatory |
>> +----------------------------------+-------------+-----------+
>>       |            timeStamp             |          64 |    Yes    |
>>       |          natInstanceID           |          32 |     No    |
>>       |       vlanID/ingressVRFID        |          32 |     No    |
>>       |        sourceIPv4Address         |          32 |    Yes    |
>>       |     postNATSourceIPv4Address     |          32 |    Yes    |
>>       |        protocolIdentifier        |           8 |    Yes    |
>>       |       sourceTransportPort        |          16 |    Yes    |
>>       |   postNAPTsourceTransportPort    |          16 |    Yes    |
>>       |      destinationIPv4Address      |          32 |     No    |
>>       |  postNATDestinationIPv4Address   |          32 |     No    |
>>       |     destinationTransportPort     |          16 |     No    |
>>       | postNAPTdestinationTransportPort |          16 |     No    |
>>       |       internalAddressRealm       |           8 |     No    |
>>       |       externalAddressRealm       |           8 |     No    |
>>       |             natEvent             |           8 |    Yes    |
>> +----------------------------------+-------------+-----------+
>>
>>                Table 5: NAT44 Session delete/create template
>>
>> 5.6.2.  NAT64 create and delete session events
>>
>>    These events will be generated when a NAT64 session is created or
>>    deleted.  The following is a template of the event.
>>
>> +----------------------------------+-------------+-----------+
>>       |            Field Name            | Size (bits) | Mandatory |
>> +----------------------------------+-------------+-----------+
>>       |            timeStamp             |          64 |    Yes    |
>>       |          natInstanceID           |          32 |     No    |
>>       |       vlanID/ingressVRFID        |          32 |     No    |
>>       |        sourceIPv6Address         |         128 |    Yes    |
>>       |     postNATSourceIPv4Address     |          32 |    Yes    |
>>       |        protocolIdentifier        |           8 |    Yes    |
>>       |       sourceTransportPort        |          16 |    Yes    |
>>       |   postNAPTsourceTransportPort    |          16 |    Yes    |
>>       |      destinationIPv6Address      |         128 |     No    |
>>       |  postNATDestinationIPv4Address   |          32 |     No    |
>>       |     destinationTransportPort     |          16 |     No    |
>>       | postNAPTdestinationTransportPort |          16 |     No    |
>>       |       internalAddressRealm       |           8 |     No    |
>>       |       externalAddressRealm       |           8 |     No    |
>>       |             natEvent             |           8 |    Yes    |
>> +----------------------------------+-------------+-----------+
>>
>>             Table 6: NAT64 session create/delete event template
>>
>> 5.6.3.  NAT44 BIB create and delete events
>>
>>    These events will be generated when a NAT44 Bind entry is created or
>>    deleted.  The following is a template of the event.
>>
>> +-----------------------------+-------------+-----------+
>>          |          Field Name         | Size (bits) | Mandatory |
>> +-----------------------------+-------------+-----------+
>>          |          timeStamp          |          64 |    Yes    |
>>          |        natInstanceID        |          32 |     No    |
>>          |     vlanID/ingressVRFID     |          32 |     No    |
>>          |      sourceIPv4Address      |          32 |    Yes    |
>>          |   postNATSourceIPv4Address  |          32 |    Yes    |
>>          |      protocolIdentifier     |           8 |     No    |
>>          |     sourceTransportPort     |          16 |     No    |
>>          | postNAPTsourceTransportPort |          16 |     No    |
>>          |     internalAddressRealm    |           8 |     No    |
>>          |     externalAddressRealm    |           8 |     No    |
>>          |           natEvent          |           8 |    Yes    |
>> +-----------------------------+-------------+-----------+
>>
>>               Table 7: NAT44 BIB create/delete event template
>>
>> 5.6.4.  NAT64 BIB create and delete events
>>
>>    These events will be generated when a NAT64 Bind entry is created or
>>    deleted.  The following is a template of the event.
>>
>> +-----------------------------+-------------+-----------+
>>          |          Field Name         | Size (bits) | Mandatory |
>> +-----------------------------+-------------+-----------+
>>          |          timeStamp          |          64 |    Yes    |
>>          |        natInstanceID        |          32 |     No    |
>>          |     vlanID/ingressVRFID     |          32 |     No    |
>>          |      sourceIPv6Address      |         128 |    Yes    |
>>          |   postNATSourceIPv4Address  |          32 |    Yes    |
>>          |      protocolIdentifier     |           8 |     No    |
>>          |     sourceTransportPort     |          16 |     No    |
>>          | postNAPTsourceTransportPort |          16 |     No    |
>>          |     internalAddressRealm    |           8 |     No    |
>>          |     externalAddressRealm    |           8 |     No    |
>>          |           natEvent          |           8 |    Yes    |
>> +-----------------------------+-------------+-----------+
>>
>>               Table 8: NAT64 BIB create/delete event template
>>
>> 5.6.5.  Addresses Exhausted event
>>
>>    This event will be generated when a NAT device runs out of global
>>    IPv4 addresses in a given pool of addresses. Typically, this event
>>    would mean that the NAT device wont be able to create any new
>>                                   ^^^^
>> SD: "won't"
>>
>> [Senthil] Ok.
>
> Thanks,
>
>>
>>    translations until some addresses/ports are freed.  This event SHOULD
>>    be rate limited as many packets hitting the device at the same time
>>    will trigger a burst of addresses exhausted events.
>>
>>    The following is a template of the event.  Note that either the NAT
>>    pool name or the nat pool identifier should be logged, but not both.
>>
>> SD: I lack understanding, but I didn't see anything that looked like 
>> a NAT pool name in the template. Did I miss something?
>>
>> [Senthil] We decided not to use a string like a pool name instead use 
>> a poolID, which is a unique identifier for each pool name. The reason 
>> being that the logs could become fairly large
>> If we have to carry the names and some of the NAT engines implement 
>> this in the hardware that lacks the string processing capability.
>
> OK, that helps. I'm understanding that a different template might have 
> included a pool name, but not a poolID, is that right?
>
> I'm somewhat uneasy about the "either should be logged, but not both" 
> text.
>
> Same question as usual - is this an RFC 2119 SHOULD that helps with 
> interoperation, or is this about an implementation choice?
>
> If it's an RFC 2119 SHOULD, robust collectors will need to do 
> something if a log arrives with both a pool name and a poolID. If it's 
> a MUST, a collector wouldn't accept the log (however the collector 
> would decide to do that).
>
> If it's not an RFC 2119 SHOULD, but just implementation guidance, the 
> explanation you provided would be more helpful (something like "could 
> include a pool name, but some NAT engines are implemented in hardware 
> that lacks string processing capability, and these are permitted to 
> substitute a poolID. There's no reason to provide both a pool name and 
> a poolID").
>
>> +---------------+-------------+-----------+
>>                 |   Field Name  | Size (bits) | Mandatory |
>> +---------------+-------------+-----------+
>>                 |   timeStamp   |          64 | Yes    |
>>                 | natInstanceID |          32 | No    |
>>                 |    natEvent   |           8 | Yes    |
>>                 |   natPoolID   |          32 | Yes    |
>> +---------------+-------------+-----------+
>>
>>                  Table 9: Address Exhausted event template
>>
>> 5.6.6.  Ports Exhausted event
>>
>>    This event will be generated when a NAT device runs out of ports for
>>    a global IPv4 address.  Port exhaustion shall be reported per
>>    protocol (UDP, TCP etc).  This event SHOULD be rate limited as many
>>    packets hitting the device at the same time will trigger a burst of
>>    port exhausted events.
>>
>>    The following is a template of the event.
>>
>> +--------------------------+-------------+-----------+
>>           |        Field Name        | Size (bits) | Mandatory |
>> +--------------------------+-------------+-----------+
>>           |        timeStamp         |          64 | Yes    |
>>           |      natInstanceID       |          32 | No    |
>>           |         natEvent         |           8 | Yes    |
>>           | postNATSourceIPv4Address |          32 | Yes    |
>>           |    protocolIdentifier    |           8 | Yes    |
>> +--------------------------+-------------+-----------+
>>
>>                  Table 10: Ports Exhausted event template
>>
>> 5.6.7.  Quota exceeded events
>>
>>    This event will be generated when a NAT device cannot allocate
>>    resources as a result of an administratively defined policy.  The
>>    quota exceeded event templates are described below
>>                                                      ^
>> SD: missing period
>> [Senthil] Ok.
>
> Thanks,
>
>> 5.6.7.1.  Maximum session entries exceeded
>>
>>    The maximum session entries exceeded is generated when the
>>    administratively configured limit is reached.  The following is the
>>    template of the event.
>>
>> +-----------------+-------------+-----------+
>>                |    Field Name   | Size (bits) | Mandatory |
>> +-----------------+-------------+-----------+
>>                |    timeStamp    |          64 | Yes    |
>>                |  natInstanceID  |          32 | No    |
>>                |     natEvent    |           8 | Yes    |
>>                |  natLimitEvent  |          32 | Yes    |
>>                | configuredLimit |          32 | Yes    |
>> +-----------------+-------------+-----------+
>>
>>              Table 11: Session Entries Exceeded event template
>>
>> 5.6.7.2.  Maximum BIB entries exceeded
>>
>>    The maximum BIB entries exceeded is generated when the
>>    administratively configured limit is reached.  The following is the
>>    template of the event.
>>
>> +-----------------+-------------+-----------+
>>                |    Field Name   | Size (bits) | Mandatory |
>> +-----------------+-------------+-----------+
>>                |    timeStamp    |          64 | Yes    |
>>                |  natInstanceID  |          32 | No    |
>>                |     natEvent    |           8 | Yes    |
>>                |  natLimitEvent  |          32 | Yes    |
>>                | configuredLimit |          32 | Yes    |
>> +-----------------+-------------+-----------+
>>
>>                Table 12: BIB Entries Exceeded event template
>>
>> 5.6.7.3.  Maximum entries per user exceeded
>>
>>    This event is generated when a single user reaches the
>>    administratively configured limit.  The following is the template of
>>    the event.
>>
>> +---------------------+-------------+---------------+
>>            |      Field Name     | Size (bits) | Mandatory   |
>> +---------------------+-------------+---------------+
>>            |      timeStamp      |          64 | Yes      |
>>            |    natInstanceID    |          32 | No      |
>>            |       natEvent      |           8 | Yes      |
>>            |    natLimitEvent    |          32 | Yes      |
>>            |   configuredLimit   |          32 | Yes      |
>>            | vlanID/ingressVRFID |          32 | No      |
>>            |  sourceIPv4 address |          32 | Yes for NAT44 |
>>            |  sourceIPv6 address |         128 | Yes for NAT64 |
>> +---------------------+-------------+---------------+
>>
>>             Table 13: Per-user Entries Exceeded event template
>>
>> 5.6.7.4.  Maximum active host or subscribers exceeded
>>
>>    This event is generated when the number of allowed hosts or
>>    subscribers reaches the administratively configured limit.  The
>>    following is the template of the event.
>>
>> +-----------------+-------------+-----------+
>>                |    Field Name   | Size (bits) | Mandatory |
>> +-----------------+-------------+-----------+
>>                |    timeStamp    |          64 | Yes    |
>>                |  natInstanceID  |          32 | No    |
>>                |     natEvent    |           8 | Yes    |
>>                |  natLimitEvent  |          32 | Yes    |
>>                | configuredLimit |          32 | Yes    |
>> +-----------------+-------------+-----------+
>>
>>         Table 14: Maximum hosts/subscribers Exceeded event template
>>
>> 5.6.7.5.  Maximum fragments pending reassembly exceeded
>>
>>    This event is generated when the number of fragments pending
>>    reassembly reaches the administratively configured limit.  The
>>    following is the template of the event.
>>
>> +----------------------+-------------+---------------+
>>           |      Field Name      | Size (bits) | Mandatory   |
>> +----------------------+-------------+---------------+
>>           |      timeStamp       |          64 | Yes      |
>>           |    natInstanceID     |          32 | No      |
>>           |       natEvent       |           8 | Yes      |
>>           |    natLimitEvent     |          32 | Yes      |
>>           |   configuredLimit    |          32 | Yes      |
>>           | internalAddressRealm |           8 | Yes      |
>>           | vlanID/ingressVRFID  |          32 | No      |
>>           |  sourceIPv4 address  |          32 | Yes for NAT44 |
>>           |  sourceIPv6 address  |         128 | Yes for NAT64 |
>> +----------------------+-------------+---------------+
>>
>>        Table 15: Maximum fragments pending reassembly Exceeded event
>>                                  template
>>
>> 5.6.8.  Threshold reached events
>>
>>    This event will be generated when a NAT device reaches a operator
>>    configured threshold when allocating resources.  The threshold
>>    reached events are described in the section above. The following is
>>    a template of the individual events.
>>
>> 5.6.8.1.  Address pool high or low threshold reached
>>
>>    This event is generated when the high or low threshold is reached for
>>    the address pool.  The template is the same for both high and low
>>    threshold events
>>
>> +-------------------+-------------+-----------+
>>               |     Field Name    | Size (bits) | Mandatory |
>> +-------------------+-------------+-----------+
>>               |     timeStamp     |          64 | Yes    |
>>               |   natInstanceID   |          32 | No    |
>>               |      natEvent     |           8 | Yes    |
>>               | natThresholdEvent |          32 | Yes    |
>>               |     natPoolID     |          32 | Yes    |
>>               |  configuredLimit  |          32 | Yes    |
>> +-------------------+-------------+-----------+
>>
>>      Table 16: Address pool high/low threshold reached event template
>>
>> 5.6.8.2.  Address and port high threshold reached
>>
>>    This event is generated when the high threshold is reached for the
>>    address pool and ports.
>>
>> +-------------------+-------------+-----------+
>>               |     Field Name    | Size (bits) | Mandatory |
>> +-------------------+-------------+-----------+
>>               |     timeStamp     |          64 | Yes    |
>>               |   natInstanceID   |          32 | No    |
>>               |      natEvent     |           8 | Yes    |
>>               | natThresholdEvent |          32 | Yes    |
>>               |  configuredLimit  |          32 | Yes    |
>> +-------------------+-------------+-----------+
>>
>>        Table 17: Address port high threshold reached event template
>>
>> 5.6.8.3.  Per-user Address and port high threshold reached
>>
>>    This event is generated when the high threshold is reached for the
>>    per-user address pool and ports.
>>
>> +---------------------+-------------+---------------+
>>            |      Field Name     | Size (bits) | Mandatory   |
>> +---------------------+-------------+---------------+
>>            |      timeStamp      |          64 | Yes      |
>>            |    natInstanceID    |          32 | No      |
>>            |       natEvent      |           8 | Yes      |
>>            |  natThresholdEvent  |          32 | Yes      |
>>            |   configuredLimit   |          32 | Yes      |
>>            | vlanID/ingressVRFID |          32 | No      |
>>            |  sourceIPv4 address |          32 | Yes for NAT44 |
>>            |  sourceIPv6 address |         128 | Yes for NAT64 |
>> +---------------------+-------------+---------------+
>>
>>    Table 18: Per-user Address port high threshold reached event template
>>
>> 5.6.8.4.  Global Address mapping high threshold reached
>>
>>    This event is generated when the high is reached for the per-user
>>    address pool and ports.  This is generated only by NAT devices that
>>    use a address pooling behavior of paired.
>>
>> +---------------------+-------------+-----------+
>>              |      Field Name     | Size (bits) | Mandatory |
>> +---------------------+-------------+-----------+
>>              |      timeStamp      |          64 | Yes    |
>>              |    natInstanceID    |          32 | No    |
>>              |       natEvent      |           8 | Yes    |
>>              |  natThresholdEvent  |          32 | Yes    |
>>              |   configuredLimit   |          32 | Yes    |
>>              | vlanID/ingressVRFID |          32 | No    |
>> +---------------------+-------------+-----------+
>>
>>        Table 19: Global Address mapping high threshold reached event
>>                                  template
>>
>> 5.6.9.  Address binding create and delete events
>>
>>    These events will be generated when a NAT device binds a local
>>    address with a global address and when the global address is freed.
>>    This binding event happens when the first packet of the first flow
>>    from a host in the private realm.
>>
>> +--------------------------------+-------------+---------------+
>>      |           Field Name           | Size (bits) | Mandatory   |
>> +--------------------------------+-------------+---------------+
>>      |           timeStamp            |          64 |      Yes      |
>>      |         natInstanceID          |          32 |       No      |
>>      |            natEvent            |           8 |      Yes      |
>>      |       sourceIPv4 address       |          32 | Yes for NAT44 |
>>      |       sourceIPv6 address       |         128 | Yes for NAT64 |
>>      | Translated Source IPv4 Address |          32 |      Yes      |
>> +--------------------------------+-------------+---------------+
>>
>>                   Table 20: NAT Address Binding template
>>
>> 5.6.10.  Port block allocation and de-allocation
>>
>>    This event will be generated when a NAT device allocates/de-allocates
>>    ports in a bulk fashion, as opposed to allocating a port on a per
>>    flow basis.
>>
>>    portRangeStart represents the starting value of the range.
>>
>>    portRangeEnd represents the ending value of the range.
>>
>>    NAT devices would do this in order to reduce logs and potentially to
>>    limit the number of connections a subscriber is allowed to use.  In
>>    the following Port Block allocation template, the portRangeStart and
>>    portRangeEnd must be specified.
>>
>>
>> Sivakumar & Penno        Expires August 15, 2014               [Page 17]
>>
>> Internet-Draft          IPFIX IEs for NAT logging          February 2014
>>
>>    It is up to the implementation to choose to consolidate log records
>>    in case two consecutive port ranges for the same user are allocated
>>    or freed.
>>
>> +--------------------------------+-------------+---------------+
>>      |           Field Name           | Size (bits) | Mandatory   |
>> +--------------------------------+-------------+---------------+
>>      |           timeStamp            |          64 |      Yes      |
>>      |         natInstanceID          |          32 |       No      |
>>      |            natEvent            |           8 |      Yes      |
>>      |       sourceIPv4 address       |          32 | Yes for NAT44 |
>>      |       sourceIPv6 address       |         128 | Yes for NAT64 |
>>      | Translated Source IPv4 Address |          32 |      Yes      |
>>      |         portRangeStart         |          16 |      Yes      |
>>      |          portRangeEnd          |          16 |       No      |
>> +--------------------------------+-------------+---------------+
>>
>>             Table 21: NAT Port Block Allocation event template
>>
>> 6.  Encoding
>>
>> 6.1.  IPFIX
>>
>>    This document uses IPFIX as the encoding mechanism to describe the
>>    logging of NAT events.  However, the information that should be
>>    logged SHOULD be the same irrespective of what kind of encoding
>>    scheme is used.  IPFIX is chosen because is it an IETF standard that
>>    meets all the needs for a reliable logging mechanism.  IPFIX provides
>>    the flexibility to the logging device to define the data sets that it
>>    is logging.  The IEs specified for logging MUST be the same
>>    irrespective of the encoding mechanism used.
>>
>> 7.  Acknowledgements
>>
>>    Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin
>>    Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul
>>    Aitken and Julia Renouard for their review and comments.
>>
>> 8.  IANA Considerations
>>
>>    The following information elements are requested from IANA IPFIX
>>    registry.
>>
>>    natInstanceId
>>
>>    externalAddressRealm
>>
>>    natLimitEvent
>>
>> 9.  Management Considerations
>>
>>    This section considers requirements for management of the log system
>>    to support logging of the events described above.  It first covers
>>    requirements applicable to log management in general.  Any additional
>>    standardization required to fullfil these requirements is out of
>>    scope of the present document.  Some management considerations is
>>    covered in [I-D.behave-syslog-nat-logging].  This document covers the
>>    additional considerations.
>>
>> 9.1.  Ability to collect events from multiple NAT devices
>>
>>    An IPFIX collector should be able to collect events from multiple NAT
>>    devices and be able to decipher events based on the sourceID in the
>>    IPFIX header.
>>
>> 9.2.  Ability to suppress events
>>
>>    The exhaustion events can be overwhelming during traffic bursts and
>>    hence should be handled by the NAT devices to rate limit them before
>>    sending them to the collectors.  For eg. when the port exhaustion
>>    happens during bursty conditions, instead of sending a port
>>    exhaustion event for every packet, the exhaustion events should be
>>    rate limited by the NAT device.
>>
>> 10.  Security Considerations
>>
>>    None.
>>
>> 11.  References
>>
>> 11.1.  Normative References
>>
>>    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>>               Requirement Levels", BCP 14, RFC 2119, March 1997.
>>
>>    [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
>>               Translator (NAT) Terminology and Considerations", RFC
>>               2663, August 1999.
>>
>>    [RFC4787]  Audet, F. and C. Jennings, "Network Address Translation
>>               (NAT) Behavioral Requirements for Unicast UDP", BCP 127,
>>               RFC 4787, January 2007.
>>
>>    [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
>>               Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
>>               RFC 5382, October 2008.
>>
>>    [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
>>               NAT64: Network Address and Protocol Translation from IPv6
>>               Clients to IPv4 Servers", RFC 6146, April 2011.
>>
>>    [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
>>               "Logging Recommendations for Internet-Facing Servers", BCP
>>               162, RFC 6302, June 2011.
>>
>>    [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S., Nakagawa, A.,
>>               and H. Ashida, "Common Requirements for Carrier-Grade NATs
>>               (CGNs)", BCP 127, RFC 6888, April 2013.
>>
>> 11.2.  Informative References
>>
>>    [I-D.ietf-behave-syslog-nat-logging]
>>               Chen, Z., Zhou, C., Tsou, T., and T. Taylor, "Syslog
>>               Format for NAT Logging", draft-ietf-behave-syslog-nat-
>>               logging-06 (work in progress), January 2014.
>>
>>    [IPFIX-IANA]
>>               IANA, "IPFIX Information Elements registry",
>> <http://www.iana.org/assignments/ipfix>.
>>
>>    [RFC5101bis]
>>               Claise, B. and B. Trammel, "Specification of the IP Flow
>>               Information eXport (IPFIX) Protocol for the Exchange of
>>               Flow Information", July 2013.
>>
>>    [RFC5102bis]
>>               Claise, B. and B. Trammel, "Information Model for IP Flow
>>               Information eXport (IPFIX)", February 2013.
>>
>>    [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
>>               "Architecture for IP Flow Information Export", RFC 5470,
>>               March 2009.
>>
>> Authors' Addresses
>>
>>    Senthil Sivakumar
>>    Cisco Systems
>>    7100-8 Kit Creek Road
>>    Research Triangle Park, North Carolina  27709
>>    USA
>>
>>    Phone: +1 919 392 5158
>>
>>    Renaldo Penno
>>    Cisco Systems
>>    170 W Tasman Drive
>>    San Jose, California  95035
>>    USA
>>
>>    Email: repenno@cisco.com
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Sivakumar & Penno        Expires August 15, 2014               [Page 21]
>


--------------000800050500050302020207
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi, Senthil,<br>
    <br>
    I'm just checking - are you planning to submit a update before the
    cutoff next Friday?<br>
    <br>
    Thanks,<br>
    <br>
    Spencer<br>
    <br>
    <div class="moz-cite-prefix">On 05/23/2014 04:05 PM, Spencer Dawkins
      wrote:<br>
    </div>
    <blockquote cite="mid:537FB834.3010705@gmail.com" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      <br>
      <div class="moz-cite-prefix">On 05/02/2014 02:20 PM, Senthil
        Sivakumar (ssenthil) wrote:<br>
      </div>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <meta http-equiv="Content-Type" content="text/html;
          charset=windows-1252">
        <div>Hi Spencer, </div>
        <div>Thanks for the thorough review. </div>
        <div>Please see inline for [Senthil]. If you agree, I will
          submit another version fixing all the issues raised and agreed
          upon. I will wait for your response.</div>
      </blockquote>
      <br>
      Hi, Senthil,<br>
      <br>
      Thanks for being responsive!<br>
      <br>
      Just as a high-order bit, many of the questions I asked are
      whether the draft uses "required" to mean "this is the way it
      works" - there's a difference between "the sender transmits a log"
      and "the sender is required to transmit a log". Does that make
      sense?<br>
      <br>
      Ths draft says it uses requirements language as per RFC 2119, and
      RFC 2119 says <br>
      <br>
      <meta http-equiv="content-type" content="text/html;
        charset=windows-1252">
      6. Guidance in the use of these Imperatives<br>
      <br>
         Imperatives of the type defined in this memo must be used with
      care<br>
         and sparingly.  In particular, they MUST only be used where it
      is<br>
         actually required for interoperation or to limit behavior which
      has<br>
         potential for causing harm (e.g., limiting retransmisssions) 
      For<br>
         example, they must not be used to try to impose a particular
      method<br>
         on implementors where the method is not required for<br>
         interoperability.<br>
      <br>
      It's also worth mentioning that RFC 2119 is silent on case for
      requirements language, your requirements terminology section only
      shows upper case examples, and most of the cases I'm asking about
      are in lower case, which makes it less clear whether you intend
      "require" to be an RFC 2119 requirement word or not. This is a
      continuing source of controversy in the IETF, especially during
      cross-area review - my suggestion is that you either change the
      requirements language statement to include a statement about
      whether lower-case versions are intended as requirements language,
      or don't use the lower-case terms in the document.<br>
      <br>
      I'll try to be clear in my detailed comments, but that's often
      what I'm trying to get at.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div>Thanks</div>
        <div>Senthil</div>
        <div><br>
        </div>
        <span id="OLK_SRC_BODY_SECTION">
          <div style="font-family:Calibri; font-size:11pt;
            text-align:left; color:black; BORDER-BOTTOM: medium none;
            BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
            0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
            BORDER-RIGHT: medium none; PADDING-TOP: 3pt"> <span
              style="font-weight:bold">From: </span>Spencer Dawkins
            &lt;<a moz-do-not-send="true"
              href="mailto:spencerdawkins.ietf@gmail.com">spencerdawkins.ietf@gmail.com</a>&gt;<br>
            <span style="font-weight:bold">Date: </span>Thursday, May
            1, 2014 4:25 PM<br>
            <span style="font-weight:bold">To: </span>"<a
              moz-do-not-send="true"
              href="mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org">draft-ietf-behave-ipfix-nat-logging@tools.ietf.org</a>"
            &lt;<a moz-do-not-send="true"
              href="mailto:draft-ietf-behave-ipfix-nat-logging@tools.ietf.org">draft-ietf-behave-ipfix-nat-logging@tools.ietf.org</a>&gt;<br>
            <span style="font-weight:bold">Cc: </span>"<a
              moz-do-not-send="true" href="mailto:behave@ietf.org">behave@ietf.org</a>"
            &lt;<a moz-do-not-send="true" href="mailto:behave@ietf.org">behave@ietf.org</a>&gt;<br>
            <span style="font-weight:bold">Subject: </span>AD
            Evaluation of draft-ietf-behave-ipfix-nat-logging-03<br>
            <span style="font-weight:bold">Resent-From: </span>&lt;<a
              moz-do-not-send="true"
              href="mailto:draft-alias-bounces@tools.ietf.org">draft-alias-bounces@tools.ietf.org</a>&gt;<br>
            <span style="font-weight:bold">Resent-To: </span>&lt;<a
              moz-do-not-send="true" href="mailto:repenno@cisco.com">repenno@cisco.com</a>&gt;,

            Senthil Sivakumar &lt;<a moz-do-not-send="true"
              href="mailto:ssenthil@cisco.com">ssenthil@cisco.com</a>&gt;<br>
            <span style="font-weight:bold">Resent-Date: </span>Thursday,

            May 1, 2014 4:26 PM<br>
          </div>
          <div><br>
          </div>
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">Dear
                draft-ietf-behave-ipfix-nat-logging Authors,<br>
                <br>
                I've completed my AD evaluation for this draft. I found
                some things I'd like to see changed before proceeding,
                but most are editorial. Please take a look, and let me
                know what you think.<br>
                <br>
                My notes follow ... you should be able to find my
                questions and comments by searching for "SD:".<br>
                <br>
                Thanks,<br>
                <br>
                Spencer<br>
                <br>
                In the Abstract<br>
                <br>
                   NAT devices are required to log events like creation
                and deletion of<br>
                                   ^^^^^^^^<br>
                SD: Is this required, like, legally required, or ? Is it
                more like "Operators need NAT devices to log events
                ..."?</font></div>
          </div>
        </span>
        <div>[Senthil] : It is the later, the network operators require
          the NAT devices to be able to log events.</div>
      </blockquote>
      <br>
      We don't usually include requirements language in the Abstract
      (that happens later, which is fine in the document body).<br>
      <br>
      The longer I look at this, the more I think it's something like
      "Operators expect NAT devices to log events".<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace"><br>
                   translations and information about the resources it
                is managing.  The<br>
                   logs are required in many cases to identify an
                attacker or a host<br>
                   that was used to launch malicious attacks and/or for
                various other<br>
                   purposes of accounting.  Since there is no standard
                way of logging<br>
                   this information, different NAT devices behave
                differently and hence<br>
                                              
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
                SD: Is this "different NAT devices log this information
                differently"? </font></div>
          </div>
        </span>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Correct, as the
          sentence says, "Since there is no standard way…", each NAT
          device logs information in its own proprietary format.<font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      I'm just trying to make sure the reader understands what you mean
      by "behave differently" - NAT devices also behave differently when
      NATting.  I had to guess at the meaning. Maybe everyone else will
      understand?<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    it is difficult to expect a
            consistent behavior.  The lack of a<br>
               consistent way makes it difficult to write the collector
            applications<br>
               that would receive this data and process it to present
            useful<br>
               information.  This document describes the information
            that is<br>
               required to be logged by the NAT devices.<br>
               ^^^^^^^^^^^^^^^^^^^^^^^^ <br>
            SD: Same as previous question - is this "logged by"?</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div><br>
        </div>
        <div>[Senthil] If a NAT device is logging events, these are the
          requirements that a NAT device should adhere to.</div>
      </blockquote>
      <br>
      I know this seems tedious, but I'm not able to map what you
      provided as explanation onto the text you're explaining. What I'm
      seeing in the text is<br>
      <br>
      A NAT MUST log this information<br>
      <br>
      and what I'm seeing in your explanation is<br>
      <br>
      IF a NAT is is logging information, here's how the NAT SHOULD log
      information.<br>
      <br>
      I'm guessing that what you're saying is really "this document
      describes the information that logging NAT devices produce". <br>
      <br>
      This doesn't matter yet (you're still in the abstract, which
      shouldn't be providing requirements anyway), but in the body of
      the document, it needs to be clear.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">2.  Introduction<br>
                <br>
                   The IPFIX Protocol [RFC5101bis] defines a generic
                push mechanism for<br>
                   exporting information and events.  The IPFIX
                Information Model<br>
                   [IPFIX-IANA] defines a set of standard Information
                Elements (IEs)<br>
                   which can be carried by the IPFIX protocol.  This
                document details<br>
                   the IPFIX Information Elements(IEs) that are required
                for logging by<br>
                   a NAT device.  The document will specify the format
                of the IE's that<br>
                   are required to be logged by the NAT device and all
                the optional<br>
                       ^^^^^^^^^^^^^^^^^^^^^<br>
                SD: Now that we're in the document body, if this is
                required, shouldn't there be a reference to where the
                requirements are stated?</font></div>
          </div>
        </span>
        <div>[Senthil] This is the document that is specifying those
          requirements. Do you have any other suggestions of wording
          instead of "required by", would it be fine if I change the
          sentence from</div>
        <div bgcolor="#FFFFFF" text="#000000">"required to be logged" to
          "SHOULD be logged"?<font face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      Sorry, my first set of comments was bogus. What triggered my
      comments was the use of lower-case terms from RFC 2119 (see my
      explanation above).<br>
      <br>
      This could be "are REQUIRED" (the RFC 2119 requirements language
      you said you're using), or "are required" (if you change your
      paragraph about requirements language to say that case doesn't
      matter).<br>
      <br>
      But "REQUIRED" is "MUST", so changing to "SHOULD" would be a
      change in your intended meaning.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"><br>
        <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">    This document and
                [I-D.behave-syslog-nat-logging] are provided in<br>
                   order to standardize the events and parameters to be
                recorded, using<br>
                   IPFIX [RFC5101bis] and SYSLOG [RFC5424]respectively.<br>
              </font></div>
          </div>
        </span></blockquote>
      <br>
      I'm sorry I missed this question the first time. Is there a
      relationship with the MIB revision?<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"><span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace"> 3.  Scope<br>
                <br>
                   This document provides the information model to be
                used for logging<br>
                   the NAT devices including Carrier Grade NAT (CGN)
                events.  This<br>
                                  
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
                SD: This sentence seems somewhat turned around -
                "logging events", not "logging the NAT devices".</font></div>
          </div>
        </span>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Agree, I will
          change this to "logging the NAT events". <font face="Courier
            New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      Thanks.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    document focuses exclusively on
            the specification of IPFIX IE's.<br>
               This document does not provide guidance on the transport
            protocol<br>
               like TCP, UDP or SCTP that is to be used to log NAT
            events.  The log<br>
               events SHOULD NOT be lost but the choice of the actual
            transport<br>
               protocol is beyond the scope of this document.<br>
            <br>
            SD: I'm not understanding why this last sentence is needed,
            especially with a normative requirement for what you do when
            you are doing something outside the scope of the document
            ...</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div>[Senthil] Are you objecting to the second part of the last
          sentence "the choice of actual transport…", I think the
          requirement is that the LOG events should not be lost is
          valid.</div>
      </blockquote>
      <br>
      I'm sorry, my question wasn't clear. What I intended to say was
      that I was confused because the text said "not providing guidance
      on the choice of a transport protocol", but then provided a
      requirement about the implications of that choice (using a
      SHOULD).<br>
      <br>
      So let me try to be clearer. I think what you're saying is <br>
      <br>
      - you can use any transport protocol, but you SHOULDn't lose
      anything<br>
      <br>
      I'm thinking this may be underspecified, although I don't know
      what IPFIX usually expects from transport protocols, so please be
      patient.<br>
      <br>
      First, I'm confused by the SHOULD with no qualification. When is
      it OK to lose LOG events?<br>
      <br>
      Second, you're not giving guidance on selecting a transport
      protocol, but you are giving guidance about expecting a reliable
      data channel, whether MUST be reliable or SHOULD be reliable. Are
      there other transport characteristics that you expect? For
      instance, is in-order delivery assumed? Is duplicate detection by
      IPFIX assumed (if a log arrives twice, does IPFIX notice)?<br>
      <br>
      Third, are IPFIX implementations so transport protocol-agnostic
      that if my NAT device decides to to send logs using SCTP with
      partial reliability, I should expect that to work with any
      collector that implements this specification?<br>
      <br>
      It happens that I co-chaired MEDIACTRL when the specification said
      "TCP or SCTP", and got feedback during AD evaluation that if we
      didn't pick a mandatory to implement transport protocol, that
      wouldn't guarantee interoperation between two standard-conforming
      devices.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace"><br>
                   The existing IANA IPFIX IEs registry [IPFIX-IANA]
                already has<br>
                   assignments for many NAT logging events.  For
                convenience, this<br>
                   document uses those same IEs.  However, as stated
                earlier, this<br>
                   document is not defining IPFIX or NetFlow v9 as the
                framework for<br>
                   logging.  Rather, the information contained in these
                elements is<br>
                <br>
                SD: I got lost on "these elements" - is that "the
                elements in the existing registry"</font></div>
          </div>
        </span>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Yes. How about
          "Rather, the information elements as defined in the IPFIX-IANA
          registry is within the scope of this document"?<font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      <font face="Courier New,Courier,monospace">I think that's "are
        within", but yes, that works. Thanks.<br>
        <br>
      </font>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    within the scope of this
            document.<br>
            <br>
               This document assumes that the NAT device will use the
            existing IPFIX<br>
               framework to send the log events to the collector.  This
            would mean<br>
               that the NAT device will specify the template that it is
            going to use<br>
               for each of the events.  The templates can be of varying
            length and<br>
               there could be multiple templates that a NAT device could
            use to log<br>
               the events.<br>
            <br>
               The implementation details of the collector application
            is beyond the<br>
               scope of this document.<br>
            <br>
               The optimization of logging the NAT events are left to
            the<br>
                                                          ^^^<br>
               implementation and are beyond the scope of this document.<br>
                                  ^^^<br>
            SD: It's a nit, but those "are"s should be "is"s.</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Ok.<font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      Thanks.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace"> 4.  Applicability<br>
            <br>
               NAT logging based on IPFIX uses binary encoding and hence
            is very<br>
               efficient.  IPFIX based logging is recommended for
            environments where<br>
               a high volume of logging is required, for example, where
            per-flow<br>
               logging is needed.  However, IPFIX based logging requires
            a collector<br>
               that processes the binary data and requires a network
            management<br>
               application that converts this binary data to a human
            readable<br>
               format.<br>
            <br>
            5.  Event based logging<br>
            <br>
               An event in a NAT device can be viewed as a happening as
            it relates<br>
                                                           ^^^^^^^^^<br>
            SD: Is this "a state transition"? I found "a happening"
            somewhat odd.</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Yes, I can
          rephrase this as "viewed as a state transition as it relates
          to" or "viewed as an action as it relates to", if that is ok.<font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      If "a state transition" is correct, I'd prefer that (if it's
      correct :-) ).<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    to the management of NAT
            resources.  The creation and deletion of NAT<br>
               sessions and bindings are examples of events as it
            results in the<br>
               resources (addresses and ports) being allocated or
            freed.  The events<br>
               can happen either through the processing of data packets
            flowing<br>
               through the NAT device or through an external entity
            installing<br>
               policies on the NAT router or as a result of an
            asynchronous event<br>
               like a timer.  The list of events are provided in Section
            4.1.  Each<br>
               of these events SHOULD be logged, unless they are
            administratively<br>
               prohibited.  A NAT device MAY log these events to
            multiple collectors<br>
               if redundancy is required.  The network administrator
            will specify<br>
               the collectors to which the log records are to be sent.<br>
            <br>
               A collector may receive NAT events from multiple CGN
            devices and<br>
               should be able to distinguish between the devices.  Each
            CGN device<br>
               ^^^^^^<br>
            SD: I'm not sure why this isn't a SHOULD, or even a MUST.<br>
            <br>
               should have a unique source ID to identify themselves. 
            The source ID<br>
               ^^^^^^<br>
            SD: Again, I'm not sure why this isn't a SHOULD, or even a
            MUST.</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div><br>
        </div>
        <div>[Senthil] Well, this is NOT a statement for a NAT device,
          instead it is a collector that some application writer will </div>
        <div bgcolor="#FFFFFF" text="#000000">develop. <font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      Don't you think you can levy requirements about that on the
      collector? I don't understand. <br>
      <br>
      But beyond that, what I THINK the text is saying, is that multiple
      CGN devices can ("may") send to a single collector, that none of
      the CDN devices have to have a unique source ID to identify
      themselves ("should", but not "must"), and that the collector is
      still expected to be able to distinguish among logs coming from
      multiple CGNs ("should").<br>
      <br>
      Am I misreading this?<br>
      <br>
      If not, do you think that works?<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    is part of the IPFIX template and
            data exchange.<br>
            <br>
               Prior to logging any events, the NAT device MUST send the
            template of<br>
               the record to the collector to advertise the format of
            the data<br>
               record that it is using to send the events.  The
            templates can be<br>
               exchanged as frequently as required given the reliability
            of the<br>
               connection.  There SHOULD be a configurable timer for
            controlling the<br>
               template refresh.  NAT device SHOULD combine as many
            events as<br>
               possible in a single packet to effectively utilize the
            network<br>
               bandwidth.<br>
            <br>
            5.1.  Logging of destination information<br>
            <br>
               Logging of destination information in a NAT event has
            been discussed<br>
               in [RFC6302] and [RFC6888].  Logging of destination
            information<br>
               increases the size of each record and increases the need
            for storage<br>
               considerably.  It increases the number of log events
            generated<br>
               because when the same user connects to a different
            destination, it<br>
               results in a log record per destination address.  Logging
            of<br>
               destination information also results in the loss of
            privacy and hence<br>
               should be done with caution.  However, this draft
            provides the<br>
               necessary fields to log the destination information in
            cases where<br>
               they are required to be logged.<br>
            <br>
            5.2.  Information Elements<br>
            <br>
               The templates could contain a subset of the Information
            Elements(IEs)<br>
               shown in Table 1 depending upon the event being logged. 
            For example<br>
               a NAT44 session creation template record will contain,<br>
                                                        ^^^^<br>
            SD: Is this the only possible NAT44 template? If so, fine,
            but if not, perhaps "could contain", or "typically
            contains"?</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div><br>
        </div>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Yes, this is all
          the information that a NAT44 need to export as it is the least
          common denominator.<font face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      My question is whether any other IEs might be added in the future,
      I think. If not, "will" is OK, but "MUST" would be clearer.<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace">    {sourceIPv4Adress,
            postNATSourceIPv4Address, destinationIpv4Address,<br>
               postNATDestinationIPv4Address, sourceTransportPort,<br>
               postNAPTSourceTransportPort, destinationTransportPort,<br>
               postNAPTDestTransportPort, internalAddressRealm,
            natEvent, timeStamp}<br>
            <br>
               An example of the actual event data record is shown below
            - in a<br>
               readable form<br>
            <br>
               {192.168.16.1, 201.1.1.100, 207.85.231.104,
            207.85.231.104, 14800,<br>
               1024, 80, 80, 0, 1, 09:20:10:789}<br>
            <br>
               A single NAT device could be exporting multiple templates
            and the<br>
               collector should support receiving multiple templates
            from the same<br>
               source.observationTimeMilliseconds<br>
            <br>
               The following is the table of all the IE's that a CGN
            device would<br>
               need to export the events.  The formats of the IE's and
            the IPFIX IDs<br>
               are listed below.<br>
            <br>
            SD: I noticed that some IEs below have a name that matches <a
              moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements">http://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements</a>
            for the same IPFIX ID number, but others do not ("timeStamp"
            here doesn't match "observationTimeMilliseconds", but both
            are IPFIX ID 323, aren't they?) Is there a reason to use
            names that don't match the IANA registry?</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div><br>
        </div>
        <div>[Senthil] Good question, in case of timeStamp, I was
          looking for something that already existed in the IPFIX
          registry rather than asking for a new one. However, the
          terminology of "observationTimeMilliseconds" is not the
          terminology that we use in the NAT drafts/rfc's. So I am open
          to suggestions here. I can clarify in the description that is
          called observationTimeMilliSeconds". The other field is
          internalAddressRealm and externalAddresRealm, this is the
          terminology that we used in NAT MIB, syslog and other
          documents. However, when we defined the IPFIX IE, we didn’t
          stick to the same terminology, so I don’t know if I can go and
          ask the IPFIX IANA to change the name. Again I am open to
          suggestions, the dillema is whether I should stick to the
          existing IPFIX IANA terminology or the behave documents
          terminology.</div>
      </blockquote>
      <br>
      I'm way out of my depth on this one (sorry!).<br>
      <br>
      Fortunately, the next stop for an AD-sponsored IPFIX specification
      is the IPFIX review team. Could you just add a note pointing this
      question out, and asking if they have any suggestions?<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">  
                +----------------------------------+--------+-------+---------------+<br>
                   |            Field Name            |   Size |  IANA
                |  Description  |<br>
                   |                                  | (bits) | IPFIX
                |               |<br>
                   |                                  |        |    ID
                |               |<br>
                  
                +----------------------------------+--------+-------+---------------+<br>
                   |            timeStamp             |     64 |   323
                |  System Time  |<br>
                   |                                  |        |      
                |    when the   |<br>
                   |                                  |        |      
                |     event     |<br>
                   |                                  |        |      
                |    occured.   |<br>
                   |          natInstanceId           |     32 |   TBD
                |  NAT Instance |<br>
                   |                                  |        |      
                |   Identifier  |<br>
                   |              vlanID              |     16 |    58
                |   VLAN ID in  |<br>
                   |                                  |        |      
                |    case of    |<br>
                   |                                  |        |      
                |  overlapping  |<br>
                   |                                  |        |      
                |    networks   |<br>
                   |           ingressVRFID           |     32 |   234
                |   VRF ID in   |<br>
                   |                                  |        |      
                |    case of    |<br>
                   |                                  |        |      
                |  overlapping  |<br>
                   |                                  |        |      
                |    networks   |<br>
                   |        sourceIPv4Address         |     32 |     8
                |  Source IPv4  |<br>
                   |                                  |        |      
                |    Address    |<br>
                   |     postNATSourceIPv4Address     |     32 |   225
                |   Translated  |<br>
                   |                                  |        |      
                |  Source IPv4  |<br>
                   |                                  |        |      
                |    Address    |<br>
                   |        protocolIdentifier        |      8 |     4
                |   Transport   |<br>
                   |                                  |        |      
                |    protocol   |<br>
                   |       sourceTransportPort        |     16 |     7
                |  Source Port  |<br>
                   |   postNAPTsourceTransportPort    |     16 |   227
                |   Translated  |<br>
                   |                                  |        |      
                |  Source port  |<br>
                   |      destinationIPv4Address      |     32 |    12
                |  Destination  |<br>
                   |                                  |        |      
                |  IPv4 Address |<br>
                   |  postNATDestinationIPv4Address   |     32 |   226
                |   Translated  |<br>
                   |                                  |        |      
                |      IPv4     |<br>
                   |                                  |        |      
                |  destination  |<br>
                   |                                  |        |      
                |    address    |<br>
                   |     destinationTransportPort     |     16 |    11
                |  Destination  |<br>
                   |                                  |        |      
                |      port     |<br>
                   | postNAPTdestinationTransportPort |     16 |   228
                |   Translated  |<br>
                   |                                  |        |      
                |  Destination  |<br>
                   |                                  |        |      
                |      port     |<br>
                   |        sourceIPv6Address         |     27 |   128
                |  Source IPv6  |<br>
                   |                                  |        |      
                |    address    |<br>
                   |      destinationIPv6Address      |    128 |    28
                |  Destination  |<br>
                   |                                  |        |      
                |  IPv6 address |<br>
                   |     postNATSourceIPv6Address     |    128 |   281
                |   Translated  |<br>
                   |                                  |        |      
                |  source IPv6  |<br>
                   |                                  |        |      
                |    addresss   |<br>
                   |  postNATDestinationIPv6Address   |    128 |   282
                |   Translated  |<br>
                   |                                  |        |      
                |  Destination  |<br>
                   |                                  |        |      
                |  IPv6 address |<br>
                   |       internalAddressRealm       |      8 |   229
                |     Source    |<br>
                   |                                  |        |       |
                Address Realm |<br>
                   |       externalAddressRealm       |      8 |   TBD
                |  Destination  |<br>
                   |                                  |        |       |
                Address Realm |<br>
                   |             natEvent             |      8 |   230 |
                Type of Event |<br>
                   |          portRangeStart          |     16 |   361
                |   Allocated   |<br>
                   |                                  |        |      
                |   port block  |<br>
                   |                                  |        |      
                |     start     |<br>
                   |           portRangeEnd           |     16 |   362
                |   Allocated   |<br>
                   |                                  |        |      
                |   Port block  |<br>
                   |                                  |        |      
                |      end      |<br>
                   |            natPoolID             |     32 |   283
                |    NAT pool   |<br>
                   |                                  |        |      
                |   Identifier  |<br>
                   |          natLimitEvent           |     32 |   TBD
                |  Limit event  |<br>
                   |                                  |        |      
                |   identifier  |<br>
                  
                +----------------------------------+--------+-------+---------------+<br>
                <br>
                                      Table 1: Template format Table<br>
                <br>
                5.3.  Definition of NAT Events<br>
                <br>
                   The following are the list of NAT events and the
                proposed event<br>
                   values.  The list can be expanded in the future as
                necessary.  The<br>
                   data record will have the corresponding natEvent
                value to identify<br>
                   the event that is being logged.<br>
                <br>
                                   +--------------------------+--------+<br>
                                   |        Event Name        | Values |<br>
                                   +--------------------------+--------+<br>
                                   |   NAT44 Session create   |      1 |<br>
                                   |   NAT44 Session delete   |      2 |<br>
                                   | NAT Addresses exhausted  |      3 |<br>
                                   |   NAT64 Session create   |      4 |<br>
                                   |   NAT64 Session delete   |      5 |<br>
                                   |     NAT44 BIB create     |      6 |<br>
                                   |     NAT44 BIB delete     |      7 |<br>
                                   |     NAT64 BIB create     |      8 |<br>
                                   |     NAT64 BIB delete     |      9 |<br>
                                   |   NAT ports exhausted    |     10 |<br>
                                   |      Quota exceeded      |     11 |<br>
                                   |  Address binding create  |     12 |<br>
                                   |  Address binding delete  |     13 |<br>
                                   |  Port block allocation   |     14 |<br>
                                   | Port block de-allocation |     15 |<br>
                                   |    Threshold reached     |     16 |<br>
                                   +--------------------------+--------+<br>
                <br>
                                        Table 2: NAT Event ID table<br>
                <br>
                5.4.  Quota exceeded Event types<br>
                <br>
                   The following table shows the sub event types for the
                Quota exceeded<br>
                   or limits reached event.  The events that can be
                reported are the<br>
                   Maximum session entries limit reached, Maximum BIB
                entries limit<br>
                   reached, Maximum session/BIB entries per user limit
                reached and<br>
                   maximum subscribers or hosts limit reached.<br>
                <br>
                           
                +---------------------------------------+--------+<br>
                            |       Quota Exceeded Event Name       |
                Values |<br>
                           
                +---------------------------------------+--------+<br>
                            |        Maximum Session entries       
                |      1 |<br>
                            |          Maximum BIB entries         
                |      2 |<br>
                            |        Maximum entries per user      
                |      3 |<br>
                            |  Maximum active hosts or subscribers 
                |      4 |<br>
                            |  Maximum fragments pending reassembly
                |      5 |<br>
                           
                +---------------------------------------+--------+<br>
                <br>
                                    Table 3: Quota Exceeded event table<br>
                <br>
                5.5.  Threshold reached Event types<br>
                <br>
                   The following table shows the sub event types for the
                threshold<br>
                   reached event.  The administrator can configure the
                thresholds and<br>
                   whenever the threshold is reached or exceeded, the
                corresponding<br>
                   events are generated.<br>
                <br>
                   The address pool high threshold event will be
                reported when the<br>
                   address pool reaches a high water mark as defined by
                the operator.<br>
                   This will sever as an indication that the operator
                might have to add<br>
                   more addresses to the pool or an indication that the
                subsequent users<br>
                   may be denied NAT translation mappings.<br>
                <br>
                   The address and port mapping high threshold event is
                generated, when<br>
                   the number of ports in the configured address pool
                has reached a<br>
                   configured threshold.<br>
                <br>
                   The per-user address and port mapping high threshold
                is generated<br>
                   when a single user uses more address and port mapping
                than a<br>
                   configured threshold.<br>
                <br>
                  
                +---------------------------------------------------------+--------+<br>
                   |              Threshold Exceeded Event
                Name              | Values |<br>
                  
                +---------------------------------------------------------+--------+<br>
                   |            Address pool high threshold
                event            |      1 |<br>
                   |             Address pool low threshold
                event            |      2 |<br>
                   |      Address and port mapping high threshold
                event      |      3 |<br>
                   |  Address and port mapping per user high threshold
                event |      4 |<br>
                   |       Global Address mapping high threshold
                event       |      5 |<br>
                  
                +---------------------------------------------------------+--------+<br>
                <br>
                                      Table 4: Threshold event table<br>
                <br>
                5.6.  Templates for NAT Events<br>
                <br>
                   The following is the template of events that will
                have to logged.<br>
                                                               
                ^^^^^^^^^^^^^^^^^^^<br>
                <br>
                SD: I think this is a nit, but the sentence is garbled.
                "will be logged"?<br>
                <br>
                   The events below are identified at the time of this
                writing but the<br>
                   events are expandable.  Depending on the
                implementation and<br>
                   ^^^^^^^^^^^^^^^^^^^^^<br>
                SD: this is a nit, but "set of events is extensible", I
                think.</font></div>
          </div>
        </span>
        <div><br>
        </div>
        <div>[Senthil] Agree. (to both comments).</div>
      </blockquote>
      <br>
      Thanks,<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">   configuration various IE's
                specified can be included or ignored.<br>
                <br>
                5.6.1.  NAT44 create and delete session events<br>
                <br>
                   These events will be generated when a NAT44 session
                is created or<br>
                   deleted.  The template will be the same, the natEvent
                will indicate<br>
                   whether it is a create or a delete event.  The
                following is a<br>
                   template of the event.<br>
                <br>
                   The destination address and port information is
                optional as required<br>
                   by [RFC6888].  However, when the destination
                information is<br>
                   suppressed, the session log event contains the same
                information as<br>
                   the BIB event.  In such cases, the NAT device SHOULD
                NOT send both<br>
                   BIB and session events.<br>
                <br>
                     
                +----------------------------------+-------------+-----------+<br>
                      |            Field Name            | Size (bits) |
                Mandatory |<br>
                     
                +----------------------------------+-------------+-----------+<br>
                      |            timeStamp             |          64
                |    Yes    |<br>
                      |          natInstanceID           |          32
                |     No    |<br>
                      |       vlanID/ingressVRFID        |          32
                |     No    |<br>
                      |        sourceIPv4Address         |          32
                |    Yes    |<br>
                      |     postNATSourceIPv4Address     |          32
                |    Yes    |<br>
                      |        protocolIdentifier        |           8
                |    Yes    |<br>
                      |       sourceTransportPort        |          16
                |    Yes    |<br>
                      |   postNAPTsourceTransportPort    |          16
                |    Yes    |<br>
                      |      destinationIPv4Address      |          32
                |     No    |<br>
                      |  postNATDestinationIPv4Address   |          32
                |     No    |<br>
                      |     destinationTransportPort     |          16
                |     No    |<br>
                      | postNAPTdestinationTransportPort |          16
                |     No    |<br>
                      |       internalAddressRealm       |           8
                |     No    |<br>
                      |       externalAddressRealm       |           8
                |     No    |<br>
                      |             natEvent             |           8
                |    Yes    |<br>
                     
                +----------------------------------+-------------+-----------+<br>
                <br>
                               Table 5: NAT44 Session delete/create
                template<br>
                <br>
                5.6.2.  NAT64 create and delete session events<br>
                <br>
                   These events will be generated when a NAT64 session
                is created or<br>
                   deleted.  The following is a template of the event.<br>
                <br>
                     
                +----------------------------------+-------------+-----------+<br>
                      |            Field Name            | Size (bits) |
                Mandatory |<br>
                     
                +----------------------------------+-------------+-----------+<br>
                      |            timeStamp             |          64
                |    Yes    |<br>
                      |          natInstanceID           |          32
                |     No    |<br>
                      |       vlanID/ingressVRFID        |          32
                |     No    |<br>
                      |        sourceIPv6Address         |         128
                |    Yes    |<br>
                      |     postNATSourceIPv4Address     |          32
                |    Yes    |<br>
                      |        protocolIdentifier        |           8
                |    Yes    |<br>
                      |       sourceTransportPort        |          16
                |    Yes    |<br>
                      |   postNAPTsourceTransportPort    |          16
                |    Yes    |<br>
                      |      destinationIPv6Address      |         128
                |     No    |<br>
                      |  postNATDestinationIPv4Address   |          32
                |     No    |<br>
                      |     destinationTransportPort     |          16
                |     No    |<br>
                      | postNAPTdestinationTransportPort |          16
                |     No    |<br>
                      |       internalAddressRealm       |           8
                |     No    |<br>
                      |       externalAddressRealm       |           8
                |     No    |<br>
                      |             natEvent             |           8
                |    Yes    |<br>
                     
                +----------------------------------+-------------+-----------+<br>
                <br>
                            Table 6: NAT64 session create/delete event
                template<br>
                <br>
                5.6.3.  NAT44 BIB create and delete events<br>
                <br>
                   These events will be generated when a NAT44 Bind
                entry is created or<br>
                   deleted.  The following is a template of the event.<br>
                <br>
                        
                +-----------------------------+-------------+-----------+<br>
                         |          Field Name         | Size (bits) |
                Mandatory |<br>
                        
                +-----------------------------+-------------+-----------+<br>
                         |          timeStamp          |          64
                |    Yes    |<br>
                         |        natInstanceID        |          32
                |     No    |<br>
                         |     vlanID/ingressVRFID     |          32
                |     No    |<br>
                         |      sourceIPv4Address      |          32
                |    Yes    |<br>
                         |   postNATSourceIPv4Address  |          32
                |    Yes    |<br>
                         |      protocolIdentifier     |           8
                |     No    |<br>
                         |     sourceTransportPort     |          16
                |     No    |<br>
                         | postNAPTsourceTransportPort |          16
                |     No    |<br>
                         |     internalAddressRealm    |           8
                |     No    |<br>
                         |     externalAddressRealm    |           8
                |     No    |<br>
                         |           natEvent          |           8
                |    Yes    |<br>
                        
                +-----------------------------+-------------+-----------+<br>
                <br>
                              Table 7: NAT44 BIB create/delete event
                template<br>
                <br>
                5.6.4.  NAT64 BIB create and delete events<br>
                <br>
                   These events will be generated when a NAT64 Bind
                entry is created or<br>
                   deleted.  The following is a template of the event.<br>
                <br>
                        
                +-----------------------------+-------------+-----------+<br>
                         |          Field Name         | Size (bits) |
                Mandatory |<br>
                        
                +-----------------------------+-------------+-----------+<br>
                         |          timeStamp          |          64
                |    Yes    |<br>
                         |        natInstanceID        |          32
                |     No    |<br>
                         |     vlanID/ingressVRFID     |          32
                |     No    |<br>
                         |      sourceIPv6Address      |         128
                |    Yes    |<br>
                         |   postNATSourceIPv4Address  |          32
                |    Yes    |<br>
                         |      protocolIdentifier     |           8
                |     No    |<br>
                         |     sourceTransportPort     |          16
                |     No    |<br>
                         | postNAPTsourceTransportPort |          16
                |     No    |<br>
                         |     internalAddressRealm    |           8
                |     No    |<br>
                         |     externalAddressRealm    |           8
                |     No    |<br>
                         |           natEvent          |           8
                |    Yes    |<br>
                        
                +-----------------------------+-------------+-----------+<br>
                <br>
                              Table 8: NAT64 BIB create/delete event
                template<br>
                <br>
                5.6.5.  Addresses Exhausted event<br>
                <br>
                   This event will be generated when a NAT device runs
                out of global<br>
                   IPv4 addresses in a given pool of addresses. 
                Typically, this event<br>
                   would mean that the NAT device wont be able to create
                any new<br>
                                                  ^^^^<br>
                SD: "won't"</font></div>
          </div>
        </span>
        <div><br>
        </div>
        <div bgcolor="#FFFFFF" text="#000000">[Senthil] Ok.<font
            face="Courier New,Courier,monospace"><br>
          </font></div>
      </blockquote>
      <br>
      Thanks,<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite">
        <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
            New,Courier,monospace"> <br>
               translations until some addresses/ports are freed.  This
            event SHOULD<br>
               be rate limited as many packets hitting the device at the
            same time<br>
               will trigger a burst of addresses exhausted events.<br>
            <br>
               The following is a template of the event.  Note that
            either the NAT<br>
               pool name or the nat pool identifier should be logged,
            but not both.<br>
            <br>
            SD: I lack understanding, but I didn't see anything that
            looked like a NAT pool name in the template. Did I miss
            something?</font></div>
        <span id="OLK_SRC_BODY_SECTION">
          <div> </div>
        </span>
        <div><br>
        </div>
        <div>[Senthil] We decided not to use a string like a pool name
          instead use a poolID, which is a unique identifier for each
          pool name. The reason being that the logs could become fairly
          large </div>
        <div>If we have to carry the names and some of the NAT engines
          implement this in the hardware that lacks the string
          processing capability.</div>
      </blockquote>
      <br>
      OK, that helps. I'm understanding that a different template might
      have included a pool name, but not a poolID, is that right?<br>
      <br>
      I'm somewhat uneasy about the "either should be logged, but not
      both" text.<br>
      <br>
      Same question as usual - is this an RFC 2119 SHOULD that helps
      with interoperation, or is this about an implementation choice?<br>
      <br>
      If it's an RFC 2119 SHOULD, robust collectors will need to do
      something if a log arrives with both a pool name and a poolID. If
      it's a MUST, a collector wouldn't accept the log (however the
      collector would decide to do that).<br>
      <br>
      If it's not an RFC 2119 SHOULD, but just implementation guidance,
      the explanation you provided would be more helpful (something like
      "could include a pool name, but some NAT engines are implemented
      in hardware that lacks string processing capability, and these are
      permitted to substitute a poolID. There's no reason to provide
      both a pool name and a poolID").<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">               
                +---------------+-------------+-----------+<br>
                                |   Field Name  | Size (bits) |
                Mandatory |<br>
                               
                +---------------+-------------+-----------+<br>
                                |   timeStamp   |          64 |   
                Yes    |<br>
                                | natInstanceID |          32 |    
                No    |<br>
                                |    natEvent   |           8 |   
                Yes    |<br>
                                |   natPoolID   |          32 |   
                Yes    |<br>
                               
                +---------------+-------------+-----------+<br>
                <br>
                                 Table 9: Address Exhausted event
                template<br>
                <br>
                5.6.6.  Ports Exhausted event<br>
                <br>
                   This event will be generated when a NAT device runs
                out of ports for<br>
                   a global IPv4 address.  Port exhaustion shall be
                reported per<br>
                   protocol (UDP, TCP etc).  This event SHOULD be rate
                limited as many<br>
                   packets hitting the device at the same time will
                trigger a burst of<br>
                   port exhausted events.<br>
                <br>
                   The following is a template of the event.<br>
                <br>
                         
                +--------------------------+-------------+-----------+<br>
                          |        Field Name        | Size (bits) |
                Mandatory |<br>
                         
                +--------------------------+-------------+-----------+<br>
                          |        timeStamp         |          64 |   
                Yes    |<br>
                          |      natInstanceID       |          32 |    
                No    |<br>
                          |         natEvent         |           8 |   
                Yes    |<br>
                          | postNATSourceIPv4Address |          32 |   
                Yes    |<br>
                          |    protocolIdentifier    |           8 |   
                Yes    |<br>
                         
                +--------------------------+-------------+-----------+<br>
                <br>
                                 Table 10: Ports Exhausted event
                template<br>
                <br>
                5.6.7.  Quota exceeded events<br>
                <br>
                   This event will be generated when a NAT device cannot
                allocate<br>
                   resources as a result of an administratively defined
                policy.  The<br>
                   quota exceeded event templates are described below<br>
                                                                     ^<br>
                SD: missing period</font></div>
          </div>
        </span>
        <div>[Senthil] Ok.</div>
      </blockquote>
      <br>
      Thanks,<br>
      <br>
      <blockquote cite="mid:CF89605B.1009FB%25ssenthil@cisco.com"
        type="cite"> <span id="OLK_SRC_BODY_SECTION">
          <div>
            <div bgcolor="#FFFFFF" text="#000000"><font face="Courier
                New,Courier,monospace">5.6.7.1.  Maximum session entries
                exceeded<br>
                <br>
                   The maximum session entries exceeded is generated
                when the<br>
                   administratively configured limit is reached.  The
                following is the<br>
                   template of the event.<br>
                <br>
                              
                +-----------------+-------------+-----------+<br>
                               |    Field Name   | Size (bits) |
                Mandatory |<br>
                              
                +-----------------+-------------+-----------+<br>
                               |    timeStamp    |          64 |   
                Yes    |<br>
                               |  natInstanceID  |          32 |    
                No    |<br>
                               |     natEvent    |           8 |   
                Yes    |<br>
                               |  natLimitEvent  |          32 |   
                Yes    |<br>
                               | configuredLimit |          32 |   
                Yes    |<br>
                              
                +-----------------+-------------+-----------+<br>
                <br>
                             Table 11: Session Entries Exceeded event
                template<br>
                <br>
                5.6.7.2.  Maximum BIB entries exceeded<br>
                <br>
                   The maximum BIB entries exceeded is generated when
                the<br>
                   administratively configured limit is reached.  The
                following is the<br>
                   template of the event.<br>
                <br>
                              
                +-----------------+-------------+-----------+<br>
                               |    Field Name   | Size (bits) |
                Mandatory |<br>
                              
                +-----------------+-------------+-----------+<br>
                               |    timeStamp    |          64 |   
                Yes    |<br>
                               |  natInstanceID  |          32 |    
                No    |<br>
                               |     natEvent    |           8 |   
                Yes    |<br>
                               |  natLimitEvent  |          32 |   
                Yes    |<br>
                               | configuredLimit |          32 |   
                Yes    |<br>
                              
                +-----------------+-------------+-----------+<br>
                <br>
                               Table 12: BIB Entries Exceeded event
                template<br>
                <br>
                5.6.7.3.  Maximum entries per user exceeded<br>
                <br>
                   This event is generated when a single user reaches
                the<br>
                   administratively configured limit.  The following is
                the template of<br>
                   the event.<br>
                <br>
                          
                +---------------------+-------------+---------------+<br>
                           |      Field Name     | Size (bits) |  
                Mandatory   |<br>
                          
                +---------------------+-------------+---------------+<br>
                           |      timeStamp      |          64 |     
                Yes      |<br>
                           |    natInstanceID    |          32 |      
                No      |<br>
                           |       natEvent      |           8 |     
                Yes      |<br>
                           |    natLimitEvent    |          32 |     
                Yes      |<br>
                           |   configuredLimit   |          32 |     
                Yes      |<br>
                           | vlanID/ingressVRFID |          32 |      
                No      |<br>
                           |  sourceIPv4 address |          32 | Yes for
                NAT44 |<br>
                           |  sourceIPv6 address |         128 | Yes for
                NAT64 |<br>
                          
                +---------------------+-------------+---------------+<br>
                <br>
                            Table 13: Per-user Entries Exceeded event
                template<br>
                <br>
                5.6.7.4.  Maximum active host or subscribers exceeded<br>
                <br>
                   This event is generated when the number of allowed
                hosts or<br>
                   subscribers reaches the administratively configured
                limit.  The<br>
                   following is the template of the event.<br>
                <br>
                              
                +-----------------+-------------+-----------+<br>
                               |    Field Name   | Size (bits) |
                Mandatory |<br>
                              
                +-----------------+-------------+-----------+<br>
                               |    timeStamp    |          64 |   
                Yes    |<br>
                               |  natInstanceID  |          32 |    
                No    |<br>
                               |     natEvent    |           8 |   
                Yes    |<br>
                               |  natLimitEvent  |          32 |   
                Yes    |<br>
                               | configuredLimit |          32 |   
                Yes    |<br>
                              
                +-----------------+-------------+-----------+<br>
                <br>
                        Table 14: Maximum hosts/subscribers Exceeded
                event template<br>
                <br>
                5.6.7.5.  Maximum fragments pending reassembly exceeded<br>
                <br>
                   This event is generated when the number of fragments
                pending<br>
                   reassembly reaches the administratively configured
                limit.  The<br>
                   following is the template of the event.<br>
                <br>
                         
                +----------------------+-------------+---------------+<br>
                          |      Field Name      | Size (bits) |  
                Mandatory   |<br>
                         
                +----------------------+-------------+---------------+<br>
                          |      timeStamp       |          64 |     
                Yes      |<br>
                          |    natInstanceID     |          32 |      
                No      |<br>
                          |       natEvent       |           8 |     
                Yes      |<br>
                          |    natLimitEvent     |          32 |     
                Yes      |<br>
                          |   configuredLimit    |          32 |     
                Yes      |<br>
                          | internalAddressRealm |           8 |     
                Yes      |<br>
                          | vlanID/ingressVRFID  |          32 |      
                No      |<br>
                          |  sourceIPv4 address  |          32 | Yes for
                NAT44 |<br>
                          |  sourceIPv6 address  |         128 | Yes for
                NAT64 |<br>
                         
                +----------------------+-------------+---------------+<br>
                <br>
                       Table 15: Maximum fragments pending reassembly
                Exceeded event<br>
                                                 template<br>
                <br>
                5.6.8.  Threshold reached events<br>
                <br>
                   This event will be generated when a NAT device
                reaches a operator<br>
                   configured threshold when allocating resources.  The
                threshold<br>
                   reached events are described in the section above. 
                The following is<br>
                   a template of the individual events.<br>
                <br>
                5.6.8.1.  Address pool high or low threshold reached<br>
                <br>
                   This event is generated when the high or low
                threshold is reached for<br>
                   the address pool.  The template is the same for both
                high and low<br>
                   threshold events<br>
                <br>
                             
                +-------------------+-------------+-----------+<br>
                              |     Field Name    | Size (bits) |
                Mandatory |<br>
                             
                +-------------------+-------------+-----------+<br>
                              |     timeStamp     |          64 |   
                Yes    |<br>
                              |   natInstanceID   |          32 |    
                No    |<br>
                              |      natEvent     |           8 |   
                Yes    |<br>
                              | natThresholdEvent |          32 |   
                Yes    |<br>
                              |     natPoolID     |          32 |   
                Yes    |<br>
                              |  configuredLimit  |          32 |   
                Yes    |<br>
                             
                +-------------------+-------------+-----------+<br>
                <br>
                     Table 16: Address pool high/low threshold reached
                event template<br>
                <br>
                5.6.8.2.  Address and port high threshold reached<br>
                <br>
                   This event is generated when the high threshold is
                reached for the<br>
                   address pool and ports.<br>
                <br>
                             
                +-------------------+-------------+-----------+<br>
                              |     Field Name    | Size (bits) |
                Mandatory |<br>
                             
                +-------------------+-------------+-----------+<br>
                              |     timeStamp     |          64 |   
                Yes    |<br>
                              |   natInstanceID   |          32 |    
                No    |<br>
                              |      natEvent     |           8 |   
                Yes    |<br>
                              | natThresholdEvent |          32 |   
                Yes    |<br>
                              |  configuredLimit  |          32 |   
                Yes    |<br>
                             
                +-------------------+-------------+-----------+<br>
                <br>
                       Table 17: Address port high threshold reached
                event template<br>
                <br>
                5.6.8.3.  Per-user Address and port high threshold
                reached<br>
                <br>
                   This event is generated when the high threshold is
                reached for the<br>
                   per-user address pool and ports.<br>
                <br>
                          
                +---------------------+-------------+---------------+<br>
                           |      Field Name     | Size (bits) |  
                Mandatory   |<br>
                          
                +---------------------+-------------+---------------+<br>
                           |      timeStamp      |          64 |     
                Yes      |<br>
                           |    natInstanceID    |          32 |      
                No      |<br>
                           |       natEvent      |           8 |     
                Yes      |<br>
                           |  natThresholdEvent  |          32 |     
                Yes      |<br>
                           |   configuredLimit   |          32 |     
                Yes      |<br>
                           | vlanID/ingressVRFID |          32 |      
                No      |<br>
                           |  sourceIPv4 address |          32 | Yes for
                NAT44 |<br>
                           |  sourceIPv6 address |         128 | Yes for
                NAT64 |<br>
                          
                +---------------------+-------------+---------------+<br>
                <br>
                   Table 18: Per-user Address port high threshold
                reached event template<br>
                <br>
                5.6.8.4.  Global Address mapping high threshold reached<br>
                <br>
                   This event is generated when the high is reached for
                the per-user<br>
                   address pool and ports.  This is generated only by
                NAT devices that<br>
                   use a address pooling behavior of paired.<br>
                <br>
                            
                +---------------------+-------------+-----------+<br>
                             |      Field Name     | Size (bits) |
                Mandatory |<br>
                            
                +---------------------+-------------+-----------+<br>
                             |      timeStamp      |          64 |   
                Yes    |<br>
                             |    natInstanceID    |          32 |    
                No    |<br>
                             |       natEvent      |           8 |   
                Yes    |<br>
                             |  natThresholdEvent  |          32 |   
                Yes    |<br>
                             |   configuredLimit   |          32 |   
                Yes    |<br>
                             | vlanID/ingressVRFID |          32 |    
                No    |<br>
                            
                +---------------------+-------------+-----------+<br>
                <br>
                       Table 19: Global Address mapping high threshold
                reached event<br>
                                                 template<br>
                <br>
                5.6.9.  Address binding create and delete events<br>
                <br>
                   These events will be generated when a NAT device
                binds a local<br>
                   address with a global address and when the global
                address is freed.<br>
                   This binding event happens when the first packet of
                the first flow<br>
                   from a host in the private realm.<br>
                <br>
                    
                +--------------------------------+-------------+---------------+<br>
                     |           Field Name           | Size (bits) |  
                Mandatory   |<br>
                    
                +--------------------------------+-------------+---------------+<br>
                     |           timeStamp            |          64
                |      Yes      |<br>
                     |         natInstanceID          |          32
                |       No      |<br>
                     |            natEvent            |           8
                |      Yes      |<br>
                     |       sourceIPv4 address       |          32 |
                Yes for NAT44 |<br>
                     |       sourceIPv6 address       |         128 |
                Yes for NAT64 |<br>
                     | Translated Source IPv4 Address |          32
                |      Yes      |<br>
                    
                +--------------------------------+-------------+---------------+<br>
                <br>
                                  Table 20: NAT Address Binding template<br>
                <br>
                5.6.10.  Port block allocation and de-allocation<br>
                <br>
                   This event will be generated when a NAT device
                allocates/de-allocates<br>
                   ports in a bulk fashion, as opposed to allocating a
                port on a per<br>
                   flow basis.<br>
                <br>
                   portRangeStart represents the starting value of the
                range.<br>
                <br>
                   portRangeEnd represents the ending value of the
                range.<br>
                <br>
                   NAT devices would do this in order to reduce logs and
                potentially to<br>
                   limit the number of connections a subscriber is
                allowed to use.  In<br>
                   the following Port Block allocation template, the
                portRangeStart and<br>
                   portRangeEnd must be specified.<br>
                <br>
                <br>
                Sivakumar &amp; Penno        Expires August 15,
                2014               [Page 17]<br>
                <br>
                Internet-Draft          IPFIX IEs for NAT
                logging          February 2014<br>
                <br>
                   It is up to the implementation to choose to
                consolidate log records<br>
                   in case two consecutive port ranges for the same user
                are allocated<br>
                   or freed.<br>
                <br>
                    
                +--------------------------------+-------------+---------------+<br>
                     |           Field Name           | Size (bits) |  
                Mandatory   |<br>
                    
                +--------------------------------+-------------+---------------+<br>
                     |           timeStamp            |          64
                |      Yes      |<br>
                     |         natInstanceID          |          32
                |       No      |<br>
                     |            natEvent            |           8
                |      Yes      |<br>
                     |       sourceIPv4 address       |          32 |
                Yes for NAT44 |<br>
                     |       sourceIPv6 address       |         128 |
                Yes for NAT64 |<br>
                     | Translated Source IPv4 Address |          32
                |      Yes      |<br>
                     |         portRangeStart         |          16
                |      Yes      |<br>
                     |          portRangeEnd          |          16
                |       No      |<br>
                    
                +--------------------------------+-------------+---------------+<br>
                <br>
                            Table 21: NAT Port Block Allocation event
                template<br>
                <br>
                6.  Encoding<br>
                <br>
                6.1.  IPFIX<br>
                <br>
                   This document uses IPFIX as the encoding mechanism to
                describe the<br>
                   logging of NAT events.  However, the information that
                should be<br>
                   logged SHOULD be the same irrespective of what kind
                of encoding<br>
                   scheme is used.  IPFIX is chosen because is it an
                IETF standard that<br>
                   meets all the needs for a reliable logging
                mechanism.  IPFIX provides<br>
                   the flexibility to the logging device to define the
                data sets that it<br>
                   is logging.  The IEs specified for logging MUST be
                the same<br>
                   irrespective of the encoding mechanism used.<br>
                <br>
                7.  Acknowledgements<br>
                <br>
                   Thanks to Dan Wing, Selvi Shanmugam, Mohamed
                Boucadir, Jacni Qin<br>
                   Ramji Vaithianathan, Simon Perreault, Jean-Francois
                Tremblay, Paul<br>
                   Aitken and Julia Renouard for their review and
                comments.<br>
                <br>
                8.  IANA Considerations<br>
                <br>
                   The following information elements are requested from
                IANA IPFIX<br>
                   registry.<br>
                <br>
                   natInstanceId<br>
                <br>
                   externalAddressRealm<br>
                <br>
                   natLimitEvent<br>
                <br>
                9.  Management Considerations<br>
                <br>
                   This section considers requirements for management of
                the log system<br>
                   to support logging of the events described above.  It
                first covers<br>
                   requirements applicable to log management in
                general.  Any additional<br>
                   standardization required to fullfil these
                requirements is out of<br>
                   scope of the present document.  Some management
                considerations is<br>
                   covered in [I-D.behave-syslog-nat-logging].  This
                document covers the<br>
                   additional considerations.<br>
                <br>
                9.1.  Ability to collect events from multiple NAT
                devices<br>
                <br>
                   An IPFIX collector should be able to collect events
                from multiple NAT<br>
                   devices and be able to decipher events based on the
                sourceID in the<br>
                   IPFIX header.<br>
                <br>
                9.2.  Ability to suppress events<br>
                <br>
                   The exhaustion events can be overwhelming during
                traffic bursts and<br>
                   hence should be handled by the NAT devices to rate
                limit them before<br>
                   sending them to the collectors.  For eg. when the
                port exhaustion<br>
                   happens during bursty conditions, instead of sending
                a port<br>
                   exhaustion event for every packet, the exhaustion
                events should be<br>
                   rate limited by the NAT device.<br>
                <br>
                10.  Security Considerations<br>
                <br>
                   None.<br>
                <br>
                11.  References<br>
                <br>
                11.1.  Normative References<br>
                <br>
                   [RFC2119]  Bradner, S., "Key words for use in RFCs to
                Indicate<br>
                              Requirement Levels", BCP 14, RFC 2119,
                March 1997.<br>
                <br>
                   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network
                Address<br>
                              Translator (NAT) Terminology and
                Considerations", RFC<br>
                              2663, August 1999.<br>
                <br>
                   [RFC4787]  Audet, F. and C. Jennings, "Network
                Address Translation<br>
                              (NAT) Behavioral Requirements for Unicast
                UDP", BCP 127,<br>
                              RFC 4787, January 2007.<br>
                <br>
                   [RFC5382]  Guha, S., Biswas, K., Ford, B., Sivakumar,
                S., and P.<br>
                              Srisuresh, "NAT Behavioral Requirements
                for TCP", BCP 142,<br>
                              RFC 5382, October 2008.<br>
                <br>
                   [RFC6146]  Bagnulo, M., Matthews, P., and I. van
                Beijnum, "Stateful<br>
                              NAT64: Network Address and Protocol
                Translation from IPv6<br>
                              Clients to IPv4 Servers", RFC 6146, April
                2011.<br>
                <br>
                   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S.
                Sheppard,<br>
                              "Logging Recommendations for
                Internet-Facing Servers", BCP<br>
                              162, RFC 6302, June 2011.<br>
                <br>
                   [RFC6888]  Perreault, S., Yamagata, I., Miyakawa, S.,
                Nakagawa, A.,<br>
                              and H. Ashida, "Common Requirements for
                Carrier-Grade NATs<br>
                              (CGNs)", BCP 127, RFC 6888, April 2013.<br>
                <br>
                11.2.  Informative References<br>
                <br>
                   [I-D.ietf-behave-syslog-nat-logging]<br>
                              Chen, Z., Zhou, C., Tsou, T., and T.
                Taylor, "Syslog<br>
                              Format for NAT Logging",
                draft-ietf-behave-syslog-nat-<br>
                              logging-06 (work in progress), January
                2014.<br>
                <br>
                   [IPFIX-IANA]<br>
                              IANA, "IPFIX Information Elements
                registry",<br>
                              <a moz-do-not-send="true"
                  class="moz-txt-link-rfc2396E"
                  href="http://www.iana.org/assignments/ipfix">
                  &lt;http://www.iana.org/assignments/ipfix&gt;</a>.<br>
                <br>
                   [RFC5101bis]<br>
                              Claise, B. and B. Trammel, "Specification
                of the IP Flow<br>
                              Information eXport (IPFIX) Protocol for
                the Exchange of<br>
                              Flow Information", July 2013.<br>
                <br>
                   [RFC5102bis]<br>
                              Claise, B. and B. Trammel, "Information
                Model for IP Flow<br>
                              Information eXport (IPFIX)", February
                2013.<br>
                <br>
                   [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B.,
                and J. Quittek,<br>
                              "Architecture for IP Flow Information
                Export", RFC 5470,<br>
                              March 2009.<br>
                <br>
                Authors' Addresses<br>
                <br>
                   Senthil Sivakumar<br>
                   Cisco Systems<br>
                   7100-8 Kit Creek Road<br>
                   Research Triangle Park, North Carolina  27709<br>
                   USA<br>
                <br>
                   Phone: +1 919 392 5158<br>
                <br>
                   Renaldo Penno<br>
                   Cisco Systems<br>
                   170 W Tasman Drive<br>
                   San Jose, California  95035<br>
                   USA<br>
                <br>
                   Email: <a moz-do-not-send="true"
                  class="moz-txt-link-abbreviated"
                  href="mailto:repenno@cisco.com">repenno@cisco.com</a><br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <br>
                Sivakumar &amp; Penno        Expires August 15,
                2014               [Page 21]</font></div>
          </div>
        </span> </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>

--------------000800050500050302020207--

