Internet Engineering Task Force (IETF)                      S. Sivakumar
Request for Comments: 8158                                      R. Penno
Category: Standards Track                                  Cisco Systems
ISSN: 2070-1721                                            December 2017
IP Flow Information Export (IPFIX) Information Elements for Logging NAT Events
Abstract
Network operators require NAT devices to log events like creation and deletion of translations and information about the resources that the NAT device is managing. In many cases, the logs are essential to identify an attacker or a host that was used to launch malicious attacks and for various other purposes of accounting. Since there is no standard way of logging this information, different NAT devices use proprietary formats; hence, it is difficult to expect consistent behavior. This lack of standardization makes it difficult to write the Collector applications that would receive this data and process it to present useful information. This document describes the formats for logging NAT events.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8158.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Terminology
   1.2. Requirements Language
2. Scope
3. Deployment
4. Event-Based Logging
   4.1. Logging Destination Information
   4.2. Information Elements
   4.3. Definition of NAT Events
   4.4. Quota Exceeded Event Types
   4.5. Threshold Reached Event Types
   4.6. Templates for NAT Events
      4.6.1. NAT44 Session Create and Delete Events
      4.6.2. NAT64 Session Create and Delete Events
      4.6.3. NAT44 BIB Create and Delete Events
      4.6.4. NAT64 BIB Create and Delete Events
      4.6.5. Addresses Exhausted Event
      4.6.6. Ports Exhausted Event
      4.6.7. Quota Exceeded Events
         4.6.7.1. Maximum Session Entries Exceeded
         4.6.7.2. Maximum BIB Entries Exceeded
         4.6.7.3. Maximum Entries per User Exceeded
         4.6.7.4. Maximum Active Hosts or Subscribers Exceeded
         4.6.7.5. Maximum Fragments Pending Reassembly Exceeded
      4.6.8. Threshold Reached Events
         4.6.8.1. Address Pool High or Low Threshold Reached
         4.6.8.2. Address and Port Mapping High Threshold Reached
         4.6.8.3. Address and Port Mapping per User High Threshold Reached
         4.6.8.4. Global Address Mapping High Threshold Reached
      4.6.9. Address Binding Create and Delete Events
      4.6.10. Port Block Allocation and De-allocation
5. Management Considerations
   5.1. Ability to Collect Events from Multiple NAT Devices
   5.2. Ability to Suppress Events
6. IANA Considerations
   6.1. Information Elements
      6.1.1. natInstanceID
      6.1.2. internalAddressRealm
      6.1.3. externalAddressRealm
      6.1.4. natQuotaExceededEvent
      6.1.5. natThresholdEvent
      6.1.6. natEvent
      6.1.7. maxSessionEntries
      6.1.8. maxBIBEntries
      6.1.9. maxEntriesPerUser
      6.1.10. maxSubscribers
      6.1.11. maxFragmentsPendingReassembly
      6.1.12. addressPoolHighThreshold
      6.1.13. addressPoolLowThreshold
      6.1.14. addressPortMappingHighThreshold
      6.1.15. addressPortMappingLowThreshold
      6.1.16. addressPortMappingPerUserHighThreshold
      6.1.17. globalAddressMappingHighThreshold
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Acknowledgements
Authors' Addresses
The IP Flow Information Export (IPFIX) Protocol [RFC7011] defines a generic push mechanism for exporting information and events. The IPFIX Information Model [IPFIX-IANA] defines a set of standard Information Elements (IEs) that can be carried by the IPFIX protocol. This document details the IPFIX IEs that MUST be logged by a NAT device that supports NAT logging using IPFIX and all the optional fields. The fields specified in this document are gleaned from [RFC4787] and [RFC5382].
This document and [NAT-LOG] are written in order to standardize the events and parameters to be recorded using IPFIX [RFC7011] and SYSLOG [RFC5424], respectively. This document uses IPFIX as the encoding mechanism to describe the logging of NAT events. However, the information that is logged should be the same irrespective of what kind of encoding scheme is used. IPFIX is chosen because it is an IETF standard that meets all the needs for a reliable logging mechanism. IPFIX provides the flexibility to the logging device to define the datasets that it is logging. The IEs specified for logging must be the same irrespective of the encoding mechanism used.
The term "NAT device" in this document refers to any NAT44 or NAT64 device. The term "Collector" refers to any device that receives binary data from a NAT device and converts it into meaningful information. This document uses the term "session" as defined in [RFC2663], and the term "Binding Information Base" (BIB) as defined in [RFC6146]. The term "Information Element" or "IE" is defined in [RFC7011]. The term "Carrier-Grade NAT" refers to a large-scale NAT device as described in [RFC6888].
The IPFIX IEs that are NAT specific are created with NAT terminology. In order to avoid creating duplicates, IEs are reused if they convey the same meaning. This document uses the term "timestamp" for the IE, which defines the time when an event is logged; this is the same as the IPFIX term "observationTimeMilliseconds" as described in [IPFIX-IANA]. Since observationTimeMilliseconds is not self-explanatory for NAT implementors, the term "timeStamp" is used. Event templates, which refer to IPFIX Template Records, as well as log events, which refer to IPFIX Flow Records, are also used in this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This document provides the information model to be used for logging the NAT events, including Carrier-Grade NAT (CGN) events. [RFC7011] provides guidance on the choices of the transport protocols used for IPFIX and their effects. This document does not provide guidance on transport protocols like TCP, UDP, or Stream Control Transmission Protocol (SCTP), which are to be used to log NAT events. The logs SHOULD be reliably sent to the Collector to ensure that the log events are not lost. The choice of the actual transport protocol is beyond the scope of this document.
This document uses the allocated IPFIX IEs in the IANA "IPFIX Information Elements" registry [IPFIX-IANA] and registers some new ones.
This document assumes that the NAT device will use the existing IPFIX framework to send the log events to the Collector. This would mean that the NAT device will specify the template that it is going to use for each of the events. The templates can be of varying length, and there could be multiple templates that a NAT device could use to log the events.
The implementation details of the Collector application are beyond the scope of this document.
The optimization of logging the NAT events is left to the implementation and is beyond the scope of this document.
NAT logging based on IPFIX uses binary encoding; hence, it is very efficient. IPFIX-based logging is recommended for environments where a high volume of logging is required, for example, where per-flow logging is needed or in case of Carrier-Grade NAT. However, IPFIX-based logging requires a Collector that processes the binary data and requires a network management application that converts this binary data to a human-readable format.
A Collector may receive NAT events from multiple CGN devices. The Collector distinguishes between the devices using the source IP address, source port, and Observation Domain ID in the IPFIX header. The Collector can decide to store the information based on the administrative policies that are in line with the operator and the local jurisdiction. The retention policy is not dictated by the Exporter and is left to the policies that are defined at the Collector.
A Collector may have scale issues if it is overloaded by a large number of simultaneous events. An appropriate throttling mechanism may be used to handle the oversubscription.
The logs that are exported can be used for a variety of reasons. An example use case is to do accounting based on when the users logged on and off. The translation will be installed when the user logs on and removed when the user logs off. These events create log records. Another use case is to identify an attacker or a host in a provider network. The network administrators can use these logs to identify the usage patterns, the need for additional IP addresses, etc. The deployment of NAT logging is not limited to just these cases.
An event in a NAT device can be viewed as a state transition because it relates to the management of NAT resources. The creation and deletion of NAT sessions and bindings are examples of events, as they result in resources (addresses and ports) being allocated or freed. The events can happen through the processing of data packets flowing through the NAT device, through an external entity installing policies on the NAT router, or as a result of an asynchronous event like a timer. The list of events is provided in Table 2. Each of these events SHOULD be logged, unless this is administratively prohibited. A NAT device MAY log these events to multiple Collectors if redundancy is required. The network administrator will specify the Collectors to which the log records are to be sent. It is necessary to preserve the list of Collectors and its associated information like the IPv4/IPv6 address, port, and protocol across reboots so that the configuration information is not lost when the device is restarted. The NAT device implementing the IPFIX logging MUST follow the IPFIX specification in [RFC7011].
Logging destination information in a NAT event is discussed in [RFC6302] and [RFC6888]. Logging destination information increases the size of each record and increases the need for storage considerably. It increases the number of log events generated because when the same user connects to a different destination, it results in a log record per destination address. Logging the source and destination addresses results in loss of privacy. Logging of destination addresses and ports, pre- or post-NAT, SHOULD NOT be done [RFC6888]. However, this document provides the necessary fields to log the destination information in cases where they must be logged.
The templates could contain a subset of the IEs shown in Table 1, depending upon the event being logged. For example, a NAT44 session creation template record will contain:
{sourceIPv4Address, postNATSourceIPv4Address, destinationIPv4Address, postNATDestinationIPv4Address, sourceTransportPort, postNAPTSourceTransportPort, destinationTransportPort, postNAPTDestinationTransportPort, internalAddressRealm, natEvent, timeStamp}
An example of the actual event data record is shown below in a human-readable form:
{192.0.2.1, 203.0.113.100, 192.0.2.104, 192.0.2.104, 14800, 1024, 80, 80, 0, 1, 09:20:10:789}
A single NAT device could be exporting multiple templates, and the Collector MUST support receiving multiple templates from the same source.
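As an added example (not code from this RFC), the NAT44 session create template and data record shown above, encoded into an IPFIX message as an Exporter would send it and decoded back on the Collector side. The IE IDs and lengths follow Table 1 and the natEvent value follows Table 2; the addresses, ports, timestamps and the Observation Domain ID are constructed sample values.

```python
"""Encode and decode an IPFIX message (RFC 7011 layout) carrying one NAT44
session create event: IE IDs from Table 1, natEvent value from Table 2.
Addresses, ports, times and the Observation Domain ID are constructed."""
import struct
from ipaddress import IPv4Address
IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2        # Set ID reserved for Template Sets
TEMPLATE_ID = 256          # lowest Template ID an Exporter may assign
VARLEN = 0xFFFF            # field length meaning "variable-length IE"
NAT44_SESSION_CREATE = 4   # natEvent value from Table 2
# NAT44 session create template fields (Section 4.2): (IE name, IANA IPFIX ID,
# octets).  internalAddressRealm is an octetArray, exported variable-length here.
NAT44_SESSION_CREATE_TEMPLATE = [
    ("sourceIPv4Address", 8, 4), ("postNATSourceIPv4Address", 225, 4),
    ("destinationIPv4Address", 12, 4), ("postNATDestinationIPv4Address", 226, 4),
    ("sourceTransportPort", 7, 2), ("postNAPTSourceTransportPort", 227, 2),
    ("destinationTransportPort", 11, 2), ("postNAPTDestinationTransportPort", 228, 2),
    ("internalAddressRealm", 464, VARLEN), ("natEvent", 230, 1),
    ("observationTimeMilliseconds", 323, 8),  # "timeStamp" in this document
]
IE_NAMES = {ie_id: name for name, ie_id, _ in NAT44_SESSION_CREATE_TEMPLATE}
IPV4_IES = {8, 12, 225, 226}

def encode_field(ie_len, value):
    """Encode one field value big-endian, per RFC 7011 Section 7."""
    if ie_len == VARLEN:
        # Variable-length form: 1-octet length prefix for values < 255 octets.
        if len(value) >= 255:
            raise ValueError("3-octet length form needed for >= 255 octets")
        return bytes([len(value)]) + value
    return int(value).to_bytes(ie_len, "big")

def build_message(record, export_time, seq, obs_domain_id):
    """Exporter side: one Template Set followed by one Data Set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(NAT44_SESSION_CREATE_TEMPLATE))
    for _, ie_id, ie_len in NAT44_SESSION_CREATE_TEMPLATE:
        tmpl += struct.pack("!HH", ie_id, ie_len)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_field(ie_len, record[name])
                    for name, _, ie_len in NAT44_SESSION_CREATE_TEMPLATE)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body),
                         export_time, seq, obs_domain_id)
    return header + body

def decode_record(body, off, fields):
    """Decode one Data Record, naming fields from Table 1 where known."""
    rec = {}
    for ie_id, ie_len in fields:
        if ie_len == VARLEN:
            ie_len, off = body[off], off + 1
            value = body[off:off + ie_len]
        else:
            value = int.from_bytes(body[off:off + ie_len], "big")
            if ie_id in IPV4_IES:
                value = str(IPv4Address(value))
        rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = value
        off += ie_len
    return rec, off

def decode_message(msg):
    """Collector side: learn Templates, then decode Data Sets; returns (ODID, records)."""
    version, length, _, _, obs_domain_id = struct.unpack_from("!HHIII", msg, 0)
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, pos = {}, [], 16
    while pos < len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4:
            raise ValueError("bad Set length")   # would otherwise loop forever
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack_from("!HH", body, 0)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i)
                              for i in range(count)]
        elif set_id >= 256:
            if set_id not in templates:
                raise ValueError(f"Data Set for unknown Template ID {set_id}")
            fields = templates[set_id]
            # A Set may end in padding shorter than the smallest record.
            min_len, off = sum(1 if n == VARLEN else n for _, n in fields), 0
            while len(body) - off >= min_len:
                rec, off = decode_record(body, off, fields)
                records.append(rec)
    return obs_domain_id, records

# Constructed sample matching the human-readable record in Section 4.2.
SAMPLE_EVENT = dict(zip(IE_NAMES.values(), [
    IPv4Address("192.0.2.1"), IPv4Address("203.0.113.100"),
    IPv4Address("192.0.2.104"), IPv4Address("192.0.2.104"),
    14800, 1024, 80, 80, b"\x00", NAT44_SESSION_CREATE,
    1512000010789,  # observationTimeMilliseconds, constructed epoch ms
]))

def roundtrip(obs_domain_id=7):
    # Export the sample event, then decode it as the Collector would.
    return decode_message(build_message(SAMPLE_EVENT, 1512000010, 1, obs_domain_id))
```

The Observation Domain ID returned by the decoder is what lets a Collector tell apart events from several NAT devices, together with the source address and port of the transport connection.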
The following table includes all the IEs that a NAT device would need to export the events. The formats of the IEs and the IPFIX IDs are listed. Detailed descriptions of the fields natInstanceID, internalAddressRealm, externalAddressRealm, natQuotaExceededEvent, and natThresholdEvent are included in the IANA Considerations section.
+----------------------------------------+--------+-------+--------------------------------------------------+
| Field Name                             | Size   | IANA  | Description                                      |
|                                        | (bits) | IPFIX |                                                  |
|                                        |        | ID    |                                                  |
+----------------------------------------+--------+-------+--------------------------------------------------+
| timeStamp                              | 64     | 323   | System Time when the event occurred              |
| natInstanceID                          | 32     | 463   | NAT Instance Identifier                          |
| vlanId                                 | 16     | 58    | VLAN ID in case of overlapping networks          |
| ingressVRFID                           | 32     | 234   | VRF ID in case of overlapping networks           |
| sourceIPv4Address                      | 32     | 8     | Source IPv4 Address                              |
| postNATSourceIPv4Address               | 32     | 225   | Translated Source IPv4 Address                   |
| protocolIdentifier                     | 8      | 4     | Transport protocol                               |
| sourceTransportPort                    | 16     | 7     | Source Port                                      |
| postNAPTSourceTransportPort            | 16     | 227   | Translated Source port                           |
| destinationIPv4Address                 | 32     | 12    | Destination IPv4 Address                         |
| postNATDestinationIPv4Address          | 32     | 226   | Translated IPv4 destination address              |
| destinationTransportPort               | 16     | 11    | Destination port                                 |
| postNAPTDestinationTransportPort       | 16     | 228   | Translated Destination port                      |
| sourceIPv6Address                      | 128    | 27    | Source IPv6 address                              |
| destinationIPv6Address                 | 128    | 28    | Destination IPv6 address                         |
| postNATSourceIPv6Address               | 128    | 281   | Translated source IPv6 address                   |
| postNATDestinationIPv6Address          | 128    | 282   | Translated Destination IPv6 address              |
| internalAddressRealm                   | (*)    | 464   | Source Address Realm                             |
| externalAddressRealm                   | (*)    | 465   | Destination Address Realm                        |
| natEvent                               | 8      | 230   | Type of Event                                    |
| portRangeStart                         | 16     | 361   | Allocated port block start                       |
| portRangeEnd                           | 16     | 362   | Allocated Port block end                         |
| natPoolId                              | 32     | 283   | NAT pool Identifier                              |
| natQuotaExceededEvent                  | 32     | 466   | Limit event identifier                           |
| natThresholdEvent                      | 32     | 467   | Threshold event identifier                       |
| maxSessionEntries                      | 32     | 471   | Maximum session entries                          |
| maxBIBEntries                          | 32     | 472   | Maximum bind entries                             |
| maxEntriesPerUser                      | 32     | 473   | Maximum entries per-user                         |
| maxSubscribers                         | 32     | 474   | Maximum subscribers                              |
| maxFragmentsPendingReassembly          | 32     | 475   | Maximum fragments for reassembly                 |
| addressPoolHighThreshold               | 32     | 476   | High threshold for address pool                  |
| addressPoolLowThreshold                | 32     | 477   | Low threshold for address pool                   |
| addressPortMappingHighThreshold        | 32     | 478   | High threshold for address/port mapping          |
| addressPortMappingLowThreshold         | 32     | 479   | Low threshold for address/port mapping           |
| addressPortMappingPerUserHighThreshold | 32     | 480   | High threshold for per-user address/port mapping |
| globalAddressMappingHighThreshold      | 32     | 481   | High threshold for global address mapping        |
+----------------------------------------+--------+-------+--------------------------------------------------+
Note: (*) indicates octetArray
Table 1: NAT IE List
The following is the complete list of NAT events and the proposed event type values. The natEvent IE is defined in the "IPFIX Information Elements" registry [IPFIX-IANA]. The list can be expanded in the future as necessary. The data record will have the corresponding natEvent value to indicate the event that is being logged.
Note that the first two events are marked "Historic" and are listed here for the sole purpose of completeness. Any compliant implementation SHOULD NOT use the events that are marked "Historic". These values were defined prior to the existence of this document and outside the IETF. These events are not standalone and require more information to be conveyed to qualify the event. For example, the NAT translation create event does not specify if it is NAT44 or NAT64. As a result, the Behave working group decided to have an explicit definition for each one of the unique events.
+-------+------------------------------------+
| Value | Event Name                         |
+-------+------------------------------------+
| 0     | Reserved                           |
| 1     | NAT translation create (Historic)  |
| 2     | NAT translation delete (Historic)  |
| 3     | NAT Addresses exhausted            |
| 4     | NAT44 session create               |
| 5     | NAT44 session delete               |
| 6     | NAT64 session create               |
| 7     | NAT64 session delete               |
| 8     | NAT44 BIB create                   |
| 9     | NAT44 BIB delete                   |
| 10    | NAT64 BIB create                   |
| 11    | NAT64 BIB delete                   |
| 12    | NAT ports exhausted                |
| 13    | Quota Exceeded                     |
| 14    | Address binding create             |
| 15    | Address binding delete             |
| 16    | Port block allocation              |
| 17    | Port block de-allocation           |
| 18    | Threshold Reached                  |
+-------+------------------------------------+
Table 2: NAT Event ID
The Quota Exceeded event is a natEvent IE described in Table 2. The Quota Exceeded events are generated when the hard limits set by the administrator have been reached or exceeded. The following table shows the sub-event types for the Quota Exceeded event. The events that can be reported are the maximum session entries limit reached, maximum BIB entries limit reached, maximum (session/BIB) entries per user limit reached, maximum active hosts or subscribers limit reached, and maximum Fragments pending reassembly limit reached.
+-------+---------------------------------------+
| Value | Quota Exceeded Event Name             |
+-------+---------------------------------------+
| 0     | Reserved                              |
| 1     | Maximum session entries               |
| 2     | Maximum BIB entries                   |
| 3     | Maximum entries per user              |
| 4     | Maximum active hosts or subscribers   |
| 5     | Maximum fragments pending reassembly  |
+-------+---------------------------------------+
Table 3: Quota Exceeded Event
The following table shows the sub-event types for the Threshold Reached event. The administrator can configure the thresholds, and whenever the threshold is reached or exceeded, the corresponding events are generated. The main difference between the Quota Exceeded and Threshold Reached events is that, once the Quota Exceeded events are hit, the packets are dropped or mappings will not be created, whereas the Threshold Reached events will provide the operator a chance to take action before the traffic disruptions can happen. A NAT device can choose to implement one or the other, or both.
The address pool high threshold event will be reported when the address pool reaches a high-water mark as defined by the operator. This will serve as an indication that either the operator might have to add more addresses to the pool or the subsequent users may be denied NAT translation mappings.
The address pool low threshold event will be reported when the address pool reaches a low-water mark as defined by the operator. This will serve as an indication that the operator can reclaim some of the global IPv4 addresses in the pool.
The address and port mapping high threshold event is generated when the number of ports in the configured address pool has reached a configured threshold.
The per-user address and port mapping high threshold is generated when a single user utilizes more address and port mapping than a configured threshold. We don't track the low threshold for per-user address and port mappings because, as the ports are freed, the address will become available. The address pool low threshold event will then be triggered so that the global IPv4 address can be reclaimed.
The global address mapping high threshold event is generated when the maximum number of mappings per user is reached for a NAT device doing paired-address pooling.
+-------+---------------------------------------------------------+
| Value | Threshold Exceeded Event Name                           |
+-------+---------------------------------------------------------+
| 0     | Reserved                                                |
| 1     | Address pool high threshold event                       |
| 2     | Address pool low threshold event                        |
| 3     | Address and port mapping high threshold event           |
| 4     | Address and port mapping per user high threshold event  |
| 5     | Global address mapping high threshold event             |
+-------+---------------------------------------------------------+
Table 4: Threshold Event
The following is the template of events that will be logged. The events below are identified at the time of this writing, but the set of events is extensible. A NAT device that implements a given NAT event MUST support the mandatory IEs in the templates. Depending on the implementation and configuration, various IEs that are not mandatory can be included or ignored.
These events will be generated when a NAT44 session is created or deleted. The template will be the same; the natEvent will indicate whether it is a create or a delete event. The following is a template of the event.
The destination address and port information is optional as required by [RFC6888]. However, when the destination information is suppressed, the session log event contains the same information as the BIB event. In such cases, the NAT device SHOULD NOT send both BIB and session events.
+----------------------------------+-------------+-----------+
| Field Name                       | Size (bits) | Mandatory |
+----------------------------------+-------------+-----------+
| timeStamp                        | 64          | Yes       |
| natEvent                         | 8           | Yes       |
| sourceIPv4Address                | 32          | Yes       |
| postNATSourceIPv4Address         | 32          | Yes       |
| protocolIdentifier               | 8           | Yes       |
| sourceTransportPort              | 16          | Yes       |
| postNAPTSourceTransportPort      | 16          | Yes       |
| destinationIPv4Address           | 32          | No        |
| postNATDestinationIPv4Address    | 32          | No        |
| destinationTransportPort         | 16          | No        |
| postNAPTDestinationTransportPort | 16          | No        |
| natInstanceID                    | 32          | No        |
| vlanID/ingressVRFID              | 16/32       | No        |
| internalAddressRealm             | octetArray  | No        |
| externalAddressRealm             | octetArray  | No        |
+----------------------------------+-------------+-----------+
Table 5: NAT44 Session Delete/Create Template
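As an added example (not code from the RFC or from any NAT implementation), the following Python packs and parses a NAT44 session create/delete record using the field sizes of Table 5 and rejects the Historic natEvent values of Table 2 on decode; the fixed record layout, the dataclass field names and the sample addresses are assumptions of the example, not the IPFIX wire format.

```python
"""Added example (not RFC 8158 code): pack/parse a NAT44 session create or
delete record with the Table 5 field sizes and check natEvent against
Table 2.  The fixed layout used here is an assumption, not the IPFIX wire
format, which carries these fields as template-described records."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

NAT_EVENT_NAMES = {  # natEvent values, Table 2
    0: "Reserved", 1: "NAT translation create (Historic)",
    2: "NAT translation delete (Historic)", 3: "NAT Addresses exhausted",
    4: "NAT44 session create", 5: "NAT44 session delete",
    6: "NAT64 session create", 7: "NAT64 session delete",
    8: "NAT44 BIB create", 9: "NAT44 BIB delete",
    10: "NAT64 BIB create", 11: "NAT64 BIB delete",
    12: "NAT ports exhausted", 13: "Quota Exceeded",
    14: "Address binding create", 15: "Address binding delete",
    16: "Port block allocation", 17: "Port block de-allocation",
    18: "Threshold Reached",
}
HISTORIC_EVENTS = {1, 2}       # compliant implementations SHOULD NOT use these
NAT44_SESSION_EVENTS = {4, 5}  # the only natEvent values valid with Table 5

# Mandatory Table 5 fields in table order: timeStamp(64) natEvent(8)
# sourceIPv4Address(32) postNATSourceIPv4Address(32) protocolIdentifier(8)
# sourceTransportPort(16) postNAPTSourceTransportPort(16) -> 22 bytes
_MANDATORY = struct.Struct("!QBIIBHH")
# Optional Table 5 fields: destinationIPv4Address(32)
# postNATDestinationIPv4Address(32) destinationTransportPort(16)
# postNAPTDestinationTransportPort(16) -> 12 bytes
_DESTINATION = struct.Struct("!IIHH")


@dataclass
class Nat44SessionEvent:
    timestamp_ms: int
    nat_event: int
    src: IPv4Address
    post_nat_src: IPv4Address
    proto: int
    src_port: int
    post_napt_src_port: int
    dst: Optional[IPv4Address] = None
    post_nat_dst: Optional[IPv4Address] = None
    dst_port: Optional[int] = None
    post_napt_dst_port: Optional[int] = None

    def is_bib_equivalent(self) -> bool:
        """Destination suppressed: the record carries the same information
        as the NAT44 BIB event, so the device SHOULD NOT send both."""
        return self.dst is None


def encode(ev: Nat44SessionEvent) -> bytes:
    head = _MANDATORY.pack(ev.timestamp_ms, ev.nat_event, int(ev.src),
                           int(ev.post_nat_src), ev.proto, ev.src_port,
                           ev.post_napt_src_port)
    if ev.dst is None:
        return head
    if None in (ev.post_nat_dst, ev.dst_port, ev.post_napt_dst_port):
        raise ValueError("destination block must be complete or absent")
    return head + _DESTINATION.pack(int(ev.dst), int(ev.post_nat_dst),
                                    ev.dst_port, ev.post_napt_dst_port)


def decode(buf: bytes) -> Nat44SessionEvent:
    if len(buf) not in (_MANDATORY.size, _MANDATORY.size + _DESTINATION.size):
        raise ValueError(f"unexpected record length {len(buf)}")
    ts, code, src, psrc, proto, sport, psport = _MANDATORY.unpack_from(buf, 0)
    if code in HISTORIC_EVENTS:
        raise ValueError(f"natEvent {code} is Historic: {NAT_EVENT_NAMES[code]}")
    if code not in NAT44_SESSION_EVENTS:
        raise ValueError(f"natEvent {code} is not a NAT44 session event")
    ev = Nat44SessionEvent(ts, code, IPv4Address(src), IPv4Address(psrc),
                           proto, sport, psport)
    if len(buf) > _MANDATORY.size:
        d, pd, dport, pdport = _DESTINATION.unpack_from(buf, _MANDATORY.size)
        ev.dst, ev.post_nat_dst = IPv4Address(d), IPv4Address(pd)
        ev.dst_port, ev.post_napt_dst_port = dport, pdport
    return ev


def decode_error(buf: bytes) -> Optional[str]:
    """Reason a Collector would reject the record, or None if it decodes."""
    try:
        decode(buf)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample records (documentation address ranges), not from the RFC.
SAMPLE_CREATE = Nat44SessionEvent(
    1512000000000, 4, IPv4Address("10.0.0.5"), IPv4Address("198.51.100.7"),
    6, 40000, 1025, IPv4Address("203.0.113.10"), IPv4Address("203.0.113.10"),
    443, 443)
SAMPLE_DELETE_NO_DST = Nat44SessionEvent(
    1512000600000, 5, IPv4Address("10.0.0.5"), IPv4Address("198.51.100.7"),
    6, 40000, 1025)
SAMPLE_HISTORIC = Nat44SessionEvent(  # natEvent 1, rejected on decode
    1512000000000, 1, IPv4Address("10.0.0.5"), IPv4Address("198.51.100.7"),
    17, 5000, 2000)
```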
These events will be generated when a NAT64 session is created or deleted. The following is a template of the event.
+----------------------------------+-------------+-----------+
| Field Name                       | Size (bits) | Mandatory |
+----------------------------------+-------------+-----------+
| timeStamp                        | 64          | Yes       |
| natEvent                         | 8           | Yes       |
| sourceIPv6Address                | 128         | Yes       |
| postNATSourceIPv4Address         | 32          | Yes       |
| protocolIdentifier               | 8           | Yes       |
| sourceTransportPort              | 16          | Yes       |
| postNAPTSourceTransportPort      | 16          | Yes       |
| destinationIPv6Address           | 128         | No        |
| postNATDestinationIPv4Address    | 32          | No        |
| destinationTransportPort         | 16          | No        |
| postNAPTDestinationTransportPort | 16          | No        |
| natInstanceID                    | 32          | No        |
| vlanID/ingressVRFID              | 16/32       | No        |
| internalAddressRealm             | octetArray  | No        |
| externalAddressRealm             | octetArray  | No        |
+----------------------------------+-------------+-----------+
Table 6: NAT64 Session Create/Delete Event Template
These events will be generated when a NAT44 Bind entry is created or deleted. The following is a template of the event.
+-----------------------------+-------------+-----------+
| Field Name                  | Size (bits) | Mandatory |
+-----------------------------+-------------+-----------+
| timeStamp                   | 64          | Yes       |
| natEvent                    | 8           | Yes       |
| sourceIPv4Address           | 32          | Yes       |
| postNATSourceIPv4Address    | 32          | Yes       |
| protocolIdentifier          | 8           | No        |
| sourceTransportPort         | 16          | No        |
| postNAPTSourceTransportPort | 16          | No        |
| natInstanceID               | 32          | No        |
| vlanID/ingressVRFID         | 16/32       | No        |
| internalAddressRealm        | octetArray  | No        |
| externalAddressRealm        | octetArray  | No        |
+-----------------------------+-------------+-----------+
Table 7: NAT44 BIB Create/Delete Event Template
These events will be generated when a NAT64 Bind entry is created or deleted. The following is a template of the event.
+-----------------------------+-------------+-----------+
| Field Name                  | Size (bits) | Mandatory |
+-----------------------------+-------------+-----------+
| timeStamp                   | 64          | Yes       |
| natEvent                    | 8           | Yes       |
| sourceIPv6Address           | 128         | Yes       |
| postNATSourceIPv4Address    | 32          | Yes       |
| protocolIdentifier          | 8           | No        |
| sourceTransportPort         | 16          | No        |
| postNAPTSourceTransportPort | 16          | No        |
| natInstanceID               | 32          | No        |
| vlanID/ingressVRFID         | 16/32       | No        |
| internalAddressRealm        | octetArray  | No        |
| externalAddressRealm        | octetArray  | No        |
+-----------------------------+-------------+-----------+
Table 8: NAT64 BIB Create/Delete Event Template
This event will be generated when a NAT device runs out of global IPv4 addresses in a given pool of addresses. Typically, this event would mean that the NAT device won't be able to create any new translations until some addresses/ports are freed. This event SHOULD be rate-limited, as many packets hitting the device at the same time will trigger a burst of addresses exhausted events.
The following is a template of the event.
+---------------+-------------+-----------+
| Field Name    | Size (bits) | Mandatory |
+---------------+-------------+-----------+
| timeStamp     | 64          | Yes       |
| natEvent      | 8           | Yes       |
| natPoolID     | 32          | Yes       |
| natInstanceID | 32          | No        |
+---------------+-------------+-----------+
Table 9: Addresses Exhausted Event Template
This event will be generated when a NAT device runs out of ports for a global IPv4 address. Port exhaustion shall be reported per protocol (UDP, TCP, etc.). This event SHOULD be rate-limited, as many packets hitting the device at the same time will trigger a burst of port exhausted events.
The following is a template of the event.
+--------------------------+-------------+-----------+
| Field Name               | Size (bits) | Mandatory |
+--------------------------+-------------+-----------+
| timeStamp                | 64          | Yes       |
| natEvent                 | 8           | Yes       |
| postNATSourceIPv4Address | 32          | Yes       |
| protocolIdentifier       | 8           | Yes       |
| natInstanceID            | 32          | No        |
+--------------------------+-------------+-----------+
Table 10: Ports Exhausted Event Template
This event will be generated when a NAT device cannot allocate resources as a result of an administratively defined policy. The Quota Exceeded event templates are described below.
The maximum session entries exceeded event is generated when the administratively configured NAT session limit is reached. The following is the template of the event.
+-----------------------+-------------+-----------+
| Field Name            | Size (bits) | Mandatory |
+-----------------------+-------------+-----------+
| timeStamp             | 64          | Yes       |
| natEvent              | 8           | Yes       |
| natQuotaExceededEvent | 32          | Yes       |
| maxSessionEntries     | 32          | Yes       |
| natInstanceID         | 32          | No        |
+-----------------------+-------------+-----------+
Table 11: Session Entries Exceeded Event Template
The maximum BIB entries exceeded event is generated when the administratively configured BIB entry limit is reached. The following is the template of the event.
+-----------------------+-------------+-----------+
| Field Name            | Size (bits) | Mandatory |
+-----------------------+-------------+-----------+
| timeStamp             | 64          | Yes       |
| natEvent              | 8           | Yes       |
| natQuotaExceededEvent | 32          | Yes       |
| maxBIBEntries         | 32          | Yes       |
| natInstanceID         | 32          | No        |
+-----------------------+-------------+-----------+
Table 12: BIB Entries Exceeded Event Template
This event is generated when a single user reaches the administratively configured NAT translation limit. The following is the template of the event.
+-----------------------+-------------+---------------+
| Field Name            | Size (bits) | Mandatory     |
+-----------------------+-------------+---------------+
| timeStamp             | 64          | Yes           |
| natEvent              | 8           | Yes           |
| natQuotaExceededEvent | 32          | Yes           |
| maxEntriesPerUser     | 32          | Yes           |
| sourceIPv4Address     | 32          | Yes for NAT44 |
| sourceIPv6Address     | 128         | Yes for NAT64 |
| natInstanceID         | 32          | No            |
| vlanID/ingressVRFID   | 16/32       | No            |
+-----------------------+-------------+---------------+
Table 13: Per-User Entries Exceeded Event Template
This event is generated when the number of allowed hosts or subscribers reaches the administratively configured limit. The following is the template of the event.
+-----------------------+-------------+-----------+
| Field Name            | Size (bits) | Mandatory |
+-----------------------+-------------+-----------+
| timeStamp             | 64          | Yes       |
| natEvent              | 8           | Yes       |
| natQuotaExceededEvent | 32          | Yes       |
| maxSubscribers        | 32          | Yes       |
| natInstanceID         | 32          | No        |
+-----------------------+-------------+-----------+
Table 14: Maximum Hosts/Subscribers Exceeded Event Template
This event is generated when the number of fragments pending reassembly reaches the administratively configured limit. Note that in the case of NAT64, when this condition is detected in the IPv6-to-IPv4 direction, the IPv6 source address is mandatory in the template. Similarly, when this condition is detected in IPv4-to-IPv6 direction, the source IPv4 address is mandatory in the template below. The following is the template of the event.
+-------------------------------+-------------+----------------+
| Field Name                    | Size (bits) | Mandatory      |
+-------------------------------+-------------+----------------+
| timeStamp                     | 64          | Yes            |
| natEvent                      | 8           | Yes            |
| natQuotaExceededEvent         | 32          | Yes            |
| maxFragmentsPendingReassembly | 32          | Yes            |
| sourceIPv4Address             | 32          | Yes for NAT44  |
| sourceIPv6Address             | 128         | Yes for NAT64  |
| natInstanceID                 | 32          | No             |
| vlanID/ingressVRFID           | 16/32       | No             |
| internalAddressRealm          | octetArray  | No             |
+-------------------------------+-------------+----------------+
Table 15: Maximum Fragments Pending Reassembly Exceeded Event Template
This event will be generated when a NAT device reaches an operator-configured threshold when allocating resources. The Threshold Reached events are described in the section above. The following is a template of the individual events.
This event is generated when the high or low threshold is reached for the address pool. The template is the same for both high and low threshold events.
+----------------------------------------------+--------+-----------+
| Field Name                                   | Size   | Mandatory |
|                                              | (bits) |           |
+----------------------------------------------+--------+-----------+
| timeStamp                                    | 64     | Yes       |
| natEvent                                     | 8      | Yes       |
| natThresholdEvent                            | 32     | Yes       |
| natPoolID                                    | 32     | Yes       |
| addressPoolHighThreshold/                    | 32     | Yes       |
| addressPoolLowThreshold                      |        |           |
| natInstanceID                                | 32     | No        |
+----------------------------------------------+--------+-----------+
Table 16: Address Pool High/Low Threshold Reached Event Template
This event is generated when the high threshold is reached for the address pool and ports.
+----------------------------------------------+--------+-----------+
| Field Name                                   | Size   | Mandatory |
|                                              | (bits) |           |
+----------------------------------------------+--------+-----------+
| timeStamp                                    | 64     | Yes       |
| natEvent                                     | 8      | Yes       |
| natThresholdEvent                            | 32     | Yes       |
| addressPortMappingHighThreshold/             | 32     | Yes       |
| addressPortMappingLowThreshold               |        |           |
| natInstanceID                                | 32     | No        |
+----------------------------------------------+--------+-----------+
Table 17: Address Port High Threshold Reached Event Template
This event is generated when the high threshold is reached for the per-user address pool and ports.
+----------------------------------------------+--------+-----------+
| Field Name                                   | Size   | Mandatory |
|                                              | (bits) |           |
+----------------------------------------------+--------+-----------+
| timeStamp                                    | 64     | Yes       |
| natEvent                                     | 8      | Yes       |
| natThresholdEvent                            | 32     | Yes       |
| addressPortMappingHighThreshold/             | 32     | Yes       |
| addressPortMappingLowThreshold               |        |           |
| sourceIPv4Address                            | 32     | Yes for   |
|                                              |        | NAT44     |
| sourceIPv6Address                            | 128    | Yes for   |
|                                              |        | NAT64     |
| natInstanceID                                | 32     | No        |
| vlanID/ingressVRFID                          | 16/32  | No        |
+----------------------------------------------+--------+-----------+
Table 18: Address and Port Mapping per User High Threshold Reached Event Template
This event is generated when the high threshold is reached for the per-user address pool and ports. This is generated only by NAT devices that use a paired-address-pooling behavior.
+-----------------------------------+-------------+-----------+
| Field Name                        | Size (bits) | Mandatory |
+-----------------------------------+-------------+-----------+
| timeStamp                         | 64          | Yes       |
| natEvent                          | 8           | Yes       |
| natThresholdEvent                 | 32          | Yes       |
| globalAddressMappingHighThreshold | 32          | Yes       |
| natInstanceID                     | 32          | No        |
| vlanID/ingressVRFID               | 16/32       | No        |
+-----------------------------------+-------------+-----------+
Table 19: Global Address Mapping High Threshold Reached Event Template
These events will be generated when a NAT device binds a local address with a global address and when the global address is freed. A NAT device will generate the binding events when it receives the first packet of the first flow from a host in the private realm.
+--------------------------+-------------+---------------+
| Field Name               | Size (bits) | Mandatory     |
+--------------------------+-------------+---------------+
| timeStamp                | 64          | Yes           |
| natEvent                 | 8           | Yes           |
| sourceIPv4Address        | 32          | Yes for NAT44 |
| sourceIPv6Address        | 128         | Yes for NAT64 |
| postNATSourceIPv4Address | 32          | Yes           |
| natInstanceID            | 32          | No            |
+--------------------------+-------------+---------------+
Table 20: NAT Address Binding Template
This event will be generated when a NAT device allocates/de-allocates ports in a bulk fashion, as opposed to allocating a port on a per-flow basis.
portRangeStart represents the starting value of the range.
portRangeEnd represents the ending value of the range.
NAT devices would do this in order to reduce logs and to potentially limit the number of connections a subscriber is allowed to use. In the following Port Block allocation template, the portRangeStart and portRangeEnd MUST be specified.
It is up to the implementation to choose to consolidate log records in case two consecutive port ranges for the same user are allocated or freed.
+--------------------------+-------------+---------------+
| Field Name               | Size (bits) | Mandatory     |
+--------------------------+-------------+---------------+
| timeStamp                | 64          | Yes           |
| natEvent                 | 8           | Yes           |
| sourceIPv4Address        | 32          | Yes for NAT44 |
| sourceIPv6Address        | 128         | Yes for NAT64 |
| postNATSourceIPv4Address | 32          | Yes           |
| portRangeStart           | 16          | Yes           |
| portRangeEnd             | 16          | No            |
| natInstanceID            | 32          | No            |
+--------------------------+-------------+---------------+
Table 21: NAT Port Block Allocation Event Template
This section considers requirements for management of the log system to support logging of the events described above. It first covers requirements applicable to log management in general. Any additional standardization required to fulfill these requirements is out of scope of the present document. Some management considerations are covered in [NAT-LOG]. This document covers the additional considerations.
An IPFIX Collector MUST be able to collect events from multiple NAT devices and decipher events based on the Observation Domain ID in the IPFIX header.
The exhaustion events can be overwhelming during traffic bursts; hence, they SHOULD be handled by the NAT devices to rate-limit them before sending them to the Collectors. For example, when the port exhaustion happens during bursty conditions, instead of sending a port exhaustion event for every packet, the exhaustion events SHOULD be rate-limited by the NAT device.
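As an added example (not from the RFC or any NAT implementation), the following Python applies per-key rate limiting to Ports Exhausted events before export, keyed by the Table 10 fields postNATSourceIPv4Address and protocolIdentifier since port exhaustion is reported per protocol; the token-bucket policy, its parameters and the constructed sample scenario are assumptions of the example, as the text only says these events SHOULD be rate-limited.

```python
"""Added example (not RFC 8158 code): rate-limit Ports Exhausted events
(Table 10) on the NAT device before they are exported.  One bucket per
(postNATSourceIPv4Address, protocolIdentifier); the token-bucket policy and
its defaults are assumptions, the RFC only says the events SHOULD be
rate-limited.  Suppressed events are counted so the loss stays visible."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NAT_PORTS_EXHAUSTED = 12  # natEvent value from Table 2


@dataclass
class PortsExhaustedEvent:
    """Mandatory fields of Table 10 (natInstanceID omitted for brevity)."""
    timestamp_ms: int
    post_nat_src: str           # postNATSourceIPv4Address
    proto: int                  # protocolIdentifier (6 = TCP, 17 = UDP)
    nat_event: int = NAT_PORTS_EXHAUSTED

    def key(self) -> Tuple[str, int]:
        """Exhaustion is reported per protocol, so the key includes it."""
        return (self.post_nat_src, self.proto)


@dataclass
class _Bucket:
    tokens: float
    last_ms: int
    suppressed: int = 0


class ExhaustionRateLimiter:
    """Token bucket per exhausted (address, protocol): at most `burst`
    events back to back, then `per_second` sustained."""

    def __init__(self, burst: int = 5, per_second: float = 1.0) -> None:
        self.burst = burst
        self.per_second = per_second
        self._buckets: Dict[Tuple[str, int], _Bucket] = {}

    def offer(self, ev: PortsExhaustedEvent) -> bool:
        """Return True if `ev` should be exported to the Collector."""
        key = ev.key()
        b = self._buckets.get(key)
        if b is None:
            b = _Bucket(tokens=float(self.burst), last_ms=ev.timestamp_ms)
            self._buckets[key] = b
        # Refill proportionally to elapsed time; ignore clock going backwards.
        elapsed_ms = max(0, ev.timestamp_ms - b.last_ms)
        b.tokens = min(float(self.burst),
                       b.tokens + elapsed_ms * self.per_second / 1000.0)
        b.last_ms = max(b.last_ms, ev.timestamp_ms)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        b.suppressed += 1
        return False

    def suppressed(self, key: Tuple[str, int]) -> int:
        """How many events for `key` were dropped instead of exported."""
        b = self._buckets.get(key)
        return b.suppressed if b else 0


def export_filter(limiter: ExhaustionRateLimiter,
                  events: List[PortsExhaustedEvent]) -> List[PortsExhaustedEvent]:
    """Keep only the events the limiter allows, in arrival order."""
    return [ev for ev in events if limiter.offer(ev)]


def burst_demo(burst: int = 5, packets: int = 500) -> Tuple[int, int, int]:
    """Constructed scenario (not from the RFC): `packets` new TCP flows hit
    one exhausted global address in the same millisecond, plus one UDP
    exhaustion on the same address.  Returns
    (tcp_exported, tcp_suppressed, udp_exported)."""
    limiter = ExhaustionRateLimiter(burst=burst, per_second=1.0)
    t0 = 1512000000000
    tcp = [PortsExhaustedEvent(t0, "198.51.100.7", 6) for _ in range(packets)]
    udp = [PortsExhaustedEvent(t0, "198.51.100.7", 17)]
    tcp_out = export_filter(limiter, tcp)
    udp_out = export_filter(limiter, udp)
    return len(tcp_out), limiter.suppressed(("198.51.100.7", 6)), len(udp_out)
```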
IANA has registered the following IEs in the "IPFIX Information Elements" registry at [IPFIX-IANA].
ElementID: 463
Name: natInstanceID
Description: This Information Element uniquely identifies an Instance of the NAT that runs on a NAT middlebox function after the packet passes the Observation Point. natInstanceID is defined in [RFC7659].
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 464
Name: internalAddressRealm
Description: This Information Element represents the internal address realm where the packet is originated from or destined to. By definition, a NAT mapping can be created from two address realms, one from internal and one from external. Realms are implementation dependent and can represent a Virtual Routing and Forwarding (VRF) ID, a VLAN ID, or some unique identifier. Realms are optional and, when left unspecified, would mean that the external and internal realms are the same.
Abstract Data Type: octetArray
Data Type Semantics: identifier
Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 465
元素ID:465
Name: externalAddressRealm
名称:externalAddressRealm
Description: This Information Element represents the external address realm where the packet is originated from or destined to. The detailed definition is in the internal address realm as specified above.
描述:此信息元素表示数据包来源或目的地的外部地址域。详细定义在上面指定的内部地址域中。
Abstract Data Type: octetArray
抽象数据类型:Octeraray
Data Type Semantics: identifier
数据类型语义:标识符
Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
参考:有关IPv4源地址字段的定义,请参阅[RFC791]。NAT的定义见[RFC3022]。有关中间盒的定义,请参见[RFC3234]。
ElementID: 466
元素ID:466
Name: natQuotaExceededEvent
名称:NatQuoteAExceedEvent
Description: This Information Element identifies the type of a NAT Quota Exceeded event. Values for this Information Element are listed in the "NAT Quota Exceeded Event Type" registry, see [IPFIX-IANA]. Initial values in the registry are defined by the table below. New assignments of values will be administered by IANA and are subject to Expert Review [RFC8126]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.
描述:此信息元素标识NAT配额超出事件的类型。此信息元素的值列在“NAT配额超出事件类型”注册表中,请参阅[IPFIX-IANA]。注册表中的初始值由下表定义。新的价值分配将由IANA管理,并接受专家审查[RFC8126]。专家需要检查新值定义的完整性、准确性和冗余性。
+--------+---------------------------------------+
| Value  | Quota Exceeded Event Name             |
+--------+---------------------------------------+
| 0      | Reserved                              |
| 1      | Maximum session entries               |
| 2      | Maximum BIB entries                   |
| 3      | Maximum entries per user              |
| 4      | Maximum active hosts or subscribers   |
| 5      | Maximum fragments pending reassembly  |
+--------+---------------------------------------+
Note: This is the same as Table 3.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 467
Name: natThresholdEvent
Description: This Information Element identifies a type of a NAT Threshold event. Values for this Information Element are listed in the "NAT Threshold Event Type" registry, see [IPFIX-IANA]. Initial values in the registry are defined by the table below. New assignments of values will be administered by IANA and are subject to Expert Review [RFC8126]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.
+--------+---------------------------------------------------------+
| Value  | Threshold Exceeded Event Name                           |
+--------+---------------------------------------------------------+
| 0      | Reserved                                                |
| 1      | Address pool high threshold event                       |
| 2      | Address pool low threshold event                        |
| 3      | Address and port mapping high threshold event           |
| 4      | Address and port mapping per user high threshold event  |
| 5      | Global address mapping high threshold event             |
+--------+---------------------------------------------------------+
Note: This is the same as Table 4.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC791] for the definition of the IPv4 source address field. See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
The original definition of this Information Element specified only three values: 1, 2, and 3. This definition has been replaced by a registry, to which new values can be added. The semantics of the three originally defined values remain unchanged. IANA maintains the "NAT Event Type (Value 230)" registry for values of this Information Element at [IPFIX-IANA].
ElementID: 230
Name: natEvent
Description: This Information Element identifies a NAT event. This IE identifies the type of a NAT event. Examples of NAT events include, but are not limited to, NAT translation create, NAT translation delete, Threshold Reached, or Threshold Exceeded, etc. Values for this Information Element are listed in the "NAT Event Type" registry, see [IPFIX-IANA]. The NAT event values in the registry are defined by Table 2 in Section 4.3. New assignments of values will be administered by IANA and are subject to Expert Review [RFC8126]. Experts need to check definitions of new values for completeness, accuracy, and redundancy.
Abstract Data Type: unsigned8
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. See RFC 8158 for the definitions of values 4-16.
ElementID: 471
Name: maxSessionEntries
Description: This element represents the maximum session entries that can be created by the NAT device.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 472
Name: maxBIBEntries
Description: This element represents the maximum BIB entries that can be created by the NAT device.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 473
Name: maxEntriesPerUser
Description: This element represents the maximum NAT entries that can be created per user by the NAT device.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 474
Name: maxSubscribers
Description: This element represents the maximum subscribers or maximum hosts that are allowed by the NAT device.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 475
Name: maxFragmentsPendingReassembly
Description: This element represents the maximum fragments that the NAT device can store for reassembling the packet.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 476
Name: addressPoolHighThreshold
Description: This element represents the high threshold value of the number of public IP addresses in the address pool.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 477
Name: addressPoolLowThreshold
Description: This element represents the low threshold value of the number of public IP addresses in the address pool.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 478
Name: addressPortMappingHighThreshold
Description: This element represents the high threshold value of the number of address and port mappings.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 479
Name: addressPortMappingLowThreshold
Description: This element represents the low threshold value of the number of address and port mappings.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 480
Name: addressPortMappingPerUserHighThreshold
Description: This element represents the high threshold value of the number of address and port mappings that a single user is allowed to create on a NAT device.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes.
ElementID: 481
Name: globalAddressMappingHighThreshold
Description: This element represents the high threshold value of the number of address and port mappings that a single user is allowed to create on a NAT device in a paired address pooling behavior.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
Reference: See [RFC3022] for the definition of NAT. See [RFC3234] for the definition of middleboxes. See [RFC4787] for the definition of paired address pooling behavior.
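How the IEs defined above travel on the wire, as an added example that is not code from RFC 8158 or any NAT vendor: an exporter builds an IPFIX message carrying a Template Record and one natQuotaExceededEvent Data Record, and a Collector decodes it and resolves the registry value to its Table 3 name. It assumes the Message, Set and Template layout of [RFC7011] (Version 10, Set ID 2 for Template Sets, Data Set IDs of 256 and above, the 0xFF two-octet form for long variable-length fields); the template ID 256, the realm string and the natEvent constant (whose value comes from Table 2 of RFC 8158, not reproduced on this page) are assumptions.

```python
"""Encode and decode a NAT quota-exceeded event as IPFIX records
(added example, not code from RFC 8158 or any vendor).

Assumes the Message, Set and Template layout of RFC 7011 and the
Element IDs and data types listed above. The natEvent value for
"Quota exceeded" is taken from Table 2 of RFC 8158, which is not
reproduced on this page, so it is an assumed constant here.
"""
import struct
from typing import Dict, List, Tuple

IE_NAT_EVENT = 230                 # unsigned8
IE_NAT_INSTANCE_ID = 463           # unsigned32
IE_INTERNAL_ADDRESS_REALM = 464    # octetArray, exported as variable-length
IE_NAT_QUOTA_EXCEEDED_EVENT = 466  # unsigned32
IE_MAX_SESSION_ENTRIES = 471       # unsigned32
VARLEN = 65535                     # RFC 7011 field length meaning "variable length"
NAT_EVENT_QUOTA_EXCEEDED = 11      # assumed from RFC 8158 Table 2 (not on this page)

# Initial values of the "NAT Quota Exceeded Event Type" registry (Table 3 above).
QUOTA_EXCEEDED_EVENT_NAMES = {
    0: "Reserved", 1: "Maximum session entries", 2: "Maximum BIB entries",
    3: "Maximum entries per user", 4: "Maximum active hosts or subscribers",
    5: "Maximum fragments pending reassembly",
}

QUOTA_TEMPLATE_ID = 256            # constructed template ID (Data Set IDs are >= 256)
QUOTA_TEMPLATE: List[Tuple[int, int]] = [   # (Element ID, field length) in wire order
    (IE_NAT_INSTANCE_ID, 4), (IE_NAT_EVENT, 1), (IE_NAT_QUOTA_EXCEEDED_EVENT, 4),
    (IE_MAX_SESSION_ENTRIES, 4), (IE_INTERNAL_ADDRESS_REALM, VARLEN),
]


def _encode_field(length: int, value) -> bytes:
    if length != VARLEN:
        return int(value).to_bytes(length, "big")
    data = bytes(value)                       # variable-length octetArray
    if len(data) < 255:
        return bytes([len(data)]) + data      # one-octet length prefix
    return b"\xff" + struct.pack("!H", len(data)) + data   # 0xFF then two-octet length


def _set(set_id: int, body: bytes) -> bytes:
    return struct.pack("!HH", set_id, 4 + len(body)) + body   # Set ID, Length incl. header


def build_message(records: List[dict], export_time: int, seq: int, domain: int) -> bytes:
    """Exporter side: a Template Set (Set ID 2) followed by one Data Set."""
    tmpl = struct.pack("!HH", QUOTA_TEMPLATE_ID, len(QUOTA_TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in QUOTA_TEMPLATE)
    data = b"".join(_encode_field(ln, rec[ie]) for rec in records for ie, ln in QUOTA_TEMPLATE)
    body = _set(2, tmpl) + _set(QUOTA_TEMPLATE_ID, data)
    # Message header: Version 10, Length, Export Time, Sequence Number, Observation Domain ID.
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body


def parse_message(msg: bytes) -> List[dict]:
    """Collector side: learn templates from the message, then decode its Data Records."""
    version, length, _time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[dict] = []
    off = 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("bad Set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == 2:                        # Template Set
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(count)]
                p += 4 * count
        elif set_id in templates:              # Data Set for a template we have seen
            fields = templates[set_id]
            min_len = sum(1 if ln == VARLEN else ln for _, ln in fields)
            p = 0
            while len(body) - p >= min_len:    # anything shorter is padding
                rec = {}
                for ie, ln in fields:
                    if ln == VARLEN:
                        ln = body[p]
                        p += 1
                        if ln == 255:          # long form: two-octet length follows
                            ln = struct.unpack("!H", body[p:p + 2])[0]
                            p += 2
                        rec[ie] = body[p:p + ln]
                    else:
                        rec[ie] = int.from_bytes(body[p:p + ln], "big")
                    p += ln
                if IE_NAT_QUOTA_EXCEEDED_EVENT in rec:
                    rec["quotaEventName"] = QUOTA_EXCEEDED_EVENT_NAMES.get(
                        rec[IE_NAT_QUOTA_EXCEEDED_EVENT], "unassigned")
                records.append(rec)
    return records


def sample_round_trip() -> List[dict]:
    """Constructed sample: NAT instance 7 hit its session-entry quota in realm vrf-customer-a."""
    rec = {IE_NAT_INSTANCE_ID: 7, IE_NAT_EVENT: NAT_EVENT_QUOTA_EXCEEDED,
           IE_NAT_QUOTA_EXCEEDED_EVENT: 1, IE_MAX_SESSION_ENTRIES: 65536,
           IE_INTERNAL_ADDRESS_REALM: b"vrf-customer-a"}
    return parse_message(build_message([rec], export_time=1512086400, seq=1, domain=1))
```

A real Collector keeps templates per Observation Domain across messages rather than expecting each message to carry its own, and a registry value it does not recognise (reported here as "unassigned") should be kept rather than dropped, since IANA may assign new values under Expert Review.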
The security considerations listed in detail for IPFIX in [RFC7011] apply to this document as well. As described in [RFC7011], the messages exchanged between the NAT device and the Collector MUST be protected to provide confidentiality, integrity, and authenticity. Without those characteristics, the messages are subject to various kinds of attacks. These attacks are described in great detail in [RFC7011].
This document re-emphasizes the use of Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) for exchanging the log messages between the NAT device and the Collector. The log events sent in cleartext can result in confidential data being exposed to attackers, who could then spoof log events based on the information in cleartext messages. Hence, the log events SHOULD NOT be sent in cleartext.
The logging of NAT events can result in privacy concerns as a result of exporting information such as the source address and port information. The logging of destination information can also cause privacy concerns, but it has been well documented in [RFC6888]. A NAT device can choose to operate in various logging modes if it wants to avoid logging of private information. The Collector that receives the information can also choose to mask the private information but generate reports based on abstract data. It is outside the scope of this document to address the implementation of logging modes for privacy considerations.
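The Collector-side masking the paragraph above describes, as an added example that is not from RFC 8158. It assumes records already decoded into dicts keyed by Element ID (natInstanceID 463, internalAddressRealm 464) plus the constructed keys "srcAddr" and "srcPort" standing in for the source address and port IEs, which this page does not list; the masking technique, a keyed HMAC pseudonym for the address and outright removal of the port, is this example's choice, and the sample records are constructed.

```python
"""Collector-side privacy masking of NAT log records (added example).

Assumptions (not from RFC 8158): records are dicts keyed by Element ID,
with "srcAddr"/"srcPort" as stand-ins for the source address and port
IEs. The internal address is replaced by a keyed pseudonym so per-host
aggregates stay meaningful, and the port is dropped; reports are then
produced from the masked data only.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (natEvent values here are labels only).
SAMPLE_RECORDS: List[dict] = [
    {463: 7, 464: b"vrf-a", "srcAddr": "10.0.0.5", "srcPort": 40001, "natEvent": 1},
    {463: 7, 464: b"vrf-a", "srcAddr": "10.0.0.5", "srcPort": 40002, "natEvent": 1},
    {463: 7, 464: b"vrf-b", "srcAddr": "10.1.0.9", "srcPort": 51000, "natEvent": 1},
    {463: 7, 464: b"vrf-a", "srcAddr": "10.0.0.5", "srcPort": 40001, "natEvent": 2},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Truncated HMAC-SHA256: the same input always yields the same token,
    and the token cannot be reversed to the address without `key`.
    Rotating `key` per reporting period unlinks tokens across periods."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_record(rec: dict, key: bytes) -> dict:
    """Return a copy with the internal address pseudonymized and the port removed."""
    masked = dict(rec)
    if "srcAddr" in masked:
        masked["srcAddr"] = pseudonymize(masked["srcAddr"], key)
    masked.pop("srcPort", None)
    return masked


def summarize(records: List[dict], key: bytes) -> Tuple[Dict[bytes, int], Dict[str, int]]:
    """Reports on abstract data: events per internalAddressRealm (IE 464)
    and per pseudonymous host, computed only from masked records."""
    masked = [mask_record(r, key) for r in records]
    per_realm = Counter(r[464] for r in masked)
    per_host = Counter(r["srcAddr"] for r in masked)
    return dict(per_realm), dict(per_host)
```

The key must be kept as carefully as the raw logs would have been: anyone holding it can recompute the token for a candidate address, which is exactly what makes the pseudonym useful to an authorised investigation and harmful if the key leaks with the reports.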
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008, <https://www.rfc-editor.org/info/rfc5382>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, "Logging Recommendations for Internet-Facing Servers", BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011, <https://www.rfc-editor.org/info/rfc6302>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013, <https://www.rfc-editor.org/info/rfc7011>.
[RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, "Definitions of Managed Objects for Network Address Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, October 2015, <https://www.rfc-editor.org/info/rfc7659>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[IPFIX-IANA] IANA, "IPFIX Information Elements", <http://www.iana.org/assignments/ipfix>.
[NAT-LOG] Chen, Z., Zhou, C., Tsou, T., and T. Taylor, Ed., "Syslog Format for NAT Logging", Work in Progress, draft-ietf-behave-syslog-nat-logging-06, January 2014.
[RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September 1981, <https://www.rfc-editor.org/info/rfc791>.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999, <https://www.rfc-editor.org/info/rfc2663>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, <https://www.rfc-editor.org/info/rfc3022>.
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002, <https://www.rfc-editor.org/info/rfc3234>.
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, DOI 10.17487/RFC5424, March 2009, <https://www.rfc-editor.org/info/rfc5424>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017, <https://www.rfc-editor.org/info/rfc8126>.
Acknowledgements
Thanks to Dan Wing, Selvi Shanmugam, Mohamed Boucadir, Jacni Qin, Ramji Vaithianathan, Simon Perreault, Jean-Francois Tremblay, Paul Aitken, Julia Renouard, Spencer Dawkins, and Brian Trammell for their review and comments.
Authors' Addresses
Senthil Sivakumar Cisco Systems 7100-8 Kit Creek Road Research Triangle Park, NC 27709 United States of America
Phone: +1 919 392 5158 Email: ssenthil@cisco.com
Reinaldo Penno Cisco Systems 170 W Tasman Drive San Jose, CA 95035 United States of America
Email: repenno@cisco.com