Technical Summary
Network operators require NAT devices to log events like creation and
deletion of translations and information about the resources that the
NAT device is managing. The logs are essential in many cases to
identify an attacker or a host that was used to launch malicious
attacks and for various other purposes of accounting. Since there is
no standard way of logging this information, different NAT devices
log the information using proprietary formats, and hence it is
difficult to expect consistent behavior. The lack of a consistent
way to log the data makes it difficult to write the collector
applications that would receive this data and process it to present
useful information. This document describes the formats for logging
of NAT events.
Working Group Summary
For much of its life, this work existed in the BEHAVE working group.
It became an AD-sponsored draft when the BEHAVE working group
was concluded. As a working group draft, it was not controversial,
and much of the focus of discussion was between the authors of this
draft, an MIB NAT management document (now RFCs 7658-7659), and
a SYSLOG NAT management document, working to make sure each
NAT management tool provided equivalent functionality, to the extent
possible.
Document Quality
Reviews were provided by Dan Wing (former BEHAVE WG chair), Paul
Aitken (on general use of IPFIX), Phillip Hallam-Baker (for
SECDIR), Dan Romascanu (for OPDIR), Paul Aitken (for IANA), and
Juergen Quittek and Brian Trammell (for IPFIX IE-doctors).
Tom Taylor checked this draft for consistency with the NAT MIB
draft and the SYSLOG draft, and provided comments.
Personnel
The responsible Area Director is Spencer Dawkins, who is also
acting as document shepherd.