Syslog Format for NAT Logging
draft-ietf-behave-syslog-nat-logging-06

Type: Active Internet-Draft (individual)
Last updated: 2015-10-14 (latest revision 2014-01-24)
Replaces: draft-zhou-behave-syslog-nat-logging
Stream: IETF
Intended RFC status: Proposed Standard
WG state: WG Document
Document shepherd: No shepherd assigned
IESG state: AD Evaluation
Consensus Boilerplate: Unknown
Telechat date:
Responsible AD: Spencer Dawkins
Send notices to: (None)
Behave Working Group                                             Z. Chen
Internet-Draft                                             China Telecom
Intended status: Standards Track                                 C. Zhou
Expires: July 29, 2014                                           T. Tsou
                                                          T. Taylor, Ed.
                                                     Huawei Technologies
                                                        January 25, 2014

                     Syslog Format for NAT Logging
                draft-ietf-behave-syslog-nat-logging-06

Abstract

   NAT devices are required to log events like creation and deletion of
   translations and information about the resources the NAT is managing.
   The logs are required to identify an attacker or a host that was used
   to launch malicious attacks, and for various other purposes of
   accounting and management.  Since there is no standard way of logging
   this information, different NAT devices behave differently.  The lack
   of a consistent way makes it difficult to write the collector
   applications that would receive this data and process it to present
   useful information.

   This document describes the information that is required to be logged
   by the NAT devices.  It goes on to standardize formats for reporting
   these events and parameters using SYSLOG (RFC 5424).  A companion
   document specifies formats for reporting the same events and
   parameters using IPFIX (RFC 7011).  Applicability statements are
   provided in this document and its companion to guide operators and
   implementors in their choice of which technology to use for logging.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 29, 2014.

Chen, et al.              Expires July 29, 2014                 [Page 1]
Internet-Draft        Syslog Format for NAT Logging         January 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Deployment Considerations . . . . . . . . . . . . . . . . . .   6
     2.1.  Static and Dynamic NATs . . . . . . . . . . . . . . . . .   6
     2.2.  Realms and Address Pools  . . . . . . . . . . . . . . . .   7
       2.2.1.  Address Pools . . . . . . . . . . . . . . . . . . . .   7
     2.3.  NAT Logging Requirements For Different Transition Methods   8
     2.4.  Subscriber Identification . . . . . . . . . . . . . . . .   9
     2.5.  The Port Control Protocol (PCP) . . . . . . . . . . . . .  10
     2.6.  Logging At the Customer Edge  . . . . . . . . . . . . . .  10
   3.  NAT-Related Events and Parameters . . . . . . . . . . . . . .  10
     3.1.  Events Relating To Allocation Of Resources To Hosts . . .  10
       3.1.1.  NAT Address Mapping Creation and Deletion . . . . . .  11
       3.1.2.  NAT Address and Port Mapping Creation and Deletion  .  12
       3.1.3.  NAT Session Creation and Deletion . . . . . . . . . .  14
         3.1.3.1.  Destination Logging . . . . . . . . . . . . . . .  17
       3.1.4.  Port Range Allocation and Deallocation  . . . . . . .  17
     3.2.  Threshold Events  . . . . . . . . . . . . . . . . . . . .  19
       3.2.1.  Address Pool High- and Low-Water-Mark Threshold
               Events  . . . . . . . . . . . . . . . . . . . . . . .  19
       3.2.2.  Global Address Mapping High-Water-Mark Threshold
               Event . . . . . . . . . . . . . . . . . . . . . . . .  20