Mapping Between Field Values for IPFIX Flow Templates and Logs Exported From an MX Series Router or NFX250
A new proposed draft defining IPFIX IEs for logging various NAT events is available in IETF as IPFIX Information Elements for logging NAT Events—draft-ietf-behave-ipfix-nat-logging-02. The flow monitoring template format for flow monitoring logs generated for NAT events comply with the the templates defined in this draft for logging NAT44/NAT64 session create/delete, binding information base (BIB) create/delete, address exhaust, pool exhaustion, quota exceeded, address binding create/delete, port block allocation and de-allocation events. Also, this draft has an extension for NAT64. Support is implemented for logging events for both NAT44 and NAT64. Apart from those templates defined in this draft, no new user-defined templates are created for logging any NAT events.
The following table lists the extensions to the NAT events. The data record contains the corresponding natEvent value to identify the event that is being logged.
Event Name | Values |
|---|---|
NAT44 Session create | 1 |
NAT44 Session delete | 2 |
NAT Addresses exhausted | 3 |
NAT64 Session create | 4 |
NAT64 Session delete | 5 |
NAT44 BIB create | 6 |
NAT44 BIB delete | 7 |
NAT64 BIB create | 8 |
NAT64 BIB delete | 9 |
NAT ports exhausted | 10 |
Quota exceeded | 11 |
Address binding create | 12 |
Address binding delete | 13 |
Port block allocation | 14 |
Port block deallocation | 15 |
The following table describes the field IDs or values and the corresponding names for IPv6 addresses for IPFIX flows:
Field ID | Name | Size (Bytes) | Description |
|---|---|---|---|
27 | sourceIPv6Address | 16 | IPv6 source address |
28 | destinationIPv6Address | 16 | IPv6 destination address |
281 | postNATSourceIPv6Address | 16 | Translated source IPv6 address |
282 | postNATDestinationPv6Address | 16 | Translated destination IPv6 address |
The following table describes the field names and whether they are required or not for NAT64 session creation and deletion events:
Field Name | Size (Bytes) | Whether the Field Is Mandatory |
|---|---|---|
timeStamp | 64 | Yes |
vlanID/ingressVRFID | 32 | No |
sourceIPv4Address | 128 | Yes |
postNATSourceIPv4Address | 32 | Yes |
protocolIdentifier | 8 | Yes |
sourceTransportPort | 16 | Yes |
postNAPTsourceTransportPort | 16 | Yes |
destinationIPv4Address | 128 | No |
postNATDestinationIPv4Address | 32 | No |
destinationTransportPort | 16 | No |
postNAPTdestinationTransportPort | 16 | No |
natOriginatingAddressRealm | 8 | No |
natEvent | 8 | Yes |
A NAT44 session creation template record can contain the following fields. The natEvent field contains a value of 1, which indicates a NAT44 session creation event. An example of such a template is as follows:
Field Name | Size (Bytes) | Value |
|---|---|---|
timeStamp | 64 | 09:20:10:789 |
sourceIPv4Address | 32 | 192.168.16.1 |
postNATSourceIPv4Address | 32 | 192.0.2.100 |
protocolIdentifier | 8 | TC |
sourceTransportPort | 16 | 14800 |
postNAPTsourceTransportPort | 16 | 1024 |
destinationIPv4Address | 32 | 198.51.100.104 |
postNATDestinationIPv4Address | 32 | 198.51.100.104 |
destinationTransportPort | 16 | 80 |
postNAPTdestinationTransportPort | 16 | 80 |
natOriginatingAddressRealm | 8 | 0 |
natEvent | 8 | 1 |
A NAT44 session deletion template record can contain the following fields. The natEvent field contains a value of 2, which indicates a NAT44 session deletion event. An example of such a template is as follows:
Field Name | Size (Bytes) | Value |
|---|---|---|
timeStamp | 64 | 09:20:10:789 |
sourceIPv4Address | 32 | 192.168.16.1 |
postNATSourceIPv4Address | 32 | 192.0.2.100 |
protocolIdentifier | 8 | TC |
sourceTransportPort | 16 | 14800 |
postNAPTsourceTransportPort | 16 | 1024 |
destinationIPv4Address | 32 | 198.51.100.104 |
postNATDestinationIPv4Address | 32 | 198.51.100.104 |
destinationTransportPort | 16 | 80 |
postNAPTdestinationTransportPort | 16 | 80 |
natOriginatingAddressRealm | 8 | 0 |
natEvent | 8 | 2 |