Manual Chapter : IPFIX Templates for CGNAT Events

Applies To:

  • BIG-IP AAM: 12.1.1, 12.1.0
  • BIG-IP APM: 12.1.1, 12.1.0
  • BIG-IP Link Controller: 12.1.1, 12.1.0
  • BIG-IP Analytics: 12.1.1, 12.1.0
  • BIG-IP LTM: 12.1.1, 12.1.0
  • BIG-IP PEM: 12.1.1, 12.1.0
  • BIG-IP AFM: 12.1.1, 12.1.0
  • BIG-IP DNS: 12.1.1, 12.1.0
  • BIG-IP ASM: 12.1.1, 12.1.0

Overview: IPFIX logging templates

The IP Flow Information Export (IPFIX) Protocol is a logging mechanism for IP events. This appendix defines the IPFIX information elements (IEs) and templates used to log the F5 CGNAT events. An IE is the smallest form of useful information in an IPFIX log message, such as an IP address or a timestamp for the event. An IPFIX template is an ordered collection of specific IEs used to record one IP event, such as the establishment of an inbound NAT64 session.

IPFIX information elements for CGNAT events

Information elements (IEs) are individual fields in an IPFIX template. An IPFIX template describes a single CGNAT event. These tables list all the IEs used in F5 CGNAT events, and differentiate IEs defined by IANA from IEs defined by F5 products.

IANA-Defined IPFIX information elements

Information Elements

IANA maintains a list of standard IPFIX information elements (IEs), each with a unique element identifier, at http://www.iana.org/assignments/ipfix/ipfix.xml. The F5 CGNAT implementation uses a subset of these IEs to publish CGNAT events. This subset is summarized in the table below. Please refer to the IANA site for the official description of each field.

Information Element (IE)          ID   Size (Bytes)
destinationIPv4Address            12   4
destinationTransportPort          11   2
egressVRFID                       235  4
flowDurationMilliseconds          161  4
flowStartMilliseconds             152  8
ingressVRFID                      234  4
natEvent                          230  1
natOriginatingAddressRealm        229  1
natPoolName                       284  Variable
observationTimeMilliseconds       323  8
portRangeEnd                      362  2
portRangeStart                    361  2
postNAPTDestinationTransportPort  228  2
postNAPTSourceTransportPort       227  2
postNATDestinationIPv4Address     226  4
postNATDestinationIPv6Address     282  16
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceIPv4Address                 8    4
sourceIPv6Address                 27   16
sourceTransportPort               7    2

Note: IPFIX, unlike NetFlow v9, supports variable-length IEs, where the length is encoded within the field in the Data Record. NetFlow v9 collectors (and their variants) cannot correctly process variable-length IEs, so they are omitted from logs sent to those collector types.

IPFIX enterprise information elements

Description

IPFIX provides specifications for enterprises to define their own Information Elements. F5 currently does not use any non-standard IEs for CGNAT Events.

Individual IPFIX templates for each event

These tables specify the IPFIX templates used by F5 to publish CGNAT Events.

Each template contains a natEvent information element (IE). IANA currently defines this element to carry the values 1 (Create Event), 2 (Delete Event) and 3 (Pool Exhausted). In the future, IANA may standardize additional values to distinguish NAT44 from NAT64 events and to allow for additional types of NAT events; for example, the Internet Draft at http://datatracker.ietf.org/doc/draft-ietf-behave-ipfix-nat-logging proposes additional values for this IE for such events.

F5 uses the standard Create and Delete natEvent values in its IPFIX Data Records, rather than new (non-standard) specific values for NAT44 Create, NAT64 Create, and so on.

You can infer the semantics of each template (for example, whether or not the template applies to NAT44 Create, NAT64 Create, or DS-Lite Create) from the template's contents rather than from distinct values in the natEvent IE.

F5 CGNAT might generate different variants of NAT Session Create/Delete events, to cater to customer requirements such as the need to publish destination address information, or to specifically omit such information. Each variant has a distinct template.

The “Pool Exhausted” natEvent value is insufficiently descriptive to cover the possible NAT failure cases. Therefore, pending future updates to the natEvent Information Element, F5 uses some non-standard values to cover the following cases:

  • 10 – Translation Failure
  • 11 – Session Quota Exceeded
  • 12 – Port Quota Exceeded
  • 13 – Port Block Allocated
  • 14 – Port Block Released
  • 15 – Port Block Allocation (PBA) Client Block Limit Exceeded
  • 16 – PBA Port Quota Exceeded

The following tables enumerate and define the IPFIX templates, and include the possible natEvent values for each template.

NAT44 session create – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv4Address                 8    4
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             1 (for Create event).

NAT44 session delete – outbound variant

Description

This event is generated when a NAT44 client session is received from the subscriber side and the LSN process finishes the session.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv4Address                 8    4
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.

NAT44 session create – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv4Address     226  4
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             1 (for Create event).

NAT44 session delete – inbound variant

Description

This event is generated when an inbound NAT44 client session is received from the internet side and connects to a client on the subscriber side. This event records the deletion of that inbound connection.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv4Address     226  4
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.

NAT44 translation failed

Description

This event reports a NAT44 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natEvent                          230  1             10 (for Translation Failure).
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.
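The IANA IE table, the note on variable-length IEs, the natEvent value list and the template above together give a collector everything it needs to decode these records. The following Python is an added example written for this page, not F5 code: it parses one IPFIX message (a template set followed by a data set) into records keyed by IE name, handles the variable-length encoding that natPoolName uses, and maps both the IANA-standard and the F5-specific natEvent values to names. The template ID 256, the addresses and the message built by build_sample_message are constructed for the demonstration and are not captured BIG-IP output.

```python
import ipaddress
import struct
# IANA IEs used by F5 CGNAT events (ID and byte size from the table above); None = variable-length.
IANA_IES = {
    4: ("protocolIdentifier", 1), 7: ("sourceTransportPort", 2), 8: ("sourceIPv4Address", 4),
    11: ("destinationTransportPort", 2), 12: ("destinationIPv4Address", 4), 27: ("sourceIPv6Address", 16),
    152: ("flowStartMilliseconds", 8), 161: ("flowDurationMilliseconds", 4),
    225: ("postNATSourceIPv4Address", 4), 226: ("postNATDestinationIPv4Address", 4),
    227: ("postNAPTSourceTransportPort", 2), 228: ("postNAPTDestinationTransportPort", 2),
    229: ("natOriginatingAddressRealm", 1), 230: ("natEvent", 1), 234: ("ingressVRFID", 4),
    235: ("egressVRFID", 4), 282: ("postNATDestinationIPv6Address", 16), 284: ("natPoolName", None),
    323: ("observationTimeMilliseconds", 8), 361: ("portRangeStart", 2), 362: ("portRangeEnd", 2),
}
# natEvent values: 1-3 are IANA-standard, 10-16 are the F5-specific values listed above.
NAT_EVENT_NAMES = {1: "Create", 2: "Delete", 3: "Pool Exhausted", 10: "Translation Failure",
                   11: "Session Quota Exceeded", 12: "Port Quota Exceeded", 13: "Port Block Allocated",
                   14: "Port Block Released", 15: "PBA Client Block Limit Exceeded", 16: "PBA Port Quota Exceeded"}
VARIABLE = 0xFFFF  # template field length that means "variable-length IE" (RFC 7011)

def decode_value(name, raw):
    """Convert the raw bytes of one IE to a Python value, chosen by IE name."""
    if name.endswith("IPv4Address"):
        return str(ipaddress.IPv4Address(raw))
    if name.endswith("IPv6Address"):
        return str(ipaddress.IPv6Address(raw))
    if name == "natPoolName":
        return raw.decode("utf-8", errors="replace")
    return int.from_bytes(raw, "big")

def parse_template_set(body):
    """Template set (set ID 2): records of templateId, fieldCount, then (ieId, length) pairs."""
    templates, pos = {}, 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        if template_id == 0:  # zero padding at the end of the set
            break
        pos, fields = pos + 4, []
        for _ in range(field_count):
            (ie_id, ie_len), pos = struct.unpack("!HH", body[pos:pos + 4]), pos + 4
            if ie_id & 0x8000:  # enterprise bit: a 4-byte enterprise number follows
                name, pos = "pen%d.ie%d" % (struct.unpack("!I", body[pos:pos + 4])[0], ie_id & 0x7FFF), pos + 4
            else:
                name = IANA_IES.get(ie_id, ("ie%d" % ie_id, None))[0]
            fields.append((name, ie_len))
        templates[template_id] = fields
    return templates

def parse_data_set(body, fields, template_id):
    """Data set: records laid out per the template; a variable-length IE carries its own length."""
    records, pos = [], 0
    min_len = sum(1 if n == VARIABLE else n for _, n in fields)  # smallest legal record
    while len(body) - pos >= min_len:  # anything shorter is set padding
        rec = {"templateId": template_id}
        for name, ie_len in fields:
            if ie_len == VARIABLE:
                ie_len, pos = body[pos], pos + 1
                if ie_len == 255:  # long form: 0xFF followed by a 2-byte length
                    ie_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
            raw = body[pos:pos + ie_len]
            if len(raw) != ie_len:
                raise ValueError("truncated data record")
            pos += ie_len
            rec[name] = decode_value(name, raw)
        rec["natEventName"] = NAT_EVENT_NAMES.get(rec.get("natEvent"))
        records.append(rec)
    return records

def parse_ipfix_message(data):
    """Parse one IPFIX message (RFC 7011) into (templates, records)."""
    version, length = struct.unpack("!HH", data[:4])
    if version != 10 or length != len(data):
        raise ValueError("not a complete IPFIX (version 10) message")
    templates, records, offset = {}, [], 16  # skip the 16-byte message header
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("bad set length")
        body = data[offset + 4:offset + set_len]
        if set_id == 2:
            templates.update(parse_template_set(body))
        elif set_id >= 256:  # data set (KeyError if its template was never seen); set ID 3 is skipped
            records.extend(parse_data_set(body, templates[set_id], set_id))
        offset += set_len
    return templates, records

def encode_variable(value):
    """RFC 7011 variable-length encoding, as used for natPoolName."""
    return bytes([len(value)]) + value if len(value) < 255 else b"\xff" + struct.pack("!H", len(value)) + value

def build_sample_message(pool_name=b"lsn_pool_1"):
    """Constructed sample (not a BIG-IP capture): NAT44 translation failed template as ID 256, one record."""
    fields = [(323, 8), (234, 4), (8, 4), (4, 1), (7, 2), (12, 4), (11, 2), (230, 1), (284, VARIABLE)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    rec = (struct.pack("!QI", 1700000000123, 0) + ipaddress.IPv4Address("10.1.2.3").packed
           + bytes([6]) + struct.pack("!H", 40001) + ipaddress.IPv4Address("198.51.100.7").packed
           + struct.pack("!H", 443) + bytes([10]) + encode_variable(pool_name))
    body = tmpl_set + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 1) + body  # version, length, time, seq, domain
```

A real collector keeps the templates dictionary across messages, because an exporter sends templates periodically and a data set may arrive in a later message than the template that describes it; this example resets it per message to stay short.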

NAT44 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT44 translation.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
natEvent                          230  1             11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.

NAT44 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT44 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues one IPFIX log for each block of CGNAT translations rather than one per translation, which reduces IPFIX traffic for CGNAT.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The egress routing-domain ID.
sourceIPv4Address                 8    4
postNATSourceIPv4Address          225  4
portRangeStart                    361  2
portRangeEnd                      362  2
natEvent                          230  1             13 for PBA block allocated, 14 for PBA block released.
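The session create/delete templates and the port-block template above are what an operator relies on to answer "which subscriber held public address X, port Y, at time T" when an abuse report arrives. The following Python is an added example, not F5 code: it folds already-decoded records (dicts keyed by IE name; the SAMPLE_RECORDS below are constructed, not BIG-IP output) into time intervals and answers that lookup. It uses flowStartMilliseconds and flowDurationMilliseconds from delete records, so a session whose create event was never logged (for instance because log.lsn.session.end was enabled while it was open) is still attributable, and it returns more than one subscriber when the evidence is ambiguous rather than picking one. The Mapping class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed decoded records (IE name -> value), shaped as a collector would emit them from the
# NAT44 session create/delete and port-block templates above. Sample values only, not BIG-IP output.
SAMPLE_RECORDS = [
    {"natEvent": 1, "observationTimeMilliseconds": 1700000000000, "protocolIdentifier": 6,
     "sourceIPv4Address": "10.0.0.5", "sourceTransportPort": 51000,
     "postNATSourceIPv4Address": "203.0.113.10", "postNAPTSourceTransportPort": 30001},
    {"natEvent": 2, "observationTimeMilliseconds": 1700000060000, "protocolIdentifier": 6,
     "sourceIPv4Address": "10.0.0.5", "sourceTransportPort": 51000,
     "postNATSourceIPv4Address": "203.0.113.10", "postNAPTSourceTransportPort": 30001,
     "flowStartMilliseconds": 1700000000000, "flowDurationMilliseconds": 60000},
    # The same public IP:port is handed to another subscriber once the first session ends.
    {"natEvent": 1, "observationTimeMilliseconds": 1700000120000, "protocolIdentifier": 6,
     "sourceIPv4Address": "10.0.0.9", "sourceTransportPort": 40000,
     "postNATSourceIPv4Address": "203.0.113.10", "postNAPTSourceTransportPort": 30001},
    # A delete whose create was never logged (e.g. log.lsn.session.end enabled mid-session):
    # flowStartMilliseconds + flowDurationMilliseconds still pin down the interval.
    {"natEvent": 2, "observationTimeMilliseconds": 1700000010000, "protocolIdentifier": 17,
     "sourceIPv4Address": "10.0.0.42", "sourceTransportPort": 5060,
     "postNATSourceIPv4Address": "203.0.113.11", "postNAPTSourceTransportPort": 30500,
     "flowStartMilliseconds": 1699999990000, "flowDurationMilliseconds": 20000},
    # A port block allocated and later released for a subscriber on a PBA pool.
    {"natEvent": 13, "observationTimeMilliseconds": 1700000010000, "sourceIPv4Address": "10.0.0.77",
     "postNATSourceIPv4Address": "203.0.113.20", "portRangeStart": 1024, "portRangeEnd": 1535},
    {"natEvent": 14, "observationTimeMilliseconds": 1700000900000, "sourceIPv4Address": "10.0.0.77",
     "postNATSourceIPv4Address": "203.0.113.20", "portRangeStart": 1024, "portRangeEnd": 1535},
]


@dataclass
class Mapping:
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int
    protocol: Optional[int]  # None for port-block mappings, which cover every protocol
    start_ms: int
    end_ms: Optional[int]    # None while the session or block is still open


def build_mappings(records) -> List[Mapping]:
    """Fold create/delete (natEvent 1/2) and block allocated/released (13/14) records into
    time intervals keyed by public IP and port (range)."""
    open_by_key, closed = {}, []
    for rec in sorted(records, key=lambda r: r["observationTimeMilliseconds"]):
        ev, ts, pub = rec["natEvent"], rec["observationTimeMilliseconds"], rec["postNATSourceIPv4Address"]
        if ev in (1, 2):
            lo = hi = rec["postNAPTSourceTransportPort"]
            proto = rec["protocolIdentifier"]
        elif ev in (13, 14):
            lo, hi, proto = rec["portRangeStart"], rec["portRangeEnd"], None
        else:
            continue  # failure and quota events carry no mapping
        key = (pub, lo, hi, proto)
        if ev in (1, 13):
            open_by_key[key] = Mapping(rec["sourceIPv4Address"], pub, lo, hi, proto, ts, None)
            continue
        # A delete record carries its own start and duration, so it is authoritative even
        # when the matching create record was never received; a release only has its timestamp.
        start = rec.get("flowStartMilliseconds", ts)
        end = start + rec.get("flowDurationMilliseconds", 0) if ev == 2 else ts
        m = open_by_key.pop(key, None) or Mapping(rec["sourceIPv4Address"], pub, lo, hi, proto, start, None)
        m.end_ms = end
        closed.append(m)
    return closed + list(open_by_key.values())


def lookup_subscribers(mappings, public_ip, public_port, at_ms, protocol=None) -> List[str]:
    """Subscribers whose mapping covered public_ip:public_port at at_ms. More than one result
    means the evidence is ambiguous and must not be attributed to a single subscriber."""
    hits = set()
    for m in mappings:
        if m.public_ip != public_ip or not (m.port_lo <= public_port <= m.port_hi):
            continue
        if protocol is not None and m.protocol is not None and m.protocol != protocol:
            continue
        if m.start_ms <= at_ms and (m.end_ms is None or at_ms < m.end_ms):
            hits.add(m.subscriber)
    return sorted(hits)
```

Keep the protocol in the query where the report provides it: a TCP and a UDP session can legitimately share the same post-NAT port, whereas port-block records carry no protocol and therefore match any. The comparison treats end_ms as exclusive, so a port reused immediately after a session ends is attributed to the new holder rather than to both.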

NAT64 session create – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process successfully translates the source address/port.

Note: The destinationIPv6Address is not reported, since the postNATDestinationIPv4Address value is derived algorithmically from the IPv6 representation in destinationIPv6Address, as specified in RFC 6146 and RFC 6052.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv6Address                 27   16
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
postNATDestinationIPv4Address     226  4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             1 (for Create event).

NAT64 session delete – outbound variant

Description

This event is generated when a NAT64 client session is received from the subscriber side and the LSN process finishes the outbound session.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv6Address                 27   16
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
postNATDestinationIPv4Address     226  4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.

NAT64 session create – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side.

Note: postNATSourceIPv6Address is not reported, since this value can be derived algorithmically by prepending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv6Address     282  16
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             1 (for Create event).

NAT64 session delete – inbound variant

Description

This event is generated when a client session comes in from the internet side and successfully connects to a NAT64 client on the subscriber side. This event records the deletion of that inbound connection.

Note: postNATSourceIPv6Address is not reported, since this value can be derived algorithmically by prepending the well-known NAT64 prefix 64:ff9b:: to sourceIPv4Address.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv6Address     282  16
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.
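The notes on the NAT64 templates above state that the omitted IPv6 IE can be recomputed by a collector from the IPv4 one under the well-known prefix 64:ff9b::. The following Python is an added example, not F5 code: it implements that /96 embedding and its inverse (the RFC 6052 layout, in which the 32 IPv4 bits occupy the low-order bits of the IPv6 address) and uses them to fill in postNATSourceIPv6Address on inbound NAT64 records and destinationIPv6Address on outbound ones. The complete_nat64_record function, its treatment of an obscured 0.0.0.0 destination, and the option of passing a deployment-specific /96 prefix are this example's own assumptions.

```python
import ipaddress

# Well-known NAT64 prefix from the note above; a deployment-specific /96 can be passed instead.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def _prefix96(prefix):
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen != 96:
        raise ValueError("this helper handles /96 NAT64 prefixes only, got %s" % net)
    return net


def embed_ipv4(ipv4, prefix=WELL_KNOWN_PREFIX):
    """IPv6 form of an IPv4 address under a /96 NAT64 prefix: the 32 IPv4 bits occupy the
    low-order bits of the address (the RFC 6052 /96 layout)."""
    net = _prefix96(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address, refusing addresses outside the prefix so that an
    unrelated IPv6 address is never misread as an IPv4 host."""
    net, addr = _prefix96(prefix), ipaddress.IPv6Address(str(ipv6))
    if addr not in net:
        raise ValueError("%s is not under NAT64 prefix %s" % (addr, net))
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def complete_nat64_record(record, prefix=WELL_KNOWN_PREFIX):
    """Add the IE the NAT64 templates omit. Inbound records (those carrying
    postNATDestinationIPv6Address) get postNATSourceIPv6Address from sourceIPv4Address;
    outbound ones (sourceIPv6Address plus postNATDestinationIPv4Address) get
    destinationIPv6Address, unless the destination was obscured to 0.0.0.0."""
    out = dict(record)
    if "postNATDestinationIPv6Address" in record:
        out["postNATSourceIPv6Address"] = str(embed_ipv4(record["sourceIPv4Address"], prefix))
    elif "sourceIPv6Address" in record and "postNATDestinationIPv4Address" in record:
        dst = record["postNATDestinationIPv4Address"]
        if dst != "0.0.0.0":
            out["destinationIPv6Address"] = str(embed_ipv4(dst, prefix))
    return out
```

The membership check in extract_ipv4 matters when the same collector also receives DS-Lite records, where sourceIPv6Address holds a tunnel endpoint rather than a NAT64-synthesized address and must not be decoded as one.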

NAT64 translation failed

Description

This event reports a NAT64 Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv6Address                 27   16
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natEvent                          230  1             10 (for Translation Failure).
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.

NAT64 quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT64 translation.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv6Address                 27   16
natEvent                          230  1             11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.

NAT64 port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a NAT64 client. The event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues one IPFIX log for each block of CGNAT translations rather than one per translation, which reduces IPFIX traffic for CGNAT.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The egress routing-domain ID.
sourceIPv6Address                 27   16
postNATSourceIPv4Address          225  4
portRangeStart                    361  2
portRangeEnd                      362  2
natEvent                          230  1             13 for PBA block allocated, 14 for PBA block released.

DS-Lite session create – outbound variant

Description

This event is generated when a DS-Lite client session is received on the subscriber side and the LSN process successfully translates the source address/port. The client's DS-Lite IPv6 remote endpoint address is reported using IE lsnDsLiteRemoteV6asSource.

Note: The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.

Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv4Address                 8    4
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
sourceIPv6Address                 27   16            DS-Lite remote endpoint IPv6 address.
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             1 (for Create event).

DS-Lite session delete – outbound variant

Description

This event is generated when a DS-Lite client session is received from the subscriber side and the LSN process finishes with the outbound session.

Note: The sourceIPv6Address stores different information in this template from the equivalent NAT64 template. In the NAT64 create and delete templates, sourceIPv6Address holds the client's IPv6 address. In this DS-Lite template, it holds the remote endpoint address of the DS-Lite tunnel.

Note: The VRFID (or routing domain ID) for the DS-Lite tunnel is not currently provided; this attribute may be added in the future.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The "LSN" routing-domain ID.
sourceIPv4Address                 8    4
postNATSourceIPv4Address          225  4
protocolIdentifier                4    1
sourceTransportPort               7    2
postNAPTSourceTransportPort       227  2
sourceIPv6Address                 27   16            DS-Lite remote endpoint IPv6 address.
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natOriginatingAddressRealm        229  1             1 (private/internal realm, subscriber side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.

DS-Lite session create – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv6Address     282  16            DS-Lite remote endpoint IPv6 address.
postNATDestinationIPv4Address     226  4
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             1 (for Create event).

DS-Lite session delete – inbound variant

Description

This event is generated when an inbound client session comes in from the internet side and connects to a DS-Lite client on the subscriber side. This event marks the end of the inbound connection, when the connection is deleted.

By default, the BIG-IP® system does not record "delete session" events like this one. This default exists to improve performance, but it prevents the system from ever sending IPFIX logs matching this template. To enable "delete session" events and IPFIX logs matching this template, use the following tmsh command:

    modify sys db log.lsn.session.end value enable

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "LSN" routing-domain ID.
egressVRFID                       235  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
protocolIdentifier                4    1
sourceTransportPort               7    2
destinationIPv4Address            12   4
postNATDestinationIPv6Address     282  16
postNATDestinationIPv4Address     226  4
destinationTransportPort          11   2
postNAPTDestinationTransportPort  228  2
natOriginatingAddressRealm        229  1             2 (public/external realm, Internet side).
natEvent                          230  1             2 (for Delete event).
flowStartMilliseconds             152  8             Start time, in ms since Epoch (1/1/1970).
flowDurationMilliseconds          161  4             Duration in ms.

DS-Lite translation failed

Description

This event reports a DS-Lite Translation Failure. The failure does not necessarily mean that all addresses or ports in the translation pool are already in use; the implementation may not be able to find a valid translation within the allowed time constraints or number of lookup attempts, as may happen if the pool has become highly fragmented.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4             IPv4 address used by F5 CGNAT in the IPv4-mapped IPv6 format, for the DS-Lite tunnel terminated on the BIG-IP.
protocolIdentifier                4    1
sourceTransportPort               7    2
sourceIPv6Address                 27   16            IPv6 address for remote endpoint of the DS-Lite tunnel.
destinationIPv4Address            12   4             0 (zero) if obscured.
destinationTransportPort          11   2             0 (zero) if obscured.
natEvent                          230  1             10 (for Translation Failure).
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.

DS-Lite quota exceeded

Description

This event is generated when an administratively configured policy prevents a successful NAT translation in a DS-Lite context.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
sourceIPv4Address                 8    4
sourceIPv6Address                 27   16            DS-Lite remote endpoint IPv6 address.
natEvent                          230  1             11 for Session Quota Exceeded, 12 for Port Quota Exceeded, 15 for PBA Client Block Limit Exceeded, 16 for PBA Port Quota Exceeded.
natPoolName                       284  Variable      This IE is omitted for NetFlow v9.

DS-Lite port block allocated or released

Description

This event is generated when the BIG-IP software allocates or releases a block of ports for a DS-Lite client. This event only occurs when port-block allocation (PBA) is configured for the LSN pool. When an LSN pool uses PBA, it issues an IPFIX log for every block of CGNAT translations rather than each individual translation. This reduces IPFIX traffic for CGNAT.

Information Element (IE)          ID   Size (Bytes)  Notes
observationTimeMilliseconds       323  8
ingressVRFID                      234  4             The "client" routing-domain ID.
egressVRFID                       235  4             The egress routing-domain ID.
sourceIPv6Address                 27   16
postNATSourceIPv4Address          225  4
portRangeStart                    361  2
portRangeEnd                      362  2
natEvent                          230  1             13 for PBA block allocated, 14 for PBA block released.