2. Tracing single-user systems
In many cases, a particular computer is used by just one person. Without NAT, the IP address and timestamp are sufficient to identify both the computer and the person. Where the backbone routers can see the computer's true MAC address, the system can be isolated by a MAC address block. OxCERT will generally use MAC address blocks at the backbone router where possible, as this minimises the danger of collateral damage in environments using dynamic IP address pools.
If OxCERT can only supply an IP address, units may need to be able to map this to a MAC address themselves, for instance from their DHCP server logs. Either the IP address or the MAC address should be sufficient to identify the system and its user.
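One way a unit could do the IP-to-MAC lookup from DHCP logs, as an added example that is not OxCERT's own code. It assumes ISC dhcpd syslog-style `DHCPACK` lines, a one-hour lease, and log timestamps in the same time zone as the reported time; the sample lines, addresses and host names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP range and MAC prefix, made-up hosts).
# 192.0.2.17 is handed to two different machines during the day, which is why
# the timestamp supplied with the IP address matters in a dynamic pool.
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 192.0.2.17 to 00:00:5e:00:53:0a (laptop-a) via eth1
Mar  3 09:40:13 dhcp1 dhcpd[812]: DHCPACK on 192.0.2.18 to 00:00:5e:00:53:0b (desk-b) via eth1
Mar  3 13:05:44 dhcp1 dhcpd[812]: DHCPACK on 192.0.2.17 to 00:00:5e:00:53:0c (phone-c) via eth1
Mar  3 14:05:40 dhcp1 dhcpd[812]: DHCPACK on 192.0.2.17 to 00:00:5e:00:53:0c (phone-c) via eth1
""".splitlines()

ACK = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def mac_for(ip, when, lines, lease=timedelta(hours=1), year=None):
    """Return the MAC that held `ip` at `when`, or None if no lease covers it.

    `lease` is an assumed lease length; set it to the pool's real value.
    Syslog lines carry no year, so one is taken from `when` unless given.
    """
    year = year or when.year
    best = None  # (timestamp, mac) of the latest DHCPACK at or before `when`
    for line in lines:
        m = ACK.match(line)
        if not m or m["ip"] != ip:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts <= when and (best is None or ts > best[0]):
            best = (ts, m["mac"].lower())
    # An ACK older than one lease period no longer proves who held the address.
    if best is None or when - best[0] > lease:
        return None
    return best[1]

if __name__ == "__main__":
    for hhmm in ("09:30", "11:00", "13:30"):
        t = datetime.strptime(f"2024-03-03 {hhmm}", "%Y-%m-%d %H:%M")
        print(hhmm, mac_for("192.0.2.17", t, SAMPLE_LOG))
```

A `None` result means the logs do not show a current lease for that address at the reported time, so the IP alone is not enough and the timestamp or time zone should be rechecked before any block is requested.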