Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: February 19, 2018                                 Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                         August 18, 2017

    A YANG Data Model for Network Address Translation (NAT) and Network
                       Prefix Translation (NPT)
                     draft-ietf-opsawg-nat-yang-00

Abstract

   For the sake of network automation and the need for programming
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG data model for the NAT function.  NAT44,
   NAT64, and NPTv6 are covered in this document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 19, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Static Mappings with Port Ranges
     A.6.  Static Mappings with IP Prefixes
     A.7.  Destination NAT
     A.8.  NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers the NAT64 [RFC6146] and IPv6 Network Prefix
   Translation (NPTv6) [RFC6296].

   Sample examples are provided in Appendix A.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: is a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.
      Multiple hosts may share the same IPv4 address; however, their
      port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send to and receive traffic from the Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of traffic such as an outgoing TCP SYN or an outgoing UDP packet.
      A validity lifetime is associated with this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created manually.  This mapping is
      likely to be maintained by the NAT function till an explicit
      action is executed to remove it.

   The usage of the term NAT in this document refers to any NAT flavor
   (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and
   [RFC6146] for NAT64.

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).
   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG data model is designed to cover dynamic implicit
   mappings and static explicit mappings.  The required functionality to
   instruct dynamic explicit mappings is defined in separate documents
   such as [I-D.boucadair-pcp-yang].  Considerations about instructing
   explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are
   out of scope.

   A single NAT device can have multiple NAT instances; each of these
   instances is responsible for serving a group of internal hosts.  This
   document does not make any assumption about how internal hosts are
   associated with a given NAT instance.

   The data model assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   model allows an operator to instruct a NAT function to log the
   destination port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44
   2.  NAPT
   3.  Destination NAT
   4.  Port-restricted NAT
   5.  NAT64
   6.  NPTv6
   7.  Combination of Basic NAT/NAPT and Destination NAT
   8.  Combination of port-restricted and Destination NAT

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
   Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes [RFC4787][RFC5382][RFC5508] are enabled by
   default.
   Furthermore, the data model relies upon the recommendations detailed
   in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support other protocols than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   This data model assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG data model.
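   As an added example (not part of the draft or of any NAT
   implementation), the following Python computes the external port set
   that a port-restricted NAT assigns to one subscriber from the
   port-set-restrict nodes of the tree, for both schemes the module
   supports: a simple port range (start-port-number/end-port-number) and
   the RFC 7597 PSID algorithm (psid-offset, psid-len, psid).  It also
   checks the RFC 7596 requirement that port sets of subscribers sharing
   an address never overlap.  Function names and the sample values are
   the author's own choices.

```python
"""Port-set computation for a port-restricted NAT.

Added example (not part of the draft): given the port-set-restrict settings
of the ietf-nat module, enumerate the external ports a subscriber may use.
"""
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (start, end)


def simple_port_range(start_port_number: int, end_port_number: int) -> List[PortRange]:
    """port-set-restrict, case port-range: one contiguous range of ports."""
    if not 0 <= start_port_number <= end_port_number <= 65535:
        raise ValueError("start-port-number must be <= end-port-number, both 0..65535")
    return [(start_port_number, end_port_number)]


def psid_port_set(psid_offset: int, psid_len: int, psid: int) -> List[PortRange]:
    """port-set-restrict, case port-set-algo: the MAP-E port set (RFC 7597, Appendix B).

    A 16-bit port number is split into three fields, high to low:
      A    (psid_offset bits): block selector; A = 0 is never assigned when
                               psid_offset > 0 (offset 6 skips ports 0-1023)
      PSID (psid_len bits):    identifies the subscriber sharing the address
      M    (remaining bits):   contiguous ports within one block
    The result is (2**psid_offset - 1) blocks of 2**m ports, or one block
    when psid_offset is 0 (the Lightweight 4over6 contiguous-range case).
    """
    # Value ranges as constrained by the module: psid-offset 0..16, psid-len 0..15.
    if not (0 <= psid_offset <= 16 and 0 <= psid_len <= 15):
        raise ValueError("psid-offset must be 0..16 and psid-len 0..15")
    if psid_offset + psid_len > 16:
        raise ValueError("psid-offset + psid-len must not exceed 16 bits")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid-len bits")
    m_bits = 16 - psid_offset - psid_len
    block = 1 << m_bits
    a_values = range(1, 1 << psid_offset) if psid_offset > 0 else range(1)
    ranges = []
    for a in a_values:
        start = (a << (16 - psid_offset)) | (psid << m_bits)
        ranges.append((start, start + block - 1))
    return ranges


def port_set_size(ranges: List[PortRange]) -> int:
    """Number of ports in a set; this is what port-set-size provisions per subscriber."""
    return sum(end - start + 1 for start, end in ranges)


def port_sets_overlap(a: List[PortRange], b: List[PortRange]) -> bool:
    """True if any port is in both sets.  Subscribers sharing one external
    address must receive non-overlapping sets (RFC 7596)."""
    return any(s1 <= e2 and s2 <= e1 for s1, e1 in a for s2, e2 in b)


def psids_partition_port_space(psid_offset: int, psid_len: int) -> bool:
    """Check that the 2**psid_len PSIDs of one (psid-offset, psid-len) pair are
    pairwise disjoint and together cover every assignable port, i.e. that the
    algorithm really supports a sharing ratio of 2**psid_len per address."""
    ranges = sorted(r for psid in range(1 << psid_len)
                    for r in psid_port_set(psid_offset, psid_len, psid))
    if any(nxt[0] <= cur[1] for cur, nxt in zip(ranges, ranges[1:])):
        return False
    assignable = (((1 << psid_offset) - 1) << (16 - psid_offset)
                  if psid_offset > 0 else 65536)
    return port_set_size(ranges) == assignable


if __name__ == "__main__":
    # Constructed values: the worked example of RFC 7597 Appendix B
    # (psid-offset 6, psid-len 8, psid 0x34) gives 63 blocks of 4 ports.
    for start, end in psid_port_set(6, 8, 0x34)[:3]:
        print(f"{start}-{end}")
    print("size:", port_set_size(psid_port_set(6, 8, 0x34)))
    # Lightweight 4over6 style: offset 0 yields a single contiguous range.
    print(psid_port_set(0, 4, 3))
    print("disjoint:", not port_sets_overlap(psid_port_set(6, 8, 0x34),
                                             psid_port_set(6, 8, 0x35)))
```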
   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require port numbers to be restricted (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignment (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG model assumes the following
   structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.
   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows an IPv4 or an IPv6 address to be included as
   the internal IP address.  Remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamically implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamically implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamically implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  Obviously, no mapping table is maintained for NPTv6 given
   that it is stateless and transport-agnostic.

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the data model
   allows limiting the number of external ports per subscriber (port-
   quota) and the amount of state memory allocated per mapping and per
   subscriber (mapping-limit and connection-limit).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

2.10.  Tree Structure

   The tree structure of the NAT data model is provided below:

   module: ietf-nat
      +--rw nat-module
         +--rw nat-instances
            +--rw nat-instance* [id]
               +--rw id                              uint32
               +--rw name?                           string
               +--rw enable?                         boolean
               +--ro nat-capabilities
               |  +--ro nat-flavor*                                  identityref
               |  +--ro nat44-flavor*                                identityref
               |  +--ro restricted-port-support?                     boolean
               |  +--ro static-mapping-support?                      boolean
               |  +--ro port-randomization-support?                  boolean
               |  +--ro port-range-allocation-support?               boolean
               |  +--ro port-preservation-suport?                    boolean
               |  +--ro port-parity-preservation-support?            boolean
               |  +--ro address-roundrobin-support?                  boolean
               |  +--ro paired-address-pooling-support?              boolean
               |  +--ro endpoint-independent-mapping-support?        boolean
               |  +--ro address-dependent-mapping-support?           boolean
               |  +--ro address-and-port-dependent-mapping-support?  boolean
               |  +--ro endpoint-independent-filtering-support?      boolean
               |  +--ro address-dependent-filtering?                 boolean
               |  +--ro address-and-port-dependent-filtering?        boolean
               +--rw external-ip-address-pool* [pool-id]
               |  +--rw pool-id             uint32
               |  +--rw external-ip-pool?   inet:ipv4-prefix
               +--rw port-set-restrict
               |  +--rw (port-type)?
               |     +--:(port-range)
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--:(port-set-algo)
               |        +--rw psid-offset?   uint8
               |        +--rw psid-len       uint8
               |        +--rw psid           uint16
               +--rw dst-nat-enable?                 boolean
               +--rw dst-ip-address-pool* [pool-id]
               |  +--rw pool-id            uint32
               |  +--rw dst-in-ip-pool?    inet:ip-prefix
               |  +--rw dst-out-ip-pool?   inet:ip-prefix
               +--rw nat64-prefixes* [nat64-prefix]
               |  +--rw nat64-prefix               inet:ipv6-prefix
               |  +--rw destination-ipv4-prefix* [ipv4-prefix]
               |     +--rw ipv4-prefix   inet:ipv4-prefix
               +--rw nptv6-prefixes* [pool-id]
               |  +--rw pool-id                 uint32
               |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
               |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
               +--rw supported-transport-protocols* [transport-protocol-id]
               |  +--rw transport-protocol-id      uint8
               |  +--rw transport-protocol-name?   string
               +--rw subscriber-mask-v6?             uint8
               +--rw subscriber-match* [sub-match-id]
               |  +--rw sub-match-id   uint32
               |  +--rw sub-mask       inet:ip-prefix
               +--rw nat-pass-through* [nat-pass-through-id]
               |  +--rw nat-pass-through-id      uint32
               |  +--rw nat-pass-through-pref?   inet:ip-prefix
               |  +--rw nat-pass-through-port?   inet:port-number
               +--rw paired-address-pooling?         boolean
               +--rw nat-mapping-type?               enumeration
               +--rw nat-filtering-type?             enumeration
               +--rw port-quota* [quota-type]
               |  +--rw port-limit?   uint16
               |  +--rw quota-type    enumeration
               +--rw port-allocation-type?           enumeration
               +--rw address-roundrobin-enable?      boolean
               +--rw port-set
               |  +--rw port-set-size?      uint16
               |  +--rw port-set-timeout?   uint32
               +--rw udp-timeout?                    uint32
               +--rw tcp-idle-timeout?               uint32
               +--rw tcp-trans-open-timeout?         uint32
               +--rw tcp-trans-close-timeout?        uint32
               +--rw tcp-in-syn-timeout?             uint32
               +--rw fragment-min-timeout?           uint32
               +--rw icmp-timeout?                   uint32
               +--rw per-port-timeout* [port-number]
               |  +--rw port-number    inet:port-number
               |  +--rw port-timeout   uint32
               +--rw hold-down-timeout?              uint32
               +--rw hold-down-max?                  uint32
               +--rw mapping-limit
               |  +--rw limit-per-subscriber?   uint32
               |  +--rw limit-per-vrf?          uint32
               |  +--rw limit-per-subnet?       inet:ip-prefix
               |  +--rw limit-per-instance      uint32
               |  +--rw limit-per-udp           uint32
               |  +--rw limit-per-tcp           uint32
               |  +--rw limit-per-icmp          uint32
               +--rw connection-limit
               |  +--rw limit-per-subscriber?   uint32
               |  +--rw limit-per-vrf?          uint32
               |  +--rw limit-per-subnet?       inet:ip-prefix
               |  +--rw limit-per-instance      uint32
               |  +--rw limit-per-udp           uint32
               |  +--rw limit-per-tcp           uint32
               |  +--rw limit-per-icmp          uint32
               +--rw algs* [alg-name]
               |  +--rw alg-name                  string
               |  +--rw alg-transport-protocol?   uint32
               |  +--rw alg-transport-port?       inet:port-number
               |  +--rw alg-status?               boolean
               +--rw all-algs-enable?                boolean
               +--rw logging-info
               |  +--rw logging-enable?       boolean
               |  +--rw destination-address   inet:ip-prefix
               |  +--rw destination-port      inet:port-number
               |  +--rw (protocol)?
               |     +--:(syslog)
               |     |  +--rw syslog?   boolean
               |     +--:(ipfix)
               |     |  +--rw ipfix?    boolean
               |     +--:(ftp)
               |        +--rw ftp?      boolean
               +--rw notify-pool-usage
               |  +--rw pool-id?                     uint32
               |  +--rw notify-pool-hi-threshold     percent
               |  +--rw notify-pool-low-threshold?   percent
               +--rw mapping-table
               |  +--rw mapping-entry* [index]
               |     +--rw index                   uint32
               |     +--rw type?                   enumeration
               |     +--rw transport-protocol      uint8
               |     +--rw internal-src-address    inet:ip-prefix
               |     +--rw internal-src-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw external-src-address    inet:ip-prefix
               |     +--rw external-src-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw internal-dst-address?   inet:ip-prefix
               |     +--rw internal-dst-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw external-dst-address?   inet:ip-prefix
               |     +--rw external-dst-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw lifetime?               uint32
               +--ro statistics
                  +--ro traffic-statistics
                  |  +--ro sent-packet?      yang:zero-based-counter64
                  |  +--ro sent-byte?        yang:zero-based-counter64
                  |  +--ro rcvd-packet?      yang:zero-based-counter64
                  |  +--ro rcvd-byte?        yang:zero-based-counter64
                  |  +--ro dropped-packet?   yang:zero-based-counter64
                  |  +--ro dropped-byte?     yang:zero-based-counter64
                  +--ro mapping-statistics
                  |  +--ro total-mappings?        uint32
                  |  +--ro total-tcp-mappings?    uint32
                  |  +--ro total-udp-mappings?    uint32
                  |  +--ro total-icmp-mappings?   uint32
                  +--ro pool-stats
                     +--ro pool-id?             uint32
                     +--ro address-allocated?   uint32
                     +--ro address-free?        uint32
                     +--ro port-stats
                        +--ro ports-allocated?   uint32
                        +--ro ports-free?        uint32

   notifications:
      +---n nat-event
         +--ro id?                     -> /nat-module/nat-instances/nat-instance/id
         +--ro notify-pool-threshold   percent

3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2017-08-03.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }

     organization "IETF OPSAWG Working Group";

     contact
       "Mohamed Boucadair
        Senthil Sivakumar
        Christian Jacquenet
        Suresh Vinapamula
        Qin Wu ";

     description
       "This module is a YANG module for NAT implementations
        (including NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-08-03 {
       description "Integrates comments from OPSAWG CFA.";
       reference "-08";
     }

     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-07";
     }

     revision 2015-09-08 {
       description "Fixes few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";
       reference
         "RFC 3022.";
     }

     identity basic-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022.";
     }

     identity napt {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022.";
     }

     identity restricted-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Port-Restricted NAT support.";
       reference
         "RFC 7596.";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146.";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296.";
     }

     /*
      * Grouping
      */

     // Timers

     grouping timeouts {
       description
         "Configure values of various timeouts.";

       leaf udp-timeout {
         type uint32;
         units "seconds";
         default 300;
         description
           "UDP inactivity timeout.  That is the time a mapping
            will stay active without packets traversing the NAT.";
         reference
           "RFC 4787.";
       }

       leaf tcp-idle-timeout {
         type uint32;
         units "seconds";
         default 7440;
         description
           "TCP Idle timeout should be
            2 hours and 4 minutes.";
         reference
           "RFC 5382.";
       }

       leaf tcp-trans-open-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory open connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.
            To accommodate deployments that consider
            a partially open timeout of 4 minutes as being
            excessive from a security standpoint, a NAT may
            allow the configured timeout to be less than
            4 minutes.
            However, a minimum default transitory connection
            idle-timeout of 4 minutes is recommended.";
         reference
           "RFC 7857.";
       }

       leaf tcp-trans-close-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory close connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.";
         reference
           "RFC 7857.";
       }

       leaf tcp-in-syn-timeout {
         type uint32;
         units "seconds";
         default 6;
         description
           "A NAT must not respond to an unsolicited
            inbound SYN packet for at least 6 seconds
            after the packet is received.  If during
            this interval the NAT receives and translates
            an outbound SYN for the connection the NAT
            must silently drop the original unsolicited
            inbound SYN packet.";
         reference
           "RFC 5382.";
       }

       leaf fragment-min-timeout {
         type uint32;
         units "seconds";
         default 2;
         description
           "As long as the NAT has available resources,
            the NAT allows the fragments to arrive
            over fragment-min-timeout interval.
            The default value is inspired from RFC6146.";
       }

       leaf icmp-timeout {
         type uint32;
         units "seconds";
         default 60;
         description
           "An ICMP Query session timer must not expire
            in less than 60 seconds.
            It is recommended
            that the ICMP Query session timer be made
            configurable";
         reference
           "RFC 5508.";
       }

       list per-port-timeout {
         key port-number;
         description
           "Some NATs are configurable with short timeouts
            for some ports, e.g., as 10 seconds on
            port 53 (DNS) and NTP (123) and longer timeouts
            on other ports.";

         leaf port-number {
           type inet:port-number;
           description
             "A port number.";
         }

         leaf port-timeout {
           // A timeout is a duration, not a port number; typed and
           // unit-tagged like the other timeout leaves of this grouping.
           type uint32;
           units "seconds";
           mandatory true;
           description
             "Timeout for this port";
         }
       }

       leaf hold-down-timeout {
         type uint32;
         units "seconds";
         default 120;
         description
           "Hold down timer.  Ports in the
            hold down pool are not reassigned until
            this timer expires.
            The length of time and the maximum
            number of ports in this state must be
            configurable by the administrator
            [RFC6888].  This is necessary in order
            to prevent collisions between old
            and new mappings and sessions.  It ensures
            that all established sessions are broken
            instead of redirected to a different peer.";
         reference
           "REQ#8 of RFC 6888.";
       }

       leaf hold-down-max {
         type uint32;
         description
           "Maximum ports in the Hold down timer pool.
            Ports in the hold down pool are not reassigned
            until hold-down-timeout expires.
            The length of time and the maximum
            number of ports in this state must be
            configurable by the administrator
            [RFC6888].  This is necessary in order
            to prevent collisions between old
            and new mappings and sessions.  It ensures
            that all established sessions are broken
            instead of redirected to a different peer.";
         reference
           "REQ#8 of RFC 6888.";
       }
     }

     // Set of ports

     grouping port-set {
       description
         "Indicates a set of ports.
      It may be a simple port range, or use the PSID algorithm
      to represent a range of transport layer
      ports which will be used by a NAPT.";

    choice port-type {
      default port-range;
      description
        "Port type: port-range or port-set-algo.";

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port range.";

          reference
            "Section 3.2.9 of RFC 8045.";
        }

        leaf end-port-number {

          type inet:port-number;
          description
            "End of the port range.";

          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }

      case port-set-algo {

        leaf psid-offset {
          type uint8 {
            range 0..16;
          }
          description
            "The number of offset bits. In Lightweight 4over6,
            the default value is 0 for assigning one contiguous
            port range. In MAP-E/T, the default value is 6,
            which excludes system ports by default and assigns
            port ranges distributed across the entire port space.";
        }

        leaf psid-len {
          type uint8 {
            range 0..15;
          }
          mandatory true;
          description
            "The length of PSID, representing the sharing ratio for an
            IPv4 address.";
        }

        leaf psid {
          type uint16;
          mandatory true;
          description
            "Port Set Identifier (PSID) value, which identifies a set
            of ports algorithmically.";
        }
      }

    }
  }

  // port numbers: single or port-range

  grouping port-number {
    description
      "Individual port or a range of ports.";

    choice port-type {
      default single-port-number;
      description
        "Port type: single or port-range.";

      case single-port-number {
        leaf single-port-number {
          type inet:port-number;
          description
            "Used for single port numbers.";
        }
      }

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port range.";

          reference
            "Section 3.2.9 of RFC 8045.";
        }

        leaf end-port-number {
          type
          inet:port-number;
          description
            "End of the port range.";

          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }
    }
  }

  // Mapping Entry

  grouping mapping-entry {
    description
      "NAT mapping entry.";

    leaf index {
      type uint32;
      description
        "A unique identifier of a mapping entry.";
    }

    leaf type {
      type enumeration {
        enum "static" {
          description
            "The mapping entry is manually configured.";
        }

        enum "dynamic-explicit" {
          description
            "This mapping is created by an explicit
            dynamic message.";
        }

        enum "dynamic-implicit" {
          description
            "This mapping is created implicitly by an
            outgoing packet.";
        }
      }
      description
        "Indicates the type of a mapping entry. E.g.,
        a mapping can be: static, implicit dynamic or explicit dynamic.";
    }

    leaf transport-protocol {
      type uint8;
      mandatory true;
      description
        "Upper-layer protocol associated with this mapping.
        Values are taken from the IANA protocol registry.
        For example, this field contains 6 (TCP) for a TCP
        mapping or 17 (UDP) for a UDP mapping.";
    }

    leaf internal-src-address {
      type inet:ip-prefix;
      mandatory true;
      description
        "Corresponds to the source IPv4/IPv6 address/prefix
        of the packet received on an internal
        interface.";
    }

    container internal-src-port {

      description
        "Corresponds to the source port of the
        packet received on an internal interface.
        It is used also to carry the internal
        source ICMP identifier.";

      uses port-number;

    }

    leaf external-src-address {
      type inet:ip-prefix;
      mandatory true;
      description
        "Source IP address/prefix of the packet sent
        on an external interface of the NAT.";
    }

    container external-src-port {

      description
        "Source port of the packet sent
        on an external interface of the NAT.
        It is used also to carry the external
        source ICMP identifier.";

      uses port-number;
    }

    leaf internal-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
        of the packet received on an internal interface of the NAT.
        For example, some NAT implementations support the translation of
        both source and destination addresses and ports,
        sometimes referred to as 'Twice NAT'.";
    }
    container internal-dst-port {

      description
        "Corresponds to the destination port of the
        IP packet received on the internal interface.

        It is used also to carry the internal
        destination ICMP identifier.";

      uses port-number;
    }

    leaf external-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
        of the packet sent on an external interface of the NAT.";
    }

    container external-dst-port {

      description
        "Corresponds to the destination port number of
        the packet sent on the external interface of the NAT.
        It is used also to carry the external
        destination ICMP identifier.";

      uses port-number;
    }

    leaf lifetime {
      type uint32;
      //mandatory true;

      description
        "When specified, it tracks the connection that is
        fully-formed (e.g., once the 3WHS TCP is completed)
        or the duration for maintaining an explicit mapping
        alive. Static mappings may not be associated with a
        lifetime. If no lifetime is associated with a
        static mapping, an explicit action is required to
        remove that mapping.";
    }
  }

  grouping nat-parameters {
    description
      "NAT parameters for a given instance";
    list external-ip-address-pool {
      key pool-id;

      description
        "Pool of external IP addresses used to service
        internal hosts.
        Both contiguous and non-contiguous pools
        can be configured for NAT purposes.";

      leaf pool-id {
        type uint32;
        description
          "An identifier of the address pool.";
      }

      leaf external-ip-pool {
        type inet:ipv4-prefix;
        description
          "An IPv4 prefix used for NAT purposes.";
      }
    }

    container port-set-restrict {

      when "../nat-capabilities/restricted-port-support = 'true' ";

      description
        "Configures contiguous and non-contiguous port ranges";

      uses port-set;
    }

    leaf dst-nat-enable {
      type boolean;
      default false;

      description
        "Enable/Disable destination NAT.
        A NAT44 may be configured to enable Destination NAT, too.";
    }

    list dst-ip-address-pool {
      //if-feature dst-nat;
      when "../nat-capabilities/nat-flavor = 'dst-nat' ";

      key pool-id;
      description
        "Pool of IP addresses used for destination NAT.";

      leaf pool-id {
        type uint32;
        description
          "An identifier of the address pool.";
      }

      leaf dst-in-ip-pool {
        type inet:ip-prefix;
        description
          "Internal IP prefix/address";
      }

      leaf dst-out-ip-pool {
        type inet:ip-prefix;
        description
          "IP address/prefix used for destination NAT.";
      }
    }

    list nat64-prefixes {

      //if-feature nat64;
      when "../nat-capabilities/nat-flavor = 'nat64' ";

      key nat64-prefix;

      description
        "Provides one or a list of NAT64 prefixes
        with or without a list of destination IPv4 prefixes.

        Destination-based Pref64::/n is discussed in
        Section 5.1 of [RFC7050]. For example:
        192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
        198.51.100.0/24 is mapped to 2001:db8:122::/48.";

      reference
        "Section 5.1 of RFC7050.";

      leaf nat64-prefix {
        type inet:ipv6-prefix;
        //default "64:ff9b::/96";

        description
          "A NAT64 prefix.
          Can be NSP or a Well-Known
          Prefix (WKP).";

        reference
          "RFC 6052.";
      }

      list destination-ipv4-prefix {

        key ipv4-prefix;

        description
          "An IPv4 prefix/address.";

        leaf ipv4-prefix {
          type inet:ipv4-prefix;
          description
            "An IPv4 address/prefix.";
        }
      }
    }

    list nptv6-prefixes {

      //if-feature nptv6;

      when "../nat-capabilities/nat-flavor = 'nptv6' ";

      key pool-id;

      description
        "Provides one or a list of (internal IPv6 prefix,
        external IPv6 prefix) required for NPTv6.

        In its simplest form, NPTv6 interconnects two network
        links, one of which is an 'internal' network link attached
        to a leaf network within a single administrative domain
        and the other of which is an 'external' network with
        connectivity to the global Internet.";

      reference
        "RFC 6296.";

      leaf pool-id {
        type uint32;
        description
          "An identifier of the NPTv6 prefixes.";
      }

      leaf internal-ipv6-prefix {
        type inet:ipv6-prefix;

        description
          "An IPv6 prefix used by an internal interface of
          NPTv6.";

        reference
          "RFC 6296.";
      }

      leaf external-ipv6-prefix {
        type inet:ipv6-prefix;

        description
          "An IPv6 prefix used by the external interface of
          NPTv6.";

        reference
          "RFC 6296.";
      }
    }

    list supported-transport-protocols {

      key transport-protocol-id;

      description
        "Supported transport protocols.
        TCP and UDP are supported by default.";

      leaf transport-protocol-id {
        type uint8;
        mandatory true;
        description
          "Upper-layer protocol associated with this entry.
          Values are taken from the IANA protocol registry.
          For example, this field contains 6 (TCP) for a TCP
          mapping or 17 (UDP) for a UDP mapping.";
      }

      leaf transport-protocol-name {
        type string;
        description
          "For example, TCP, UDP, DCCP, and SCTP.";

      }
    }

    leaf subscriber-mask-v6 {
      type uint8 {
        range "0 .. 128";
      }

      description
        "The subscriber-mask is an integer that indicates
        the length of significant bits to be applied on
        the source IP address (internal side) to
        unambiguously identify a CPE.

        Subscriber-mask is a system-wide configuration
        parameter that is used to enforce generic
        per-subscriber policies (e.g., port-quota).

        The enforcement of these generic policies does not
        require the configuration of every subscriber's
        prefix.

        Example: suppose the 2001:db8:100:100::/56 prefix
        is assigned to a NAT64 serviced CPE. Suppose also
        that 2001:db8:100:100::1 is the IPv6 address used
        by the client that resides in that CPE. When the
        NAT64 receives a packet from this client,
        it applies the subscriber-mask (e.g., 56) on
        the source IPv6 address to compute the associated
        prefix for this client (2001:db8:100:100::/56).
        Then, the NAT64 enforces policies based on that
        prefix (2001:db8:100:100::/56), not on the exact
        source IPv6 address.";
    }

    list subscriber-match {

      key sub-match-id;

      description
        "IP prefix match.";

      leaf sub-match-id {
        type uint32;
        description
          "An identifier of the subscriber mask.";
      }
      leaf sub-mask {
        type inet:ip-prefix;
        mandatory true;
        description
          "The IP address subnets that match
          should be translated.
          E.g., all addresses
          that belong to the 192.0.2.0/24 prefix must
          be processed by the NAT.";
      }

    }

    list nat-pass-through {

      key nat-pass-through-id;

      description
        "IP prefix NAT pass through.";

      leaf nat-pass-through-id {
        type uint32;
        description
          "An identifier of the IP prefix pass through.";
      }

      leaf nat-pass-through-pref {
        type inet:ip-prefix;
        description
          "The IP address subnets that match
          should not be translated. According to REQ#6
          of RFC6888, it must be possible to
          administratively turn off translation
          for specific destination addresses
          and/or ports.";
      }

      leaf nat-pass-through-port {
        type inet:port-number;
        description
          "The port numbers that match
          should not be translated. According to REQ#6
          of RFC6888, it must be possible to
          administratively turn off translation
          for specific destination addresses
          and/or ports.";
      }
    }
    leaf paired-address-pooling {
      type boolean;
      default true;

      description
        "Paired address pooling informs the NAT
        that all the flows from an internal IP
        address must be assigned the same external
        address.";

      reference
        "RFC 4007.";
    }

    leaf nat-mapping-type {
      type enumeration {
        enum "eim" {
          description
            "endpoint-independent-mapping.";

          reference
            "Section 4 of RFC 4787.";
        }

        enum "adm" {
          description
            "address-dependent-mapping.";

          reference
            "Section 4 of RFC 4787.";
        }

        enum "edm" {
          description
            "address-and-port-dependent-mapping.";

          reference
            "Section 4 of RFC 4787.";
        }
      }
      description
        "Indicates the type of a NAT mapping.";
    }

    leaf nat-filtering-type {
      type enumeration {
        enum "eif" {
          description
            "endpoint-independent-filtering.";

          reference
            "Section 5 of RFC 4787.";
        }

        enum "adf" {
          description
            "address-dependent-filtering.";

          reference
            "Section 5 of RFC 4787.";
        }

        enum "edf" {
          description
            "address-and-port-dependent-filtering.";

          reference
            "Section 5 of RFC 4787.";
        }
      }
      description
        "Indicates the type of a NAT filtering.";
    }

    list port-quota {
      when "../nat-capabilities/nat44-flavor = "+
           "'napt' or "+
           "../nat-capabilities/nat-flavor = "+
           "'nat64'";

      key quota-type;

      description
        "Configures a port quota to be assigned per
        subscriber. It corresponds to the maximum
        number of ports to be used by a subscriber.";

      leaf port-limit {

        type uint16;

        description
          "Configures a port quota to be assigned per
          subscriber. It corresponds to the maximum
          number of ports to be used by a subscriber.";

        reference
          "REQ-4 of RFC 6888.";
      }

      leaf quota-type {
        type enumeration {
          enum "all" {

            description
              "The limit applies to all protocols.";

            reference
              "REQ-4 of RFC 6888.";
          }

          enum "tcp" {
            description
              "TCP quota.";

            reference
              "REQ-4 of RFC 6888.";
          }

          enum "udp" {
            description
              "UDP quota.";

            reference
              "REQ-4 of RFC 6888.";
          }

          enum "icmp" {
            description
              "ICMP quota.";

            reference
              "REQ-4 of RFC 6888.";
          }
        }
        description
          "Indicates whether the port quota applies to
          all protocols or to a specific transport.";
      }
    }
    leaf port-allocation-type {
      type enumeration {
        enum "random" {
          description
            "Port randomization is enabled.";
        }

        enum "port-preservation" {
          description
            "Indicates whether the NAT should
            preserve the internal port number.";
        }

        enum "port-parity-preservation" {
          description
            "Indicates whether the NAT should
            preserve the port parity of the
            internal port number.";
        }

        enum
"port-range-allocation" { 1630 description 1631 "Indicates whether the NAT assigns a range 1632 of ports for an internal host."; 1633 } 1635 } 1636 description 1637 "Indicates the type of a port allocation."; 1638 } 1640 leaf address-roundrobin-enable { 1641 type boolean; 1643 description 1644 "Enable/disable address allocation 1645 round robin."; 1646 } 1648 container port-set { 1649 when "../port-allocation-type = 'port-range-allocation'"; 1651 description 1652 "Manages port-set assignments."; 1654 leaf port-set-size { 1655 type uint16; 1656 description 1657 "Indicates the size of assigned port 1658 sets."; 1659 } 1661 leaf port-set-timeout { 1662 type uint32; 1663 description 1664 "Inactivty timeout for port sets."; 1665 } 1666 } 1668 uses timeouts; 1670 container mapping-limit { 1672 description 1673 "Information about the configuration parameters that 1674 limits the mappings based upon various criteria."; 1676 leaf limit-per-subscriber { 1677 type uint32; 1679 description 1680 "Maximum number of NAT mappings per 1681 subscriber."; 1682 } 1684 leaf limit-per-vrf { 1685 type uint32; 1687 description 1688 "Maximum number of NAT mappings per 1689 VLAN/VRF."; 1690 } 1692 leaf limit-per-subnet { 1693 type inet:ip-prefix; 1695 description 1696 "Maximum number of NAT mappings per 1697 subnet."; 1698 } 1700 leaf limit-per-instance { 1701 type uint32; 1702 mandatory true; 1703 description 1704 "Maximum number of NAT mappings per 1705 instance."; 1706 } 1708 leaf limit-per-udp { 1709 type uint32; 1710 mandatory true; 1712 description 1713 "Maximum number of UDP NAT mappings per 1714 subscriber."; 1715 } 1717 leaf limit-per-tcp { 1718 type uint32; 1719 mandatory true; 1721 description 1722 "Maximum number of TCP NAT mappings per 1723 subscriber."; 1725 } 1727 leaf limit-per-icmp { 1728 type uint32; 1729 mandatory true; 1731 description 1732 "Maximum number of ICMP NAT mappings per 1733 subscriber."; 1734 } 1735 } 1737 container connection-limit { 1739 description 1740 
"Information about the configuration parameters that 1741 rate limit the translation based upon various 1742 criteria."; 1744 leaf limit-per-subscriber { 1745 type uint32; 1747 description 1748 "Rate-limit the number of new mappings and sessions 1749 per subscriber."; 1751 } 1753 leaf limit-per-vrf { 1754 type uint32; 1756 description 1757 "Rate-limit the number of new mappings and sessions 1758 per VLAN/VRF."; 1759 } 1761 leaf limit-per-subnet { 1762 type inet:ip-prefix; 1764 description 1765 "Rate-limit the number of new mappings and sessions 1766 per subnet."; 1767 } 1769 leaf limit-per-instance { 1770 type uint32; 1771 mandatory true; 1773 description 1774 "Rate-limit the number of new mappings and sessions 1775 per instance."; 1776 } 1778 leaf limit-per-udp { 1779 type uint32; 1780 mandatory true; 1782 description 1783 "Rate-limit the number of new UDP mappings and sessions 1784 per subscriber."; 1785 } 1787 leaf limit-per-tcp { 1788 type uint32; 1789 mandatory true; 1791 description 1792 "Rate-limit the number of new TCP mappings and sessions 1793 per subscriber."; 1795 } 1797 leaf limit-per-icmp { 1798 type uint32; 1799 mandatory true; 1801 description 1802 "Rate-limit the number of new ICMP mappings and sessions 1803 per subscriber."; 1804 } 1805 } 1807 list algs { 1809 key alg-name; 1811 description 1812 "ALG-related features."; 1814 leaf alg-name { 1815 type string; 1817 description 1818 "The name of the ALG"; 1819 } 1821 leaf alg-transport-protocol { 1822 type uint32; 1824 description 1825 "The transport protocol used by the ALG."; 1826 } 1828 leaf alg-transport-port { 1829 type inet:port-number; 1831 description 1832 "The port number used by the ALG."; 1833 } 1835 leaf alg-status { 1836 type boolean; 1838 description 1839 "Enable/disable the ALG."; 1840 } 1841 } 1843 leaf all-algs-enable { 1844 type boolean; 1845 description 1846 "Enable/disable all ALGs."; 1847 } 1849 container logging-info { 1850 description 1851 "Information about logging NAT 
events"; 1853 leaf logging-enable { 1854 type boolean; 1856 description 1857 "Enable logging features as per Section 2.3 1858 of [RFC6908]."; 1859 } 1861 leaf destination-address { 1862 type inet:ip-prefix; 1863 mandatory true; 1865 description 1866 "Address of the collector that receives 1867 the logs"; 1868 } 1870 leaf destination-port { 1871 type inet:port-number; 1872 mandatory true; 1874 description 1875 "Destination port of the collector."; 1876 } 1878 choice protocol { 1880 description 1881 "Enable the protocol to be used for 1882 the retrieval of logging entries."; 1884 case syslog { 1885 leaf syslog { 1886 type boolean; 1888 description 1889 "If SYSLOG is in use."; 1890 } 1891 } 1893 case ipfix { 1894 leaf ipfix { 1895 type boolean; 1897 description 1898 "If IPFIX is in use."; 1899 } 1900 } 1902 case ftp { 1903 leaf ftp { 1904 type boolean; 1906 description 1907 "If FTP is in use."; 1908 } 1909 } 1910 } 1911 } 1913 container notify-pool-usage { 1914 description 1915 "Notification of pool usage when certain criteria 1916 are met."; 1918 leaf pool-id { 1919 type uint32; 1921 description 1922 "Pool-ID for which the notification 1923 criteria is defined"; 1924 } 1926 leaf notify-pool-hi-threshold { 1927 type percent; 1928 mandatory true; 1930 description 1931 "Notification must be generated when the 1932 defined high threshold is reached. 1933 For example, if a notification is 1934 required when the pool utilization reaches 1935 90%, this configuration parameter must 1936 be set to 90%."; 1937 } 1939 leaf notify-pool-low-threshold { 1940 type percent; 1941 description 1942 "Notification must be generated when the defined 1943 low threshold is reached. 
          For example, if a notification is required when
          the pool utilization reaches below 10%,
          this configuration parameter must be set to
          10%.";
      }
    }

  } //nat-parameters group

  container nat-module {
    description
      "NAT";

    container nat-instances {
      description
        "NAT instances";

      list nat-instance {

        key "id";

        description
          "A NAT instance.";

        leaf id {
          type uint32;

          description
            "NAT instance identifier.";

          reference
            "RFC 7659.";
        }

        leaf name {
          type string;

          description
            "A name associated with the NAT instance.";
        }

        leaf enable {
          type boolean;

          description
            "Status of the NAT instance.";
        }

        container nat-capabilities {
          config false;

          description
            "NAT capabilities";

          leaf-list nat-flavor {
            type identityref {
              base nat-type;
            }
            description
              "Type of NAT.";
          }

          leaf-list nat44-flavor {

            when "../nat-flavor = 'nat44'";

            type identityref {
              base nat44;
            }
            description
              "Type of NAT44: Basic NAT or NAPT.";
          }

          leaf restricted-port-support {
            type boolean;

            description
              "Indicates source port NAT restriction
              support.";
          }

          leaf static-mapping-support {
            type boolean;

            description
              "Indicates whether static mappings are
              supported.";
          }

          leaf port-randomization-support {
            type boolean;
            description
              "Indicates whether port randomization is
              supported.";
          }

          leaf port-range-allocation-support {
            type boolean;

            description
              "Indicates whether port range
              allocation is supported.";
          }

          leaf port-preservation-suport {
            type boolean;

            description
              "Indicates whether port preservation
              is supported.";
          }

          leaf port-parity-preservation-support {
            type boolean;

            description
              "Indicates whether port parity
              preservation
is supported."; 2062 } 2064 leaf address-roundrobin-support { 2065 type boolean; 2067 description 2068 "Indicates whether address allocation 2069 round robin is supported."; 2070 } 2072 leaf paired-address-pooling-support { 2073 type boolean; 2075 description 2076 "Indicates whether paired-address-pooling is 2077 supported"; 2078 } 2080 leaf endpoint-independent-mapping-support { 2081 type boolean; 2082 description 2083 "Indicates whether endpoint-independent-mapping 2084 in Section 4 of RFC 4787 is supported."; 2085 } 2087 leaf address-dependent-mapping-support { 2088 type boolean; 2090 description 2091 "Indicates whether address-dependent-mapping 2092 is supported."; 2093 } 2095 leaf address-and-port-dependent-mapping-support { 2096 type boolean; 2098 description 2099 "Indicates whether address-and-port-dependent-mapping 2100 is supported."; 2101 } 2103 leaf endpoint-independent-filtering-support { 2104 type boolean; 2106 description 2107 "Indicates whether endpoint-independent-filtering 2108 is supported."; 2109 } 2111 leaf address-dependent-filtering { 2112 type boolean; 2114 description 2115 "Indicates whether address-dependent-filtering 2116 is supported."; 2117 } 2119 leaf address-and-port-dependent-filtering { 2120 type boolean; 2122 description 2123 "Indicates whether address-and-port-dependent 2124 is supported."; 2125 } 2126 } 2128 uses nat-parameters; 2129 container mapping-table { 2131 when "../nat-capabilities/nat-flavor = "+ 2132 "'nat44' or "+ 2133 "../nat-capabilities/nat-flavor = "+ 2134 "'nat64'or "+ 2135 "../nat-capabilities/nat-flavor = 'dst-nat'"; 2137 description 2138 "NAT mapping table used to track 2139 sessions. Only applicable if NAT44, 2140 Destination NAT, or nat64 is supported."; 2142 list mapping-entry { 2143 key "index"; 2145 description 2146 "NAT mapping entry."; 2148 uses mapping-entry; 2149 } 2150 } 2152 container statistics { 2154 config false; 2156 description 2157 "Statistics related to the NAT instance. 
            Only applicable if nat44, dst-nat or nat64 is
            supported.";

          container traffic-statistics {
            description
              "Generic traffic statistics.";

            leaf sent-packet {
              type yang:zero-based-counter64;

              description
                "Number of packets sent.";
            }

            leaf sent-byte {
              type yang:zero-based-counter64;

              description
                "Counter for sent traffic in bytes.";
            }

            leaf rcvd-packet {
              type yang:zero-based-counter64;

              description
                "Number of received packets.";
            }

            leaf rcvd-byte {
              type yang:zero-based-counter64;

              description
                "Counter for received traffic
                in bytes.";
            }

            leaf dropped-packet {
              type yang:zero-based-counter64;

              description
                "Number of dropped packets.";
            }

            leaf dropped-byte {
              type yang:zero-based-counter64;

              description
                "Counter for dropped traffic in
                bytes.";
            }
          }

          container mapping-statistics {

            when "../../nat-capabilities/nat-flavor = "+
                 "'nat44' or "+
                 "../../nat-capabilities/nat-flavor = "+
                 "'nat64' or "+
                 "../../nat-capabilities/nat-flavor = 'dst-nat'";

            description
              "Mapping statistics.";

            leaf total-mappings {
              type uint32;
              description
                "Total number of NAT mappings present
                at a given time.
                This variable includes
                all the static and dynamic mappings.";
            }

            leaf total-tcp-mappings {
              type uint32;
              description
                "Total number of TCP mappings present
                at a given time.";
            }

            leaf total-udp-mappings {
              type uint32;
              description
                "Total number of UDP mappings present
                at a given time.";
            }

            leaf total-icmp-mappings {
              type uint32;
              description
                "Total number of ICMP mappings present
                at a given time.";
            }

          }

          container pool-stats {

            when "../../nat-capabilities/nat-flavor = "+
                 "'nat44' or "+
                 "../../nat-capabilities/nat-flavor = "+
                 "'nat64'";

            description
              "Statistics related to address/prefix
              pool usage";

            leaf pool-id {
              type uint32;
              description
                "Unique Identifier that represents
                a pool of addresses/prefixes.";
            }
            leaf address-allocated {
              type uint32;
              description
                "Number of allocated addresses in
                the pool";
            }

            leaf address-free {
              type uint32;
              description
                "Number of unallocated addresses in
                the pool at a given time. The sum of
                unallocated and allocated
                addresses is the total number of
                addresses of the pool.";
            }

            container port-stats {

              description
                "Statistics related to port
                usage.";

              leaf ports-allocated {
                type uint32;
                description
                  "Number of allocated ports
                  in the pool.";
              }

              leaf ports-free {
                type uint32;
                description
                  "Number of unallocated ports
                  in the pool.";
              }
            }
          }
        } //statistics
      }
    }
  }

  /*
   * Notifications
   */

  notification nat-event {
    description
      "Notifications must be generated when the defined
      high/low threshold is reached.
      Related
      configuration parameters must be provided to
      trigger the notifications.";

    leaf id {
      type leafref {
        path
          "/nat-module/nat-instances/"
          + "nat-instance/id";
      }
      description
        "NAT instance ID.";
    }

    leaf notify-pool-threshold {
      type percent;
      mandatory true;
      description
        "A threshold has been fired.";
    }
  }
}

4.  Security Considerations

The YANG module defined in this memo is designed to be accessed via the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the secure transport layer, and the support of SSH is mandatory to implement secure transport [RFC6242]. The NETCONF access control model [RFC6536] provides means to restrict access by some users to a pre-configured subset of all available NETCONF protocol operations and data.

All data nodes defined in the YANG module that can be created, modified, and deleted (i.e., config true, which is the default) are considered sensitive. Write operations (e.g., edit-config) applied to these data nodes without proper protection can negatively affect network operations.

5.  IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-nat
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC6020].

   name: ietf-nat
   namespace: urn:ietf:params:xml:ns:yang:ietf-nat
   prefix: nat
   reference: RFC XXXX

6.  Acknowledgements

Many thanks to Dan Wing and Tianran Zhou for the review.

Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA.

7.  References

7.1.
Normative References

[RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004.

[RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007.

[RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008.

[RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT Behavioral Requirements for ICMP", BCP 148, RFC 5508, DOI 10.17487/RFC5508, April 2009.

[RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, October 2010.

[RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011.

[RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

[RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

[RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, DOI 10.17487/RFC6536, March 2012.

[RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013.

[RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, S., and K.
Naito, "Updates to Network Address Translation (NAT) Behavioral Requirements", BCP 127, RFC 7857, DOI 10.17487/RFC7857, April 2016.

7.2.  Informative References

[I-D.boucadair-pcp-yang]  Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Vinapamula, "YANG Data Models for the Port Control Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in progress), May 2017.

[I-D.ietf-behave-ipfix-nat-logging]  Sivakumar, S. and R. Penno, "IPFIX Information Elements for logging NAT Events", draft-ietf-behave-ipfix-nat-logging-13 (work in progress), January 2017.

[I-D.ietf-softwire-dslite-yang]  Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Models for the DS-Lite", draft-ietf-softwire-dslite-yang-05 (work in progress), August 2017.

[I-D.ietf-tsvwg-natsupp]  Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Transmission Protocol (SCTP) Network Address Translation Support", draft-ietf-tsvwg-natsupp-11 (work in progress), July 2017.

[RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999.

[RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001.

[RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol", BCP 150, RFC 5597, DOI 10.17487/RFC5597, September 2009.

[RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, DOI 10.17487/RFC6052, October 2010.

[RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

[RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S.
Sheppard, 2491 "Logging Recommendations for Internet-Facing Servers", 2492 BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011, 2493 . 2495 [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, 2496 "Diameter Network Address and Port Translation Control 2497 Application", RFC 6736, DOI 10.17487/RFC6736, October 2498 2012, . 2500 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2501 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2502 DOI 10.17487/RFC6887, April 2013, . 2505 [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. 2506 Farrer, "Lightweight 4over6: An Extension to the Dual- 2507 Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, 2508 July 2015, . 2510 [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., 2511 Murakami, T., and T. Taylor, Ed., "Mapping of Address and 2512 Port with Encapsulation (MAP-E)", RFC 7597, 2513 DOI 10.17487/RFC7597, July 2015, . 2516 [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 2517 "Definitions of Managed Objects for Network Address 2518 Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, 2519 October 2015, . 2521 [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., 2522 and S. Perreault, "Port Control Protocol (PCP) Extension 2523 for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, 2524 February 2016, . 2526 [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, 2527 "RADIUS Extensions for IP Port Configuration and 2528 Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, 2529 . 2531 Appendix A. Sample Examples 2533 This section provides a non-exhaustive set of examples to illustrate 2534 the use of the NAT YANG module. 2536 A.1. Traditional NAT44 2538 Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the 2539 same IPv4 address among hosts that are owned by the same subscriber. 2540 This is typically the NAT that is embedded in CPE devices. 
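As an added illustration (not code from this draft or from any NAT implementation), the following Python models the behaviour this section and the CGN example of A.2 describe: a mapping table keyed by (protocol, address, port) on both sides, a shared external address whose rewritten source ports disambiguate connections, a lifetime on every dynamic mapping, and ports handed to each subscriber in fixed-size ranges under a per-subscriber limit. The class and method names, the subscriber labels and the 10.0.0.x internal hosts are constructed for the example; the allocator hands out the lowest free port, so it yields 1024 where the draft's sample entry below shows 15000.

```python
"""Added example (not from the draft): a minimal NAPT44 / CGN mapping table."""
from dataclasses import dataclass
from ipaddress import IPv4Network

UDP, TCP = 17, 6


@dataclass
class Mapping:
    """One mapping entry, carrying the leaves the draft's sample entry shows."""
    index: int
    mapping_type: str        # this model only creates 'dynamic-implicit' entries
    protocol: int
    internal: tuple          # (address as str, port)
    external: tuple
    lifetime: int            # seconds
    created: float           # clock value at creation


class Napt:
    """Shared-address NAPT whose ports are allocated to subscribers in ranges."""

    def __init__(self, external_nets, *, port_limit, range_size, port_floor=1024):
        self.port_limit = port_limit      # ports one subscriber may hold at most
        self.range_size = range_size      # ports per allocated range
        self.port_floor = port_floor      # lowest external port ever handed out
        pool = []
        for net in map(IPv4Network, external_nets):
            hosts = net.hosts() if net.prefixlen < 31 else [net.network_address]
            pool.extend(str(a) for a in hosts)
        # Free (address, first port) ranges, consumed lowest address / lowest port first.
        self.free_ranges = [(a, p) for a in pool
                            for p in range(port_floor, 65536 - range_size + 1, range_size)]
        self.owned = {}          # subscriber -> [(address, first port), ...]
        self.used = {}           # (address, first port) -> set of ports in use
        self.by_internal = {}    # (proto, int addr, int port) -> Mapping
        self.by_external = {}    # (proto, ext addr, ext port) -> Mapping
        self.next_index = 1

    def ranges_per_subscriber(self):
        """A.2: a limit of 1024 ports in ranges of 256 gives at most four ranges."""
        return self.port_limit // self.range_size

    def _allocate(self, subscriber):
        """Lowest free (address, port) in the subscriber's ranges; None once the quota is spent."""
        owned = self.owned.setdefault(subscriber, [])
        for addr, first in owned:
            used = self.used[(addr, first)]
            if len(used) < self.range_size:
                port = next(p for p in range(first, first + self.range_size) if p not in used)
                used.add(port)
                return addr, port
        if len(owned) >= self.ranges_per_subscriber() or not self.free_ranges:
            return None
        addr, first = self.free_ranges.pop(0)
        owned.append((addr, first))
        self.used[(addr, first)] = {first}
        return addr, first

    def outbound(self, proto, src, sport, *, subscriber, lifetime=300, now=0.0):
        """Translate an outbound packet's source, creating a mapping on first use.

        The same internal endpoint always gets the same external endpoint
        (endpoint-independent mapping, RFC 4787).  Returns None when the
        subscriber's port quota is exhausted, so the caller drops the packet.
        """
        m = self.by_internal.get((proto, src, sport))
        if m is None:
            ext = self._allocate(subscriber)
            if ext is None:
                return None
            m = Mapping(self.next_index, "dynamic-implicit", proto, (src, sport), ext, lifetime, now)
            self.next_index += 1
            self.by_internal[(proto, src, sport)] = m
            self.by_external[(proto, *ext)] = m
        return m.external

    def inbound(self, proto, dst, dport):
        """Reverse-translate; None means no mapping exists and the packet is dropped."""
        m = self.by_external.get((proto, dst, dport))
        return None if m is None else m.internal

    def expire(self, now):
        """Remove mappings whose lifetime has elapsed; return how many were removed."""
        dead = [m for m in self.by_internal.values() if m.created + m.lifetime <= now]
        for m in dead:
            del self.by_internal[(m.protocol, *m.internal)]
            del self.by_external[(m.protocol, *m.external)]
            addr, port = m.external
            first = self.port_floor + (port - self.port_floor) // self.range_size * self.range_size
            self.used[(addr, first)].discard(port)   # the range itself stays with the subscriber
        return len(dead)


if __name__ == "__main__":
    # A.1: a CPE NAT with one external address and the whole port space as one range.
    cpe = Napt(["198.51.100.1/32"], port_limit=64512, range_size=64512)
    print(cpe.outbound(UDP, "192.0.2.1", 1568, subscriber="home", lifetime=300))
    # A.2: a CGN with pool 192.0.2.0/24, 1024 ports per subscriber in ranges of 256.
    cgn = Napt(["192.0.2.0/24"], port_limit=1024, range_size=256)
    print(cgn.ranges_per_subscriber())
```

Three properties of the model are the ones an operator relies on: inbound() answers only for an existing mapping, so unsolicited traffic to the shared address is dropped; the per-subscriber quota (the RFC 6888 port limit the A.2 configuration sets to 1024) keeps one subscriber from exhausting the pool for the others; and expire() bounds the state a NAT holds, which is why the mapping lifetime is part of the entry.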
This NAT is usually provided with one single external IPv4 address; disambiguating connections is achieved by rewriting the source port number. The XML snippet to configure the external IPv4 address in such a case, together with a mapping entry, is depicted below:

   (XML snippet; element values only)
   1
   NAT_Subscriber_A
   ....
   1
   192.0.2.1
   ....
   ....
   192.0.2.1
   ....

The following shows the XML excerpt depicting a dynamic UDP mapping entry maintained by a traditional NAT44. In this example, the UDP packet received with source IPv4 address 192.0.2.1 and source port number 1568 is translated into a UDP packet having source IPv4 address 198.51.100.1 and source port 15000. The lifetime of this mapping is 300 seconds.

   (XML snippet; element values only)
   15
   dynamic-explicit
   17
   192.0.2.1
   1568
   198.51.100.1
   15000
   300

A.2. CGN

The following XML snippet shows an example of the capabilities supported by a CGN, as retrieved using NETCONF.

   (XML snippet; element values only)
   nat44
   false
   true
   true
   true
   true
   false
   true
   true
   true
   false
   false
   true
   false
   false

The following XML snippet shows an example of a CGN that is provisioned with one contiguous pool of external IPv4 addresses (192.0.2.0/24). Further, the CGN is instructed to limit the number of allocated ports per subscriber to 1024. Ports can be allocated by the CGN by assigning ranges of 256 ports (that is, a subscriber can be allocated up to four port ranges of 256 ports each).

   (XML snippet; element values only)
   1
   myCGN
   ....
   1
   192.0.2.0/24
   1024
   all
   port-range-allocation
   256
   ....

An administrator may decide to allocate one single port range per subscriber (a port range of 1024 ports), as shown below:

   (XML snippet; element values only)
   1
   myotherCGN
   ....
   1
   192.0.2.0/24
   1024
   all
   port-range-allocation
   1024
   ....
   ....

A.3. CGN Pass-Through

Figure 1 illustrates an example of the CGN pass-through feature.

   X1:x1            X1':x1'           X2:x2
   +---+from X1:x1  +---+from X1:x1    +---+
   | C | to X2:x2   |   | to X2:x2     | S |
   | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
   | i |            | G |              | r |
   | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
   | n |from X2:x2  |   |from X2:x2    | e |
   | t | to X1:x1   |   | to X1:x1     | r |
   +---+            +---+              +---+

                 Figure 1: CGN Pass-Through

For example, in order to disable NAT for communications issued by the client (192.0.2.25), the following configuration parameter must be set:

   (XML snippet; element values only)
   ...
   192.0.2.25
   ...

A.4. NAT64

Let's consider the example of a NAT64 that should use 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. The XML snippet to configure the NAT64 prefix in such a case is depicted below:

   (XML snippet; element values only)
   2001:db8:122:300::/56

Let's now consider the example of a NAT64 that should use 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if the destination address matches 198.51.100.0/24. The XML snippet to configure the NAT64 prefix in such a case is shown below:

   (XML snippet; element values only)
   2001:db8:122::/48
   198.51.100.0/24

A.5. Static Mappings with Port Ranges

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1 with source ports in the 100-500 range to 198.51.100.1:1100-1500.

   (XML snippet; element values only)
   1
   static
   6
   192.0.2.1
   100
   500
   198.51.100.1
   1100
   1500
   ...

A.6. Static Mappings with IP Prefixes

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

   (XML snippet; element values only)
   1
   static
   6
   192.0.2.1/24
   198.51.100.1/24
   ...

A.7. Destination NAT

The following XML snippet shows an example of a destination NAT that is instructed to translate packets having 192.0.2.1 as a destination IP address to 198.51.100.1.

   (XML snippet; element values only)
   1
   192.0.2.1
   198.51.100.1

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows the static mapping to be configured on the NAT:

   (XML snippet; element values only)
   1
   static
   6
   192.0.2.1
   80
   198.51.100.1
   8080

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh traffic) to 198.51.100.2, the following XML snippet shows the static mappings to be configured on the NAT:

   (XML snippet; element values only)
   1
   static
   6
   192.0.2.1
   80
   198.51.100.1
   ...
   2
   static
   6
   192.0.2.1
   22
   198.51.100.2
   ...

The NAT may also be instructed to proceed with both source and destination NAT.
To do so, in addition to the above sample to configure destination NAT, the NAT may be provided, for example, with a pool of external IP addresses (198.51.100.0/24) to use for source address translation. An example of the corresponding XML snippet is provided hereafter:

   (XML snippet; element values only)
   1
   198.51.100.0/24

Instead of providing an external IP address to share, the NAT may be configured with static mapping entries that modify the internal IP address and/or port number.

A.8. NPTv6

Let's consider the example of an NPTv6 translator that should rewrite packets with the source prefix (fd01:203:405:/48) with the external prefix (2001:db8:1:/48).

   External Network: Prefix = 2001:db8:1:/48
   --------------------------------------
                     |
                     |
              +-------------+
              |    NPTv6    |
              |  Translator |
              +-------------+
                     |
                     |
   --------------------------------------
   Internal Network: Prefix = fd01:203:405:/48

            Example of NPTv6 (RFC6296)

The XML snippet to configure NPTv6 prefixes in such a case is depicted below:

   (XML snippet; element values only)
   1
   fd01:203:405:/48
   2001:db8:1:/48

Figure 2 shows an example of an NPTv6 that interconnects two internal networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is translated using a dedicated prefix (2001:db8:1:/48 and 2001:db8:6666:/48, respectively).
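The two IPv6 prefix translations configured in this appendix, NAT64 address synthesis (A.4 above) and NPTv6 (this section, including the two-network case of Figure 2), are pure address arithmetic, so here is an added Python example (not code from the draft) that carries both out on sample addresses: synthesize() and extract() follow RFC 6052 for the A.4 prefixes (2001:db8:122:300::/56, and 2001:db8:122::/48 applied only when the IPv4 destination falls in 198.51.100.0/24), and nptv6_translate() performs the checksum-neutral /48 mapping of RFC 6296 for the A.8 prefix pairs. Function names and the host addresses in the usage section are constructed; the prefixes are written in standard notation (fd01:203:405::/48) rather than the figures' shorthand.

```python
"""Added example (not from the draft): RFC 6052 NAT64 synthesis and RFC 6296 NPTv6."""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

# ---- NAT64: RFC 6052 IPv4-embedded IPv6 addresses --------------------------
# The IPv4 octets are written right after the prefix, skipping octet 8
# (bits 64-71, the "u" octet), which RFC 6052 keeps at zero.
SYNTH_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(nat64_prefix, ipv4, match=None):
    """Embed ipv4 in nat64_prefix; None if `match` (a destination prefix) excludes it."""
    net = IPv6Network(nat64_prefix)
    if net.prefixlen not in SYNTH_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (SYNTH_PREFIX_LENGTHS,))
    v4 = IPv4Address(ipv4)
    if match is not None and v4 not in IPv4Network(match):
        return None
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in v4.packed:
        if pos == 8:
            pos += 1
        out[pos] = octet
        pos += 1
    return str(IPv6Address(bytes(out)))


def extract(nat64_prefix, ipv6):
    """Inverse of synthesize(); None if ipv6 is not inside the NAT64 prefix."""
    net = IPv6Network(nat64_prefix)
    addr = IPv6Address(ipv6)
    if addr not in net:
        return None
    pos, octets = net.prefixlen // 8, []
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(addr.packed[pos])
        pos += 1
    return str(IPv4Address(bytes(octets)))


# ---- NPTv6: RFC 6296 checksum-neutral prefix translation --------------------
def _ones_add(a, b):
    """16-bit one's complement addition."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _words(addr):
    """An IPv6 address as eight 16-bit words."""
    p = IPv6Address(str(addr)).packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(words):
    """One's complement sum of 16-bit words (the quantity a transport checksum covers)."""
    s = 0
    for w in words:
        s = _ones_add(s, w)
    return s


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite the /48 prefix of addr and adjust word 3 (the subnet field) so the
    one's complement sum of the address, hence any checksum over the pseudo-header,
    is unchanged.  The same function serves both directions."""
    src, dst = IPv6Network(from_prefix), IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles the /48 case of RFC 6296")
    if IPv6Address(addr) not in src:
        raise ValueError("%s is not inside %s" % (addr, from_prefix))
    w = _words(addr)
    adjustment = _ones_add(ones_sum(_words(src.network_address)[:3]),
                           ~ones_sum(_words(dst.network_address)[:3]) & 0xFFFF)
    w[:3] = _words(dst.network_address)[:3]
    w[3] = _ones_add(w[3], adjustment)
    if w[3] == 0xFFFF:          # RFC 6296 writes a one's complement zero as 0x0000
        w[3] = 0
    return str(IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


if __name__ == "__main__":
    print(synthesize("2001:db8:122:300::/56", "192.0.2.33"))
    print(synthesize("2001:db8:122::/48", "192.0.2.33", match="198.51.100.0/24"))
    print(nptv6_translate("fd01:203:405:1::1", "fd01:203:405::/48", "2001:db8:1::/48"))
```

The second synthesize() call returns None because 192.0.2.33 is outside the destination prefix the A.4 entry is restricted to; a NAT64 with that configuration would not synthesize for it. The NPTv6 result differs from a plain prefix swap only in the subnet word, which is what keeps TCP and UDP checksums valid without the translator touching the transport header.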
            Internal Prefix = fd01:4444:5555:/48
           --------------------------------------
      V                     |         External Prefix
      V                     |         2001:db8:1:/48
      V               +---------+           ^
      V               |  NPTv6  |           ^
      V               |  Device |           ^
      V               +---------+           ^
   External Prefix          |               ^
   2001:db8:6666:/48        |               ^
           --------------------------------------
            Internal Prefix = fd01:203:405:/48

       Figure 2: Connecting two Peer Networks (RFC6296)

To that aim, the following configuration is provided to the NPTv6:

   (XML snippet; element values only)
   1
   fd01:203:405:/48
   2001:db8:1:/48
   2
   fd01:4444:5555:/48
   2001:db8:6666:/48

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com