Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: February 22, 2018                                 Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                         August 21, 2017


  A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                      draft-ietf-opsawg-nat-yang-01

Abstract

   Network automation, and in particular the need to program the
   Network Address Translation (NAT) function, calls for a data model
   for configuring and managing NAT.  This document defines a YANG data
   model for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 22, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10.  Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10.  NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].
   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].

   Sample examples are provided in Appendix A.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.
   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of traffic such as an outgoing TCP SYN or an outgoing UDP packet.
      A validity lifetime is associated with this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created manually.  This mapping is
      likely to be maintained by the NAT function until an explicit
      action is executed to remove it.

   The usage of the term NAT in this document refers to any NAT flavor
   (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG data model is designed to cover dynamic implicit
   mappings and static explicit mappings.
   The required functionality to instruct dynamic explicit mappings is
   defined in separate documents such as [I-D.boucadair-pcp-yang].
   Considerations about the means used to instruct explicit dynamic
   mappings (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of scope.

   A single NAT device can have multiple NAT instances; each of these
   instances is responsible for serving a group of internal hosts.  This
   document does not make any assumption about how internal hosts are
   associated with a given NAT instance.

   The data model assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   model allows a NAT function to be instructed to log the destination
   port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44
   2.  NAPT
   3.  Destination NAT
   4.  Port-restricted NAT
   5.  NAT64
   6.  EAM SIIT
   7.  CLAT
   8.  NPTv6
   9.  Combination of Basic NAT/NAPT and Destination NAT
   10. Combination of port-restricted and Destination NAT
   11. Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
   Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes that the behaviors specified in [RFC4787],
   [RFC5382], and [RFC5508] are enabled by default.

   Furthermore, the data model relies upon the recommendations detailed
   in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].
   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   This data model assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG data model.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require restricting the port numbers (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignment (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].
   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG model assumes the following
   structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.
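   As an added example (not part of the draft), the following Python
   models the two port-set-restrict schemes of Section 2.7 together with
   the mapping-entry structure of Section 2.8: a toy NAT instance draws
   its external ports from either a simple port range or an RFC 7597
   PSID set and keeps a mapping table indexed in both directions, for
   the NAT64 (TCP) and NAT44 (ICMP) cases this section describes.  The
   PortSet, MappingEntry and NatInstance classes, the /96 NAT64 prefix
   and the external addresses 192.0.2.x are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

TCP, ICMP = 6, 1  # transport-protocol numbers used in the draft's examples


@dataclass(frozen=True)
class PortSet:
    """port-set-restrict (Section 2.7): a simple range or, when psid_len > 0,
    the RFC 7597 PSID algorithm, where a port is A | PSID | M with 'a' offset
    bits, 'k' PSID bits and 16 - a - k free bits (hypothetical class)."""
    start: int = 0
    end: int = 65535
    psid_offset: int = 0  # 'a' in RFC 7597
    psid_len: int = 0     # 'k' in RFC 7597
    psid: int = 0

    def contains(self, port: int) -> bool:
        """True when a port-restricted NAT may assign this external port."""
        if self.psid_len == 0:
            return self.start <= port <= self.end
        a, k = self.psid_offset, self.psid_len
        if a and (port >> (16 - a)) == 0:
            return False  # A == 0 is excluded: keeps the system ports out
        return ((port >> (16 - a - k)) & ((1 << k) - 1)) == self.psid

    def ranges(self) -> Iterator[Tuple[int, int]]:
        """Yield the contiguous (first, last) ranges that make up the set."""
        if self.psid_len == 0:
            yield (self.start, self.end)
            return
        a, m = self.psid_offset, 16 - self.psid_offset - self.psid_len
        for a_bits in range(1 if a else 0, 1 << a):
            first = (a_bits << (16 - a)) | (self.psid << m)
            yield (first, first + (1 << m) - 1)


@dataclass
class MappingEntry:
    """One mapping entry with the fields of Section 2.8."""
    type: str
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int            # port number or ICMP identifier
    external_src_address: str
    external_src_port: int
    internal_dst_address: str
    internal_dst_port: Optional[int]  # None for ICMP
    external_dst_address: str
    external_dst_port: Optional[int]


class NatInstance:
    """Toy stateful NAT44/NAT64 instance owning one mapping table, indexed
    in both directions the way the '<=>' in Section 2.8 implies."""

    def __init__(self, external_address: str, port_set: PortSet,
                 nat64_prefix: Optional[str] = None) -> None:
        self.external_address = external_address
        self.nat64_prefix = ipaddress.ip_network(nat64_prefix) if nat64_prefix else None
        self.by_internal: Dict[tuple, MappingEntry] = {}
        self.by_external: Dict[tuple, MappingEntry] = {}
        # External ports are handed out from the restricted set only.
        self._free = [p for lo, hi in port_set.ranges() for p in range(lo, hi + 1)]

    def _external_dst(self, address: str) -> str:
        """NAT64 embeds the IPv4 destination in the low 32 bits of a /96
        NAT64 prefix (RFC 6052); for NAT44 the address is unchanged."""
        ip = ipaddress.ip_address(address)
        if ip.version == 4:
            return address
        if (self.nat64_prefix is None or self.nat64_prefix.prefixlen != 96
                or ip not in self.nat64_prefix):
            raise ValueError(f"{address} is not covered by the NAT64 prefix")
        return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))

    def outbound(self, proto: int, src: str, src_port: int, dst: str,
                 dst_port: Optional[int] = None) -> MappingEntry:
        """Dynamic implicit mapping for an outbound packet (TCP SYN, ICMP
        request, ...): created on first sight, reused afterwards."""
        key = (proto, src, src_port, dst, dst_port)
        if key in self.by_internal:
            return self.by_internal[key]
        if not self._free:
            raise RuntimeError("port set exhausted")  # resource limit hit
        ext_port = self._free.pop(0)  # 't' / 'ID2' in the draft's examples
        entry = MappingEntry("dynamic implicit", proto, src, src_port,
                             self.external_address, ext_port, dst, dst_port,
                             self._external_dst(dst), dst_port)
        self.by_internal[key] = entry
        self.by_external[(proto, entry.external_dst_address, dst_port, ext_port)] = entry
        return entry

    def inbound(self, proto: int, src: str, src_port: Optional[int],
                dst_port: int) -> Optional[MappingEntry]:
        """Reverse lookup for a packet from the external side; None means no
        mapping exists, so the packet is dropped (address-and-port-dependent
        filtering)."""
        return self.by_external.get((proto, src, src_port, dst_port))
```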
   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows an IPv4 or an IPv6 address to be included as
   the internal IP address.  The remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  Particularly:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the data model
   allows limiting the number of external ports per subscriber (port-
   quota) and the amount of state memory allocated per mapping and per
   subscriber (mapping-limit and connection-limit).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

2.10.  Tree Structure

   The tree structure of the NAT data model is provided below:

   module: ietf-nat
     +--rw nat-module
        +--rw nat-instances
           +--rw nat-instance* [id]
              +--rw id                                    uint32
              +--rw name?                                 string
              +--rw enable?                               boolean
              +--ro nat-capabilities
              |  +--ro nat-flavor*                                  identityref
              |  +--ro nat44-flavor*                                identityref
              |  +--ro restricted-port-support?                     boolean
              |  +--ro static-mapping-support?                      boolean
              |  +--ro port-randomization-support?                  boolean
              |  +--ro port-range-allocation-support?               boolean
              |  +--ro port-preservation-support?                   boolean
              |  +--ro port-parity-preservation-support?            boolean
              |  +--ro address-roundrobin-support?                  boolean
              |  +--ro paired-address-pooling-support?              boolean
              |  +--ro endpoint-independent-mapping-support?        boolean
              |  +--ro address-dependent-mapping-support?           boolean
              |  +--ro address-and-port-dependent-mapping-support?  boolean
              |  +--ro endpoint-independent-filtering-support?      boolean
              |  +--ro address-dependent-filtering?                 boolean
              |  +--ro address-and-port-dependent-filtering?        boolean
              +--rw external-ip-address-pool* [pool-id]
              |  +--rw pool-id             uint32
              |  +--rw external-ip-pool?   inet:ipv4-prefix
              +--rw port-set-restrict
              |  +--rw (port-type)?
              |     +--:(port-range)
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--:(port-set-algo)
              |        +--rw psid-offset?   uint8
              |        +--rw psid-len       uint8
              |        +--rw psid           uint16
              +--rw dst-nat-enable?                       boolean
              +--rw dst-ip-address-pool* [pool-id]
              |  +--rw pool-id            uint32
              |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  +--rw dst-out-ip-pool?   inet:ip-prefix
              +--rw nat64-prefixes* [nat64-prefix]
              |  +--rw nat64-prefix                inet:ipv6-prefix
              |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |     +--rw ipv4-prefix   inet:ipv4-prefix
              +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
              |  +--rw clat-ipv6-prefix   inet:ipv6-prefix
              +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
              |  +--rw clat-ipv4-prefix   inet:ipv4-prefix
              +--rw nptv6-prefixes* [pool-id]
              |  +--rw pool-id                 uint32
              |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
              +--rw supported-transport-protocols* [transport-protocol-id]
              |  +--rw transport-protocol-id      uint8
              |  +--rw transport-protocol-name?   string
              +--rw subscriber-mask-v6?                   uint8
              +--rw subscriber-match* [sub-match-id]
              |  +--rw sub-match-id   uint32
              |  +--rw sub-mask       inet:ip-prefix
              +--rw nat-pass-through* [nat-pass-through-id]
              |  +--rw nat-pass-through-id      uint32
              |  +--rw nat-pass-through-pref?   inet:ip-prefix
              |  +--rw nat-pass-through-port?   inet:port-number
              +--rw paired-address-pooling?               boolean
              +--rw nat-mapping-type?                     enumeration
              +--rw nat-filtering-type?                   enumeration
              +--rw port-quota* [quota-type]
              |  +--rw port-limit?   uint16
              |  +--rw quota-type    enumeration
              +--rw port-allocation-type?                 enumeration
              +--rw address-roundrobin-enable?            boolean
              +--rw port-set
              |  +--rw port-set-size?      uint16
              |  +--rw port-set-timeout?   uint32
              +--rw udp-timeout?                          uint32
              +--rw tcp-idle-timeout?                     uint32
              +--rw tcp-trans-open-timeout?               uint32
              +--rw tcp-trans-close-timeout?              uint32
              +--rw tcp-in-syn-timeout?                   uint32
              +--rw fragment-min-timeout?                 uint32
              +--rw icmp-timeout?                         uint32
              +--rw per-port-timeout* [port-number]
              |  +--rw port-number    inet:port-number
              |  +--rw port-timeout   uint32
              +--rw hold-down-timeout?                    uint32
              +--rw hold-down-max?                        uint32
              +--rw mapping-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw connection-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw algs* [alg-name]
              |  +--rw alg-name                  string
              |  +--rw alg-transport-protocol?   uint32
              |  +--rw alg-transport-port?       inet:port-number
              |  +--rw alg-status?               boolean
              +--rw all-algs-enable?                      boolean
              +--rw logging-info
              |  +--rw logging-enable?       boolean
              |  +--rw destination-address   inet:ip-prefix
              |  +--rw destination-port      inet:port-number
              |  +--rw (protocol)?
              |     +--:(syslog)
              |     |  +--rw syslog?   boolean
              |     +--:(ipfix)
              |     |  +--rw ipfix?    boolean
              |     +--:(ftp)
              |        +--rw ftp?      boolean
              +--rw notify-pool-usage
              |  +--rw pool-id?                     uint32
              |  +--rw notify-pool-hi-threshold     percent
              |  +--rw notify-pool-low-threshold?   percent
              +--rw mapping-table
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro traffic-statistics
                 |  +--ro sent-packet?      yang:zero-based-counter64
                 |  +--ro sent-byte?        yang:zero-based-counter64
                 |  +--ro rcvd-packet?      yang:zero-based-counter64
                 |  +--ro rcvd-byte?        yang:zero-based-counter64
                 |  +--ro dropped-packet?   yang:zero-based-counter64
                 |  +--ro dropped-byte?     yang:zero-based-counter64
                 +--ro mapping-statistics
                 |  +--ro total-mappings?        uint32
                 |  +--ro total-tcp-mappings?    uint32
                 |  +--ro total-udp-mappings?    uint32
                 |  +--ro total-icmp-mappings?   uint32
                 +--ro pool-stats
                    +--ro pool-id?             uint32
                    +--ro address-allocated?   uint32
                    +--ro address-free?        uint32
                    +--ro port-stats
                       +--ro ports-allocated?   uint32
                       +--ro ports-free?        uint32

   notifications:
     +---n nat-event
        +--ro id?                     -> /nat-module/nat-instances/nat-instance/id
        +--ro notify-pool-threshold   percent

3.  NAT YANG Module

   file "ietf-nat@2017-08-03.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }

     organization "IETF OPSAWG Working Group";

     contact
       "Mohamed Boucadair
        Senthil Sivakumar
        Christian Jacquenet
        Suresh Vinapamula
        Qin Wu ";

     description
       "This module is a YANG module for NAT implementations
        (including NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-08-21 {
       description "Includes CLAT (Lee/Jordi).";
       reference "-ietf-01";
     }

     revision 2017-08-03 {
       description "Integrates comments from OPSAWG CFA.";
       reference "-ietf-00";
     }

     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-07";
     }

     revision 2015-09-08 {
       description "Fixes few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";
       reference
         "RFC 3022.";
     }

     identity basic-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022.";
     }

     identity napt {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022.";
     }

     identity restricted-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Port-Restricted NAT support.";
       reference
         "RFC 7596.";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146.";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877.";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757.";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296.";
     }

     /*
      * Grouping
      */

     // Timers

     grouping timeouts {
       description
         "Configure values of various timeouts.";

       leaf udp-timeout {
         type uint32;
         units "seconds";
         default 300;
         description
           "UDP inactivity timeout.  That is the time a mapping
            will stay active without packets traversing the NAT.";
         reference
           "RFC 4787.";
       }

       leaf tcp-idle-timeout {
         type uint32;
         units "seconds";
         default 7440;
         description
           "TCP Idle timeout should be
            2 hours and 4 minutes.";
         reference
           "RFC 5382.";
       }

       leaf tcp-trans-open-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory open connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.
            To accommodate deployments that consider
            a partially open timeout of 4 minutes as being
            excessive from a security standpoint, a NAT may
            allow the configured timeout to be less than
            4 minutes.
            However, a minimum default transitory connection
            idle-timeout of 4 minutes is recommended.";
         reference
           "RFC 7857.";
       }

       leaf tcp-trans-close-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory close connection
            idle-timeout.
859 Section 2.1 of [RFC7857] clarifies that a NAT 860 should provide different configurable 861 parameters for configuring the open and 862 closing idle timeouts."; 864 reference 865 "RFC 7857."; 866 } 868 leaf tcp-in-syn-timeout { 869 type uint32; 870 units "seconds"; 871 default 6; 872 description 873 "A NAT must not respond to an unsolicited 874 inbound SYN packet for at least 6 seconds 875 after the packet is received. If during 876 this interval the NAT receives and translates 877 an outbound SYN for the connection the NAT 878 must silently drop the original unsolicited 879 inbound SYN packet."; 881 reference 882 "RFC 5382."; 883 } 885 leaf fragment-min-timeout { 887 type uint32; 888 units "seconds"; 889 default 2; 890 description 891 "As long as the NAT has available resources, 892 the NAT allows the fragments to arrive 893 over fragment-min-timeout interval. 894 The default value is inspired from RFC6146."; 895 } 897 leaf icmp-timeout { 898 type uint32; 899 units "seconds"; 900 default 60; 901 description 902 "An ICMP Query session timer must not expire 903 in less than 60 seconds. It is recommended 904 that the ICMP Query session timer be made 905 configurable"; 907 reference 908 "RFC 5508."; 910 } 912 list per-port-timeout { 913 key port-number; 915 description 916 "Some NATs are configurable with short timeouts 917 for some ports, e.g., as 10 seconds on 918 port 53 (DNS) and NTP (123) and longer timeouts 919 on other ports."; 921 leaf port-number { 922 type inet:port-number; 923 description 924 "A port number."; 925 } 927 leaf port-timeout { 928 type inet:port-number; 929 mandatory true; 930 description 931 "Timeout for this port"; 932 } 933 } 935 leaf hold-down-timeout { 937 type uint32; 938 units "seconds"; 939 default 120; 940 description 941 "Hold down timer. Ports in the 942 hold down pool are not reassigned until 943 this timer expires. 
944 The length of time and the maximum 945 number of ports in this state must be 946 configurable by the administrator 947 [RFC6888]. This is necessary in order 948 to prevent collisions between old 949 and new mappings and sessions. It ensures 950 that all established sessions are broken 951 instead of redirected to a different peer."; 953 reference 954 "REQ#8 of RFC 6888."; 955 } 957 leaf hold-down-max { 958 type uint32; 960 description 961 "Maximum ports in the Hold down timer pool. 962 Ports in the hold down pool are not reassigned 963 until hold-down-timeout expires. 964 The length of time and the maximum 965 number of ports in this state must be 966 configurable by the administrator 967 [RFC6888]. This is necessary in order 968 to prevent collisions between old 969 and new mappings and sessions. It ensures 970 that all established sessions are broken 971 instead of redirected to a different peer."; 973 reference 974 "REQ#8 of RFC 6888."; 975 } 976 } 978 // Set of ports 980 grouping port-set { 981 description 982 "Indicates a set of ports. 983 It may be a simple port range, or use the PSID algorithm 984 to represent a range of transport layer 985 ports which will be used by a NAPT."; 987 choice port-type { 988 default port-range; 989 description 990 "Port type: port-range or port-set-algo."; 992 case port-range { 993 leaf start-port-number { 994 type inet:port-number; 995 description 996 "Begining of the port range."; 998 reference 999 "Section 3.2.9 of RFC 8045."; 1000 } 1002 leaf end-port-number { 1003 type inet:port-number; 1004 description 1005 "End of the port range."; 1007 reference 1008 "Section 3.2.10 of RFC 8045."; 1009 } 1010 } 1012 case port-set-algo { 1014 leaf psid-offset { 1015 type uint8 { 1016 range 0..16; 1017 } 1018 description 1019 "The number of offset bits. In Lightweight 4over6, 1020 the default value is 0 for assigning one contiguous 1021 port range. 
In MAP-E/T, the default value is 6, 1022 which excludes system ports by default and assigns 1023 port ranges distributed across the entire port space."; 1024 } 1026 leaf psid-len { 1027 type uint8 { 1028 range 0..15; 1029 } 1030 mandatory true; 1031 description 1032 "The length of PSID, representing the sharing ratio for an 1033 IPv4 address."; 1034 } 1036 leaf psid { 1037 type uint16; 1038 mandatory true; 1039 description 1040 "Port Set Identifier (PSID) value, which identifies a set 1041 of ports algorithmically."; 1042 } 1043 } 1045 } 1046 } 1048 // port numbers: single or port-range 1050 grouping port-number { 1051 description 1052 "Individual port or a range of ports."; 1054 choice port-type { 1055 default single-port-number; 1056 description 1057 "Port type: single or port-range."; 1059 case single-port-number { 1060 leaf single-port-number { 1061 type inet:port-number; 1062 description 1063 "Used for single port numbers."; 1064 } 1065 } 1067 case port-range { 1068 leaf start-port-number { 1069 type inet:port-number; 1070 description 1071 "Begining of the port range."; 1073 reference 1074 "Section 3.2.9 of RFC 8045."; 1075 } 1077 leaf end-port-number { 1078 type inet:port-number; 1079 description 1080 "End of the port range."; 1082 reference 1083 "Section 3.2.10 of RFC 8045."; 1084 } 1085 } 1086 } 1087 } 1089 // Mapping Entry 1091 grouping mapping-entry { 1092 description 1093 "NAT mapping entry."; 1095 leaf index { 1096 type uint32; 1097 description 1098 "A unique identifier of a mapping entry."; 1100 } 1102 leaf type { 1103 type enumeration { 1104 enum "static" { 1105 description 1106 "The mapping entry is manually configured."; 1107 } 1109 enum "dynamic-explicit" { 1110 description 1111 "This mapping is created by an outgoing 1112 packet."; 1113 } 1115 enum "dynamic-implicit" { 1116 description 1117 "This mapping is created by an explicit 1118 dynamic message."; 1119 } 1120 } 1121 description 1122 "Indicates the type of a mapping entry. 
E.g., 1123 a mapping can be: static, implicit dynamic 1124 or explicit dynamic."; 1125 } 1127 leaf transport-protocol { 1128 type uint8; 1130 description 1131 "Upper-layer protocol associated with this mapping. 1132 Values are taken from the IANA protocol registry. 1133 For example, this field contains 6 (TCP) for a TCP 1134 mapping or 17 (UDP) for a UDP mapping. No transport 1135 protocol is indicated if a mapping applies for any 1136 protocol."; 1137 } 1139 leaf internal-src-address { 1140 type inet:ip-prefix; 1142 description 1143 "Corresponds to the source IPv4/IPv6 address/prefix 1144 of the packet received on an internal 1145 interface."; 1146 } 1147 container internal-src-port { 1149 description 1150 "Corresponds to the source port of the 1151 packet received on an internal interface. 1152 It is used also to carry the internal 1153 source ICMP identifier."; 1155 uses port-number; 1156 } 1158 leaf external-src-address { 1159 type inet:ip-prefix; 1161 description 1162 "Source IP address/prefix of the packet sent 1163 on an external interface of the NAT."; 1164 } 1166 container external-src-port { 1168 description 1169 "Source port of the packet sent 1170 on an external interafce of the NAT. 1171 It is used also to carry the external 1172 source ICMP identifier."; 1174 uses port-number; 1175 } 1177 leaf internal-dst-address { 1178 type inet:ip-prefix; 1180 description 1181 "Corresponds to the destination IP address/prefix 1182 of the packet received on an internal interface of the NAT. 1183 For example, some NAT implementations support the translation of 1184 both source and destination addresses and ports, 1185 sometimes referred to as 'Twice NAT'."; 1186 } 1188 container internal-dst-port { 1190 description 1191 "Corresponds to the destination port of the 1192 IP packet received on the internal interface. 
1194 It is used also to carry the internal 1195 destination ICMP identifier."; 1197 uses port-number; 1198 } 1200 leaf external-dst-address { 1201 type inet:ip-prefix; 1203 description 1204 "Corresponds to the destination IP address/prefix 1205 of the packet sent on an external interface of the NAT."; 1206 } 1208 container external-dst-port { 1210 description 1211 "Corresponds to the destination port number of 1212 the packet sent on the external interface of the NAT. 1213 It is used also to carry the external 1214 destination ICMP identifier."; 1216 uses port-number; 1217 } 1219 leaf lifetime { 1220 type uint32; 1221 //mandatory true; 1223 description 1224 "When specified, it tracks the connection that is 1225 fully-formed (e.g., once the 3WHS TCP is completed) 1226 or the duration for maintaining an explicit mapping 1227 alive. Static mappings may not be associated with a 1228 lifetime. If no lifetime is associated with a 1229 static mapping, an explicit action is requried to 1230 remove that mapping."; 1231 } 1232 } 1234 grouping nat-parameters { 1235 description 1236 "NAT parameters for a given instance"; 1238 list external-ip-address-pool { 1239 key pool-id; 1241 description 1242 "Pool of external IP addresses used to 1243 service internal hosts. 1244 Both contiguous and non-contiguous pools 1245 can be configured for NAT purposes."; 1247 leaf pool-id { 1248 type uint32; 1250 description 1251 "An identifier of the address pool."; 1252 } 1254 leaf external-ip-pool { 1255 type inet:ipv4-prefix; 1257 description 1258 "An IPv4 prefix used for NAT purposes."; 1259 } 1260 } 1262 container port-set-restrict { 1264 when "../nat-capabilities/restricted-port-support = 'true' "; 1266 description 1267 "Configures contiguous and non-contiguous port ranges."; 1269 uses port-set; 1270 } 1272 leaf dst-nat-enable { 1273 type boolean; 1274 default false; 1276 description 1277 "Enable/Disable destination NAT. 
1278 A NAT44 may be configured to enable 1279 Destination NAT, too."; 1280 } 1282 list dst-ip-address-pool { 1283 //if-feature dst-nat; 1284 when "../nat-capabilities/nat-flavor = 'dst-nat' "; 1286 key pool-id; 1288 description 1289 "Pool of IP addresses used for destination NAT."; 1291 leaf pool-id { 1292 type uint32; 1294 description 1295 "An identifier of the address pool."; 1296 } 1298 leaf dst-in-ip-pool { 1299 type inet:ip-prefix; 1301 description 1302 "Internal IP prefix/address"; 1303 } 1305 leaf dst-out-ip-pool { 1306 type inet:ip-prefix; 1308 description 1309 "IP address/prefix used for destination NAT."; 1310 } 1311 } 1313 list nat64-prefixes { 1315 when "../nat-capabilities/nat-flavor = 'nat64' " + 1316 " or ../nat-capabilities/nat-flavor = 'clat'"; 1318 key nat64-prefix; 1320 description 1321 "Provides one or a list of NAT64 prefixes 1322 with or without a list of destination IPv4 prefixes. 1324 Destination-based Pref64::/n is discussed in 1325 Section 5.1 of [RFC7050]). For example: 1326 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 1327 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 1329 reference 1330 "Section 5.1 of RFC7050."; 1332 leaf nat64-prefix { 1333 type inet:ipv6-prefix; 1334 //default "64:ff9b::/96"; 1336 description 1337 "A NAT64 prefix. Can be NSP or a Well-Known 1338 Prefix (WKP)."; 1340 reference 1341 "RFC 6052."; 1342 } 1344 list destination-ipv4-prefix { 1346 key ipv4-prefix; 1348 description 1349 "An IPv4 prefix/address."; 1351 leaf ipv4-prefix { 1352 type inet:ipv4-prefix; 1353 description 1354 "An IPv4 address/prefix."; 1355 } 1356 } 1357 } 1359 list clat-ipv6-prefixes { 1361 when "../nat-capabilities/nat-flavor = 'clat' "; 1363 key clat-ipv6-prefix; 1365 description 1366 "464XLAT double translation treatment is 1367 stateless when a dedicated /64 is available 1368 for translation on the CLAT. 
Otherwise, the 1369 CLAT will have both stateful and stateless 1370 since it requires NAT44 from the LAN to 1371 a single IPv4 address and then stateless 1372 translation to a single IPv6 address."; 1374 reference 1375 "RFC 6877."; 1377 leaf clat-ipv6-prefix { 1378 type inet:ipv6-prefix; 1380 description 1381 "An IPv6 prefix used for CLAT."; 1382 } 1383 } 1385 list clat-ipv4-prefixes { 1386 when "../nat-capabilities/nat-flavor = 'clat'"; 1388 key clat-ipv4-prefix; 1390 description 1391 "Pool of IPv4 addresses used for CLAT. 1392 192.0.0.0/29 is the IPv4 service continuity 1393 prefix."; 1395 reference 1396 "RFC 7335."; 1398 leaf clat-ipv4-prefix { 1399 type inet:ipv4-prefix; 1401 description 1402 "464XLAT double translation treatment is 1403 stateless when a dedicated /64 is available 1404 for translation on the CLAT. Otherwise, the 1405 CLAT will have both stateful and stateless 1406 since it requires NAT44 from the LAN to 1407 a single IPv4 address and then stateless 1408 translation to a single IPv6 address. 1409 The CLAT performs NAT44 for all IPv4 LAN 1410 packets so that all the LAN-originated IPv4 1411 packets appear from a single IPv4 address 1412 and are then statelessly translated to one 1413 interface IPv6 address that is claimed by 1414 the CLAT. 1415 An IPv4 address from this pool is also 1416 provided to an application that makes 1417 use of literals."; 1419 reference 1420 "RFC 6877."; 1421 } 1422 } 1424 list nptv6-prefixes { 1426 when "../nat-capabilities/nat-flavor = 'nptv6' "; 1428 key pool-id; 1430 description 1431 "Provides one or a list of (internal IPv6 prefix, 1432 external IPv6 prefix) required for NPTv6. 
1434 In its simplest form, NPTv6 interconnects two network 1435 links, one of which is an 'internal' network link attached 1436 to a leaf network within a single administrative domain 1437 and the other of which is an 'external' network with 1438 connectivity to the global Internet."; 1440 reference 1441 "RFC 6296."; 1443 leaf pool-id { 1444 type uint32; 1445 description 1446 "An identifier of the NPTv6 prefixs."; 1447 } 1449 leaf internal-ipv6-prefix { 1450 type inet:ipv6-prefix; 1452 description 1453 "An IPv6 prefix used by an internal interface 1454 of NPTv6."; 1456 reference 1457 "RFC 6296."; 1458 } 1460 leaf external-ipv6-prefix { 1461 type inet:ipv6-prefix; 1463 description 1464 "An IPv6 prefix used by the external interface 1465 of NPTv6."; 1467 reference 1468 "RFC 6296."; 1469 } 1470 } 1472 list supported-transport-protocols { 1474 key transport-protocol-id; 1476 description 1477 "Supported transport protocols. 1478 TCP and UDP are supported by default."; 1480 leaf transport-protocol-id { 1481 type uint8; 1482 mandatory true; 1484 description 1485 "Upper-layer protocol associated with this mapping. 1486 Values are taken from the IANA protocol registry. 1487 For example, this field contains 6 (TCP) for a TCP 1488 mapping or 17 (UDP) for a UDP mapping."; 1489 } 1491 leaf transport-protocol-name { 1492 type string; 1493 description 1494 "For example, TCP, UDP, DCCP, and SCTP."; 1495 } 1496 } 1498 leaf subscriber-mask-v6 { 1499 type uint8 { 1500 range "0 .. 128"; 1501 } 1503 description 1504 "The subscriber-mask is an integer that indicates 1505 the length of significant bits to be applied on 1506 the source IP address (internal side) to 1507 unambiguously identify a CPE. 1509 Subscriber-mask is a system-wide configuration 1510 parameter that is used to enforce generic 1511 per-subscriber policies (e.g., port-quota). 1513 The enforcement of these generic policies does not 1514 require the configuration of every subscriber's 1515 prefix. 
1517 Example: suppose the 2001:db8:100:100::/56 prefix 1518 is assigned to a NAT64 serviced CPE. Suppose also 1519 that 2001:db8:100:100::1 is the IPv6 address used 1520 by the client that resides in that CPE. When the 1521 NAT64 receives a packet from this client, 1522 it applies the subscriber-mask (e.g., 56) on 1523 the source IPv6 address to compute the associated 1524 prefix for this client (2001:db8:100:100::/56). 1525 Then, the NAT64 enforces policies based on that 1526 prefix (2001:db8:100:100::/56), not on the exact 1527 source IPv6 address."; 1528 } 1529 list subscriber-match { 1531 key sub-match-id; 1533 description 1534 "IP prefix match."; 1536 leaf sub-match-id { 1537 type uint32; 1538 description 1539 "An identifier of the subscriber masck."; 1540 } 1542 leaf sub-mask { 1543 type inet:ip-prefix; 1544 mandatory true; 1545 description 1546 "The IP address subnets that match 1547 should be translated. E.g., all addresses 1548 that belong to the 192.0.2.0/24 prefix must 1549 be processed by the NAT."; 1550 } 1552 } 1554 list nat-pass-through { 1556 key nat-pass-through-id; 1558 description 1559 "IP prefix NAT pass through."; 1561 leaf nat-pass-through-id { 1562 type uint32; 1563 description 1564 "An identifier of the IP prefix pass through."; 1565 } 1567 leaf nat-pass-through-pref { 1568 type inet:ip-prefix; 1569 description 1570 "The IP address subnets that match 1571 should not be translated. According to REQ#6 1572 of RFC6888, it must be possible to 1573 administratively turn off translation 1574 for specific destination addresses 1575 and/or ports."; 1577 } 1579 leaf nat-pass-through-port { 1580 type inet:port-number; 1581 description 1582 "The IP address subnets that match 1583 should not be translated. 
According to REQ#6 1584 of RFC6888, it must be possible to 1585 administratively turn off translation 1586 for specific destination addresses 1587 and/or ports."; 1588 } 1589 } 1591 leaf paired-address-pooling { 1592 type boolean; 1593 default true; 1595 description 1596 "Paired address pooling informs the NAT 1597 that all the flows from an internal IP 1598 address must be assigned the same external 1599 address."; 1601 reference 1602 "RFC 4007."; 1603 } 1605 leaf nat-mapping-type { 1606 type enumeration { 1607 enum "eim" { 1608 description 1609 "endpoint-independent-mapping."; 1611 reference 1612 "Section 4 of RFC 4787."; 1613 } 1615 enum "adm" { 1616 description 1617 "address-dependent-mapping."; 1619 reference 1620 "Section 4 of RFC 4787."; 1621 } 1623 enum "edm" { 1624 description 1625 "address-and-port-dependent-mapping."; 1627 reference 1628 "Section 4 of RFC 4787."; 1629 } 1630 } 1631 description 1632 "Indicates the type of a NAT mapping."; 1633 } 1635 leaf nat-filtering-type { 1636 type enumeration { 1637 enum "eif" { 1639 description 1640 "endpoint-independent- filtering."; 1642 reference 1643 "Section 5 of RFC 4787."; 1644 } 1646 enum "adf" { 1647 description 1648 "address-dependent-filtering."; 1650 reference 1651 "Section 5 of RFC 4787."; 1652 } 1654 enum "edf" { 1655 description 1656 "address-and-port-dependent-filtering"; 1658 reference 1659 "Section 5 of RFC 4787."; 1660 } 1661 } 1662 description 1663 "Indicates the type of a NAT filtering."; 1664 } 1666 list port-quota { 1667 when "../nat-capabilities/nat44-flavor = "+ 1668 "'napt' or "+ 1669 "../nat-capabilities/nat-flavor = "+ 1670 "'nat64'"; 1672 key quota-type; 1674 description 1675 "Configures a port quota to be assigned per 1676 subscriber. It corresponds to the maximum 1677 number of ports to be used by a subscriber."; 1679 leaf port-limit { 1681 type uint16; 1683 description 1684 "Configures a port quota to be assigned per 1685 subscriber. 
It corresponds to the maximum 1686 number of ports to be used by a subscriber."; 1688 reference 1689 "REQ-4 of RFC 6888."; 1690 } 1692 leaf quota-type { 1693 type enumeration { 1694 enum "all" { 1696 description 1697 "The limit applies to all protocols."; 1699 reference 1700 "REQ-4 of RFC 6888."; 1701 } 1703 enum "tcp" { 1704 description 1705 "TCP quota."; 1707 reference 1708 "REQ-4 of RFC 6888."; 1709 } 1711 enum "udp" { 1712 description 1713 "UDP quota."; 1715 reference 1716 "REQ-4 of RFC 6888."; 1717 } 1718 enum "icmp" { 1719 description 1720 "ICMP quota."; 1722 reference 1723 "REQ-4 of RFC 6888."; 1724 } 1725 } 1726 description 1727 "Indicates whether the port quota applies to 1728 all protocols or to a specific transport."; 1729 } 1730 } 1732 leaf port-allocation-type { 1733 type enumeration { 1734 enum "random" { 1735 description 1736 "Port randomization is enabled."; 1737 } 1739 enum "port-preservation" { 1740 description 1741 "Indicates whether the NAT should 1742 preserve the internal port number."; 1743 } 1745 enum "port-parity-preservation" { 1746 description 1747 "Indicates whether the NAT should 1748 preserve the port parity of the 1749 internal port number."; 1750 } 1752 enum "port-range-allocation" { 1753 description 1754 "Indicates whether the NAT assigns a range 1755 of ports for an internal host."; 1756 } 1758 } 1759 description 1760 "Indicates the type of a port allocation."; 1761 } 1763 leaf address-roundrobin-enable { 1764 type boolean; 1765 description 1766 "Enable/disable address allocation 1767 round robin."; 1768 } 1770 container port-set { 1771 when "../port-allocation-type = 'port-range-allocation'"; 1773 description 1774 "Manages port-set assignments."; 1776 leaf port-set-size { 1777 type uint16; 1778 description 1779 "Indicates the size of assigned port 1780 sets."; 1781 } 1783 leaf port-set-timeout { 1784 type uint32; 1785 description 1786 "Inactivty timeout for port sets."; 1787 } 1788 } 1790 uses timeouts; 1792 container 
mapping-limit { 1794 description 1795 "Information about the configuration parameters that 1796 limits the mappings based upon various criteria."; 1798 leaf limit-per-subscriber { 1799 type uint32; 1801 description 1802 "Maximum number of NAT mappings per 1803 subscriber."; 1804 } 1806 leaf limit-per-vrf { 1807 type uint32; 1809 description 1810 "Maximum number of NAT mappings per 1811 VLAN/VRF."; 1813 } 1815 leaf limit-per-subnet { 1816 type inet:ip-prefix; 1818 description 1819 "Maximum number of NAT mappings per 1820 subnet."; 1821 } 1823 leaf limit-per-instance { 1824 type uint32; 1825 mandatory true; 1827 description 1828 "Maximum number of NAT mappings per 1829 instance."; 1830 } 1832 leaf limit-per-udp { 1833 type uint32; 1834 mandatory true; 1836 description 1837 "Maximum number of UDP NAT mappings per 1838 subscriber."; 1839 } 1841 leaf limit-per-tcp { 1842 type uint32; 1843 mandatory true; 1845 description 1846 "Maximum number of TCP NAT mappings per 1847 subscriber."; 1849 } 1851 leaf limit-per-icmp { 1852 type uint32; 1853 mandatory true; 1855 description 1856 "Maximum number of ICMP NAT mappings per 1857 subscriber."; 1858 } 1859 } 1860 container connection-limit { 1862 description 1863 "Information about the configuration parameters that 1864 rate limit the translation based upon various 1865 criteria."; 1867 leaf limit-per-subscriber { 1868 type uint32; 1870 description 1871 "Rate-limit the number of new mappings and sessions 1872 per subscriber."; 1873 } 1875 leaf limit-per-vrf { 1876 type uint32; 1878 description 1879 "Rate-limit the number of new mappings and sessions 1880 per VLAN/VRF."; 1881 } 1883 leaf limit-per-subnet { 1884 type inet:ip-prefix; 1886 description 1887 "Rate-limit the number of new mappings and sessions 1888 per subnet."; 1889 } 1891 leaf limit-per-instance { 1892 type uint32; 1893 mandatory true; 1895 description 1896 "Rate-limit the number of new mappings and sessions 1897 per instance."; 1898 } 1900 leaf limit-per-udp { 1901 
type uint32; 1902 mandatory true; 1904 description 1905 "Rate-limit the number of new UDP mappings and sessions 1906 per subscriber."; 1907 } 1908 leaf limit-per-tcp { 1909 type uint32; 1910 mandatory true; 1912 description 1913 "Rate-limit the number of new TCP mappings and sessions 1914 per subscriber."; 1916 } 1918 leaf limit-per-icmp { 1919 type uint32; 1920 mandatory true; 1922 description 1923 "Rate-limit the number of new ICMP mappings and sessions 1924 per subscriber."; 1925 } 1926 } 1928 list algs { 1930 key alg-name; 1932 description 1933 "ALG-related features."; 1935 leaf alg-name { 1936 type string; 1938 description 1939 "The name of the ALG"; 1940 } 1942 leaf alg-transport-protocol { 1943 type uint32; 1945 description 1946 "The transport protocol used by the ALG."; 1947 } 1949 leaf alg-transport-port { 1950 type inet:port-number; 1952 description 1953 "The port number used by the ALG."; 1954 } 1955 leaf alg-status { 1956 type boolean; 1958 description 1959 "Enable/disable the ALG."; 1960 } 1961 } 1963 leaf all-algs-enable { 1964 type boolean; 1966 description 1967 "Enable/disable all ALGs."; 1968 } 1970 container logging-info { 1971 description 1972 "Information about logging NAT events"; 1974 leaf logging-enable { 1975 type boolean; 1977 description 1978 "Enable logging features as per Section 2.3 1979 of [RFC6908]."; 1980 } 1982 leaf destination-address { 1983 type inet:ip-prefix; 1984 mandatory true; 1986 description 1987 "Address of the collector that receives 1988 the logs"; 1989 } 1991 leaf destination-port { 1992 type inet:port-number; 1993 mandatory true; 1995 description 1996 "Destination port of the collector."; 1997 } 1999 choice protocol { 2001 description 2002 "Enable the protocol to be used for 2003 the retrieval of logging entries."; 2005 case syslog { 2006 leaf syslog { 2007 type boolean; 2009 description 2010 "If SYSLOG is in use."; 2011 } 2012 } 2014 case ipfix { 2015 leaf ipfix { 2016 type boolean; 2018 description 2019 "If IPFIX is 
in use."; 2020 } 2021 } 2023 case ftp { 2024 leaf ftp { 2025 type boolean; 2027 description 2028 "If FTP is in use."; 2029 } 2030 } 2031 } 2032 } 2034 container notify-pool-usage { 2035 description 2036 "Notification of pool usage when certain criteria 2037 are met."; 2039 leaf pool-id { 2040 type uint32; 2042 description 2043 "Pool-ID for which the notification 2044 criteria is defined"; 2045 } 2047 leaf notify-pool-hi-threshold { 2048 type percent; 2049 mandatory true; 2050 description 2051 "Notification must be generated when the 2052 defined high threshold is reached. 2053 For example, if a notification is 2054 required when the pool utilization reaches 2055 90%, this configuration parameter must 2056 be set to 90%."; 2057 } 2059 leaf notify-pool-low-threshold { 2060 type percent; 2062 description 2063 "Notification must be generated when the defined 2064 low threshold is reached. 2065 For example, if a notification is required when 2066 the pool utilization reaches below 10%, 2067 this configuration parameter must be set to 2068 10%."; 2069 } 2070 } 2072 } //nat-parameters group 2074 container nat-module { 2075 description 2076 "NAT"; 2078 container nat-instances { 2079 description 2080 "NAT instances"; 2082 list nat-instance { 2084 key "id"; 2086 description 2087 "A NAT instance."; 2089 leaf id { 2090 type uint32; 2092 description 2093 "NAT instance identifier."; 2095 reference 2096 "RFC 7659."; 2097 } 2099 leaf name { 2100 type string; 2102 description 2103 "A name associated with the NAT instance."; 2104 } 2106 leaf enable { 2107 type boolean; 2109 description 2110 "Status of the the NAT instance."; 2111 } 2113 container nat-capabilities { 2114 config false; 2116 description 2117 "NAT capabilities"; 2119 leaf-list nat-flavor { 2120 type identityref { 2121 base nat-type; 2122 } 2123 description 2124 "Type of NAT."; 2125 } 2127 leaf-list nat44-flavor { 2129 when "../nat-flavor = 'nat44'"; 2131 type identityref { 2132 base nat44; 2133 } 2134 description 2135 
"Type of NAT44: Basic NAT or NAPT."; 2136 } 2138 leaf restricted-port-support { 2139 type boolean; 2141 description 2142 "Indicates source port NAT restriction 2143 support."; 2144 } 2145 leaf static-mapping-support { 2146 type boolean; 2148 description 2149 "Indicates whether static mappings are 2150 supported."; 2151 } 2153 leaf port-randomization-support { 2154 type boolean; 2156 description 2157 "Indicates whether port randomization is 2158 supported."; 2159 } 2161 leaf port-range-allocation-support { 2162 type boolean; 2164 description 2165 "Indicates whether port range 2166 allocation is supported."; 2167 } 2169 leaf port-preservation-suport { 2170 type boolean; 2172 description 2173 "Indicates whether port preservation 2174 is supported."; 2175 } 2177 leaf port-parity-preservation-support { 2178 type boolean; 2180 description 2181 "Indicates whether port parity 2182 preservation is supported."; 2183 } 2185 leaf address-roundrobin-support { 2186 type boolean; 2188 description 2189 "Indicates whether address allocation 2190 round robin is supported."; 2191 } 2193 leaf paired-address-pooling-support { 2194 type boolean; 2196 description 2197 "Indicates whether paired-address-pooling is 2198 supported"; 2199 } 2201 leaf endpoint-independent-mapping-support { 2202 type boolean; 2204 description 2205 "Indicates whether endpoint-independent-mapping 2206 in Section 4 of RFC 4787 is supported."; 2207 } 2209 leaf address-dependent-mapping-support { 2210 type boolean; 2212 description 2213 "Indicates whether address-dependent-mapping 2214 is supported."; 2215 } 2217 leaf address-and-port-dependent-mapping-support { 2218 type boolean; 2220 description 2221 "Indicates whether address-and-port-dependent-mapping 2222 is supported."; 2223 } 2225 leaf endpoint-independent-filtering-support { 2226 type boolean; 2228 description 2229 "Indicates whether endpoint-independent-filtering 2230 is supported."; 2231 } 2233 leaf address-dependent-filtering { 2234 type boolean; 2236 
description 2237 "Indicates whether address-dependent-filtering 2238 is supported."; 2239 } 2240 leaf address-and-port-dependent-filtering { 2241 type boolean; 2243 description 2244 "Indicates whether address-and-port-dependent 2245 is supported."; 2246 } 2247 } 2249 uses nat-parameters; 2251 container mapping-table { 2253 when "../nat-capabilities/nat-flavor = "+ 2254 "'nat44' or "+ 2255 "../nat-capabilities/nat-flavor = "+ 2256 "'nat64'or "+ 2257 "../nat-capabilities/nat-flavor = "+ 2258 "'clat'or "+ 2259 "../nat-capabilities/nat-flavor = 'dst-nat'"; 2261 description 2262 "NAT mapping table. Applicable for functions which 2263 maintains static and/or dynamic mappings such as NAT44, 2264 Destination NAT, NAT64, CLAT, or EAM."; 2266 list mapping-entry { 2267 key "index"; 2269 description 2270 "NAT mapping entry."; 2272 uses mapping-entry; 2273 } 2274 } 2276 container statistics { 2278 config false; 2280 description 2281 "Statistics related to the NAT instance."; 2283 container traffic-statistics { 2284 description 2285 "Generic traffic statistics."; 2287 leaf sent-packet { 2288 type yang:zero-based-counter64; 2290 description 2291 "Number of packets sent."; 2292 } 2294 leaf sent-byte { 2295 type yang:zero-based-counter64; 2297 description 2298 "Counter for sent traffic in bytes."; 2299 } 2301 leaf rcvd-packet { 2302 type yang:zero-based-counter64; 2304 description 2305 "Number of received packets."; 2306 } 2308 leaf rcvd-byte { 2309 type yang:zero-based-counter64; 2311 description 2312 "Counter for received traffic 2313 in bytes."; 2314 } 2316 leaf dropped-packet { 2317 type yang:zero-based-counter64; 2319 description 2320 "Number of dropped packets."; 2321 } 2323 leaf dropped-byte { 2324 type yang:zero-based-counter64; 2326 description 2327 "Counter for dropped traffic in 2328 bytes."; 2329 } 2330 } 2332 container mapping-statistics { 2333 when "../../nat-capabilities/nat-flavor = "+ 2334 "'nat44' or "+ 2335 "../../nat-capabilities/nat-flavor = "+ 2336 "'nat64'or 
"+ 2337 "../../nat-capabilities/nat-flavor = 'dst-nat'"; 2339 description 2340 "Mapping statistics."; 2342 leaf total-mappings { 2343 type uint32; 2345 description 2346 "Total number of NAT mappings present 2347 at a given time. This variable includes 2348 all the static and dynamic mappings."; 2349 } 2351 leaf total-tcp-mappings { 2352 type uint32; 2353 description 2354 "Total number of TCP mappings present 2355 at a given time."; 2356 } 2358 leaf total-udp-mappings { 2359 type uint32; 2360 description 2361 "Total number of UDP mappings present 2362 at a given time."; 2363 } 2365 leaf total-icmp-mappings { 2366 type uint32; 2367 description 2368 "Total number of ICMP mappings present 2369 at a given time."; 2370 } 2372 } 2374 container pool-stats { 2376 when "../../nat-capabilities/nat-flavor = "+ 2377 "'nat44' or "+ 2378 "../../nat-capabilities/nat-flavor = "+ 2379 "'nat64'"; 2381 description 2382 "Statistics related to address/prefix 2383 pool usage"; 2385 leaf pool-id { 2386 type uint32; 2387 description 2388 "Unique Identifier that represents 2389 a pool of addresses/prefixes."; 2390 } 2392 leaf address-allocated { 2393 type uint32; 2394 description 2395 "Number of allocated addresses in 2396 the pool"; 2397 } 2399 leaf address-free { 2400 type uint32; 2401 description 2402 "Number of unallocated addresses in 2403 the pool at a given time.The sum of 2404 unallocated and allocated 2405 addresses is the total number of 2406 addresses of the pool."; 2407 } 2409 container port-stats { 2411 description 2412 "Statistics related to port 2413 usage."; 2415 leaf ports-allocated { 2416 type uint32; 2417 description 2418 "Number of allocated ports 2419 in the pool."; 2420 } 2422 leaf ports-free { 2423 type uint32; 2424 description 2425 "Number of unallocated addresses 2426 in the pool."; 2428 } 2429 } 2430 } 2431 } //statistics 2432 } 2433 } 2434 } 2436 /* 2437 * Notifications 2438 */ 2440 notification nat-event { 2441 description 2442 "Notifications must be generated 
           when the defined high/low threshold is reached.  Related
           configuration parameters must be provided to trigger the
           notifications.";

        leaf id {
          type leafref {
            path "/nat-module/nat-instances/nat-instance/id";
          }
          description
            "NAT instance ID.";
        }

        leaf notify-pool-threshold {
          type percent;
          mandatory true;
          description
            "Threshold (in percent) that has been reached.";
        }
      }
    }

4.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer, and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides the means to restrict access for particular users
   to a pre-configured subset of all available NETCONF protocol
   operations and data.

   All data nodes defined in this YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  For instance, altering an external address
   pool, a port-limit, a pass-through address, or a static mapping
   entry redirects or disrupts the traffic of every subscriber served
   by the NAT instance.

   Some of the readable data nodes are sensitive as well.  The
   mapping-table exposes, for each active mapping, which internal
   address and port is bound to which external address and port; read
   access (e.g., get, get-config) to it therefore reveals the hosts
   behind the NAT and the sessions they have open, and should be
   restricted with the same care as write access.

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC6020].

      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6.  Acknowledgements

   Many thanks to Dan Wing and Tianran Zhou for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.
2507 Thanks to Lee Howard and Jordi Palet for the CLAT comments. 2509 Special thanks to Maros Marsalek and Marek Gradzki for sharing their 2510 comments based on the FD.io implementation. 2512 7. References 2514 7.1. Normative References 2516 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2517 DOI 10.17487/RFC3688, January 2004, . 2520 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 2521 Translation (NAT) Behavioral Requirements for Unicast 2522 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2523 2007, . 2525 [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. 2526 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 2527 RFC 5382, DOI 10.17487/RFC5382, October 2008, 2528 . 2530 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 2531 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 2532 DOI 10.17487/RFC5508, April 2009, . 2535 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 2536 the Network Configuration Protocol (NETCONF)", RFC 6020, 2537 DOI 10.17487/RFC6020, October 2010, . 2540 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 2541 NAT64: Network Address and Protocol Translation from IPv6 2542 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 2543 April 2011, . 2545 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2546 and A. Bierman, Ed., "Network Configuration Protocol 2547 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2548 . 2550 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2551 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2552 . 2554 [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration 2555 Protocol (NETCONF) Access Control Model", RFC 6536, 2556 DOI 10.17487/RFC6536, March 2012, . 2559 [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: 2560 Combination of Stateful and Stateless Translation", 2561 RFC 6877, DOI 10.17487/RFC6877, April 2013, 2562 . 
2564 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 2565 A., and H. Ashida, "Common Requirements for Carrier-Grade 2566 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 2567 April 2013, . 2569 [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address 2570 Mappings for Stateless IP/ICMP Translation", RFC 7757, 2571 DOI 10.17487/RFC7757, February 2016, . 2574 [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, 2575 S., and K. Naito, "Updates to Network Address Translation 2576 (NAT) Behavioral Requirements", BCP 127, RFC 7857, 2577 DOI 10.17487/RFC7857, April 2016, . 2580 7.2. Informative References 2582 [I-D.boucadair-pcp-yang] 2583 Boucadair, M., Jacquenet, C., Sivakumar, S., and S. 2584 Vinapamula, "YANG Data Models for the Port Control 2585 Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in 2586 progress), May 2017. 2588 [I-D.ietf-behave-ipfix-nat-logging] 2589 Sivakumar, S. and R. Penno, "IPFIX Information Elements 2590 for logging NAT Events", draft-ietf-behave-ipfix-nat- 2591 logging-13 (work in progress), January 2017. 2593 [I-D.ietf-softwire-dslite-yang] 2594 Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data 2595 Models for the DS-Lite", draft-ietf-softwire-dslite- 2596 yang-05 (work in progress), August 2017. 2598 [I-D.ietf-tsvwg-natsupp] 2599 Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control 2600 Transmission Protocol (SCTP) Network Address Translation 2601 Support", draft-ietf-tsvwg-natsupp-11 (work in progress), 2602 July 2017. 2604 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 2605 Translator (NAT) Terminology and Considerations", 2606 RFC 2663, DOI 10.17487/RFC2663, August 1999, 2607 . 2609 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 2610 Address Translator (Traditional NAT)", RFC 3022, 2611 DOI 10.17487/RFC3022, January 2001, . 
2614 [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) 2615 Behavioral Requirements for the Datagram Congestion 2616 Control Protocol", BCP 150, RFC 5597, 2617 DOI 10.17487/RFC5597, September 2009, . 2620 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 2621 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 2622 DOI 10.17487/RFC6052, October 2010, . 2625 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 2626 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 2627 . 2629 [RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, 2630 "Logging Recommendations for Internet-Facing Servers", 2631 BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011, 2632 . 2634 [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, 2635 "Diameter Network Address and Port Translation Control 2636 Application", RFC 6736, DOI 10.17487/RFC6736, October 2637 2012, . 2639 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2640 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2641 DOI 10.17487/RFC6887, April 2013, . 2644 [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, 2645 DOI 10.17487/RFC7335, August 2014, . 2648 [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. 2649 Farrer, "Lightweight 4over6: An Extension to the Dual- 2650 Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, 2651 July 2015, . 2653 [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., 2654 Murakami, T., and T. Taylor, Ed., "Mapping of Address and 2655 Port with Encapsulation (MAP-E)", RFC 7597, 2656 DOI 10.17487/RFC7597, July 2015, . 2659 [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 2660 "Definitions of Managed Objects for Network Address 2661 Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, 2662 October 2015, . 2664 [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., 2665 and S. 
Perreault, "Port Control Protocol (PCP) Extension 2666 for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, 2667 February 2016, . 2669 [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, 2670 "RADIUS Extensions for IP Port Configuration and 2671 Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, 2672 . 2674 Appendix A. Sample Examples 2676 This section provides a non-exhaustive set of examples to illustrate 2677 the use of the NAT YANG module. 2679 A.1. Traditional NAT44 2681 Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the 2682 same IPv4 address among hosts that are owned by the same subscriber. 2683 This is typically the NAT that is embedded in CPE devices. 2685 This NAT is usually provided with one single external IPv4 address; 2686 disambiguating connections is achieved by rewriting the source port 2687 number. The XML snippet to configure the external IPv4 address in 2688 such case together with a mapping entry is depicted below: 2690 2691 2692 1 2693 NAT_Subscriber_A 2694 .... 2695 2696 1 2697 2698 192.0.2.1 2699 2700 2701 .... 2702 2703 .... 2704 2705 192.0.2.1 2706 2707 .... 2708 2709 2710 2712 The following shows the XML excerpt depicting a dynamic UDP mapping 2713 entry maintained by a traditional NAT44. In reference to this 2714 example, the UDP packet received with a source IPv4 address 2715 (192.0.2.1) and source port number (1568) is translated into a UDP 2716 packet having a source IPv4 address (198.51.100.1) and source port 2717 (15000). The lifetime of this mapping is 300 seconds. 2719 2720 15 2721 2722 dynamic-explicit 2723 2724 2725 17 2726 2727 2728 192.0.2.1 2729 2730 2731 2732 1568 2733 2734 2735 2736 198.51.100.1 2737 2738 2739 2740 15000 2741 2742 2743 2744 300 2745 2746 2748 A.2. CGN 2750 The following XML snippet shows the example of the capabilities 2751 supported by a CGN as retrieved using NETCONF. 
2753 2755 nat44 2756 2757 2758 false 2759 2760 2761 true 2762 2763 2764 true 2765 2766 2767 true 2768 2769 2770 true 2771 2772 2773 false 2774 2775 2776 true 2777 2778 2779 true 2780 2781 2782 true 2783 2784 2785 false 2786 2787 2788 false 2789 2790 2791 true 2792 2793 2794 false 2795 2796 2797 false 2798 2799 2800 The following XML snippet shows the example of a CGN that is 2801 provisioned with one contiguous pool of external IPv4 addresses 2802 (192.0.2.0/24). Further, the CGN is instructed to limit the number 2803 of allocated ports per subscriber to 1024. Ports can be allocated by 2804 the CGN by assigning ranges of 256 ports (that is, a subscriber can 2805 be allocated up to four port ranges of 256 ports each). 2807 2808 2809 1 2810 myCGN 2811 .... 2812 2813 1 2814 2815 192.0.2.0/24 2816 2817 2818 2819 2820 1024 2821 2822 2823 all 2824 2825 2826 2827 port-range-allocation 2828 2829 2830 2831 256 2832 2833 2834 .... 2835 2836 2838 An administrator may decide to allocate one single port range per 2839 subscriber (port range of 1024 ports) as shown below: 2841 2842 2843 1 2844 myotherCGN 2845 .... 2846 2847 1 2848 2849 192.0.2.0/24 2850 2851 2852 2853 2854 1024 2855 2856 2857 all 2858 2859 2860 2861 port-range-allocation 2862 2863 2864 2865 1024 2866 2867 .... 2868 2869 .... 2870 2871 2873 A.3. CGN Pass-Through 2875 Figure 1 illustrates an example of the CGN pass-through feature. 2877 X1:x1 X1':x1' X2:x2 2878 +---+from X1:x1 +---+from X1:x1 +---+ 2879 | C | to X2:x2 | | to X2:x2 | S | 2880 | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | 2881 | i | | G | | r | 2882 | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | 2883 | n |from X2:x2 | |from X2:x2 | e | 2884 | t | to X1:x1 | | to X1:x1 | r | 2885 +---+ +---+ +---+ 2887 Figure 1: CGN Pass-Through 2889 For example, in order to disable NAT for communications issued by the 2890 client (192.0.2.25), the following configuration parameter must be 2891 set: 2893 2894 ... 2895 192.0.2.25 2896 ... 2897 2899 A.4. 
NAT64 2901 Let's consider the example of a NAT64 that should use 2902 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2903 The XML snippet to configure the NAT64 prefix in such case is 2904 depicted below: 2906 2907 2908 2001:db8:122:300::/56 2909 2910 2912 Let's now consider the example of a NAT64 that should use 2913 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 2914 the destination address matches 198.51.100.0/24. The XML snippet to 2915 configure the NAT64 prefix in such case is shown below: 2917 2918 2919 2001:db8:122::/48 2920 2921 2922 2923 198.51.100.0/24 2924 2925 2926 2928 A.5. Explicit Address Mappings for Stateless IP/ICMP Translation 2930 As specified in [RFC7757], an EAM consists of an IPv4 prefix and an 2931 IPv6 prefix. Let's consider the set of EAM examples in Figure 2. 2933 +---+----------------+----------------------+ 2934 | # | IPv4 Prefix | IPv6 Prefix | 2935 +---+----------------+----------------------+ 2936 | 1 | 192.0.2.1 | 2001:db8:aaaa:: | 2937 | 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | 2938 | 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 | 2939 | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 | 2940 | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | 2941 | 6 | 192.0.2.224/31 | 64:ff9b::/127 | 2942 +---+----------------+----------------------+ 2944 Figure 2: EAM Examples (RFC7757) 2946 The following XML excerpt illustrates how these EAMs can be 2947 configured using the YANG NAT module: 2949 2950 2951 1 2952 static 2953 2954 192.0.2.1 2955 2956 2957 2001:db8:aaaa:: 2958 2959 2960 2961 2 2962 static 2963 2964 192.0.2.2/32 2965 2966 2967 2001:db8:bbbb::b/128 2968 2969 2970 2971 3 2972 static 2973 2974 192.0.2.16/28 2975 2976 2977 2001:db8:cccc::/124 2978 2979 2980 2981 4 2982 static 2983 2984 192.0.2.128/26 2985 2986 2987 2001:db8:dddd::/64 2988 2989 2990 2991 5 2992 static 2993 2994 192.0.2.192/29 2995 2996 2997 2001:db8:eeee:8::/62 2998 2999 3000 3001 6 3002 static 3003 3004 192.0.2.224/31 3005 3006 3007 
64:ff9b::/127
   [XML snippet not recoverable from this copy: the element names were
   lost in extraction and only the literal values above survived.]

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: nat64, true, true, true,
   true, false, true, true, true, false, false, true, false, false.]

A.6.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 1, static, 6, 192.0.2.1,
   100, 500, 198.51.100.1, 1100, 1500.]

A.7.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 1, static, 6,
   192.0.2.1/24, 198.51.100.1/24.]

A.8.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate packets having 192.0.2.1 as a destination
   IP address to 198.51.100.1.
   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 1, 192.0.2.1,
   198.51.100.1.]

   In order to instruct a NAT to translate TCP packets destined to
   192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows
   the static mapping to be configured on the NAT:

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 1, static, 6, 192.0.2.1,
   80, 198.51.100.1, 8080.]

   In order to instruct a NAT to translate TCP packets destined to
   192.0.2.1:80 (HTTP traffic) to 198.51.100.1 and 192.0.2.1:22 (SSH
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings to be configured on the NAT:

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values: first entry 1, static, 6,
   192.0.2.1, 80, 198.51.100.1; second entry 2, static, 6, 192.0.2.1,
   22, 198.51.100.2.]

   The NAT may also be instructed to perform both source and
   destination NAT.  To do so, in addition to the destination NAT
   configuration above, the NAT may be provided, for example, with a
   pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet
   is provided hereafter:

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 1, 198.51.100.0/24.]

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.9.  CLAT

   The following XML snippet shows the example of a CLAT that is
   configured with 2001:db8:1234::/96 as the PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as the CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

   [XML snippet not recoverable from this copy: element names were lost
   in extraction.  Surviving values, in order: 2001:db8:1234::/96,
   2001:db8:aaaa::/96, 192.0.0.1/32.]

A.10.
NPTv6 3241 Let's consider the example of a NPTv6 translator that should rewrite 3242 packets with the source prefix (fd01:203:405:/48) with the external 3243 prefix (2001:db8:1:/48). 3245 External Network: Prefix = 2001:db8:1:/48 3246 -------------------------------------- 3247 | 3248 | 3249 +-------------+ 3250 | NPTv6 | 3251 | Translator | 3252 +-------------+ 3253 | 3254 | 3255 -------------------------------------- 3256 Internal Network: Prefix = fd01:203:405:/48 3258 Example of NPTv6 (RFC6296) 3260 The XML snippet to configure NPTv6 prefixes in such case is depicted 3261 below: 3263 3264 1 3265 3266 fd01:203:405:/48 3267 3268 3269 2001:db8:1:/48 3270 3271 3273 Figure 3 shows an example of an NPTv6 that interconnects two internal 3274 networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is 3275 translated using a dedicated prefix (2001:db8:1:/48 and 3276 2001:db8:6666:/48, respectively). 3278 Internal Prefix = fd01:4444:5555:/48 3279 -------------------------------------- 3280 V | External Prefix 3281 V | 2001:db8:1:/48 3282 V +---------+ ^ 3283 V | NPTv6 | ^ 3284 V | Device | ^ 3285 V +---------+ ^ 3286 External Prefix | ^ 3287 2001:db8:6666:/48 | ^ 3288 -------------------------------------- 3289 Internal Prefix = fd01:203:405:/48 3291 Figure 3: Connecting two Peer Networks (RFC6296) 3293 To that aim, the following configuration is provided to the NPTv6: 3295 3296 1 3297 3298 fd01:203:405:/48 3299 3300 3301 2001:db8:1:/48 3302 3303 3304 3305 2 3306 3307 fd01:4444:5555:/48 3308 3309 3310 2001:db8:6666:/48 3311 3312 3314 Authors' Addresses 3316 Mohamed Boucadair 3317 Orange 3318 Rennes 35000 3319 France 3321 Email: mohamed.boucadair@orange.com 3323 Senthil Sivakumar 3324 Cisco Systems 3325 7100-8 Kit Creek Road 3326 Research Triangle Park, North Carolina 27709 3327 USA 3329 Phone: +1 919 392 5158 3330 Email: ssenthil@cisco.com 3332 Christian Jacquenet 3333 Orange 3334 Rennes 35000 3335 France 3337 Email: christian.jacquenet@orange.com 3338 Suresh Vinapamula 
3339 Juniper Networks 3340 1133 Innovation Way 3341 Sunnyvale 94089 3342 USA 3344 Qin Wu 3345 Huawei 3346 101 Software Avenue, Yuhua District 3347 Nanjing, Jiangsu 210012 3348 China 3350 Email: bill.wu@huawei.com