Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: February 24, 2018                                 Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                         August 23, 2017

   A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                      draft-ietf-opsawg-nat-yang-02

Abstract

   For the sake of network automation, and because of the need to
   program the Network Address Translation (NAT) function in particular,
   a data model for configuring and managing the NAT is essential.  This
   document defines a YANG data model for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 24, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an Interface
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].

   Sample examples are provided in Appendix A.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: an IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: a non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: a host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: the IP address/prefix of an internal
      host.

   o  External Address: the IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: created implicitly as a side effect of
      traffic such as an outgoing TCP SYN or an outgoing UDP packet.  A
      validity lifetime is associated with this mapping.

   o  Dynamic explicit mapping: created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: created manually.  This mapping is
      likely to be maintained by the NAT function until an explicit
      action is executed to remove it.

   The usage of the term NAT in this document refers to any NAT flavor
   (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG data model is designed to cover dynamic implicit
   mappings and static explicit mappings.  The required functionality to
   instruct dynamic explicit mappings is defined in separate documents
   such as [I-D.boucadair-pcp-yang].  Considerations about instructing
   explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are
   out of scope.

   A single NAT device can have multiple NAT instances; each of these
   instances is responsible for serving a group of internal hosts.  This
   document does not make any assumption about how internal hosts are
   associated with a given NAT instance.

   The data model assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   model allows a NAT function to be instructed to log the destination
   port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44
   2.  NAPT
   3.  Destination NAT
   4.  Port-restricted NAT
   5.  NAT64
   6.  EAM SIIT
   7.  CLAT
   8.  NPTv6
   9.  Combination of Basic NAT/NAPT and Destination NAT
   10. Combination of port-restricted and Destination NAT
   11. Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support
   DS-Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes that the behaviors defined in [RFC4787],
   [RFC5382], and [RFC5508] are enabled by default.

   Furthermore, the data model relies upon the recommendations detailed
   in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   This data model assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG data model.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require restricting the port numbers (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignment (port-set-restrict) are supported in this document:

   o  Simple port range: defined by two port values, the start and the
      end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG model assumes the following
   structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows either an IPv4 or an IPv6 address to be
   included as an internal IP address.  The remaining fields are common
   to both NAT schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6, given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the data model
   allows limiting the number of external ports per subscriber (port-
   quota) and the amount of state memory allocated per mapping and per
   subscriber (mapping-limit and connection-limit).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.
   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limiting the subscriber's creation of new mappings) can be
      configured.

2.10.  Binding the NAT Function to an Interface

   The model allows specifying the interface(s) on which the NAT
   function must be applied (external-interfaces).  The model also
   allows specifying internal interfaces (internal-interfaces).

   If no interface is provided, this assumes that the system is able to
   determine the external interface(s) on which the NAT will be applied.
   Typically, the WAN and LAN interfaces of a CPE are determined by the
   CPE.

2.11.  Tree Structure

   The tree structure of the NAT data model is provided below:

   module: ietf-nat
      +--rw nat-module
         +--rw nat-instances
            +--rw nat-instance* [id]
               +--rw id                                   uint32
               +--rw name?                                string
               +--rw enable?                              boolean
               +--ro nat-capabilities
               |  +--ro nat-flavor*                                  identityref
               |  +--ro nat44-flavor*                                identityref
               |  +--ro restricted-port-support?                     boolean
               |  +--ro static-mapping-support?                      boolean
               |  +--ro port-randomization-support?                  boolean
               |  +--ro port-range-allocation-support?               boolean
               |  +--ro port-preservation-suport?                    boolean
               |  +--ro port-parity-preservation-support?            boolean
               |  +--ro address-roundrobin-support?                  boolean
               |  +--ro paired-address-pooling-support?              boolean
               |  +--ro endpoint-independent-mapping-support?        boolean
               |  +--ro address-dependent-mapping-support?           boolean
               |  +--ro address-and-port-dependent-mapping-support?  boolean
               |  +--ro endpoint-independent-filtering-support?      boolean
               |  +--ro address-dependent-filtering?                 boolean
               |  +--ro address-and-port-dependent-filtering?        boolean
               +--rw internal-interfaces* [internal-interface]
               |  +--rw internal-interface    if:interface-ref
               +--rw external-interfaces* [external-interface]
               |  +--rw external-interface    if:interface-ref
               +--rw external-ip-address-pool* [pool-id]
               |  +--rw pool-id             uint32
               |  +--rw external-ip-pool?   inet:ipv4-prefix
               +--rw port-set-restrict
               |  +--rw (port-type)?
               |     +--:(port-range)
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--:(port-set-algo)
               |        +--rw psid-offset?   uint8
               |        +--rw psid-len       uint8
               |        +--rw psid           uint16
               +--rw dst-nat-enable?                      boolean
               +--rw dst-ip-address-pool* [pool-id]
               |  +--rw pool-id            uint32
               |  +--rw dst-in-ip-pool?    inet:ip-prefix
               |  +--rw dst-out-ip-pool?   inet:ip-prefix
               +--rw nat64-prefixes* [nat64-prefix]
               |  +--rw nat64-prefix               inet:ipv6-prefix
               |  +--rw destination-ipv4-prefix* [ipv4-prefix]
               |     +--rw ipv4-prefix   inet:ipv4-prefix
               +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
               |  +--rw clat-ipv6-prefix   inet:ipv6-prefix
               +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
               |  +--rw clat-ipv4-prefix   inet:ipv4-prefix
               +--rw nptv6-prefixes* [translation-id]
               |  +--rw translation-id          uint32
               |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
               |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
               +--rw supported-transport-protocols* [transport-protocol-id]
               |  +--rw transport-protocol-id      uint8
               |  +--rw transport-protocol-name?   string
               +--rw subscriber-mask-v6?                  uint8
               +--rw subscriber-match* [sub-match-id]
               |  +--rw sub-match-id   uint32
               |  +--rw sub-mask       inet:ip-prefix
               +--rw nat-pass-through* [nat-pass-through-id]
               |  +--rw nat-pass-through-id      uint32
               |  +--rw nat-pass-through-pref?   inet:ip-prefix
               |  +--rw nat-pass-through-port?   inet:port-number
               +--rw paired-address-pooling?              boolean
               +--rw nat-mapping-type?                    enumeration
               +--rw nat-filtering-type?                  enumeration
               +--rw port-quota* [quota-type]
               |  +--rw port-limit?   uint16
               |  +--rw quota-type    enumeration
               +--rw port-allocation-type?                enumeration
               +--rw address-roundrobin-enable?           boolean
               +--rw port-set
               |  +--rw port-set-size?      uint16
               |  +--rw port-set-timeout?   uint32
               +--rw udp-timeout?                         uint32
               +--rw tcp-idle-timeout?                    uint32
               +--rw tcp-trans-open-timeout?              uint32
               +--rw tcp-trans-close-timeout?             uint32
               +--rw tcp-in-syn-timeout?                  uint32
               +--rw fragment-min-timeout?                uint32
               +--rw icmp-timeout?                        uint32
               +--rw per-port-timeout* [port-number]
               |  +--rw port-number    inet:port-number
               |  +--rw port-timeout   inet:port-number
               +--rw hold-down-timeout?                   uint32
               +--rw hold-down-max?                       uint32
               +--rw mapping-limit
               |  +--rw limit-per-subscriber?   uint32
               |  +--rw limit-per-vrf?          uint32
               |  +--rw limit-per-subnet?       inet:ip-prefix
               |  +--rw limit-per-instance      uint32
               |  +--rw limit-per-udp           uint32
               |  +--rw limit-per-tcp           uint32
               |  +--rw limit-per-icmp          uint32
               +--rw connection-limit
               |  +--rw limit-per-subscriber?   uint32
               |  +--rw limit-per-vrf?          uint32
               |  +--rw limit-per-subnet?       inet:ip-prefix
               |  +--rw limit-per-instance      uint32
               |  +--rw limit-per-udp           uint32
               |  +--rw limit-per-tcp           uint32
               |  +--rw limit-per-icmp          uint32
               +--rw algs* [alg-name]
               |  +--rw alg-name                  string
               |  +--rw alg-transport-protocol?   uint32
               |  +--rw alg-transport-port?       inet:port-number
               |  +--rw alg-status?               boolean
               +--rw all-algs-enable?                     boolean
               +--rw logging-info
               |  +--rw logging-enable?       boolean
               |  +--rw destination-address   inet:ip-prefix
               |  +--rw destination-port      inet:port-number
               |  +--rw (protocol)?
               |     +--:(syslog)
               |     |  +--rw syslog?   boolean
               |     +--:(ipfix)
               |     |  +--rw ipfix?    boolean
               |     +--:(ftp)
               |        +--rw ftp?      boolean
               +--rw notify-pool-usage
               |  +--rw pool-id?                     uint32
               |  +--rw notify-pool-hi-threshold     percent
               |  +--rw notify-pool-low-threshold?   percent
               +--rw mapping-table
               |  +--rw mapping-entry* [index]
               |     +--rw index                   uint32
               |     +--rw type?                   enumeration
               |     +--rw transport-protocol?     uint8
               |     +--rw internal-src-address?   inet:ip-prefix
               |     +--rw internal-src-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw external-src-address?   inet:ip-prefix
               |     +--rw external-src-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw internal-dst-address?   inet:ip-prefix
               |     +--rw internal-dst-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw external-dst-address?   inet:ip-prefix
               |     +--rw external-dst-port
               |     |  +--rw (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--rw single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--rw start-port-number?    inet:port-number
               |     |        +--rw end-port-number?      inet:port-number
               |     +--rw lifetime?               uint32
               +--ro statistics
                  +--ro traffic-statistics
                  |  +--ro sent-packet?      yang:zero-based-counter64
                  |  +--ro sent-byte?        yang:zero-based-counter64
                  |  +--ro rcvd-packet?      yang:zero-based-counter64
                  |  +--ro rcvd-byte?        yang:zero-based-counter64
                  |  +--ro dropped-packet?   yang:zero-based-counter64
                  |  +--ro dropped-byte?     yang:zero-based-counter64
                  +--ro mapping-statistics
                  |  +--ro total-mappings?        uint32
                  |  +--ro total-tcp-mappings?    uint32
                  |  +--ro total-udp-mappings?    uint32
                  |  +--ro total-icmp-mappings?   uint32
                  +--ro pool-stats
                     +--ro pool-id?             uint32
                     +--ro address-allocated?   uint32
                     +--ro address-free?        uint32
                     +--ro port-stats
                        +--ro ports-allocated?   uint32
                        +--ro ports-free?        uint32

   notifications:
      +---n nat-event
         +--ro id?                     -> /nat-module/nat-instances/nat-instance/id
         +--ro notify-pool-threshold   percent

3.  NAT YANG Module

   file "ietf-nat@2017-08-23.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }

     import ietf-interfaces { prefix if; }
     //import iana-if-type { prefix ianaift; }

     organization "IETF OPSAWG Working Group";

     contact
       "Mohamed Boucadair
        Senthil Sivakumar
        Christian Jacquenet
        Suresh Vinapamula
        Qin Wu ";

     description
       "This module is a YANG module for NAT implementations
        (including NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-08-23 {
       description "Comments from F. Baker about NPTv6.";
       reference "-ietf-02";
     }

     revision 2017-08-21 {
       description "Includes CLAT (Lee/Jordi).";
       reference "-ietf-01";
     }

     revision 2017-08-03 {
       description "Integrates comments from OPSAWG CFA.";
       reference "-ietf-00";
     }

     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-07";
     }

     revision 2015-09-08 {
       description "Fixes a few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";
       reference
         "RFC 3022.";
     }

     identity basic-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022.";
     }

     identity napt {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022.";
     }

     identity restricted-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Port-Restricted NAT support.";
       reference
         "RFC 7596.";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146.";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877.";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757.";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296.";
     }

     /*
      * Grouping
      */

     // Timers

     grouping timeouts {
       description
         "Configure values of various timeouts.";

       leaf udp-timeout {
         type uint32;
         units "seconds";
         default 300;
         description
           "UDP inactivity timeout.  That is the time a mapping
            will stay active without packets traversing the NAT.";
         reference
           "RFC 4787.";
       }

       leaf tcp-idle-timeout {
         type uint32;
         units "seconds";
         default 7440;
         description
           "TCP idle timeout should be
            2 hours and 4 minutes.";
         reference
           "RFC 5382.";
       }

       leaf tcp-trans-open-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory open connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.
            To accommodate deployments that consider
            a partially open timeout of 4 minutes as being
            excessive from a security standpoint, a NAT may
            allow the configured timeout to be less than
            4 minutes.
            However, a minimum default transitory connection
            idle-timeout of 4 minutes is recommended.";
         reference
           "RFC 7857.";
       }

       leaf tcp-trans-close-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory close connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.";
         reference
           "RFC 7857.";
       }

       leaf tcp-in-syn-timeout {
         type uint32;
         units "seconds";
         default 6;
         description
           "A NAT must not respond to an unsolicited
            inbound SYN packet for at least 6 seconds
            after the packet is received.
If during 902 this interval the NAT receives and translates 903 an outbound SYN for the connection the NAT 904 must silently drop the original unsolicited 905 inbound SYN packet."; 907 reference 908 "RFC 5382."; 909 } 911 leaf fragment-min-timeout { 913 type uint32; 914 units "seconds"; 915 default 2; 916 description 917 "As long as the NAT has available resources, 918 the NAT allows the fragments to arrive 919 over fragment-min-timeout interval. 920 The default value is inspired from RFC6146."; 921 } 923 leaf icmp-timeout { 924 type uint32; 925 units "seconds"; 926 default 60; 927 description 928 "An ICMP Query session timer must not expire 929 in less than 60 seconds. It is recommended 930 that the ICMP Query session timer be made 931 configurable"; 933 reference 934 "RFC 5508."; 935 } 937 list per-port-timeout { 938 key port-number; 940 description 941 "Some NATs are configurable with short timeouts 942 for some ports, e.g., as 10 seconds on 943 port 53 (DNS) and NTP (123) and longer timeouts 944 on other ports."; 946 leaf port-number { 947 type inet:port-number; 948 description 949 "A port number."; 950 } 952 leaf port-timeout { 953 type inet:port-number; 954 mandatory true; 955 description 956 "Timeout for this port"; 957 } 958 } 960 leaf hold-down-timeout { 962 type uint32; 963 units "seconds"; 964 default 120; 966 description 967 "Hold down timer. Ports in the 968 hold down pool are not reassigned until 969 this timer expires. 970 The length of time and the maximum 971 number of ports in this state must be 972 configurable by the administrator 973 [RFC6888]. This is necessary in order 974 to prevent collisions between old 975 and new mappings and sessions. It ensures 976 that all established sessions are broken 977 instead of redirected to a different peer."; 979 reference 980 "REQ#8 of RFC 6888."; 981 } 983 leaf hold-down-max { 985 type uint32; 987 description 988 "Maximum ports in the Hold down timer pool. 
989 Ports in the hold down pool are not reassigned 990 until hold-down-timeout expires. 991 The length of time and the maximum 992 number of ports in this state must be 993 configurable by the administrator 994 [RFC6888]. This is necessary in order 995 to prevent collisions between old 996 and new mappings and sessions. It ensures 997 that all established sessions are broken 998 instead of redirected to a different peer."; 1000 reference 1001 "REQ#8 of RFC 6888."; 1002 } 1003 } 1005 // Set of ports 1007 grouping port-set { 1008 description 1009 "Indicates a set of ports. 1010 It may be a simple port range, or use the PSID algorithm 1011 to represent a range of transport layer 1012 ports which will be used by a NAPT."; 1014 choice port-type { 1015 default port-range; 1016 description 1017 "Port type: port-range or port-set-algo."; 1019 case port-range { 1020 leaf start-port-number { 1021 type inet:port-number; 1022 description 1023 "Begining of the port range."; 1025 reference 1026 "Section 3.2.9 of RFC 8045."; 1027 } 1029 leaf end-port-number { 1031 type inet:port-number; 1032 description 1033 "End of the port range."; 1035 reference 1036 "Section 3.2.10 of RFC 8045."; 1037 } 1038 } 1040 case port-set-algo { 1042 leaf psid-offset { 1043 type uint8 { 1044 range 0..16; 1045 } 1046 description 1047 "The number of offset bits. In Lightweight 4over6, 1048 the default value is 0 for assigning one contiguous 1049 port range. 
In MAP-E/T, the default value is 6, 1050 which excludes system ports by default and assigns 1051 port ranges distributed across the entire port 1052 space."; 1053 } 1055 leaf psid-len { 1056 type uint8 { 1057 range 0..15; 1058 } 1059 mandatory true; 1060 description 1061 "The length of PSID, representing the sharing 1062 ratio for an IPv4 address."; 1063 } 1065 leaf psid { 1066 type uint16; 1067 mandatory true; 1068 description 1069 "Port Set Identifier (PSID) value, which 1070 identifies a set of ports algorithmically."; 1071 } 1072 } 1074 } 1075 } 1077 // port numbers: single or port-range 1079 grouping port-number { 1080 description 1081 "Individual port or a range of ports."; 1083 choice port-type { 1084 default single-port-number; 1085 description 1086 "Port type: single or port-range."; 1088 case single-port-number { 1089 leaf single-port-number { 1090 type inet:port-number; 1091 description 1092 "Used for single port numbers."; 1093 } 1094 } 1096 case port-range { 1097 leaf start-port-number { 1098 type inet:port-number; 1099 description 1100 "Begining of the port range."; 1102 reference 1103 "Section 3.2.9 of RFC 8045."; 1104 } 1106 leaf end-port-number { 1107 type inet:port-number; 1108 description 1109 "End of the port range."; 1111 reference 1112 "Section 3.2.10 of RFC 8045."; 1113 } 1114 } 1115 } 1116 } 1118 // Mapping Entry 1120 grouping mapping-entry { 1121 description 1122 "NAT mapping entry."; 1124 leaf index { 1125 type uint32; 1126 description 1127 "A unique identifier of a mapping entry."; 1128 } 1130 leaf type { 1131 type enumeration { 1132 enum "static" { 1133 description 1134 "The mapping entry is manually 1135 configured."; 1136 } 1138 enum "dynamic-explicit" { 1139 description 1140 "This mapping is created by an 1141 outgoing packet."; 1142 } 1144 enum "dynamic-implicit" { 1145 description 1146 "This mapping is created by an 1147 explicit dynamic message."; 1149 } 1150 } 1151 description 1152 "Indicates the type of a mapping entry. 
E.g., 1153 a mapping can be: static, implicit dynamic 1154 or explicit dynamic."; 1155 } 1157 leaf transport-protocol { 1158 type uint8; 1160 description 1161 "Upper-layer protocol associated with this mapping. 1162 Values are taken from the IANA protocol registry. 1163 For example, this field contains 6 (TCP) for a TCP 1164 mapping or 17 (UDP) for a UDP mapping. No transport 1165 protocol is indicated if a mapping applies for any 1166 protocol."; 1167 } 1169 leaf internal-src-address { 1170 type inet:ip-prefix; 1172 description 1173 "Corresponds to the source IPv4/IPv6 address/prefix 1174 of the packet received on an internal 1175 interface."; 1176 } 1178 container internal-src-port { 1180 description 1181 "Corresponds to the source port of the 1182 packet received on an internal interface. 1183 It is used also to carry the internal 1184 source ICMP identifier."; 1186 uses port-number; 1187 } 1189 leaf external-src-address { 1190 type inet:ip-prefix; 1192 description 1193 "Source IP address/prefix of the packet sent 1194 on an external interface of the NAT."; 1195 } 1196 container external-src-port { 1198 description 1199 "Source port of the packet sent 1200 on an external interafce of the NAT. 1201 It is used also to carry the external 1202 source ICMP identifier."; 1204 uses port-number; 1205 } 1207 leaf internal-dst-address { 1208 type inet:ip-prefix; 1210 description 1211 "Corresponds to the destination IP address/prefix 1212 of the packet received on an internal interface 1213 of the NAT. 1214 For example, some NAT implementations support 1215 the translation of both source and destination 1216 addresses and ports, sometimes referred to 1217 as 'Twice NAT'."; 1218 } 1220 container internal-dst-port { 1222 description 1223 "Corresponds to the destination port of the 1224 IP packet received on the internal interface. 
1226 It is used also to carry the internal 1227 destination ICMP identifier."; 1229 uses port-number; 1230 } 1232 leaf external-dst-address { 1233 type inet:ip-prefix; 1235 description 1236 "Corresponds to the destination IP address/prefix 1237 of the packet sent on an external interface 1238 of the NAT."; 1239 } 1241 container external-dst-port { 1243 description 1244 "Corresponds to the destination port number of 1245 the packet sent on the external interface 1246 of the NAT. 1247 It is used also to carry the external 1248 destination ICMP identifier."; 1250 uses port-number; 1251 } 1253 leaf lifetime { 1254 type uint32; 1255 //mandatory true; 1257 description 1258 "When specified, it tracks the connection that is 1259 fully-formed (e.g., once the 3WHS TCP is completed) 1260 or the duration for maintaining an explicit mapping 1261 alive. Static mappings may not be associated with a 1262 lifetime. If no lifetime is associated with a 1263 static mapping, an explicit action is requried to 1264 remove that mapping."; 1265 } 1266 } 1268 grouping nat-parameters { 1269 description 1270 "NAT parameters for a given instance"; 1272 list external-ip-address-pool { 1273 key pool-id; 1275 description 1276 "Pool of external IP addresses used to 1277 service internal hosts. 1278 Both contiguous and non-contiguous pools 1279 can be configured for NAT purposes."; 1281 leaf pool-id { 1282 type uint32; 1284 description 1285 "An identifier of the address pool."; 1286 } 1288 leaf external-ip-pool { 1289 type inet:ipv4-prefix; 1291 description 1292 "An IPv4 prefix used for NAT purposes."; 1293 } 1294 } 1296 container port-set-restrict { 1298 when "../nat-capabilities/restricted-port-support = 'true'"; 1300 description 1301 "Configures contiguous and non-contiguous port ranges."; 1303 uses port-set; 1304 } 1306 leaf dst-nat-enable { 1307 type boolean; 1308 default false; 1310 description 1311 "Enable/Disable destination NAT. 
1312 A NAT44 may be configured to enable 1313 Destination NAT, too."; 1314 } 1316 list dst-ip-address-pool { 1317 //if-feature dst-nat; 1318 when "../nat-capabilities/nat-flavor = 'dst-nat' "; 1320 key pool-id; 1322 description 1323 "Pool of IP addresses used for destination NAT."; 1325 leaf pool-id { 1326 type uint32; 1328 description 1329 "An identifier of the address pool."; 1330 } 1332 leaf dst-in-ip-pool { 1333 type inet:ip-prefix; 1335 description 1336 "Internal IP prefix/address"; 1337 } 1339 leaf dst-out-ip-pool { 1340 type inet:ip-prefix; 1342 description 1343 "IP address/prefix used for destination NAT."; 1344 } 1345 } 1347 list nat64-prefixes { 1349 when "../nat-capabilities/nat-flavor = 'nat64' " + 1350 " or ../nat-capabilities/nat-flavor = 'clat'"; 1352 key nat64-prefix; 1354 description 1355 "Provides one or a list of NAT64 prefixes 1356 with or without a list of destination IPv4 prefixes. 1358 Destination-based Pref64::/n is discussed in 1359 Section 5.1 of [RFC7050]). For example: 1360 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 1361 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 1363 reference 1364 "Section 5.1 of RFC7050."; 1366 leaf nat64-prefix { 1367 type inet:ipv6-prefix; 1368 //default "64:ff9b::/96"; 1370 description 1371 "A NAT64 prefix. Can be NSP or a Well-Known 1372 Prefix (WKP)."; 1374 reference 1375 "RFC 6052."; 1376 } 1378 list destination-ipv4-prefix { 1380 key ipv4-prefix; 1382 description 1383 "An IPv4 prefix/address."; 1385 leaf ipv4-prefix { 1386 type inet:ipv4-prefix; 1387 description 1388 "An IPv4 address/prefix."; 1389 } 1390 } 1391 } 1393 list clat-ipv6-prefixes { 1395 when "../nat-capabilities/nat-flavor = 'clat' "; 1397 key clat-ipv6-prefix; 1399 description 1400 "464XLAT double translation treatment is 1401 stateless when a dedicated /64 is available 1402 for translation on the CLAT. 
Otherwise, the 1403 CLAT will have both stateful and stateless 1404 since it requires NAT44 from the LAN to 1405 a single IPv4 address and then stateless 1406 translation to a single IPv6 address."; 1408 reference 1409 "RFC 6877."; 1411 leaf clat-ipv6-prefix { 1412 type inet:ipv6-prefix; 1414 description 1415 "An IPv6 prefix used for CLAT."; 1416 } 1417 } 1419 list clat-ipv4-prefixes { 1421 when "../nat-capabilities/nat-flavor = 'clat'"; 1423 key clat-ipv4-prefix; 1425 description 1426 "Pool of IPv4 addresses used for CLAT. 1427 192.0.0.0/29 is the IPv4 service continuity 1428 prefix."; 1430 reference 1431 "RFC 7335."; 1433 leaf clat-ipv4-prefix { 1434 type inet:ipv4-prefix; 1436 description 1437 "464XLAT double translation treatment is 1438 stateless when a dedicated /64 is available 1439 for translation on the CLAT. Otherwise, the 1440 CLAT will have both stateful and stateless 1441 since it requires NAT44 from the LAN to 1442 a single IPv4 address and then stateless 1443 translation to a single IPv6 address. 1444 The CLAT performs NAT44 for all IPv4 LAN 1445 packets so that all the LAN-originated IPv4 1446 packets appear from a single IPv4 address 1447 and are then statelessly translated to one 1448 interface IPv6 address that is claimed by 1449 the CLAT. 1450 An IPv4 address from this pool is also 1451 provided to an application that makes 1452 use of literals."; 1454 reference 1455 "RFC 6877."; 1456 } 1457 } 1459 list nptv6-prefixes { 1461 when "../nat-capabilities/nat-flavor = 'nptv6' "; 1463 key translation-id; 1465 description 1466 "Provides one or a list of (internal IPv6 prefix, 1467 external IPv6 prefix) required for NPTv6. 
1469 In its simplest form, NPTv6 interconnects two network 1470 links, one of which is an 'internal' network link 1471 attachedto a leaf network within a single 1472 administrative domain and the other of which is an 1473 'external' network with connectivity to the global 1474 Internet."; 1476 reference 1477 "RFC 6296."; 1479 leaf translation-id { 1480 type uint32; 1481 description 1482 "An identifier of the NPTv6 prefixs."; 1483 } 1485 leaf internal-ipv6-prefix { 1486 type inet:ipv6-prefix; 1488 description 1489 "An IPv6 prefix used by an internal interface 1490 of NPTv6."; 1492 reference 1493 "RFC 6296."; 1494 } 1496 leaf external-ipv6-prefix { 1497 type inet:ipv6-prefix; 1499 description 1500 "An IPv6 prefix used by the external interface 1501 of NPTv6."; 1503 reference 1504 "RFC 6296."; 1505 } 1506 } 1508 list supported-transport-protocols { 1510 key transport-protocol-id; 1512 description 1513 "Supported transport protocols. 1514 TCP and UDP are supported by default."; 1516 leaf transport-protocol-id { 1517 type uint8; 1518 mandatory true; 1520 description 1521 "Upper-layer protocol associated with this mapping. 1522 Values are taken from the IANA protocol registry. 1523 For example, this field contains 6 (TCP) for a TCP 1524 mapping or 17 (UDP) for a UDP mapping."; 1525 } 1527 leaf transport-protocol-name { 1528 type string; 1529 description 1530 "For example, TCP, UDP, DCCP, and SCTP."; 1531 } 1532 } 1534 leaf subscriber-mask-v6 { 1535 type uint8 { 1536 range "0 .. 128"; 1537 } 1539 description 1540 "The subscriber-mask is an integer that indicates 1541 the length of significant bits to be applied on 1542 the source IP address (internal side) to 1543 unambiguously identify a CPE. 1545 Subscriber-mask is a system-wide configuration 1546 parameter that is used to enforce generic 1547 per-subscriber policies (e.g., port-quota). 1549 The enforcement of these generic policies does not 1550 require the configuration of every subscriber's 1551 prefix. 
1553 Example: suppose the 2001:db8:100:100::/56 prefix 1554 is assigned to a NAT64 serviced CPE. Suppose also 1555 that 2001:db8:100:100::1 is the IPv6 address used 1556 by the client that resides in that CPE. When the 1557 NAT64 receives a packet from this client, 1558 it applies the subscriber-mask (e.g., 56) on 1559 the source IPv6 address to compute the associated 1560 prefix for this client (2001:db8:100:100::/56). 1561 Then, the NAT64 enforces policies based on that 1562 prefix (2001:db8:100:100::/56), not on the exact 1563 source IPv6 address."; 1564 } 1566 list subscriber-match { 1568 key sub-match-id; 1570 description 1571 "IP prefix match."; 1573 leaf sub-match-id { 1574 type uint32; 1575 description 1576 "An identifier of the subscriber masck."; 1577 } 1578 leaf sub-mask { 1579 type inet:ip-prefix; 1580 mandatory true; 1581 description 1582 "The IP address subnets that match 1583 should be translated. E.g., all addresses 1584 that belong to the 192.0.2.0/24 prefix must 1585 be processed by the NAT."; 1586 } 1588 } 1590 list nat-pass-through { 1592 key nat-pass-through-id; 1594 description 1595 "IP prefix NAT pass through."; 1597 leaf nat-pass-through-id { 1598 type uint32; 1599 description 1600 "An identifier of the IP prefix pass 1601 through."; 1602 } 1604 leaf nat-pass-through-pref { 1605 type inet:ip-prefix; 1606 description 1607 "The IP address subnets that match 1608 should not be translated. According to 1609 REQ#6 of RFC6888, it must be possible 1610 to administratively turn off translation 1611 for specific destination addresses 1612 and/or ports."; 1613 } 1615 leaf nat-pass-through-port { 1616 type inet:port-number; 1617 description 1618 "The IP address subnets that match 1619 should not be translated. 
According to 1620 REQ#6 of RFC6888, it must be possible to 1621 administratively turn off translation 1622 for specific destination addresses 1623 and/or ports."; 1624 } 1626 } 1628 leaf paired-address-pooling { 1629 type boolean; 1630 default true; 1632 description 1633 "Paired address pooling informs the NAT 1634 that all the flows from an internal IP 1635 address must be assigned the same external 1636 address."; 1638 reference 1639 "RFC 4007."; 1640 } 1642 leaf nat-mapping-type { 1643 type enumeration { 1644 enum "eim" { 1645 description 1646 "endpoint-independent-mapping."; 1648 reference 1649 "Section 4 of RFC 4787."; 1650 } 1652 enum "adm" { 1653 description 1654 "address-dependent-mapping."; 1656 reference 1657 "Section 4 of RFC 4787."; 1658 } 1660 enum "edm" { 1661 description 1662 "address-and-port-dependent-mapping."; 1664 reference 1665 "Section 4 of RFC 4787."; 1666 } 1667 } 1668 description 1669 "Indicates the type of a NAT mapping."; 1670 } 1672 leaf nat-filtering-type { 1673 type enumeration { 1674 enum "eif" { 1676 description 1677 "endpoint-independent- filtering."; 1679 reference 1680 "Section 5 of RFC 4787."; 1681 } 1683 enum "adf" { 1684 description 1685 "address-dependent-filtering."; 1687 reference 1688 "Section 5 of RFC 4787."; 1689 } 1691 enum "edf" { 1692 description 1693 "address-and-port-dependent-filtering"; 1695 reference 1696 "Section 5 of RFC 4787."; 1697 } 1698 } 1699 description 1700 "Indicates the type of a NAT filtering."; 1701 } 1703 list port-quota { 1704 when "../nat-capabilities/nat44-flavor = "+ 1705 "'napt' or "+ 1706 "../nat-capabilities/nat-flavor = "+ 1707 "'nat64'"; 1709 key quota-type; 1711 description 1712 "Configures a port quota to be assigned per 1713 subscriber. It corresponds to the maximum 1714 number of ports to be used by a subscriber."; 1716 leaf port-limit { 1718 type uint16; 1719 description 1720 "Configures a port quota to be assigned per 1721 subscriber. 
It corresponds to the maximum 1722 number of ports to be used by a subscriber."; 1724 reference 1725 "REQ-4 of RFC 6888."; 1726 } 1728 leaf quota-type { 1729 type enumeration { 1730 enum "all" { 1732 description 1733 "The limit applies to all protocols."; 1735 reference 1736 "REQ-4 of RFC 6888."; 1737 } 1739 enum "tcp" { 1740 description 1741 "TCP quota."; 1743 reference 1744 "REQ-4 of RFC 6888."; 1745 } 1747 enum "udp" { 1748 description 1749 "UDP quota."; 1751 reference 1752 "REQ-4 of RFC 6888."; 1753 } 1755 enum "icmp" { 1756 description 1757 "ICMP quota."; 1759 reference 1760 "REQ-4 of RFC 6888."; 1761 } 1762 } 1763 description 1764 "Indicates whether the port quota applies to 1765 all protocols or to a specific transport."; 1766 } 1768 } 1770 leaf port-allocation-type { 1771 type enumeration { 1772 enum "random" { 1773 description 1774 "Port randomization is enabled."; 1775 } 1777 enum "port-preservation" { 1778 description 1779 "Indicates whether the NAT should 1780 preserve the internal port number."; 1781 } 1783 enum "port-parity-preservation" { 1784 description 1785 "Indicates whether the NAT should 1786 preserve the port parity of the 1787 internal port number."; 1788 } 1790 enum "port-range-allocation" { 1791 description 1792 "Indicates whether the NAT assigns a 1793 range of ports for an internal host."; 1794 } 1796 } 1797 description 1798 "Indicates the type of a port allocation."; 1799 } 1801 leaf address-roundrobin-enable { 1802 type boolean; 1804 description 1805 "Enable/disable address allocation 1806 round robin."; 1807 } 1809 container port-set { 1810 when "../port-allocation-type='port-range-allocation'"; 1812 description 1813 "Manages port-set assignments."; 1815 leaf port-set-size { 1816 type uint16; 1817 description 1818 "Indicates the size of assigned port 1819 sets."; 1820 } 1822 leaf port-set-timeout { 1823 type uint32; 1824 description 1825 "Inactivty timeout for port sets."; 1826 } 1827 } 1829 uses timeouts; 1831 container mapping-limit 
{ 1833 description 1834 "Information about the configuration parameters that 1835 limits the mappings based upon various criteria."; 1837 leaf limit-per-subscriber { 1838 type uint32; 1840 description 1841 "Maximum number of NAT mappings per 1842 subscriber."; 1843 } 1845 leaf limit-per-vrf { 1846 type uint32; 1848 description 1849 "Maximum number of NAT mappings per 1850 VLAN/VRF."; 1851 } 1853 leaf limit-per-subnet { 1854 type inet:ip-prefix; 1856 description 1857 "Maximum number of NAT mappings per 1858 subnet."; 1859 } 1861 leaf limit-per-instance { 1862 type uint32; 1863 mandatory true; 1865 description 1866 "Maximum number of NAT mappings per 1867 instance."; 1868 } 1870 leaf limit-per-udp { 1871 type uint32; 1872 mandatory true; 1874 description 1875 "Maximum number of UDP NAT mappings per 1876 subscriber."; 1877 } 1879 leaf limit-per-tcp { 1880 type uint32; 1881 mandatory true; 1883 description 1884 "Maximum number of TCP NAT mappings per 1885 subscriber."; 1887 } 1889 leaf limit-per-icmp { 1890 type uint32; 1891 mandatory true; 1893 description 1894 "Maximum number of ICMP NAT mappings per 1895 subscriber."; 1896 } 1897 } 1899 container connection-limit { 1901 description 1902 "Information about the configuration parameters that 1903 rate limit the translation based upon various 1904 criteria."; 1906 leaf limit-per-subscriber { 1907 type uint32; 1909 description 1910 "Rate-limit the number of new mappings 1911 and sessions per subscriber."; 1912 } 1914 leaf limit-per-vrf { 1915 type uint32; 1917 description 1918 "Rate-limit the number of new mappings 1919 and sessions per VLAN/VRF."; 1920 } 1922 leaf limit-per-subnet { 1923 type inet:ip-prefix; 1925 description 1926 "Rate-limit the number of new mappings 1927 and sessions per subnet."; 1928 } 1930 leaf limit-per-instance { 1931 type uint32; 1932 mandatory true; 1934 description 1935 "Rate-limit the number of new mappings 1936 and sessions per instance."; 1937 } 1939 leaf limit-per-udp { 1940 type uint32; 
1941 mandatory true; 1943 description 1944 "Rate-limit the number of new UDP mappings 1945 and sessions per subscriber."; 1946 } 1948 leaf limit-per-tcp { 1949 type uint32; 1950 mandatory true; 1952 description 1953 "Rate-limit the number of new TCP mappings 1954 and sessions per subscriber."; 1956 } 1957 leaf limit-per-icmp { 1958 type uint32; 1959 mandatory true; 1961 description 1962 "Rate-limit the number of new ICMP mappings 1963 and sessions per subscriber."; 1964 } 1965 } 1967 list algs { 1969 key alg-name; 1971 description 1972 "ALG-related features."; 1974 leaf alg-name { 1975 type string; 1977 description 1978 "The name of the ALG"; 1979 } 1981 leaf alg-transport-protocol { 1982 type uint32; 1984 description 1985 "The transport protocol used by the ALG."; 1986 } 1988 leaf alg-transport-port { 1989 type inet:port-number; 1991 description 1992 "The port number used by the ALG."; 1993 } 1995 leaf alg-status { 1996 type boolean; 1998 description 1999 "Enable/disable the ALG."; 2000 } 2001 } 2003 leaf all-algs-enable { 2004 type boolean; 2006 description 2007 "Enable/disable all ALGs."; 2008 } 2010 container logging-info { 2011 description 2012 "Information about logging NAT events"; 2014 leaf logging-enable { 2015 type boolean; 2017 description 2018 "Enable logging features as per Section 2.3 2019 of [RFC6908]."; 2020 } 2022 leaf destination-address { 2023 type inet:ip-prefix; 2024 mandatory true; 2026 description 2027 "Address of the collector that receives 2028 the logs"; 2029 } 2031 leaf destination-port { 2032 type inet:port-number; 2033 mandatory true; 2035 description 2036 "Destination port of the collector."; 2037 } 2039 choice protocol { 2041 description 2042 "Enable the protocol to be used for 2043 the retrieval of logging entries."; 2045 case syslog { 2046 leaf syslog { 2047 type boolean; 2049 description 2050 "If SYSLOG is in use."; 2051 } 2053 } 2055 case ipfix { 2056 leaf ipfix { 2057 type boolean; 2059 description 2060 "If IPFIX is in use."; 
2061 } 2062 } 2064 case ftp { 2065 leaf ftp { 2066 type boolean; 2068 description 2069 "If FTP is in use."; 2070 } 2071 } 2072 } 2073 } 2075 container notify-pool-usage { 2076 description 2077 "Notification of pool usage when certain criteria 2078 are met."; 2080 leaf pool-id { 2081 type uint32; 2083 description 2084 "Pool-ID for which the notification 2085 criteria is defined"; 2086 } 2088 leaf notify-pool-hi-threshold { 2089 type percent; 2090 mandatory true; 2092 description 2093 "Notification must be generated when the 2094 defined high threshold is reached. 2095 For example, if a notification is 2096 required when the pool utilization reaches 2097 90%, this configuration parameter must 2098 be set to 90%."; 2099 } 2100 leaf notify-pool-low-threshold { 2101 type percent; 2103 description 2104 "Notification must be generated when the defined 2105 low threshold is reached. 2106 For example, if a notification is required when 2107 the pool utilization reaches below 10%, 2108 this configuration parameter must be set to 2109 10%."; 2110 } 2111 } 2113 } //nat-parameters group 2115 container nat-module { 2116 description 2117 "NAT"; 2119 container nat-instances { 2120 description 2121 "NAT instances"; 2123 list nat-instance { 2125 key "id"; 2127 description 2128 "A NAT instance."; 2130 leaf id { 2131 type uint32; 2133 description 2134 "NAT instance identifier."; 2136 reference 2137 "RFC 7659."; 2138 } 2140 leaf name { 2141 type string; 2143 description 2144 "A name associated with the NAT instance."; 2145 } 2147 leaf enable { 2148 type boolean; 2150 description 2151 "Status of the the NAT instance."; 2152 } 2154 container nat-capabilities { 2155 config false; 2157 description 2158 "NAT capabilities"; 2160 leaf-list nat-flavor { 2161 type identityref { 2162 base nat-type; 2163 } 2164 description 2165 "Type of NAT."; 2166 } 2168 leaf-list nat44-flavor { 2170 when "../nat-flavor = 'nat44'"; 2172 type identityref { 2173 base nat44; 2174 } 2175 description 2176 "Type of 
NAT44: Basic NAT or NAPT."; 2177 } 2179 leaf restricted-port-support { 2180 type boolean; 2182 description 2183 "Indicates source port NAT restriction 2184 support."; 2185 } 2187 leaf static-mapping-support { 2188 type boolean; 2190 description 2191 "Indicates whether static mappings are 2192 supported."; 2193 } 2194 leaf port-randomization-support { 2195 type boolean; 2197 description 2198 "Indicates whether port randomization is 2199 supported."; 2200 } 2202 leaf port-range-allocation-support { 2203 type boolean; 2205 description 2206 "Indicates whether port range 2207 allocation is supported."; 2208 } 2210 leaf port-preservation-suport { 2211 type boolean; 2213 description 2214 "Indicates whether port preservation 2215 is supported."; 2216 } 2218 leaf port-parity-preservation-support { 2219 type boolean; 2221 description 2222 "Indicates whether port parity 2223 preservation is supported."; 2224 } 2226 leaf address-roundrobin-support { 2227 type boolean; 2229 description 2230 "Indicates whether address allocation 2231 round robin is supported."; 2232 } 2234 leaf paired-address-pooling-support { 2235 type boolean; 2237 description 2238 "Indicates whether paired-address-pooling is 2239 supported"; 2240 } 2241 leaf endpoint-independent-mapping-support { 2242 type boolean; 2244 description 2245 "Indicates whether endpoint-independent- 2246 mapping in Section 4 of RFC 4787 is 2247 supported."; 2248 } 2250 leaf address-dependent-mapping-support { 2251 type boolean; 2253 description 2254 "Indicates whether address-dependent- 2255 mapping is supported."; 2256 } 2258 leaf address-and-port-dependent-mapping-support 2259 { 2260 type boolean; 2262 description 2263 "Indicates whether address-and-port- 2264 dependent-mapping is supported."; 2265 } 2267 leaf endpoint-independent-filtering-support 2268 { 2269 type boolean; 2271 description 2272 "Indicates whether endpoint-independent 2273 -filtering is supported."; 2274 } 2276 leaf address-dependent-filtering { 2277 type 
boolean; 2279 description 2280 "Indicates whether address-dependent 2281 -filtering is supported."; 2282 } 2284 leaf address-and-port-dependent-filtering { 2285 type boolean; 2287 description 2288 "Indicates whether address-and-port 2289 -dependent is supported."; 2290 } 2291 } 2293 list internal-interfaces { 2295 key internal-interface; 2297 description 2298 "List of internal interfaces."; 2300 leaf internal-interface { 2301 type if:interface-ref; 2302 description 2303 "Name of an internal interface."; 2304 } 2305 } 2307 list external-interfaces { 2309 key external-interface; 2311 description 2312 "List of external interfaces."; 2314 leaf external-interface { 2315 type if:interface-ref; 2316 description 2317 "Name of an external interface."; 2318 } 2319 } 2321 uses nat-parameters; 2323 container mapping-table { 2325 when "../nat-capabilities/nat-flavor = "+ 2326 "'nat44' or "+ 2327 "../nat-capabilities/nat-flavor = "+ 2328 "'nat64'or "+ 2329 "../nat-capabilities/nat-flavor = "+ 2330 "'clat'or "+ 2331 "../nat-capabilities/nat-flavor = 'dst-nat'"; 2333 description 2334 "NAT mapping table. 
Applicable for functions 2335 which maintains static and/or dynamic mappings, 2336 such as NAT44, Destination NAT, NAT64, CLAT, 2337 or EAM."; 2339 list mapping-entry { 2340 key "index"; 2342 description 2343 "NAT mapping entry."; 2345 uses mapping-entry; 2346 } 2347 } 2349 container statistics { 2351 config false; 2353 description 2354 "Statistics related to the NAT instance."; 2356 container traffic-statistics { 2357 description 2358 "Generic traffic statistics."; 2360 leaf sent-packet { 2361 type yang:zero-based-counter64; 2363 description 2364 "Number of packets sent."; 2365 } 2367 leaf sent-byte { 2368 type yang:zero-based-counter64; 2370 description 2371 "Counter for sent traffic in bytes."; 2372 } 2374 leaf rcvd-packet { 2375 type yang:zero-based-counter64; 2377 description 2378 "Number of received packets."; 2379 } 2381 leaf rcvd-byte { 2382 type yang:zero-based-counter64; 2384 description 2385 "Counter for received traffic 2386 in bytes."; 2387 } 2389 leaf dropped-packet { 2390 type yang:zero-based-counter64; 2392 description 2393 "Number of dropped packets."; 2394 } 2396 leaf dropped-byte { 2397 type yang:zero-based-counter64; 2399 description 2400 "Counter for dropped traffic in 2401 bytes."; 2402 } 2403 } 2405 container mapping-statistics { 2407 when "../../nat-capabilities/nat-flavor = "+ 2408 "'nat44' or "+ 2409 "../../nat-capabilities/nat-flavor = "+ 2410 "'nat64'or "+ 2411 "../../nat-capabilities/nat-flavor = 'dst-nat'"; 2413 description 2414 "Mapping statistics."; 2416 leaf total-mappings { 2417 type uint32; 2419 description 2420 "Total number of NAT mappings present 2421 at a given time. 
This variable includes 2422 all the static and dynamic mappings."; 2423 } 2425 leaf total-tcp-mappings { 2426 type uint32; 2427 description 2428 "Total number of TCP mappings present 2429 at a given time."; 2430 } 2432 leaf total-udp-mappings { 2433 type uint32; 2434 description 2435 "Total number of UDP mappings present 2436 at a given time."; 2437 } 2439 leaf total-icmp-mappings { 2440 type uint32; 2441 description 2442 "Total number of ICMP mappings present 2443 at a given time."; 2444 } 2446 } 2448 container pool-stats { 2450 when "../../nat-capabilities/nat-flavor = "+ 2451 "'nat44' or "+ 2452 "../../nat-capabilities/nat-flavor = "+ 2453 "'nat64'"; 2455 description 2456 "Statistics related to address/prefix 2457 pool usage"; 2459 leaf pool-id { 2460 type uint32; 2461 description 2462 "Unique Identifier that represents 2463 a pool of addresses/prefixes."; 2464 } 2466 leaf address-allocated { 2467 type uint32; 2468 description 2469 "Number of allocated addresses in 2470 the pool"; 2471 } 2473 leaf address-free { 2474 type uint32; 2475 description 2476 "Number of unallocated addresses in 2477 the pool at a given time.The sum of 2478 unallocated and allocated 2479 addresses is the total number of 2480 addresses of the pool."; 2481 } 2483 container port-stats { 2485 description 2486 "Statistics related to port 2487 usage."; 2489 leaf ports-allocated { 2490 type uint32; 2492 description 2493 "Number of allocated ports 2494 in the pool."; 2495 } 2497 leaf ports-free { 2498 type uint32; 2500 description 2501 "Number of unallocated addresses 2502 in the pool."; 2503 } 2504 } 2505 } 2506 } //statistics 2507 } 2508 } 2509 } 2511 /* 2512 * Notifications 2513 */ 2515 notification nat-event { 2516 description 2517 "Notifications must be generated when the defined 2518 high/low threshold is reached. 
          Related
          configuration parameters must be provided to
          trigger the notifications.";

       leaf id {
         type leafref {
           path
             "/nat-module/nat-instances/"
             + "nat-instance/id";
         }
         description
           "NAT instance ID.";
       }

       leaf notify-pool-threshold {
         type percent;
         mandatory true;
         description
           "A threshold has been reached.";
       }
     }
   }

4.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer, and the support of SSH is mandatory to
   implement secure transport [RFC6242].  The NETCONF access control
   model [RFC6536] provides means to restrict access by some users to a
   pre-configured subset of all available NETCONF protocol operations
   and data.

   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC6020].

      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6.  Acknowledgements

   Many thanks to Dan Wing and Tianran Zhou for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.
   Thanks to Lee Howard and Jordi Palet for the CLAT comments and to
   Fred Baker for the NPTv6 comments.

   Special thanks to Maros Marsalek and Marek Gradzki for sharing their
   comments based on the FD.io implementation.

7.  References

7.1.  Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

7.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Data Models for the Port Control
              Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in
              progress), May 2017.

   [I-D.ietf-behave-ipfix-nat-logging]
              Sivakumar, S. and R. Penno, "IPFIX Information Elements
              for logging NAT Events", draft-ietf-behave-ipfix-nat-
              logging-13 (work in progress), January 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
              Models for the DS-Lite", draft-ietf-softwire-dslite-
              yang-06 (work in progress), August 2017.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.
   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

Appendix A.  Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such a case, together with a mapping entry, is depicted below:

      1
      NAT_Subscriber_A
      ....
      1
      192.0.2.1
      ....
      ....
      192.0.2.1
      ....

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAT44.  In reference to this
   example, the UDP packet received with a source IPv4 address
   (192.0.2.1) and source port number (1568) is translated into a UDP
   packet having a source IPv4 address (198.51.100.1) and source port
   (15000).  The lifetime of this mapping is 300 seconds.

      15
      dynamic-explicit
      17
      192.0.2.1
      1568
      198.51.100.1
      15000
      300

A.2.  CGN

   The following XML snippet shows an example of the capabilities
   supported by a CGN as retrieved using NETCONF.
      nat44
      false
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false

   The following XML snippet shows an example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (192.0.2.0/24).  Further, the CGN is instructed to limit the number
   of allocated ports per subscriber to 1024.  Ports can be allocated by
   the CGN by assigning ranges of 256 ports (that is, a subscriber can
   be allocated up to four port ranges of 256 ports each).

      1
      myCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      256
      ....

   An administrator may decide to allocate one single port range per
   subscriber (a port range of 1024 ports) as shown below:

      1
      myotherCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      1024
      ....
      ....

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

          X1:x1          X1':x1'             X2:x2
         +---+from X1:x1  +---+from X1:x1    +---+
         | C | to X2:x2   |   | to X2:x2     | S |
         | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
         | i |            | G |              | r |
         | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
         | n |from X2:x2  |   |from X2:x2    | e |
         | t | to X1:x1   |   | to X1:x1     | r |
         +---+            +---+              +---+

                     Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.25), the following configuration parameter must be
   set:

      ...
      192.0.2.25
      ...

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such a case is
   depicted below:

      2001:db8:122:300::/56

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such a case is shown below:

      2001:db8:122::/48
      198.51.100.0/24

A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Figure 2.

         +---+----------------+----------------------+
         | # |  IPv4 Prefix   |     IPv6 Prefix      |
         +---+----------------+----------------------+
         | 1 | 192.0.2.1      | 2001:db8:aaaa::      |
         | 2 | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
         | 3 | 192.0.2.16/28  | 2001:db8:cccc::/124  |
         | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64   |
         | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
         | 6 | 192.0.2.224/31 | 64:ff9b::/127        |
         +---+----------------+----------------------+

                  Figure 2: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

      1
      static
      192.0.2.1
      2001:db8:aaaa::
      2
      static
      192.0.2.2/32
      2001:db8:bbbb::b/128
      3
      static
      192.0.2.16/28
      2001:db8:cccc::/124
      4
      static
      192.0.2.128/26
      2001:db8:dddd::/64
      5
      static
      192.0.2.192/29
      2001:db8:eeee:8::/62
      6
      static
      192.0.2.224/31
      64:ff9b::/127

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

      nat64
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false

A.6.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

      1
      static
      6
      192.0.2.1
      100
      500
      198.51.100.1
      1100
      1500
      ...

A.7.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

      1
      static
      6
      192.0.2.1/24
      198.51.100.1/24
      ...

A.8.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate packets having 192.0.2.1 as a destination
   IP address to 198.51.100.1.
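   The EAM table of Figure 2 (Appendix A.5) worked through in code, as an
   added example that is not part of the draft or of the YANG module: it
   parses the six entries with Python's standard ipaddress module and
   applies the [RFC7757] rule in both directions, copying the IPv4
   suffix bits (those beyond the IPv4 prefix length) into the IPv6
   address immediately after the IPv6 prefix, and rejecting at load time
   any EAM whose IPv6 prefix leaves no room for that suffix (such an EAM
   could not map every IPv4 address of its prefix to a distinct IPv6
   address).  Longest-prefix selection among overlapping EAMs is this
   example's own assumption, not a rule stated in the draft.

```python
import ipaddress

# Constructed from Figure 2 of Appendix A.5 (the RFC 7757 example EAMs).
# A bare address stands for a /32 (IPv4) or /128 (IPv6) prefix, as in #1.
EAM_TABLE = [
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]

def load_eams(table):
    """Parse (v4, v6) prefix pairs, rejecting EAMs whose IPv6 prefix leaves
    no room for the 32 - ipv4_prefixlen suffix bits before bit 128."""
    eams = []
    for v4, v6 in table:
        p4 = ipaddress.IPv4Network(v4)  # strict: misaligned prefixes rejected
        p6 = ipaddress.IPv6Network(v6)
        if p6.prefixlen + (32 - p4.prefixlen) > 128:
            raise ValueError(f"EAM {v4} <-> {v6}: no room for the IPv4 suffix")
        eams.append((p4, p6))
    return eams

def _select(addr, eams, side):
    """Longest-prefix match on one side (0 = IPv4, 1 = IPv6).  Preferring
    the longest prefix among overlapping EAMs is this example's own choice;
    the Figure 2 entries do not overlap."""
    best = None
    for eam in eams:
        if addr in eam[side] and (
                best is None or eam[side].prefixlen > best[side].prefixlen):
            best = eam
    return best

def eam_v4_to_v6(addr, eams):
    """Map an IPv4 address through the table; None when no EAM matches."""
    a = ipaddress.IPv4Address(addr)
    eam = _select(a, eams, 0)
    if eam is None:
        return None
    p4, p6 = eam
    suffix_bits = 32 - p4.prefixlen
    suffix = int(a) & ((1 << suffix_bits) - 1)
    # The suffix goes immediately after the IPv6 prefix; the rest stays 0.
    shift = 128 - p6.prefixlen - suffix_bits
    return str(ipaddress.IPv6Address(int(p6.network_address) | (suffix << shift)))

def eam_v6_to_v4(addr, eams):
    """Map an IPv6 address through the table; None when no EAM matches."""
    a = ipaddress.IPv6Address(addr)
    eam = _select(a, eams, 1)
    if eam is None:
        return None
    p4, p6 = eam
    suffix_bits = 32 - p4.prefixlen
    shift = 128 - p6.prefixlen - suffix_bits
    # Only the bits right after the IPv6 prefix are used; any trailing
    # bits of the IPv6 address are ignored.
    suffix = (int(a) >> shift) & ((1 << suffix_bits) - 1)
    return str(ipaddress.IPv4Address(int(p4.network_address) | suffix))

if __name__ == "__main__":
    table = load_eams(EAM_TABLE)
    for v4 in ("192.0.2.1", "192.0.2.131", "192.0.2.197", "203.0.113.9"):
        print(v4, "->", eam_v4_to_v6(v4, table))
```

   Entry #4 maps 192.0.2.131 to 2001:db8:dddd:0:c00:: and entry #5 maps
   192.0.2.197 to 2001:db8:eeee:a:8000::, which shows the suffix landing
   at bit 64 and bit 62 respectively rather than at the end of the
   address.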
      1
      192.0.2.1
      198.51.100.1

   In order to instruct a NAT to translate TCP packets destined to
   192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows
   the static mapping to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      8080

   In order to instruct a NAT to translate TCP packets destined to
   192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      ...
      2
      static
      6
      192.0.2.1
      22
      198.51.100.2
      ...

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

      1
      198.51.100.0/24

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.9.  CLAT

   The following XML snippet shows an example of a CLAT that is
   configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

      2001:db8:1234::/96
      2001:db8:aaaa::/96
      192.0.0.1/32

A.10.  NPTv6

   Let's consider the example of an NPTv6 translator that should rewrite
   the source prefix (fd01:203:405:/48) of packets with the external
   prefix (2001:db8:1:/48).  The internal interface is "eth0" while the
   external interface is "eth1".

          External Network:  Prefix = 2001:db8:1:/48
       --------------------------------------
                          |
                          |eth1
                   +-------------+
               eth4|    NPTv6    |eth2
          ...------|             |------...
                   +-------------+
                          |eth0
                          |
       --------------------------------------
          Internal Network:  Prefix = fd01:203:405:/48

                  Example of NPTv6 (RFC6296)

   The XML snippet to configure NPTv6 prefixes in such a case is
   depicted below:

      eth0
      eth1
      ...
      1
      fd01:203:405:/48
      2001:db8:1:/48

   Figure 3 shows an example of an NPTv6 that interconnects two internal
   networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
   translated using a dedicated prefix (2001:db8:1:/48 and
   2001:db8:6666:/48, respectively).
          Internal Prefix = fd01:4444:5555:/48
       --------------------------------------
         V                 |     External Prefix
         V                 |     2001:db8:1:/48
         V            +---------+            ^
         V            |  NPTv6  |            ^
         V            |         |            ^
         V            +---------+            ^
         External Prefix   |                 ^
         2001:db8:6666:/48 |                 ^
       --------------------------------------
          Internal Prefix = fd01:203:405:/48

          Figure 3: Connecting two Peer Networks (RFC6296)

   To that aim, the following configuration is provided to the NPTv6:

      1
      fd01:203:405:/48
      2001:db8:1:/48
      2
      fd01:4444:5555:/48
      2001:db8:6666:/48

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com