Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: April 1, 2018                                     Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                      September 28, 2017

    A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                      draft-ietf-opsawg-nat-yang-04

Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface or VRF
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].
   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of traffic such as an outgoing TCP SYN or an outgoing UDP packet.
      A validity lifetime is associated with this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created manually.  This mapping is
      likely to be maintained by the NAT function until an explicit
      action is executed to remove it.

   The usage of the term NAT in this document refers to any NAT flavor
   (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, as defined in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.

   A single NAT device can have multiple NAT instances (nat-instance);
   each of these instances can be provided with its own policies (e.g.,
   be responsible for serving a group of hosts).  This document does not
   make any assumption about how internal hosts or flows are associated
   with a given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   Further, the NAT YANG module allows for a NAT instance to be provided
   with multiple NAT policies (nat-policy).  The document does not make
   any assumption about how flows are associated with a given NAT policy
   of a given NAT instance.  Classification filters are out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   module allows an operator to instruct a NAT function to log the
   destination port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44
   2.  NAPT
   3.  Destination NAT
   4.  Port-restricted NAT
   5.  NAT64
   6.  EAM SIIT
   7.  CLAT
   8.  NPTv6
   9.  Combination of Basic NAT/NAPT and Destination NAT
   10. Combination of port-restricted NAT and Destination NAT
   11. Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support
   DS-Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes that the behavioral requirements of [RFC4787],
   [RFC5382], and [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require the port numbers to be restricted (e.g.,
   Lightweight 4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port
   set assignment (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.
   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows either an IPv4 or an IPv6 address to be
   included as an internal IP address.  The remaining fields are common
   to both NAT schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11
   o  external-dst-address: 198.51.100.11 (unchanged: no Destination
      NAT is applied in this example)

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  Particularly:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.
   o  No per-flow mapping is maintained for EAM [RFC7757].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state allocated per mapping and per
   subscriber (mapping-limit and connection-limit).  In line with
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

2.10.  Binding the NAT Function to an External Interface or VRF

   The model allows specifying the interface or Virtual Routing and
   Forwarding (VRF) instance on which the NAT function must be applied
   (external-realm).  Distinct interfaces/VRFs can be provided as a
   function of the NAT policy (see, for example, Section 4 of
   [RFC7289]).

   If no external interface/VRF is provided, the system is assumed to be
   able to determine the external interface/VRF instance on which the
   NAT will be applied.  Typically, the WAN and LAN interfaces of a CPE
   are determined by the CPE itself.

2.11.  Tree Structure

   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat-module
        +--rw nat-instances
           +--rw nat-instance* [id]
              +--rw id        uint32
              +--rw name?     string
              +--rw enable?   boolean
              +--rw nat-capabilities
              |  +--rw nat-flavor*                                  identityref
              |  +--rw nat44-flavor*                                identityref
              |  +--rw restricted-port-support?                     boolean
              |  +--rw static-mapping-support?                      boolean
              |  +--rw port-randomization-support?                  boolean
              |  +--rw port-range-allocation-support?               boolean
              |  +--rw port-preservation-suport?                    boolean
              |  +--rw port-parity-preservation-support?            boolean
              |  +--rw address-roundrobin-support?                  boolean
              |  +--rw paired-address-pooling-support?              boolean
              |  +--rw endpoint-independent-mapping-support?        boolean
              |  +--rw address-dependent-mapping-support?           boolean
              |  +--rw address-and-port-dependent-mapping-support?  boolean
              |  +--rw endpoint-independent-filtering-support?      boolean
              |  +--rw address-dependent-filtering?                 boolean
              |  +--rw address-and-port-dependent-filtering?        boolean
              +--rw nat-pass-through* [nat-pass-through-id]
              |  +--rw nat-pass-through-id     uint32
              |  +--rw nat-pass-through-pref?  inet:ip-prefix
              |  +--rw nat-pass-through-port?  inet:port-number
              +--rw nat-policy* [policy-id]
              |  +--rw policy-id    uint32
              |  +--rw clat-parameters
              |  |  +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
              |  |  |  +--rw clat-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
              |  |     +--rw clat-ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [translation-id]
              |  |  +--rw translation-id          uint32
              |  |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw eam* [eam-ipv4-prefix]
              |  |  +--rw eam-ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw eam-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |  +--rw nat64-prefix    inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw external-ip-address-pool* [pool-id]
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool?   inet:ipv4-prefix
              |  +--rw port-set-restrict
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?   uint8
              |  |        +--rw psid-len       uint8
              |  |        +--rw psid           uint16
              |  +--rw dst-nat-enable?   boolean
              |  +--rw dst-ip-address-pool* [pool-id]
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool?   inet:ip-prefix
              |  +--rw supported-transport-protocols* [transport-protocol-id]
              |  |  +--rw transport-protocol-id      uint8
              |  |  +--rw transport-protocol-name?   string
              |  +--rw subscriber-mask-v6?   uint8
              |  +--rw subscriber-match* [sub-match-id]
              |  |  +--rw sub-match-id   uint32
              |  |  +--rw sub-mask       inet:ip-prefix
              |  +--rw paired-address-pooling?   boolean
              |  +--rw nat-mapping-type?         enumeration
              |  +--rw nat-filtering-type?       enumeration
              |  +--rw port-quota* [quota-type]
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    enumeration
              |  +--rw port-allocation-type?        enumeration
              |  +--rw address-roundrobin-enable?   boolean
              |  +--rw port-set
              |  |  +--rw port-set-size?      uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers
              |  |  +--rw udp-timeout?               uint32
              |  |  +--rw tcp-idle-timeout?          uint32
              |  |  +--rw tcp-trans-open-timeout?    uint32
              |  |  +--rw tcp-trans-close-timeout?   uint32
              |  |  +--rw tcp-in-syn-timeout?        uint32
              |  |  +--rw fragment-min-timeout?      uint32
              |  |  +--rw icmp-timeout?              uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw port-timeout   inet:port-number
              |  |  +--rw hold-down-timeout?   uint32
              |  |  +--rw hold-down-max?       uint32
              |  +--rw algs* [alg-name]
              |  |  +--rw alg-name                  string
              |  |  +--rw alg-transport-protocol?   uint32
              |  |  +--rw alg-transport-port?       inet:port-number
              |  |  +--rw alg-status?               boolean
              |  +--rw all-algs-enable?   boolean
              |  +--rw notify-pool-usage
              |  |  +--rw pool-id?                     uint32
              |  |  +--rw notify-pool-hi-threshold     percent
              |  |  +--rw notify-pool-low-threshold?   percent
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |        |  +--rw external-interface?      if:interface-ref
              |        +--:(vrf)
              |           +--rw external-vrf-instance?   identityref
              +--rw mapping-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw connection-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw logging-info
              |  +--rw logging-enable?       boolean
              |  +--rw destination-address   inet:ip-prefix
              |  +--rw destination-port      inet:port-number
              |  +--rw (protocol)?
              |     +--:(syslog)
              |     |  +--rw syslog?   boolean
              |     +--:(ipfix)
              |     |  +--rw ipfix?    boolean
              |     +--:(ftp)
              |        +--rw ftp?      boolean
              +--rw mapping-table
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro traffic-statistics
                 |  +--ro sent-packet?      yang:zero-based-counter64
                 |  +--ro sent-byte?        yang:zero-based-counter64
                 |  +--ro rcvd-packet?      yang:zero-based-counter64
                 |  +--ro rcvd-byte?        yang:zero-based-counter64
                 |  +--ro dropped-packet?   yang:zero-based-counter64
                 |  +--ro dropped-byte?     yang:zero-based-counter64
                 +--ro mapping-statistics
                 |  +--ro total-mappings?        uint32
                 |  +--ro total-tcp-mappings?    uint32
                 |  +--ro total-udp-mappings?    uint32
                 |  +--ro total-icmp-mappings?   uint32
                 +--ro pool-stats
                    +--ro pool-id?             uint32
                    +--ro address-allocated?   uint32
                    +--ro address-free?        uint32
                    +--ro port-stats
                       +--ro ports-allocated?   uint32
                       +--ro ports-free?        uint32

   notifications:
     +---n nat-event
        +--ro id?                     -> /nat-module/nat-instances/nat-instance/id
        +--ro policy-id?              -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id
        +--ro pool-id?                -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id
        +--ro notify-pool-threshold   percent
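   The port-set-restrict, port-quota and mapping-entry nodes above can
   be exercised with the following added example.  It is not code from
   this document or from its authors; the names RestrictedNat,
   psid_port_set, port_range_set and nat64_embedded_ipv4 are the
   example's own and are not identifiers of ietf-nat.  It implements
   the RFC 7597 port-set algorithm behind the port-set-algo case and
   the simple port-range case (Section 2.7), extracts the IPv4 address
   embedded in a NAT64 destination per RFC 6052 so that the
   external-dst-address of a NAT64 mapping can be filled in
   (Section 2.8), enforces a per-host port-quota (Section 2.9), and
   shows the check a port-restricted NAT must make on inbound traffic:
   a port outside its own set belongs to another subscriber sharing the
   IPv4 address and must never be matched against the mapping table.
   The 300-second default lifetime is an assumption; the PSID values
   and addresses used below are constructed.

```python
"""Added worked example (not code from the draft or its authors): a toy
port-restricted NAT following the draft's port-set-restrict (Section 2.7),
mapping-entry (Section 2.8) and port-quota (Section 2.9) semantics.  Names
such as RestrictedNat and psid_port_set are this example's own, not
identifiers of the ietf-nat YANG module."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def psid_port_set(psid_offset: int, psid_len: int, psid: int) -> List[range]:
    """RFC 7597 (Appendix B) port-set algorithm.  A 16-bit port is A|PSID|M:
    A = top psid_offset bits, PSID = next psid_len bits, M = free low bits.
    With psid_offset > 0 the A == 0 block (the system ports) is excluded."""
    if not (0 <= psid_offset <= 16 and 0 <= psid_len <= 15
            and psid_offset + psid_len <= 16):
        raise ValueError("invalid psid-offset/psid-len")
    if psid >> psid_len:
        raise ValueError("psid does not fit in psid-len bits")
    m_bits = 16 - psid_offset - psid_len
    ranges = []
    for a in range(1 if psid_offset else 0, 1 << psid_offset):
        base = (a << (16 - psid_offset)) | (psid << m_bits)
        ranges.append(range(base, base + (1 << m_bits)))
    return ranges


def port_range_set(start: int, end: int) -> List[range]:
    """The simple port-range alternative of port-set-restrict."""
    if not 0 <= start <= end <= 65535:
        raise ValueError("invalid port range")
    return [range(start, end + 1)]


def nat64_embedded_ipv4(ipv6: str, nat64_prefix: str) -> str:
    """Extract the IPv4 address embedded per RFC 6052; for prefixes shorter
    than /96 the IPv4 bits skip octet 8 (bits 64-71, which must be zero)."""
    addr, pfx = ipaddress.IPv6Address(ipv6), ipaddress.IPv6Network(nat64_prefix)
    if addr not in pfx or pfx.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("address is not in a valid NAT64 prefix")
    bits, n = format(int(addr), "0128b"), pfx.prefixlen
    v4 = bits[96:] if n == 96 else (bits[n:64] + bits[72:])[:32]
    return str(ipaddress.IPv4Address(int(v4, 2)))


@dataclass
class MappingEntry:
    """Field structure of Section 2.8; ICMP entries carry no dst ports."""
    index: int
    type: str                   # static | dynamic-implicit | dynamic-explicit
    transport_protocol: int     # IANA protocol number: 6, 17, 1, 58, ...
    internal_src_address: str
    internal_src_port: int      # port number or ICMP identifier
    external_src_address: str
    external_src_port: int
    internal_dst_address: str
    external_dst_address: str
    internal_dst_port: Optional[int] = None
    external_dst_port: Optional[int] = None
    lifetime: int = 300         # seconds; an assumed default


class RestrictedNat:
    """One external IPv4 address whose usable ports are one restricted set;
    the other port sets of that address belong to other subscribers."""

    def __init__(self, external_ip: str, port_set: List[range],
                 port_quota: int, nat64_prefix: Optional[str] = None):
        self.external_ip = external_ip
        self.allowed = frozenset(p for r in port_set for p in r)
        self.free_ports = sorted(self.allowed)
        self.port_quota = port_quota       # max external ports per host
        self.nat64_prefix = nat64_prefix
        self.table: List[MappingEntry] = []

    def ports_used_by(self, internal_src: str) -> int:
        return sum(e.internal_src_address == internal_src for e in self.table)

    def new_mapping(self, proto: int, src: str, src_port: int, dst: str,
                    dst_port: Optional[int] = None) -> Optional[MappingEntry]:
        """Dynamic implicit mapping for an outgoing packet; None (drop) when
        the host's port-quota or the restricted port set is exhausted."""
        if self.ports_used_by(src) >= self.port_quota or not self.free_ports:
            return None
        ext_port = self.free_ports.pop(0)
        ext_dst = dst
        if self.nat64_prefix and ipaddress.ip_address(src).version == 6:
            ext_dst = nat64_embedded_ipv4(dst, self.nat64_prefix)
        entry = MappingEntry(len(self.table) + 1, "dynamic-implicit", proto,
                             src, src_port, self.external_ip, ext_port,
                             dst, ext_dst, dst_port, dst_port)
        self.table.append(entry)
        return entry

    def inbound(self, ext_dst_port: int) -> Optional[MappingEntry]:
        """Match an inbound packet to (external_ip, ext_dst_port).  A port
        outside the restricted set belongs to another subscriber sharing the
        address and must never match, whatever the table contains."""
        if ext_dst_port not in self.allowed:
            return None
        return next((e for e in self.table
                     if e.external_src_port == ext_dst_port), None)
```

   Building RestrictedNat("192.0.2.1", psid_port_set(6, 8, 0x34), 4,
   "2001:db8:1234::/96") and calling new_mapping(6, "2001:db8:aaaa::1",
   25636, "2001:db8:1234::198.51.100.1", 8080) yields the NAT64 TCP
   mapping of Section 2.8 with external-src-port 1232 (the first port
   of that PSID's set, since the A == 0 block 0..1023 is excluded by a
   PSID offset of 6) and external-dst-address 198.51.100.1; a fifth
   mapping for the same host is refused by the quota, and inbound
   packets to port 80 or 1236 are dropped because neither port is in
   the configured set.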
3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2017-09-28.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }

     import ietf-interfaces { prefix if; }
     //import iana-if-type { prefix ianaift; }

     organization "IETF OPSAWG Working Group";

     contact
       "Mohamed Boucadair
        Senthil Sivakumar
        Christian Jacquenet
        Suresh Vinapamula
        Qin Wu";

     description
       "This module is a YANG module for NAT implementations
        (including NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-09-27 {
       description "Comments from Kris Poscic about NAT44, mainly:
         - Allow for multiple NAT policies within the same instance.
         - Associate an external interface/VRF per NAT policy.";
       reference "-ietf-04";
     }

     revision 2017-09-18 {
       description "Comments from Tore Anderson about EAM-SIIT.";
       reference "-ietf-03";
     }

     revision 2017-08-23 {
       description "Comments from F. Baker about NPTv6.";
       reference "-ietf-02";
     }

     revision 2017-08-21 {
       description "Includes CLAT (Lee/Jordi).";
       reference "-ietf-01";
     }

     revision 2017-08-03 {
       description "Integrates comments from OPSAWG CFA.";
       reference "-ietf-00";
     }

     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-07";
     }

     revision 2015-09-08 {
       description "Fixes a few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";

       reference
         "RFC 3022.";
     }

     identity basic-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Basic NAT support.";

       reference
         "RFC 3022.";
     }

     identity napt {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for NAPT support.";

       reference
         "RFC 3022.";
     }

     identity restricted-nat {
       //base nat:nat-type;
       base nat:nat44;
       description
         "Identity for Port-Restricted NAT support.";

       reference
         "RFC 7596.";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";

       reference
         "RFC 6146.";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";

       reference
         "RFC 6877.";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";

       reference
         "RFC 7757.";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";

       reference
         "RFC 6296.";
     }

     identity vrf-routing-instance {

       description
         "This identity represents a VRF routing instance.";

       reference
         "Section 8.9 of RFC 4026.";

     }
  /*
   * Grouping
   */

  // Set of ports

  grouping port-set {
    description
      "Indicates a set of ports.
       It may be a simple port range, or use the PSID algorithm
       to represent a range of transport layer
       ports which will be used by a NAPT.";

    choice port-type {
      default port-range;
      description
        "Port type: port-range or port-set-algo.";

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port range.";
          reference
            "Section 3.2.9 of RFC 8045.";
        }

        leaf end-port-number {
          type inet:port-number;
          description
            "End of the port range.";
          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }

      case port-set-algo {
        leaf psid-offset {
          type uint8 {
            range 0..16;
          }
          description
            "The number of offset bits. In Lightweight 4over6,
             the default value is 0 for assigning one contiguous
             port range. In MAP-E/T, the default value is 6,
             which excludes system ports by default and assigns
             port ranges distributed across the entire port
             space.";
        }

        leaf psid-len {
          type uint8 {
            range 0..15;
          }
          mandatory true;
          description
            "The length of PSID, representing the sharing
             ratio for an IPv4 address.";
        }

        leaf psid {
          type uint16;
          mandatory true;
          description
            "Port Set Identifier (PSID) value, which
             identifies a set of ports algorithmically.";
        }
      }
    }
  }

  // port numbers: single or port-range

  grouping port-number {
    description
      "Individual port or a range of ports.";

    choice port-type {
      default single-port-number;
      description
        "Port type: single or port-range.";

      case single-port-number {
        leaf single-port-number {
          type inet:port-number;
          description
            "Used for single port numbers.";
        }
      }

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port
             range.";
          reference
            "Section 3.2.9 of RFC 8045.";
        }

        leaf end-port-number {
          type inet:port-number;
          description
            "End of the port range.";
          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }
    }
  }

  // Mapping Entry

  grouping mapping-entry {
    description
      "NAT mapping entry.";

    leaf index {
      type uint32;
      description
        "A unique identifier of a mapping entry.";
    }

    leaf type {
      type enumeration {
        enum "static" {
          description
            "The mapping entry is manually
             configured.";
        }

        enum "dynamic-explicit" {
          description
            "This mapping is created by an
             explicit dynamic message.";
        }

        enum "dynamic-implicit" {
          description
            "This mapping is created implicitly by an
             outgoing packet.";
        }
      }
      description
        "Indicates the type of a mapping entry. E.g.,
         a mapping can be: static, implicit dynamic
         or explicit dynamic.";
    }

    leaf transport-protocol {
      type uint8;
      description
        "Upper-layer protocol associated with this mapping.
         Values are taken from the IANA protocol registry.
         For example, this field contains 6 (TCP) for a TCP
         mapping or 17 (UDP) for a UDP mapping. No transport
         protocol is indicated if a mapping applies for any
         protocol.";
    }

    leaf internal-src-address {
      type inet:ip-prefix;
      description
        "Corresponds to the source IPv4/IPv6 address/prefix
         of the packet received on an internal
         interface.";
    }

    container internal-src-port {
      description
        "Corresponds to the source port of the
         packet received on an internal interface.
         It is used also to carry the internal
         source ICMP identifier.";
      uses port-number;
    }

    leaf external-src-address {
      type inet:ip-prefix;
      description
        "Source IP address/prefix of the packet sent
         on an external interface of the NAT.";
    }

    container external-src-port {
      description
        "Source port of the packet sent
         on an external interface of the NAT.
         It is used also to carry the external
         source ICMP identifier.";
      uses port-number;
    }

    leaf internal-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet received on an internal interface
         of the NAT.
         For example, some NAT implementations support
         the translation of both source and destination
         addresses and ports, sometimes referred to
         as 'Twice NAT'.";
    }

    container internal-dst-port {
      description
        "Corresponds to the destination port of the
         IP packet received on the internal interface.
         It is used also to carry the internal
         destination ICMP identifier.";
      uses port-number;
    }

    leaf external-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet sent on an external interface
         of the NAT.";
    }

    container external-dst-port {
      description
        "Corresponds to the destination port number of
         the packet sent on the external interface
         of the NAT.
         It is used also to carry the external
         destination ICMP identifier.";
      uses port-number;
    }

    leaf lifetime {
      type uint32;
      //mandatory true;
      description
        "When specified, it tracks the connection that is
         fully-formed (e.g., once the 3WHS TCP is completed)
         or the duration for maintaining an explicit mapping
         alive. Static mappings may not be associated with a
         lifetime.
         If no lifetime is associated with a
         static mapping, an explicit action is required to
         remove that mapping.";
    }
  }

  /*
   * NAT Module
   */

  container nat-module {
    description
      "NAT";

    container nat-instances {
      description
        "NAT instances";

      list nat-instance {
        key "id";
        description
          "A NAT instance.";

        leaf id {
          type uint32;
          description
            "NAT instance identifier.";
          reference
            "RFC 7659.";
        }

        leaf name {
          type string;
          description
            "A name associated with the NAT instance.";
        }

        leaf enable {
          type boolean;
          description
            "Status of the NAT instance.";
        }

        container nat-capabilities {
          // config false;
          description
            "NAT capabilities";

          leaf-list nat-flavor {
            type identityref {
              base nat-type;
            }
            description
              "Type of NAT.";
          }

          leaf-list nat44-flavor {
            when "../nat-flavor = 'nat44'";
            type identityref {
              base nat44;
            }
            description
              "Type of NAT44: Basic NAT or NAPT.";
          }

          leaf restricted-port-support {
            type boolean;
            description
              "Indicates source port NAT restriction
               support.";
          }

          leaf static-mapping-support {
            type boolean;
            description
              "Indicates whether static mappings are
               supported.";
          }

          leaf port-randomization-support {
            type boolean;
            description
              "Indicates whether port randomization is
               supported.";
          }

          leaf port-range-allocation-support {
            type boolean;
            description
              "Indicates whether port range
               allocation is supported.";
          }

          leaf port-preservation-support {
            type boolean;
            description
              "Indicates whether port preservation
               is supported.";
          }

          leaf port-parity-preservation-support {
            type boolean;
            description
              "Indicates whether port parity
               preservation is supported.";
          }

          leaf address-roundrobin-support {
            type boolean;
            description
              "Indicates whether address allocation
               round robin is supported.";
          }

          leaf paired-address-pooling-support {
            type boolean;
            description
              "Indicates whether paired-address-pooling is
               supported.";
          }

          leaf endpoint-independent-mapping-support {
            type boolean;
            description
              "Indicates whether endpoint-independent-mapping
               (Section 4 of RFC 4787) is supported.";
          }

          leaf address-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address-dependent-mapping
               is supported.";
          }

          leaf address-and-port-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address-and-port-dependent-mapping
               is supported.";
          }

          leaf endpoint-independent-filtering-support {
            type boolean;
            description
              "Indicates whether endpoint-independent-filtering
               is supported.";
          }

          leaf address-dependent-filtering {
            type boolean;
            description
              "Indicates whether address-dependent-filtering
               is supported.";
          }

          leaf address-and-port-dependent-filtering {
            type boolean;
            description
              "Indicates whether address-and-port-dependent-filtering
               is supported.";
          }
        }

        // Parameters for NAT pass through

        list nat-pass-through {
          key nat-pass-through-id;
          description
            "IP prefix NAT pass through.";

          leaf nat-pass-through-id {
            type uint32;
            description
              "An identifier of the IP prefix pass
               through.";
          }

          leaf nat-pass-through-pref {
            type inet:ip-prefix;
            description
              "The IP address subnets that match
               should not be translated.
               According to
               REQ#6 of RFC 6888, it must be possible
               to administratively turn off translation
               for specific destination addresses
               and/or ports.";
          }

          leaf nat-pass-through-port {
            type inet:port-number;
            description
              "The port number that, together with
               nat-pass-through-pref, identifies traffic
               that should not be translated. According to
               REQ#6 of RFC 6888, it must be possible to
               administratively turn off translation
               for specific destination addresses
               and/or ports.";
          }
        }

        // NAT Policies: Multiple policies per NAT instance

        list nat-policy {
          key policy-id;
          description
            "NAT parameters for a given instance.";

          leaf policy-id {
            type uint32;
            description
              "An identifier of the NAT policy.";
          }

          // CLAT Parameters

          container clat-parameters {
            description
              "CLAT parameters.";

            list clat-ipv6-prefixes {
              when "../../../nat-capabilities/nat-flavor = 'clat'";
              key clat-ipv6-prefix;
              description
                "464XLAT double translation treatment is
                 stateless when a dedicated /64 is available
                 for translation on the CLAT. Otherwise, the
                 CLAT will have both stateful and stateless
                 since it requires NAT44 from the LAN to
                 a single IPv4 address and then stateless
                 translation to a single IPv6 address.";
              reference
                "RFC 6877.";

              leaf clat-ipv6-prefix {
                type inet:ipv6-prefix;
                description
                  "An IPv6 prefix used for CLAT.";
              }
            }

            list clat-ipv4-prefixes {
              when "../../../nat-capabilities/nat-flavor = 'clat'";
              key clat-ipv4-prefix;
              description
                "Pool of IPv4 addresses used for CLAT.
                 192.0.0.0/29 is the IPv4 service continuity
                 prefix.";
              reference
                "RFC 7335.";

              leaf clat-ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "464XLAT double translation treatment is
                   stateless when a dedicated /64 is available
                   for translation on the CLAT.
                   Otherwise, the
                   CLAT will have both stateful and stateless
                   since it requires NAT44 from the LAN to
                   a single IPv4 address and then stateless
                   translation to a single IPv6 address.
                   The CLAT performs NAT44 for all IPv4 LAN
                   packets so that all the LAN-originated IPv4
                   packets appear from a single IPv4 address
                   and are then statelessly translated to one
                   interface IPv6 address that is claimed by
                   the CLAT.
                   An IPv4 address from this pool is also
                   provided to an application that makes
                   use of literals.";
                reference
                  "RFC 6877.";
              }
            }
          }

          // NPTv6 Parameters

          list nptv6-prefixes {
            when "../../nat-capabilities/nat-flavor = 'nptv6'";
            key translation-id;
            description
              "Provides one or a list of (internal IPv6 prefix,
               external IPv6 prefix) required for NPTv6.

               In its simplest form, NPTv6 interconnects two network
               links, one of which is an 'internal' network link
               attached to a leaf network within a single
               administrative domain and the other of which is an
               'external' network with connectivity to the global
               Internet.";
            reference
              "RFC 6296.";

            leaf translation-id {
              type uint32;
              description
                "An identifier of the NPTv6 prefixes.";
            }

            leaf internal-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "An IPv6 prefix used by an internal interface
                 of NPTv6.";
              reference
                "RFC 6296.";
            }

            leaf external-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "An IPv6 prefix used by the external interface
                 of NPTv6.";
              reference
                "RFC 6296.";
            }
          }

          // EAM SIIT Parameters

          list eam {
            when "../../nat-capabilities/nat-flavor = 'eam'";
            key eam-ipv4-prefix;
            description
              "The Explicit Address Mapping Table, a conceptual
               table in which each row represents an EAM.
               Each EAM describes a mapping between IPv4 and IPv6
               prefixes/addresses.";
            reference
              "Section 3.1 of RFC 7757.";

            leaf eam-ipv4-prefix {
              type inet:ipv4-prefix;
              description
                "The IPv4 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }

            leaf eam-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "The IPv6 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }
          }

          // NAT64 IPv6 Prefixes

          list nat64-prefixes {
            when "../../nat-capabilities/nat-flavor = 'nat64' " +
                 "or ../../nat-capabilities/nat-flavor = 'clat'";
            key nat64-prefix;
            description
              "Provides one or a list of NAT64 prefixes
               with or without a list of destination IPv4 prefixes.

               Destination-based Pref64::/n is discussed in
               Section 5.1 of RFC 7050. For example:
               192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
               198.51.100.0/24 is mapped to 2001:db8:122::/48.";
            reference
              "Section 5.1 of RFC 7050.";

            leaf nat64-prefix {
              type inet:ipv6-prefix;
              //default "64:ff9b::/96";
              description
                "A NAT64 prefix. Can be NSP or a Well-Known
                 Prefix (WKP).";
              reference
                "RFC 6052.";
            }

            list destination-ipv4-prefix {
              key ipv4-prefix;
              description
                "An IPv4 prefix/address.";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 address/prefix.";
              }
            }
          }

          list external-ip-address-pool {
            key pool-id;
            description
              "Pool of external IP addresses used to
               service internal hosts.
               Both contiguous and non-contiguous pools
               can be configured for NAT purposes.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf external-ip-pool {
              type inet:ipv4-prefix;
              description
                "An IPv4 prefix used for NAT purposes.";
            }
          }

          container port-set-restrict {
            when "../../nat-capabilities/restricted-port-support = 'true'";
            description
              "Configures contiguous and non-contiguous port ranges.";
            uses port-set;
          }

          leaf dst-nat-enable {
            type boolean;
            default false;
            description
              "Enable/Disable destination NAT.
               A NAT44 may be configured to enable
               Destination NAT, too.";
          }

          list dst-ip-address-pool {
            //if-feature dst-nat;
            when "../../nat-capabilities/nat-flavor = 'dst-nat'";
            key pool-id;
            description
              "Pool of IP addresses used for destination NAT.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf dst-in-ip-pool {
              type inet:ip-prefix;
              description
                "Internal IP prefix/address.";
            }

            leaf dst-out-ip-pool {
              type inet:ip-prefix;
              description
                "IP address/prefix used for destination NAT.";
            }
          }

          list supported-transport-protocols {
            key transport-protocol-id;
            description
              "Supported transport protocols.
               TCP and UDP are supported by default.";

            leaf transport-protocol-id {
              type uint8;
              mandatory true;
              description
                "Transport protocol number.
                 Values are taken from the IANA protocol registry.
                 For example, this field contains 6 for TCP
                 or 17 for UDP.";
            }

            leaf transport-protocol-name {
              type string;
              description
                "For example, TCP, UDP, DCCP, and SCTP.";
            }
          }

          leaf subscriber-mask-v6 {
            type uint8 {
              range "0 .. 128";
            }
            description
              "The subscriber-mask is an integer that indicates
               the length of significant bits to be applied on
               the source IP address (internal side) to
               unambiguously identify a CPE.

               Subscriber-mask is a system-wide configuration
               parameter that is used to enforce generic
               per-subscriber policies (e.g., port-quota).

               The enforcement of these generic policies does not
               require the configuration of every subscriber's
               prefix.

               Example: suppose the 2001:db8:100:100::/56 prefix
               is assigned to a NAT64 serviced CPE. Suppose also
               that 2001:db8:100:100::1 is the IPv6 address used
               by the client that resides in that CPE. When the
               NAT64 receives a packet from this client,
               it applies the subscriber-mask (e.g., 56) on
               the source IPv6 address to compute the associated
               prefix for this client (2001:db8:100:100::/56).
               Then, the NAT64 enforces policies based on that
               prefix (2001:db8:100:100::/56), not on the exact
               source IPv6 address.";
          }

          list subscriber-match {
            key sub-match-id;
            description
              "IP prefix match.";

            leaf sub-match-id {
              type uint32;
              description
                "An identifier of the subscriber match entry.";
            }

            leaf sub-mask {
              type inet:ip-prefix;
              mandatory true;
              description
                "The IP address subnets that match
                 should be translated. E.g., all addresses
                 that belong to the 192.0.2.0/24 prefix must
                 be processed by the NAT.";
            }
          }

          leaf paired-address-pooling {
            type boolean;
            default true;
            description
              "Paired address pooling informs the NAT
               that all the flows from an internal IP
               address must be assigned the same external
               address.";
            reference
              "Section 4.1 of RFC 4787.";
          }

          leaf nat-mapping-type {
            type enumeration {
              enum "eim" {
                description
                  "endpoint-independent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "adm" {
                description
                  "address-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "edm" {
                description
                  "address-and-port-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT mapping.";
          }

          leaf nat-filtering-type {
            type enumeration {
              enum "eif" {
                description
                  "endpoint-independent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "adf" {
                description
                  "address-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "edf" {
                description
                  "address-and-port-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT filtering.";
          }

          list port-quota {
            when "../../nat-capabilities/nat44-flavor = " +
                 "'napt' or " +
                 "../../nat-capabilities/nat-flavor = " +
                 "'nat64'";
            key quota-type;
            description
              "Configures a port quota to be assigned per
               subscriber. It corresponds to the maximum
               number of ports to be used by a subscriber.";

            leaf port-limit {
              type uint16;
              description
                "Configures a port quota to be assigned per
                 subscriber.
                 It corresponds to the maximum
                 number of ports to be used by a subscriber.";
              reference
                "REQ-4 of RFC 6888.";
            }

            leaf quota-type {
              type enumeration {
                enum "all" {
                  description
                    "The limit applies to all protocols.";
                  reference
                    "REQ-4 of RFC 6888.";
                }

                enum "tcp" {
                  description
                    "TCP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }

                enum "udp" {
                  description
                    "UDP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }

                enum "icmp" {
                  description
                    "ICMP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }
              }
              description
                "Indicates whether the port quota applies to
                 all protocols or to a specific transport.";
            }
          }

          leaf port-allocation-type {
            type enumeration {
              enum "random" {
                description
                  "Port randomization is enabled.";
              }

              enum "port-preservation" {
                description
                  "Indicates whether the NAT should
                   preserve the internal port number.";
              }

              enum "port-parity-preservation" {
                description
                  "Indicates whether the NAT should
                   preserve the port parity of the
                   internal port number.";
              }

              enum "port-range-allocation" {
                description
                  "Indicates whether the NAT assigns a
                   range of ports for an internal host.";
              }
            }
            description
              "Indicates the type of a port allocation.";
          }

          leaf address-roundrobin-enable {
            type boolean;
            description
              "Enable/disable address allocation
               round robin.";
          }

          container port-set {
            when "../port-allocation-type='port-range-allocation'";
            description
              "Manages port-set assignments.";

            leaf port-set-size {
              type uint16;
              description
                "Indicates the size of assigned port
                 sets.";
            }

            leaf port-set-timeout {
              type uint32;
              description
                "Inactivity timeout for port sets.";
            }
          }

          container timers {
            description
              "Configure values of various timeouts.";

            leaf udp-timeout {
              type uint32;
              units "seconds";
              default 300;
              description
                "UDP inactivity timeout. That is the time a mapping
                 will stay active without packets traversing the NAT.";
              reference
                "RFC 4787.";
            }

            leaf tcp-idle-timeout {
              type uint32;
              units "seconds";
              default 7440;
              description
                "TCP idle timeout. RFC 5382 requires that an
                 established TCP connection not be expired before
                 2 hours and 4 minutes (7440 seconds).";
              reference
                "RFC 5382.";
            }

            leaf tcp-trans-open-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory open connection
                 idle-timeout.
                 Section 2.1 of RFC 7857 clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.
                 To accommodate deployments that consider
                 a partially open timeout of 4 minutes as being
                 excessive from a security standpoint, a NAT may
                 allow the configured timeout to be less than
                 4 minutes.
                 However, a minimum default transitory connection
                 idle-timeout of 4 minutes is recommended.";
              reference
                "RFC 7857.";
            }

            leaf tcp-trans-close-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory close connection
                 idle-timeout.
                 Section 2.1 of RFC 7857 clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.";
              reference
                "RFC 7857.";
            }

            leaf tcp-in-syn-timeout {
              type uint32;
              units "seconds";
              default 6;
              description
                "A NAT must not respond to an unsolicited
                 inbound SYN packet for at least 6 seconds
                 after the packet is received. If during
                 this interval the NAT receives and translates
                 an outbound SYN for the connection the NAT
                 must silently drop the original unsolicited
                 inbound SYN packet.";
              reference
                "RFC 5382.";
            }

            leaf fragment-min-timeout {
              type uint32;
              units "seconds";
              default 2;
              description
                "As long as the NAT has available resources,
                 the NAT allows the fragments to arrive
                 over the fragment-min-timeout interval.
                 The default value is inspired from RFC 6146.";
            }

            leaf icmp-timeout {
              type uint32;
              units "seconds";
              default 60;
              description
                "An ICMP Query session timer must not expire
                 in less than 60 seconds. It is recommended
                 that the ICMP Query session timer be made
                 configurable.";
              reference
                "RFC 5508.";
            }

            list per-port-timeout {
              key port-number;
              description
                "Some NATs are configurable with short timeouts
                 for some ports, e.g., 10 seconds on
                 port 53 (DNS) and NTP (123) and longer timeouts
                 on other ports.";

              leaf port-number {
                type inet:port-number;
                description
                  "A port number.";
              }

              leaf port-timeout {
                type uint32;
                units "seconds";
                mandatory true;
                description
                  "Timeout for this port.";
              }
            }

            leaf hold-down-timeout {
              type uint32;
              units "seconds";
              default 120;
              description
                "Hold down timer. Ports in the
                 hold down pool are not reassigned until
                 this timer expires.
                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator
                 [RFC6888]. This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions. It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }

            leaf hold-down-max {
              type uint32;
              description
                "Maximum ports in the hold down timer pool.
                 Ports in the hold down pool are not reassigned
                 until hold-down-timeout expires.
                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator
                 [RFC6888]. This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions. It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }
          }

          list algs {
            key alg-name;
            description
              "ALG-related features.";

            leaf alg-name {
              type string;
              description
                "The name of the ALG.";
            }

            leaf alg-transport-protocol {
              type uint8;
              description
                "The transport protocol used by the ALG.
                 Values are taken from the IANA protocol registry.";
            }

            leaf alg-transport-port {
              type inet:port-number;
              description
                "The port number used by the ALG.";
            }

            leaf alg-status {
              type boolean;
              description
                "Enable/disable the ALG.";
            }
          }

          leaf all-algs-enable {
            type boolean;
            description
              "Enable/disable all ALGs.";
          }

          container notify-pool-usage {
            description
              "Notification of pool usage when certain criteria
               are met.";

            leaf pool-id {
              type uint32;
              description
                "Pool-ID for which the notification
                 criteria are defined.";
            }

            leaf notify-pool-hi-threshold {
              type percent;
              mandatory true;
              description
                "Notification must be generated when the
                 defined high threshold is reached.
                 For example, if a notification is
                 required when the pool utilization reaches
                 90%, this configuration parameter must
                 be set to 90%.";
            }

            leaf notify-pool-low-threshold {
              type percent;
              description
                "Notification must be generated when the defined
                 low threshold is reached.
                 For example, if a notification is required when
                 the pool utilization drops below 10%,
                 this configuration parameter must be set to
                 10%.";
            }
          }

          container external-realm {
            description
              "Identifies the external realm of
               the NAT.";

            choice realm-type {
              description
                "Interface or VRF.";

              case interface {
                description
                  "External interface.";

                leaf external-interface {
                  type if:interface-ref;
                  description
                    "Name of an external interface.";
                }
              }

              case vrf {
                description
                  "External VRF instance.";

                leaf external-vrf-instance {
                  type identityref {
                    base vrf-routing-instance;
                  }
                  description
                    "A VRF instance.";
                }
              }
            }
          }
        } //nat-policy

        container mapping-limit {
          description
            "Information about the configuration parameters that
             limit the mappings based upon various criteria.";

          leaf limit-per-subscriber {
            type uint32;
            description
              "Maximum number of NAT mappings per
               subscriber.";
          }

          leaf limit-per-vrf {
            type uint32;
            description
              "Maximum number of NAT mappings per
               VLAN/VRF.";
          }

          leaf limit-per-subnet {
            type inet:ip-prefix;
            description
              "Maximum number of NAT mappings per
               subnet.";
          }

          leaf limit-per-instance {
            type uint32;
            mandatory true;
            description
              "Maximum number of NAT mappings per
               instance.";
          }

          leaf limit-per-udp {
            type uint32;
            mandatory true;
            description
              "Maximum number of UDP NAT mappings per
               subscriber.";
          }

          leaf limit-per-tcp {
            type uint32;
            mandatory true;
            description
              "Maximum number of TCP NAT mappings per
               subscriber.";
          }

          leaf limit-per-icmp {
            type uint32;
            mandatory true;
            description
              "Maximum number of ICMP NAT mappings per
               subscriber.";
          }
        }

        container connection-limit {
          description
            "Information about the configuration parameters that
             rate limit the translation based upon various
             criteria.";

          leaf limit-per-subscriber {
            type uint32;
            description
              "Rate-limit the number of new mappings
               and sessions per subscriber.";
          }

          leaf limit-per-vrf {
            type uint32;
            description
              "Rate-limit the number of new mappings
               and sessions per VLAN/VRF.";
          }

          leaf limit-per-subnet {
            type inet:ip-prefix;
            description
              "Rate-limit the number of new mappings
               and sessions per subnet.";
          }

          leaf limit-per-instance {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new mappings
               and sessions per instance.";
          }

          leaf limit-per-udp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new UDP mappings
               and sessions per subscriber.";
          }

          leaf limit-per-tcp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new TCP mappings
               and sessions per subscriber.";
          }

          leaf limit-per-icmp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new ICMP mappings
               and sessions per subscriber.";
          }
        }

        container logging-info {
          description
            "Information about logging NAT events.";

          leaf logging-enable {
            type boolean;
            description
              "Enable logging features as per Section 2.3
               of RFC 6908.";
          }

          leaf destination-address {
            type inet:ip-address;
            mandatory true;
            description
              "Address of the collector that receives
               the logs.";
          }

          leaf destination-port {
            type inet:port-number;
            mandatory true;
            description
              "Destination port of the collector.";
          }

          choice protocol {
            description
              "Enable the protocol to be used for
               the retrieval of logging entries.";

            case syslog {
              leaf syslog {
                type boolean;
                description
                  "If SYSLOG is in use.";
              }
            }

            case ipfix {
              leaf ipfix {
                type boolean;
                description
                  "If IPFIX is in use.";
              }
            }

            case ftp {
              leaf ftp {
                type boolean;
                description
                  "If FTP is in use.";
              }
            }
          }
        }

        container mapping-table {
          when "../nat-capabilities/nat-flavor = " +
               "'nat44' or " +
               "../nat-capabilities/nat-flavor = " +
               "'nat64' or " +
               "../nat-capabilities/nat-flavor = " +
               "'clat' or " +
               "../nat-capabilities/nat-flavor = 'dst-nat'";
          description
            "NAT mapping table. Applicable for functions
             which maintain static and/or dynamic mappings,
             such as NAT44, Destination NAT, NAT64, or CLAT.";

          list mapping-entry {
            key "index";
            description
              "NAT mapping entry.";
            uses mapping-entry;
          }
        }

        container statistics {
          config false;
          description
            "Statistics related to the NAT instance.";

          container traffic-statistics {
            description
              "Generic traffic statistics.";

            leaf sent-packet {
              type yang:zero-based-counter64;
              description
                "Number of packets sent.";
            }

            leaf sent-byte {
              type yang:zero-based-counter64;
              description
                "Counter for sent traffic in bytes.";
            }

            leaf rcvd-packet {
              type yang:zero-based-counter64;
              description
                "Number of received packets.";
            }

            leaf rcvd-byte {
              type yang:zero-based-counter64;
              description
                "Counter for received traffic
                 in bytes.";
            }

            leaf dropped-packet {
              type yang:zero-based-counter64;
              description
                "Number of dropped packets.";
            }

            leaf dropped-byte {
              type yang:zero-based-counter64;
              description
                "Counter for dropped traffic in
                 bytes.";
            }
          }

          container mapping-statistics {
            when "../../nat-capabilities/nat-flavor = " +
                 "'nat44' or " +
                 "../../nat-capabilities/nat-flavor = " +
                 "'nat64' or " +
                 "../../nat-capabilities/nat-flavor = 'dst-nat'";
            description
              "Mapping statistics.";

            leaf total-mappings {
              type uint32;
              description
                "Total number of NAT mappings present
                 at a given time. This variable includes
                 all the static and dynamic mappings.";
            }

            leaf total-tcp-mappings {
              type uint32;
              description
                "Total number of TCP mappings present
                 at a given time.";
            }

            leaf total-udp-mappings {
              type uint32;
              description
                "Total number of UDP mappings present
                 at a given time.";
            }

            leaf total-icmp-mappings {
              type uint32;
              description
                "Total number of ICMP mappings present
                 at a given time.";
            }
          }

          container pool-stats {
            when "../../nat-capabilities/nat-flavor = " +
                 "'nat44' or " +
                 "../../nat-capabilities/nat-flavor = " +
                 "'nat64'";
            description
              "Statistics related to address/prefix
               pool usage.";

            leaf pool-id {
              type uint32;
              description
                "Unique identifier that represents
                 a pool of addresses/prefixes.";
            }

            leaf address-allocated {
              type uint32;
              description
                "Number of allocated addresses in
                 the pool.";
            }

            leaf address-free {
              type uint32;
              description
                "Number of unallocated addresses in
                 the pool at a given time. The sum of
                 unallocated and allocated
                 addresses is the total number of
                 addresses of the pool.";
            }

            container port-stats {
              description
                "Statistics related to port
                 usage.";

              leaf ports-allocated {
                type uint32;
                description
                  "Number
of allocated ports 2620 in the pool."; 2621 } 2623 leaf ports-free { 2624 type uint32; 2625 description 2626 "Number of unallocated addresses 2627 in the pool."; 2628 } 2629 } 2630 } 2631 } //statistics 2632 } 2633 } 2634 } 2636 /* 2637 * Notifications 2638 */ 2640 notification nat-event { 2641 description 2642 "Notifications must be generated when the defined 2643 high/low threshold is reached. Related 2644 configuration parameters must be provided to 2645 trigger the notifications."; 2647 leaf id { 2648 type leafref { 2649 path 2650 "/nat-module/nat-instances/" 2651 + "nat-instance/id"; 2652 } 2653 description 2654 "NAT instance ID."; 2655 } 2657 leaf policy-id { 2658 type leafref { 2659 path 2660 "/nat-module/nat-instances/" 2661 + "nat-instance/nat-policy/policy-id"; 2662 } 2664 description 2665 "Policy ID."; 2666 } 2668 leaf pool-id { 2669 type leafref { 2670 path 2671 "/nat-module/nat-instances/" 2673 + "nat-instance/nat-policy/" 2674 + "external-ip-address-pool/pool-id"; 2675 } 2676 description 2677 "Pool ID."; 2678 } 2680 leaf notify-pool-threshold { 2681 type percent; 2682 mandatory true; 2684 description 2685 "A treshhold has been fired."; 2686 } 2687 } 2688 } 2689 2691 4. Security Considerations 2693 The YANG module defined in this memo is designed to be accessed via 2694 the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the 2695 secure transport layer and the support of SSH is mandatory to 2696 implement secure transport [RFC6242]. The NETCONF access control 2697 model [RFC6536] provides means to restrict access by some users to a 2698 pre-configured subset of all available NETCONF protocol operations 2699 and data. 2701 All data nodes defined in the YANG module which can be created, 2702 modified and deleted (i.e., config true, which is the default). 2703 These data nodes are considered sensitive. Write operations (e.g., 2704 edit-config) applied to these data nodes without proper protection 2705 can negatively affect network operations. 
5. IANA Considerations

This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]:

   URI: urn:ietf:params:xml:ns:yang:ietf-nat
   Registrant Contact: The IESG.
   XML: N/A; the requested URI is an XML namespace.

This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC6020]:

   name: ietf-nat
   namespace: urn:ietf:params:xml:ns:yang:ietf-nat
   prefix: nat
   reference: RFC XXXX

6. Acknowledgements

Many thanks to Dan Wing and Tianran Zhou for the review.

Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA.

Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review, and Kristian Poscic for the CGN review.

Special thanks to Maros Marsalek and Marek Gradzki for sharing their comments based on the FD.io implementation of an earlier version of this module.

7. References

7.1. Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

7.2. Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Data Models for the Port Control
              Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in
              progress), May 2017.

   [I-D.ietf-behave-ipfix-nat-logging]
              Sivakumar, S. and R. Penno, "IPFIX Information Elements
              for logging NAT Events", draft-ietf-behave-ipfix-nat-
              logging-13 (work in progress), January 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
              Models for the DS-Lite", draft-ietf-softwire-dslite-
              yang-06 (work in progress), August 2017.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

Appendix A. Sample Examples

This section provides a non-exhaustive set of examples to illustrate the use of the NAT YANG module.

A.1. Traditional NAT44

Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the same IPv4 address among hosts that are owned by the same subscriber. This is typically the NAT that is embedded in CPE devices.

This NAT is usually provided with one single external IPv4 address; disambiguating connections is achieved by rewriting the source port number.
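The source-port rewriting just described, the per-subscriber port-range allocation of Appendix A.2 (256-port ranges, 1024 ports per subscriber, pool 192.0.2.0/24) and the module's pool-stats counters and nat-event threshold notification, worked together as an added Python example. This is not code from the draft or from any implementation of it; the internal addresses 10.0.0.x, the lowest port handed out (1024), the instance/policy/pool ids and the "stay on one external address" preference are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass

FIRST_PORT = 1024      # assumption: ports below 1024 are never handed out
PORT_SPACE = 65536


@dataclass
class MappingEntry:
    """One dynamic NAPT mapping, with the fields seen in A.1."""
    subscriber: str
    protocol: int
    internal_addr: str
    internal_port: int
    external_addr: str
    external_port: int
    lifetime: int


class CgnPool:
    """External address pool handing out port ranges of `range_size` ports,
    at most `ports_per_subscriber` ports per subscriber (A.2: 256 and 1024)."""

    def __init__(self, prefix, range_size=256, ports_per_subscriber=1024,
                 instance_id=1, policy_id=1, pool_id=1):   # ids are constructed
        if ports_per_subscriber % range_size:
            raise ValueError("subscriber limit must be a whole number of ranges")
        self.range_size = range_size
        self.ranges_per_subscriber = ports_per_subscriber // range_size
        self.ids = (instance_id, policy_id, pool_id)
        addresses = [str(a) for a in ipaddress.ip_network(prefix)]
        self.total_addresses = len(addresses)
        # Free blocks as (external address, first port): every address of the
        # prefix contributes (65536 - 1024) / range_size blocks.
        self.free_blocks = [(a, p) for a in addresses
                            for p in range(FIRST_PORT, PORT_SPACE, range_size)]
        self.total_blocks = len(self.free_blocks)
        self.blocks = {}          # subscriber -> list of [addr, first_port, used]
        self.table = {}           # (proto, int_addr, int_port) -> MappingEntry
        self.above_high = False   # hysteresis state for poll_threshold()

    def _grant_block(self, subscriber):
        """Hand the subscriber one more port range, or None at its limit."""
        owned = self.blocks.setdefault(subscriber, [])
        if len(owned) >= self.ranges_per_subscriber or not self.free_blocks:
            return None
        # Assumption: keep a subscriber on the external address it already
        # uses when that address still has free ranges.
        preferred = owned[0][0] if owned else self.free_blocks[0][0]
        idx = next((i for i, (a, _) in enumerate(self.free_blocks)
                    if a == preferred), 0)
        addr, first = self.free_blocks.pop(idx)
        owned.append([addr, first, 0])
        return owned[-1]

    def new_mapping(self, subscriber, proto, int_addr, int_port, lifetime=300):
        """Create (or reuse) the mapping for an internal endpoint; returns None
        when limit-per-subscriber is reached or the pool is exhausted."""
        key = (proto, int_addr, int_port)
        if key in self.table:                 # endpoint-independent: reuse
            return self.table[key]
        block = next((b for b in self.blocks.get(subscriber, [])
                      if b[2] < self.range_size), None)
        if block is None:
            block = self._grant_block(subscriber)
        if block is None:
            return None
        external_port = block[1] + block[2]   # next unused port of the range
        block[2] += 1
        entry = MappingEntry(subscriber, proto, int_addr, int_port,
                             block[0], external_port, lifetime)
        self.table[key] = entry
        return entry

    def release_subscriber(self, subscriber):
        """Return a subscriber's port ranges to the pool and drop its mappings."""
        for addr, first, _ in self.blocks.pop(subscriber, []):
            self.free_blocks.append((addr, first))
        self.table = {k: m for k, m in self.table.items()
                      if m.subscriber != subscriber}

    def pool_stats(self):
        """Counters named after the module's pool-stats and port-stats leaves."""
        used = [b for owned in self.blocks.values() for b in owned]
        allocated_addrs = len({b[0] for b in used})
        ports_allocated = len(used) * self.range_size
        return {"pool-id": self.ids[2],
                "address-allocated": allocated_addrs,
                "address-free": self.total_addresses - allocated_addrs,
                "ports-allocated": ports_allocated,
                "ports-free": self.total_blocks * self.range_size - ports_allocated}

    def utilization(self):
        """Percentage of port ranges handed out."""
        return 100.0 * (self.total_blocks - len(self.free_blocks)) / self.total_blocks

    def poll_threshold(self, high=80, low=60):
        """Emit one nat-event when utilization first crosses `high`; re-arm only
        once it has dropped below `low`, so a pool hovering at the limit does
        not flood the collector."""
        pct = self.utilization()
        if not self.above_high and pct >= high:
            self.above_high = True
            return {"id": self.ids[0], "policy-id": self.ids[1],
                    "pool-id": self.ids[2], "notify-pool-threshold": high}
        if self.above_high and pct < low:
            self.above_high = False
        return None
```

With the A.2 values, a subscriber receives ports in four contiguous ranges of 256 on one external address and the 1025th concurrent mapping is refused, which is the `limit-per-subscriber` behaviour the module configures; `pool_stats()` reports the same quantities as the `pool-stats` and `port-stats` leaves, and `poll_threshold()` shows why the module's notification text speaks of a high/low pair rather than a single threshold.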
The XML snippet to configure the external IPv4 address in such case together with a mapping entry is depicted below:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, NAT_Subscriber_A, ...., 1,
    192.0.2.1, ...., ...., 192.0.2.1, ....]

The following shows the XML excerpt depicting a dynamic UDP mapping entry maintained by a traditional NAT44. In reference to this example, the UDP packet received with a source IPv4 address (192.0.2.1) and source port number (1568) is translated into a UDP packet having a source IPv4 address (198.51.100.1) and source port (15000). The lifetime of this mapping is 300 seconds.

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 15, dynamic-explicit, 17,
    192.0.2.1, 1568, 198.51.100.1, 15000, 300]

A.2. CGN

The following XML snippet shows the example of the capabilities supported by a CGN as retrieved using NETCONF.

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: nat44, false, true, true, true,
    true, false, true, true, true, false, false, true, false, false]

The following XML snippet shows the example of a CGN that is provisioned with one contiguous pool of external IPv4 addresses (192.0.2.0/24). Further, the CGN is instructed to limit the number of allocated ports per subscriber to 1024. Ports can be allocated by the CGN by assigning ranges of 256 ports (that is, a subscriber can be allocated up to four port ranges of 256 ports each).

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, myCGN, ...., 1, 192.0.2.0/24,
    1024, all, port-range-allocation, 256, ....]

An administrator may decide to allocate one single port range per subscriber (port range of 1024 ports) as shown below:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, myotherCGN, ...., 1,
    192.0.2.0/24, 1024, all, port-range-allocation, 1024, ...., ....]

A.3. CGN Pass-Through

Figure 1 illustrates an example of the CGN pass-through feature.

   X1:x1            X1':x1'            X2:x2
   +---+from X1:x1  +---+from X1:x1    +---+
   | C | to X2:x2   |   | to X2:x2     | S |
   | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
   | i |            | G |              | r |
   | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
   | n |from X2:x2  |   |from X2:x2    | e |
   | t | to X1:x1   |   | to X1:x1     | r |
   +---+            +---+              +---+

                Figure 1: CGN Pass-Through

For example, in order to disable NAT for communications issued by the client (192.0.2.25), the following configuration parameter must be set:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: ..., 192.0.2.25, ...]

A.4. NAT64

Let's consider the example of a NAT64 that should use 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. The XML snippet to configure the NAT64 prefix in such case is depicted below:

   [XML snippet; the element tags were not preserved in this copy.
    Value that survives: 2001:db8:122:300::/56]

Let's now consider the example of a NAT64 that should use 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if the destination address matches 198.51.100.0/24. The XML snippet to configure the NAT64 prefix in such case is shown below:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 2001:db8:122::/48, 198.51.100.0/24]

A.5. Explicit Address Mappings for Stateless IP/ICMP Translation

As specified in [RFC7757], an EAM consists of an IPv4 prefix and an IPv6 prefix. Let's consider the set of EAM examples in Figure 2.

   +---+----------------+----------------------+
   | # | IPv4 Prefix    | IPv6 Prefix          |
   +---+----------------+----------------------+
   | 1 | 192.0.2.1      | 2001:db8:aaaa::      |
   | 2 | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
   | 3 | 192.0.2.16/28  | 2001:db8:cccc::/124  |
   | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64   |
   | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
   | 6 | 192.0.2.224/31 | 64:ff9b::/127        |
   +---+----------------+----------------------+

              Figure 2: EAM Examples (RFC7757)

The following XML excerpt illustrates how these EAMs can be configured using the YANG NAT module:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order (IPv4 prefix, IPv6 prefix per EAM):
    192.0.2.1, 2001:db8:aaaa::; 192.0.2.2/32, 2001:db8:bbbb::b/128;
    192.0.2.16/28, 2001:db8:cccc::/124; 192.0.2.128/26,
    2001:db8:dddd::/64; 192.0.2.192/29, 2001:db8:eeee:8::/62;
    192.0.2.224/31, 64:ff9b::/127]

EAMs may be enabled jointly with stateful NAT64. This example shows a NAT64 function that supports static mappings:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: nat64, true, true, true, true,
    false, true, true, true, false, false, true, false, false]

A.6. Static Mappings with Port Ranges

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1 and with source ports in the 100-500 range to 198.51.100.1:1100-1500.

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, static, 6, 192.0.2.1, 100, 500,
    198.51.100.1, 1100, 1500, ...]

A.7. Static Mappings with IP Prefixes

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, static, 6, 192.0.2.1/24,
    198.51.100.1/24, ...]

A.8. Destination NAT

The following XML snippet shows an example of a destination NAT that is instructed to translate packets having 192.0.2.1 as a destination IP address to 198.51.100.1.

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, 192.0.2.1, 198.51.100.1]

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows the static mapping to be configured on the NAT:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, static, 6, 192.0.2.1, 80,
    198.51.100.1, 8080]

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh traffic) to 198.51.100.2, the following XML snippet shows the static mappings to be configured on the NAT:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, static, 6, 192.0.2.1, 80,
    198.51.100.1, ...; 2, static, 6, 192.0.2.1, 22, 198.51.100.2, ...]

The NAT may also be instructed to proceed with both source and destination NAT. To do so, in addition to the above sample to configure destination NAT, the NAT may be provided, for example, with a pool of external IP addresses (198.51.100.0/24) to use for source address translation. An example of the corresponding XML snippet is provided hereafter:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, 198.51.100.0/24]

Instead of providing an external IP address to share, the NAT may be configured with static mapping entries that modify the internal IP address and/or port number.

A.9. CLAT

The following XML snippet shows the example of a CLAT that is configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also provided with 192.0.0.1/32 (which is selected from the IPv4 service continuity prefix defined in [RFC7335]).

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 2001:db8:aaaa::/96, 192.0.0.1/32,
    2001:db8:1234::/96]

A.10. NPTv6

Let's consider the example of an NPTv6 translator that should rewrite packets with the source prefix (fd01:203:405:/48) with the external prefix (2001:db8:1:/48). The internal interface is "eth0" while the external interface is "eth1".

       External Network:  Prefix = 2001:db8:1:/48
    --------------------------------------
                      |
                      |eth1
                +-------------+
            eth4|    NPTv6    |eth2
         ...-----|             |------...
                +-------------+
                      |eth0
                      |
    --------------------------------------
       Internal Network:  Prefix = fd01:203:405:/48

              Example of NPTv6 (RFC6296)

The XML snippet to configure NPTv6 prefixes in such case is depicted below:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1, fd01:203:405:/48, 2001:db8:1:/48,
    ..., eth1]

Figure 3 shows an example of an NPTv6 that interconnects two internal networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is translated using a dedicated prefix (2001:db8:1:/48 and 2001:db8:6666:/48, respectively).

            Internal Prefix = fd01:4444:5555:/48
        --------------------------------------
        V               |            External Prefix
        V               |eth1        2001:db8:1:/48
        V           +---------+             ^
        V           |  NPTv6  |             ^
        V           |         |             ^
        V           +---------+             ^
    External Prefix     |eth0               ^
    2001:db8:6666:/48   |                   ^
        --------------------------------------
            Internal Prefix = fd01:203:405:/48

        Figure 3: Connecting two Peer Networks (RFC6296)

To that aim, the following configuration is provided to the NPTv6:

   [XML snippet; the element tags were not preserved in this copy.
    Values that survive, in order: 1; 1, fd01:203:405:/48,
    2001:db8:1:/48, eth1; 2; 2, fd01:4444:5555:/48, 2001:db8:6666:/48,
    eth0]

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com


   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com


   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA


   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com
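The EAM table of Figure 2 (Appendix A.5) and the RFC 6052 prefix of Appendix A.4, worked in code as an added Python example; this is not code from the draft or from any translator implementation. It applies the RFC 7757 rule (the IPv4 suffix bits are written immediately after the matched IPv6 prefix, the rest is zero, the most specific EAM wins) to the six entries above, and falls back to RFC 6052 synthesis when no EAM matches, consulting the EAM table first as RFC 7757 specifies. The sample addresses translated, the function names and the choice to ignore bits following the suffix in the IPv6-to-IPv4 direction are assumptions of this example.

```python
import ipaddress

# The six EAMs of Figure 2 (A.5). A prefix without a length is a host entry.
EAM_TABLE = [
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]
EAMS = [(ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6))
        for v4, v6 in EAM_TABLE]


def _match(addr, side):
    """Longest-prefix match on one side (0 = IPv4, 1 = IPv6) of the table;
    RFC 7757 selects the most specific EAM when several overlap."""
    best = None
    for eam in EAMS:
        net = eam[side]
        if addr in net and (best is None or net.prefixlen > best[side].prefixlen):
            best = eam
    return best


def eam_v4_to_v6(v4):
    """IPv6 address for v4 under the EAM table, or None if no EAM covers it."""
    addr = ipaddress.IPv4Address(v4)
    eam = _match(addr, 0)
    if eam is None:
        return None
    n4, n6 = eam
    suffix_bits = 32 - n4.prefixlen
    suffix = int(addr) - int(n4.network_address)
    # RFC 7757: the IPv4 suffix follows the IPv6 prefix directly and every
    # bit after it is zero.
    shift = 128 - n6.prefixlen - suffix_bits
    return ipaddress.IPv6Address(int(n6.network_address) | (suffix << shift))


def eam_v6_to_v4(v6):
    """IPv4 address for v6 under the EAM table, or None if no EAM covers it."""
    addr = ipaddress.IPv6Address(v6)
    eam = _match(addr, 1)
    if eam is None:
        return None
    n4, n6 = eam
    suffix_bits = 32 - n4.prefixlen
    shift = 128 - n6.prefixlen - suffix_bits
    # Bits after the suffix are ignored here (an assumption of this example).
    suffix = (int(addr) >> shift) & ((1 << suffix_bits) - 1)
    return ipaddress.IPv4Address(int(n4.network_address) + suffix)


def rfc6052_embed(v4, nat64_prefix):
    """RFC 6052 synthesis: the IPv4 bits follow the prefix, skipping the
    reserved u octet (bits 64..71) for prefixes shorter than /96."""
    net = ipaddress.IPv6Network(nat64_prefix)
    pl = net.prefixlen
    base = int(net.network_address)
    v4i = int(ipaddress.IPv4Address(v4))
    if pl == 96:
        return ipaddress.IPv6Address(base | v4i)
    if pl not in (32, 40, 48, 56, 64):
        raise ValueError("RFC 6052 prefix length must be 32, 40, 48, 56, 64 or 96")
    head_bits = 64 - pl                      # IPv4 bits that fit before bit 64
    head = v4i >> (32 - head_bits)           # goes into bits pl..63
    tail = v4i & ((1 << (32 - head_bits)) - 1)   # goes into bits 72..
    return ipaddress.IPv6Address(base | (head << 64) | (tail << (24 + head_bits)))


def translate_v4(v4, nat64_prefix="64:ff9b::/96"):
    """EAM table first, RFC 6052 synthesis only when no EAM matches."""
    mapped = eam_v4_to_v6(v4)
    if mapped is not None:
        return mapped
    return rfc6052_embed(v4, nat64_prefix)
```

Entry 4 shows the part of the rule that is easy to get wrong: 192.0.2.130 carries a 6-bit suffix (2) that lands at bits 64..69 of 2001:db8:dddd::/64, giving 2001:db8:dddd:0:800:: rather than 2001:db8:dddd::2, and entry 5 places a 3-bit suffix across a hextet boundary. Entry 6 sits inside the well-known 64:ff9b::/96 prefix, which is why the EAM lookup has to run before synthesis.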