idnits 2.17.1

draft-ietf-opsawg-nat-yang-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 20 instances of too long lines in the document, the longest one
     being 50 characters in excess of 72.

  == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 498 has weird spacing: '...-prefix ine...'

  == Line 500 has weird spacing: '...-prefix ine...'

  == Line 506 has weird spacing: '...-prefix ine...'

  == Line 511 has weird spacing: '...-prefix ine...'

  == Line 535 has weird spacing: '...atch-id uin...'

  == (5 more instances...)

  -- The document date (October 1, 2017) is 2392 days in the past.  Is this
     intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC7659' is defined on line 2918, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341)

  ** Downref: Normative reference to an Informational RFC: RFC 6877

  == Outdated reference: A later version (-05) exists of
     draft-boucadair-pcp-yang-04

  == Outdated reference: A later version (-17) exists of
     draft-ietf-softwire-dslite-yang-06

  == Outdated reference: A later version (-23) exists of
     draft-ietf-tsvwg-natsupp-11

     Summary: 3 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------

Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: April 4, 2018                                     Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                         October 1, 2017

    A YANG Data Model for Network Address Translation (NAT) and Network
                         Prefix Translation (NPT)
                     draft-ietf-opsawg-nat-yang-05

Abstract

   For the sake of network automation, and the need to program the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 4, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface or VRF
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].  The full set of translation schemes that are in
   scope is listed in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.
      The port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: a mapping created implicitly as a side
      effect of traffic such as an outgoing TCP SYN or an outgoing UDP
      packet.  A validity lifetime is associated with this mapping.

   o  Dynamic explicit mapping: a mapping created as a result of an
      explicit request, e.g., a PCP message [RFC6887].  A validity
      lifetime is associated with this mapping.

   o  Static explicit mapping: a mapping created manually.  This mapping
      is likely to be maintained by the NAT function until an explicit
      action is executed to remove it.

   In this document, the term NAT refers to any NAT flavor (NAT44,
   NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.
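   The "port-restricted IPv4 address" and "restricted port set" terms of
   Section 1.1 rest on two properties: a translated source port must
   belong to the host's assigned set, and the sets of hosts sharing one
   address must not overlap.  The Python below is an added illustration
   and not code from the draft.  It builds a host's set with either of
   the two port-set-restrict schemes the document supports in
   Section 2.7 (a simple start/end range, or the RFC 7597 PSID
   algorithm driven by the same psid-offset, psid-len and psid
   parameters the module's port-set grouping carries) and checks both
   properties; the function names are assumed and the PSID values are
   constructed.

```python
"""Port-restricted IPv4 address sharing.

Computes a subscriber's restricted port set either as a simple range or
with the RFC 7597 port-set algorithm, then checks the two properties the
terminology relies on: a translated source port must fall inside the
assigned set, and the sets of hosts sharing one IPv4 address must not
overlap.  Added illustration; this is not code from the draft.
"""


def psid_port_set(psid, psid_len, psid_offset=6):
    """Ports identified by a PSID (RFC 7597, Appendix B).

    A 16-bit port number is split into three fields, high bits first:
      A (psid_offset bits) | PSID (psid_len bits) | M (remaining bits).
    Every (A, M) combination with the given PSID belongs to the set.
    When psid_offset > 0, A = 0 is excluded, so the lowest
    2**(16 - psid_offset) ports (1024 for the MAP default of 6) are
    never handed out; that keeps the system ports out of the set.
    """
    if not 0 <= psid_offset <= 16 or not 0 <= psid_len <= 15:
        raise ValueError("psid-offset must be 0..16 and psid-len 0..15")
    m_bits = 16 - psid_offset - psid_len
    if m_bits < 0:
        raise ValueError("psid-offset + psid-len must not exceed 16")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid-len bits")
    first_a = 1 if psid_offset > 0 else 0
    ports = set()
    for a in range(first_a, 1 << psid_offset):
        base = (a << (16 - psid_offset)) | (psid << m_bits)
        ports.update(base | m for m in range(1 << m_bits))
    return ports


def range_port_set(start_port, end_port):
    """Simple port range: start-port-number .. end-port-number inclusive."""
    if not 0 <= start_port <= end_port <= 65535:
        raise ValueError("invalid port range")
    return set(range(start_port, end_port + 1))


def sets_are_disjoint(port_sets):
    """True when no port appears in two of the given sets (RFC 7596 rule)."""
    seen = set()
    for ports in port_sets:
        if seen & ports:
            return False
        seen |= ports
    return True


def source_port_allowed(port_set, translated_src_port):
    """The check a port-restricted NAT applies before emitting a packet."""
    return translated_src_port in port_set


def psid_space_is_partition(psid_len, psid_offset):
    """All PSIDs of one (offset, length) pair partition the usable ports.

    Usable ports are those with A != 0 (or all ports when psid_offset is 0),
    so sharing hosts never collide and no usable port is wasted.
    """
    all_sets = [psid_port_set(p, psid_len, psid_offset)
                for p in range(1 << psid_len)]
    lowest = (1 << (16 - psid_offset)) if psid_offset else 0
    usable = set(range(lowest, 65536))
    return sets_are_disjoint(all_sets) and set().union(*all_sets) == usable


if __name__ == "__main__":
    # Constructed example: 256 hosts share one address with the MAP-E
    # defaults (psid-offset 6, psid-len 8); the host holding PSID 0x34
    # gets 63 blocks of 4 ports, none of them below 1024.
    host_ports = psid_port_set(0x34, 8)
    print(len(host_ports), min(host_ports), max(host_ports))
    print(source_port_allowed(host_ports, 1232),
          source_port_allowed(host_ports, 80))
```

   With psid-offset 0 (the Lightweight 4over6 default named in the
   module) the same function yields one contiguous block per PSID, which
   is the only shape a simple start/end range can express; with offset 6
   each host's ports are spread across the whole space above 1023, which
   is why the algorithmic case exists alongside the range case.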
2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.

   A single NAT device can have multiple NAT instances (nat-instance);
   each of these instances can be provided with its own policies (e.g.,
   be responsible for serving a group of hosts).  This document does not
   make any assumption about how internal hosts or flows are associated
   with a given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled or
   disabled, can be provisioned with a specific set of configuration
   data, and maintains its own mapping tables.

   Further, the NAT YANG module allows a NAT instance to be provided
   with multiple NAT policies (nat-policy).  The document does not make
   any assumption about how flows are associated with a given NAT policy
   of a given NAT instance.  Classification filters are out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   module allows a NAT function to be instructed to log the destination
   port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44
   2.  NAPT
   3.  Destination NAT
   4.  Port-restricted NAT
   5.  Stateful and stateless NAT64
   6.  EAM SIIT
   7.  CLAT
   8.  NPTv6
   9.  Combination of Basic NAT/NAPT and Destination NAT
   10. Combination of port-restricted and Destination NAT
   11. Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support
   DS-Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes [RFC4787][RFC5382][RFC5508] are enabled by
   default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
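   To make the logging cost of per-session port allocation concrete,
   here is an added simulation in Python; it is not code from the draft.
   It creates dynamic implicit mappings for outgoing packets with the
   fields Section 2.8 defines, allocates external ports either one per
   session or in blocks of port-set-size (the two port-allocation-type
   values of the module), writes one log record per allocation, and
   enforces a per-subscriber port-limit as Section 2.9 describes.  The
   class, the log record layout and the function names are assumptions;
   the addresses and the traffic are constructed.

```python
"""Simulated NAPT: dynamic implicit mappings with two port allocation
schemes.

Outgoing packets create mappings shaped like the draft's mapping entry.
External ports are allocated either one per session (port-allocation-type
per-session) or in blocks of port-set-size (port-range-allocation), and a
log record is written per allocation, which is where the two schemes
differ.  A per-subscriber port-limit (port-quota) is enforced as well.
Added illustration, not code from the draft; the log record layout and
the Python names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


class QuotaExceeded(Exception):
    """The subscriber has consumed its port-limit."""


@dataclass(frozen=True)
class Mapping:
    """The Section 2.8 mapping-entry fields this example fills in."""
    mapping_type: str            # the draft's 'type' leaf
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int
    external_src_address: str
    external_src_port: int


class Napt:
    def __init__(self, external_address, port_allocation_type="per-session",
                 port_set_size=64, port_limit=256, first_port=1024):
        if port_allocation_type not in ("per-session", "port-range-allocation"):
            raise ValueError("unknown port-allocation-type")
        self.external_address = external_address
        self.port_allocation_type = port_allocation_type
        self.port_set_size = port_set_size      # port-set-size
        self.port_limit = port_limit            # port-limit of the port-quota
        self._next_port = first_port            # first unallocated external port
        self._ports_used = defaultdict(int)     # internal address -> ports consumed
        self._open_set = {}                     # internal address -> [next, last]
        self.mappings = {}                      # (proto, addr, port) -> Mapping
        self.log = []                           # one constructed record per allocation

    def _reserve(self, count):
        """Carve `count` consecutive ports out of the external port space."""
        start = self._next_port
        if start + count - 1 > 65535:
            raise RuntimeError("external port space exhausted")
        self._next_port += count
        return start

    def _allocate_port(self, internal_address):
        # The quota stops one subscriber from draining the shared pool.
        if self._ports_used[internal_address] >= self.port_limit:
            raise QuotaExceeded(internal_address)
        if self.port_allocation_type == "per-session":
            port = self._reserve(1)
            self.log.append(f"{internal_address} -> {self.external_address}:{port}")
        else:
            window = self._open_set.get(internal_address)
            if window is None or window[0] > window[1]:
                # Current set exhausted (or none yet): assign a fresh port set
                # and log it once; sessions inside it are not logged one by one.
                start = self._reserve(self.port_set_size)
                window = [start, start + self.port_set_size - 1]
                self._open_set[internal_address] = window
                self.log.append(f"{internal_address} -> {self.external_address}:"
                                f"{window[0]}-{window[1]}")
            port = window[0]
            window[0] += 1
        self._ports_used[internal_address] += 1
        return port

    def outbound(self, internal_address, internal_port, transport_protocol=6):
        """Outgoing packet: reuse its mapping or create a dynamic implicit one."""
        key = (transport_protocol, internal_address, internal_port)
        if key not in self.mappings:
            self.mappings[key] = Mapping(
                "dynamic-implicit", transport_protocol, internal_address,
                internal_port, self.external_address,
                self._allocate_port(internal_address))
        return self.mappings[key]


def log_volume(sessions, port_allocation_type, port_set_size=64):
    """Open `sessions` TCP sessions from one host (constructed traffic) and
    return (log records written, distinct external ports assigned)."""
    nat = Napt("192.0.2.1", port_allocation_type,
               port_set_size=port_set_size, port_limit=4096)
    ports = {nat.outbound("10.0.0.5", 40000 + i).external_src_port
             for i in range(sessions)}
    return len(nat.log), len(ports)


if __name__ == "__main__":
    print("per-session:", log_volume(100, "per-session"))
    print("port sets of 64:", log_volume(100, "port-range-allocation"))
```

   For 100 sessions from one host the per-session scheme writes 100
   records while port sets of 64 write 2, and the external ports handed
   out stay distinct in both modes, so the saving comes purely from
   logging at the granularity of the port set.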
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs need to restrict the port numbers (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignment (port-set-restrict) are supported in this document:

   o  Simple port range: defined by two port values, the start and the
      end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.
   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows either an IPv4 or an IPv6 address to be
   recorded as the internal IP address.  The remaining fields are common
   to both NAT schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.
425 o No per-flow mapping is maintained for EAM [RFC7757]. 427 o No mapping table is maintained for stateless NAT64. As a 428 reminder, in such deployments internal IPv6 nodes are addressed 429 using IPv4-translatable IPv6 addresses, which enable them to be 430 accessed by IPv4 nodes [RFC6052]. 432 2.9. Resource Limits 434 In order to comply with CGN deployments in particular, the NAT YANG 435 module allows limiting the number of external ports per subscriber 436 (port-quota) and the amount of state memory allocated per mapping and 437 per subscriber (mapping-limit and connection-limit). According to 438 [RFC6888], the model allows for the following: 440 o Per-subscriber limits are configurable by the NAT administrator. 442 o Per-subscriber limits are configurable independently per transport 443 protocol. 445 o Administrator-adjustable thresholds to prevent a single subscriber 446 from consuming excessive CPU resources from the NAT (e.g., rate- 447 limit the subscriber's creation of new mappings) can be 448 configured. 450 2.10. Binding the NAT Function to an External Interface or VRF 452 The model allows to specify the interface or Virtual Routing and 453 Forwarding (VRF) instance on which the NAT function must be applied 454 (external-realm). Distinct interfaces/VRFs can be provided as a 455 function of the NAT policy (see for example, Section 4 of [RFC7289]). 457 If no external interface/VRF is provided, this assumes that the 458 system is able to determine the external interface/VRF instance on 459 which the NAT will be applied. Typically, the WAN and LAN interfaces 460 of a CPE is determined by the CPE. 462 2.11. Tree Structure 464 The tree structure of the NAT YANG module is provided below: 466 module: ietf-nat 467 +--rw nat-module 468 +--rw nat-instances 469 +--rw nat-instance* [id] 470 +--rw id uint32 471 +--rw name? string 472 +--rw enable? 
boolean 473 +--rw nat-capabilities 474 | +--rw nat-flavor* identityref 475 | +--rw nat44-flavor* identityref 476 | +--rw restricted-port-support? boolean 477 | +--rw static-mapping-support? boolean 478 | +--rw port-randomization-support? boolean 479 | +--rw port-range-allocation-support? boolean 480 | +--rw port-preservation-suport? boolean 481 | +--rw port-parity-preservation-support? boolean 482 | +--rw address-roundrobin-support? boolean 483 | +--rw paired-address-pooling-support? boolean 484 | +--rw endpoint-independent-mapping-support? boolean 485 | +--rw address-dependent-mapping-support? boolean 486 | +--rw address-and-port-dependent-mapping-support? boolean 487 | +--rw endpoint-independent-filtering-support? boolean 488 | +--rw address-dependent-filtering? boolean 489 | +--rw address-and-port-dependent-filtering? boolean 490 +--rw nat-pass-through* [nat-pass-through-id] 491 | +--rw nat-pass-through-id uint32 492 | +--rw nat-pass-through-pref? inet:ip-prefix 493 | +--rw nat-pass-through-port? inet:port-number 494 +--rw nat-policy* [policy-id] 495 | +--rw policy-id uint32 496 | +--rw clat-parameters 497 | | +--rw clat-ipv6-prefixes* [clat-ipv6-prefix] 498 | | | +--rw clat-ipv6-prefix inet:ipv6-prefix 499 | | +--rw clat-ipv4-prefixes* [clat-ipv4-prefix] 500 | | +--rw clat-ipv4-prefix inet:ipv4-prefix 501 | +--rw nptv6-prefixes* [translation-id] 502 | | +--rw translation-id uint32 503 | | +--rw internal-ipv6-prefix? inet:ipv6-prefix 504 | | +--rw external-ipv6-prefix? inet:ipv6-prefix 505 | +--rw eam* [eam-ipv4-prefix] 506 | | +--rw eam-ipv4-prefix inet:ipv4-prefix 507 | | +--rw eam-ipv6-prefix? inet:ipv6-prefix 508 | +--rw nat64-prefixes* [nat64-prefix] 509 | | +--rw nat64-prefix inet:ipv6-prefix 510 | | +--rw destination-ipv4-prefix* [ipv4-prefix] 511 | | | +--rw ipv4-prefix inet:ipv4-prefix 512 | | +--rw stateless-enable? boolean 513 | +--rw external-ip-address-pool* [pool-id] 514 | | +--rw pool-id uint32 515 | | +--rw external-ip-pool? 
inet:ipv4-prefix 516 | +--rw port-set-restrict 517 | | +--rw (port-type)? 518 | | +--:(port-range) 519 | | | +--rw start-port-number? inet:port-number 520 | | | +--rw end-port-number? inet:port-number 521 | | +--:(port-set-algo) 522 | | +--rw psid-offset? uint8 523 | | +--rw psid-len uint8 524 | | +--rw psid uint16 525 | +--rw dst-nat-enable? boolean 526 | +--rw dst-ip-address-pool* [pool-id] 527 | | +--rw pool-id uint32 528 | | +--rw dst-in-ip-pool? inet:ip-prefix 529 | | +--rw dst-out-ip-pool? inet:ip-prefix 530 | +--rw supported-transport-protocols* [transport-protocol-id] 531 | | +--rw transport-protocol-id uint8 532 | | +--rw transport-protocol-name? string 533 | +--rw subscriber-mask-v6? uint8 534 | +--rw subscriber-match* [sub-match-id] 535 | | +--rw sub-match-id uint32 536 | | +--rw sub-mask inet:ip-prefix 537 | +--rw paired-address-pooling? boolean 538 | +--rw nat-mapping-type? enumeration 539 | +--rw nat-filtering-type? enumeration 540 | +--rw port-quota* [quota-type] 541 | | +--rw port-limit? uint16 542 | | +--rw quota-type enumeration 543 | +--rw port-allocation-type? enumeration 544 | +--rw address-roundrobin-enable? boolean 545 | +--rw port-set 546 | | +--rw port-set-size? uint16 547 | | +--rw port-set-timeout? uint32 548 | +--rw timers 549 | | +--rw udp-timeout? uint32 550 | | +--rw tcp-idle-timeout? uint32 551 | | +--rw tcp-trans-open-timeout? uint32 552 | | +--rw tcp-trans-close-timeout? uint32 553 | | +--rw tcp-in-syn-timeout? uint32 554 | | +--rw fragment-min-timeout? uint32 555 | | +--rw icmp-timeout? uint32 556 | | +--rw per-port-timeout* [port-number] 557 | | | +--rw port-number inet:port-number 558 | | | +--rw port-timeout inet:port-number 559 | | +--rw hold-down-timeout? uint32 560 | | +--rw hold-down-max? uint32 561 | +--rw algs* [alg-name] 562 | | +--rw alg-name string 563 | | +--rw alg-transport-protocol? uint32 564 | | +--rw alg-transport-port? inet:port-number 565 | | +--rw alg-status? boolean 566 | +--rw all-algs-enable? 
boolean 567 | +--rw notify-pool-usage 568 | | +--rw pool-id? uint32 569 | | +--rw notify-pool-hi-threshold percent 570 | | +--rw notify-pool-low-threshold? percent 571 | +--rw external-realm 572 | +--rw (realm-type)? 573 | +--:(interface) 574 | | +--rw external-interface? if:interface-ref 575 | +--:(vrf) 576 | +--rw external-vrf-instance? identityref 577 +--rw mapping-limit 578 | +--rw limit-per-subscriber? uint32 579 | +--rw limit-per-vrf? uint32 580 | +--rw limit-per-subnet? inet:ip-prefix 581 | +--rw limit-per-instance uint32 582 | +--rw limit-per-udp uint32 583 | +--rw limit-per-tcp uint32 584 | +--rw limit-per-icmp uint32 585 +--rw connection-limit 586 | +--rw limit-per-subscriber? uint32 587 | +--rw limit-per-vrf? uint32 588 | +--rw limit-per-subnet? inet:ip-prefix 589 | +--rw limit-per-instance uint32 590 | +--rw limit-per-udp uint32 591 | +--rw limit-per-tcp uint32 592 | +--rw limit-per-icmp uint32 593 +--rw logging-info 594 | +--rw logging-enable? boolean 595 | +--rw destination-address inet:ip-prefix 596 | +--rw destination-port inet:port-number 597 | +--rw (protocol)? 598 | +--:(syslog) 599 | | +--rw syslog? boolean 600 | +--:(ipfix) 601 | | +--rw ipfix? boolean 602 | +--:(ftp) 603 | +--rw ftp? boolean 604 +--rw mapping-table 605 | +--rw mapping-entry* [index] 606 | +--rw index uint32 607 | +--rw type? enumeration 608 | +--rw transport-protocol? uint8 609 | +--rw internal-src-address? inet:ip-prefix 610 | +--rw internal-src-port 611 | | +--rw (port-type)? 612 | | +--:(single-port-number) 613 | | | +--rw single-port-number? inet:port-number 614 | | +--:(port-range) 615 | | +--rw start-port-number? inet:port-number 616 | | +--rw end-port-number? inet:port-number 617 | +--rw external-src-address? inet:ip-prefix 618 | +--rw external-src-port 619 | | +--rw (port-type)? 620 | | +--:(single-port-number) 621 | | | +--rw single-port-number? inet:port-number 622 | | +--:(port-range) 623 | | +--rw start-port-number? inet:port-number 624 | | +--rw end-port-number? 
inet:port-number 625 | +--rw internal-dst-address? inet:ip-prefix 626 | +--rw internal-dst-port 627 | | +--rw (port-type)? 628 | | +--:(single-port-number) 629 | | | +--rw single-port-number? inet:port-number 630 | | +--:(port-range) 631 | | +--rw start-port-number? inet:port-number 632 | | +--rw end-port-number? inet:port-number 633 | +--rw external-dst-address? inet:ip-prefix 634 | +--rw external-dst-port 635 | | +--rw (port-type)? 636 | | +--:(single-port-number) 637 | | | +--rw single-port-number? inet:port-number 638 | | +--:(port-range) 639 | | +--rw start-port-number? inet:port-number 640 | | +--rw end-port-number? inet:port-number 641 | +--rw lifetime? uint32 642 +--ro statistics 643 +--ro traffic-statistics 644 | +--ro sent-packet? yang:zero-based-counter64 645 | +--ro sent-byte? yang:zero-based-counter64 646 | +--ro rcvd-packet? yang:zero-based-counter64 647 | +--ro rcvd-byte? yang:zero-based-counter64 648 | +--ro dropped-packet? yang:zero-based-counter64 649 | +--ro dropped-byte? yang:zero-based-counter64 650 +--ro mapping-statistics 651 | +--ro total-mappings? uint32 652 | +--ro total-tcp-mappings? uint32 653 | +--ro total-udp-mappings? uint32 654 | +--ro total-icmp-mappings? uint32 655 +--ro pool-stats 656 +--ro pool-id? uint32 657 +--ro address-allocated? uint32 658 +--ro address-free? uint32 659 +--ro port-stats 660 +--ro ports-allocated? uint32 661 +--ro ports-free? uint32 662 notifications: 663 +---n nat-event 664 +--ro id? -> /nat-module/nat-instances/nat-instance/id 665 +--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id 666 +--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id 667 +--ro notify-pool-threshold percent 669 3. 
NAT YANG Module 671 file "ietf-nat@2017-10-02.yang" 673 module ietf-nat { 674 namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; 676 //namespace to be assigned by IANA 677 prefix "nat"; 679 import ietf-inet-types { prefix inet; } 680 import ietf-yang-types { prefix yang; } 682 import ietf-interfaces { prefix if; } 683 //import iana-if-type { prefix ianaift; } 685 organization "IETF OPSAWG Working Group"; 687 contact 688 "Mohamed Boucadair 689 Senthil Sivakumar 690 Chritsian Jacquenet 691 Suresh Vinapamula 692 Qin Wu "; 694 description 695 "This module is a YANG module for NAT implementations 696 (including NAT44 and NAT64 flavors). 698 Copyright (c) 2017 IETF Trust and the persons identified as 699 authors of the code. All rights reserved. 701 Redistribution and use in source and binary forms, with or 702 without modification, is permitted pursuant to, and subject 703 to the license terms contained in, the Simplified BSD License 704 set forth in Section 4.c of the IETF Trust's Legal Provisions 705 Relating to IETF Documents 706 (http://trustee.ietf.org/license-info). 708 This version of this YANG module is part of RFC XXXX; see 709 the RFC itself for full legal notices."; 711 revision 2017-10-02 { 712 description "Comments from Rajiv Asati to call out 713 explicitly stateless NAT64."; 715 reference "-ietf-04"; 716 } 718 revision 2017-09-27 { 719 description "Comments from Kris Poscic about NAT44, mainly: 720 - Allow for multiple NAT policies within the same instance. 721 - Associate an external interface/vrf per NAT policy."; 722 reference "-ietf-04"; 723 } 725 revision 2017-09-18 { 726 description "Comments from Tore Anderson about EAM-SIIT."; 727 reference "-ietf-03"; 728 } 730 revision 2017-08-23 { 731 description "Comments from F. 
Baker about NPTv6."; 732 reference "-ietf-02"; 733 } 735 revision 2017-08-21 { 736 description " Includes CLAT (Lee/Jordi)."; 737 reference "-ietf-01"; 738 } 740 revision 2017-08-03 { 741 description "Integrates comments from OPSAWG CFA."; 742 reference "-ietf-00"; 743 } 745 revision 2017-07-03 { 746 description "Integrates comments from D. Wing and T. Zhou."; 747 reference "-07"; 748 } 750 revision 2015-09-08 { 751 description "Fixes few YANG errors."; 753 reference "-02"; 754 } 756 revision 2015-09-07 { 757 description "Completes the NAT64 model."; 758 reference "01"; 759 } 761 revision 2015-08-29 { 762 description "Initial version."; 763 reference "00"; 764 } 766 /* 767 * Definitions 768 */ 770 typedef percent { 771 type uint8 { 772 range "0 .. 100"; 773 } 774 description 775 "Percentage"; 776 } 778 /* 779 * Identities 780 */ 782 identity nat-type { 783 description 784 "Base identity for nat type."; 785 } 787 identity nat44 { 788 base nat:nat-type; 789 description 790 "Identity for traditional NAT support."; 792 reference 793 "RFC 3022."; 794 } 796 identity basic-nat { 797 //base nat:nat-type; 798 base nat:nat44; 799 description 800 "Identity for Basic NAT support."; 802 reference 803 "RFC 3022."; 804 } 806 identity napt { 807 //base nat:nat-type; 808 base nat:nat44; 809 description 810 "Identity for NAPT support."; 811 reference 812 "RFC 3022."; 813 } 815 identity restricted-nat { 816 //base nat:nat-type; 817 base nat:nat44; 818 description 819 "Identity for Port-Restricted NAT support."; 821 reference 822 "RFC 7596."; 823 } 825 identity dst-nat { 826 base nat:nat-type; 827 description 828 "Identity for Destination NAT support."; 829 } 831 identity nat64 { 832 base nat:nat-type; 833 description 834 "Identity for NAT64 support."; 836 reference 837 "RFC 6146."; 838 } 840 identity clat { 841 base nat:nat-type; 842 description 843 "Identity for CLAT support."; 845 reference 846 "RFC 6877."; 847 } 849 identity eam { 850 base nat:nat-type; 851 description 852 
      "Identity for EAM support.";
    reference
      "RFC 7757.";
  }

  identity nptv6 {
    base nat:nat-type;
    description
      "Identity for NPTv6 support.";
    reference
      "RFC 6296.";
  }

  identity vrf-routing-instance {
    description
      "This identity represents a VRF routing instance.";
    reference
      "Section 8.9 of RFC 4026.";
  }

  /*
   * Grouping
   */

  // Set of ports

  grouping port-set {
    description
      "Indicates a set of ports.
       It may be a simple port range, or use the PSID algorithm
       to represent a range of transport layer
       ports which will be used by a NAPT.";

    choice port-type {
      default port-range;
      description
        "Port type: port-range or port-set-algo.";

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port range.";
          reference
            "Section 3.2.9 of RFC 8045.";
        }
        leaf end-port-number {
          type inet:port-number;
          description
            "End of the port range.";
          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }

      case port-set-algo {
        leaf psid-offset {
          type uint8 {
            range 0..16;
          }
          description
            "The number of offset bits.  In Lightweight 4over6,
             the default value is 0 for assigning one contiguous
             port range.
             In MAP-E/T, the default value is 6,
             which excludes system ports by default and assigns
             port ranges distributed across the entire port
             space.";
        }
        leaf psid-len {
          type uint8 {
            range 0..15;
          }
          mandatory true;
          description
            "The length of PSID, representing the sharing
             ratio for an IPv4 address.";
        }
        leaf psid {
          type uint16;
          mandatory true;
          description
            "Port Set Identifier (PSID) value, which
             identifies a set of ports algorithmically.";
        }
      }
    }
  }

  // port numbers: single or port-range

  grouping port-number {
    description
      "Individual port or a range of ports.";

    choice port-type {
      default single-port-number;
      description
        "Port type: single or port-range.";

      case single-port-number {
        leaf single-port-number {
          type inet:port-number;
          description
            "Used for single port numbers.";
        }
      }

      case port-range {
        leaf start-port-number {
          type inet:port-number;
          description
            "Beginning of the port range.";
          reference
            "Section 3.2.9 of RFC 8045.";
        }
        leaf end-port-number {
          type inet:port-number;
          description
            "End of the port range.";
          reference
            "Section 3.2.10 of RFC 8045.";
        }
      }
    }
  }

  // Mapping Entry

  grouping mapping-entry {
    description
      "NAT mapping entry.";

    leaf index {
      type uint32;
      description
        "A unique identifier of a mapping entry.";
    }

    leaf type {
      type enumeration {
        enum "static" {
          description
            "The mapping entry is manually
             configured.";
        }
        enum "dynamic-explicit" {
          description
            "This mapping is created by an explicit
             dynamic message (e.g., a PCP request).";
        }
        enum "dynamic-implicit" {
          description
            "This mapping is created by an
             outgoing packet.";
        }
      }
      description
        "Indicates the type of a mapping entry.
         E.g., a mapping can be: static, implicit dynamic
         or explicit dynamic.";
    }

    leaf transport-protocol {
      type uint8;
      description
        "Upper-layer protocol associated with this mapping.
         Values are taken from the IANA protocol registry.
         For example, this field contains 6 (TCP) for a TCP
         mapping or 17 (UDP) for a UDP mapping.  No transport
         protocol is indicated if a mapping applies for any
         protocol.";
    }

    leaf internal-src-address {
      type inet:ip-prefix;
      description
        "Corresponds to the source IPv4/IPv6 address/prefix
         of the packet received on an internal
         interface.";
    }

    container internal-src-port {
      description
        "Corresponds to the source port of the
         packet received on an internal interface.
         It is also used to carry the internal
         source ICMP identifier.";
      uses port-number;
    }

    leaf external-src-address {
      type inet:ip-prefix;
      description
        "Source IP address/prefix of the packet sent
         on an external interface of the NAT.";
    }

    container external-src-port {
      description
        "Source port of the packet sent
         on an external interface of the NAT.
         It is also used to carry the external
         source ICMP identifier.";
      uses port-number;
    }

    leaf internal-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet received on an internal interface
         of the NAT.
         For example, some NAT implementations support
         the translation of both source and destination
         addresses and ports, sometimes referred to
         as 'Twice NAT'.";
    }

    container internal-dst-port {
      description
        "Corresponds to the destination port of the
         IP packet received on the internal interface.
         It is also used to carry the internal
         destination ICMP identifier.";
      uses port-number;
    }

    leaf external-dst-address {
      type inet:ip-prefix;
      description
        "Corresponds to the destination IP address/prefix
         of the packet sent on an external interface
         of the NAT.";
    }

    container external-dst-port {
      description
        "Corresponds to the destination port number of
         the packet sent on the external interface
         of the NAT.
         It is also used to carry the external
         destination ICMP identifier.";
      uses port-number;
    }

    leaf lifetime {
      type uint32;
      units "seconds";
      //mandatory true;
      description
        "When specified, it tracks the connection that is
         fully-formed (e.g., once the TCP 3WHS is completed)
         or the duration for maintaining an explicit mapping
         alive.  Static mappings may not be associated with a
         lifetime.  If no lifetime is associated with a
         static mapping, an explicit action is required to
         remove that mapping.";
    }
  }

  /*
   * NAT Module
   */

  container nat-module {
    description
      "NAT";

    container nat-instances {
      description
        "NAT instances";

      list nat-instance {
        key "id";
        description
          "A NAT instance.";

        leaf id {
          type uint32;
          description
            "NAT instance identifier.";
          reference
            "RFC 7659.";
        }

        leaf name {
          type string;
          description
            "A name associated with the NAT instance.";
        }

        leaf enable {
          type boolean;
          description
            "Status of the NAT instance.";
        }

        container nat-capabilities {
          // config false;
          description
            "NAT capabilities";

          leaf-list nat-flavor {
            type identityref {
              base nat-type;
            }
            description
              "Type of NAT.";
          }

          leaf-list nat44-flavor {
            when "../nat-flavor = 'nat44'";
            type identityref {
              base nat44;
            }
            description
              "Type of NAT44: Basic
               NAT or NAPT.";
          }

          leaf restricted-port-support {
            type boolean;
            description
              "Indicates source port NAT restriction
               support.";
          }

          leaf static-mapping-support {
            type boolean;
            description
              "Indicates whether static mappings are
               supported.";
          }

          leaf port-randomization-support {
            type boolean;
            description
              "Indicates whether port randomization is
               supported.";
          }

          leaf port-range-allocation-support {
            type boolean;
            description
              "Indicates whether port range
               allocation is supported.";
          }

          leaf port-preservation-support {
            type boolean;
            description
              "Indicates whether port preservation
               is supported.";
          }

          leaf port-parity-preservation-support {
            type boolean;
            description
              "Indicates whether port parity
               preservation is supported.";
          }

          leaf address-roundrobin-support {
            type boolean;
            description
              "Indicates whether address allocation
               round robin is supported.";
          }

          leaf paired-address-pooling-support {
            type boolean;
            description
              "Indicates whether paired-address-pooling is
               supported.";
          }

          leaf endpoint-independent-mapping-support {
            type boolean;
            description
              "Indicates whether endpoint-independent
               mapping (Section 4 of RFC 4787) is
               supported.";
          }

          leaf address-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address-dependent
               mapping is supported.";
          }

          leaf address-and-port-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address-and-port-dependent
               mapping is supported.";
          }

          leaf endpoint-independent-filtering-support {
            type boolean;
            description
              "Indicates whether endpoint-independent
               filtering is supported.";
          }

          leaf address-dependent-filtering {
            type boolean;
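/*
Added example, not part of this module or of the draft: a Python worked computation of the port-set-algo case of the port-set grouping defined earlier in this module (psid-offset a, psid-len k, psid), following the port-mapping algorithm of RFC 7597 that the description cites for Lightweight 4over6 (a = 0) and MAP (a = 6). It also shows the inverse lookup a NAPT needs to check whether a port belongs to a subscriber's set, and an overlap check usable for port-set-restrict ranges. All parameter values are constructed for illustration.

```python
"""Port-set computation for the port-set-algo case (psid-offset,
psid-len, psid) per RFC 7597, Section 5.1.  Added example; not the
draft's own code."""
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]   # inclusive (start-port-number, end-port-number)


def psid_port_ranges(psid_offset: int, psid_len: int, psid: int) -> List[PortRange]:
    """Expand (a, k, PSID) into the contiguous port ranges a subscriber
    may use.  Port layout is A (a bits) | PSID (k bits) | M (m bits);
    when a > 0, A = 0 is excluded so the system ports 0-1023 are never
    assigned (the MAP default a = 6 does exactly that)."""
    a, k = psid_offset, psid_len
    if not (0 <= a <= 16 and 0 <= k <= 15 and a + k <= 16):
        raise ValueError("need 0 <= a <= 16, 0 <= k <= 15 and a + k <= 16")
    if not 0 <= psid < (1 << k):
        raise ValueError("psid must fit in psid-len bits")
    m = 16 - a - k
    a_values = range(1, 1 << a) if a > 0 else range(0, 1)
    ranges = []
    for A in a_values:
        start = (A << (16 - a)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def psid_of_port(port: int, psid_offset: int, psid_len: int) -> Optional[int]:
    """Inverse: which PSID owns this port under (a, k)?  None for ports
    in the excluded A = 0 block (e.g., port 80 when a = 6)."""
    a, k = psid_offset, psid_len
    m = 16 - a - k
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)


def port_set_size(psid_offset: int, psid_len: int) -> int:
    """Number of ports each PSID receives (the sharing ratio is 2**k)."""
    return sum(end - start + 1
               for start, end in psid_port_ranges(psid_offset, psid_len, 0))


def ranges_overlap(r1: PortRange, r2: PortRange) -> bool:
    """True if two configured port ranges share at least one port; two
    port-set-restrict policies on one external address must not."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]


if __name__ == "__main__":
    # Lightweight 4over6 style: a = 0, one contiguous block per PSID
    print(psid_port_ranges(0, 4, 3))          # [(12288, 16383)]
    # MAP style: a = 6, k = 8 -> 63 blocks of 4 ports, system ports skipped
    print(psid_port_ranges(6, 8, 5)[:2])      # [(1044, 1047), (2068, 2071)]
    print(psid_of_port(1045, 6, 8), psid_of_port(80, 6, 8))  # 5 None
```

With a = 6 and k = 8 each subscriber gets 252 ports spread over the whole port space rather than one block, which is the MAP default the psid-offset description refers to; the inverse lookup is what a NAPT applies to an inbound packet before consulting its mapping table.
*/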
            description
              "Indicates whether address-dependent
               filtering is supported.";
          }

          leaf address-and-port-dependent-filtering {
            type boolean;
            description
              "Indicates whether address-and-port-dependent
               filtering is supported.";
          }
        }

        // Parameters for NAT pass through

        list nat-pass-through {
          key nat-pass-through-id;
          description
            "IP prefix NAT pass through.";

          leaf nat-pass-through-id {
            type uint32;
            description
              "An identifier of the IP prefix pass
               through.";
          }

          leaf nat-pass-through-pref {
            type inet:ip-prefix;
            description
              "The IP address subnets that match
               should not be translated.  According to
               REQ#6 of RFC 6888, it must be possible
               to administratively turn off translation
               for specific destination addresses
               and/or ports.";
          }

          leaf nat-pass-through-port {
            type inet:port-number;
            description
              "The port number that, when matched,
               should not be translated.  According to
               REQ#6 of RFC 6888, it must be possible to
               administratively turn off translation
               for specific destination addresses
               and/or ports.";
          }
        }

        // NAT Policies: Multiple policies per NAT instance

        list nat-policy {
          key policy-id;
          description
            "NAT parameters for a given instance";

          leaf policy-id {
            type uint32;
            description
              "An identifier of the NAT policy.";
          }

          // CLAT Parameters

          container clat-parameters {
            description
              "CLAT parameters.";

            list clat-ipv6-prefixes {
              when "../../../nat-capabilities/nat-flavor = 'clat'";
              key clat-ipv6-prefix;
              description
                "464XLAT double translation treatment is
                 stateless when a dedicated /64 is available
                 for translation on the CLAT.
                 Otherwise, the
                 CLAT will have both stateful and stateless
                 since it requires NAT44 from the LAN to
                 a single IPv4 address and then stateless
                 translation to a single IPv6 address.";
              reference
                "RFC 6877.";

              leaf clat-ipv6-prefix {
                type inet:ipv6-prefix;
                description
                  "An IPv6 prefix used for CLAT.";
              }
            }

            list clat-ipv4-prefixes {
              when "../../../nat-capabilities/nat-flavor = 'clat'";
              key clat-ipv4-prefix;
              description
                "Pool of IPv4 addresses used for CLAT.
                 192.0.0.0/29 is the IPv4 service continuity
                 prefix.";
              reference
                "RFC 7335.";

              leaf clat-ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 prefix used by the CLAT.
                   When no dedicated /64 is available for
                   stateless translation, the CLAT performs
                   NAT44 for all IPv4 LAN packets so that
                   all the LAN-originated IPv4 packets appear
                   from a single IPv4 address and are then
                   statelessly translated to one interface
                   IPv6 address that is claimed by the CLAT.
                   An IPv4 address from this pool is also
                   provided to an application that makes
                   use of literals.";
                reference
                  "RFC 6877.";
              }
            }
          }

          // NPTv6 Parameters

          list nptv6-prefixes {
            when "../../nat-capabilities/nat-flavor = 'nptv6'";
            key translation-id;
            description
              "Provides one or a list of (internal IPv6 prefix,
               external IPv6 prefix) required for NPTv6.
               In its simplest form, NPTv6 interconnects two network
               links, one of which is an 'internal' network link
               attached to a leaf network within a single
               administrative domain and the other of which is an
               'external' network with connectivity to the global
               Internet.";
            reference
              "RFC 6296.";

            leaf translation-id {
              type uint32;
              description
                "An identifier of the NPTv6 prefixes.";
            }

            leaf internal-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "An IPv6 prefix used by an internal interface
                 of NPTv6.";
              reference
                "RFC 6296.";
            }

            leaf external-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "An IPv6 prefix used by the external interface
                 of NPTv6.";
              reference
                "RFC 6296.";
            }
          }

          // EAM SIIT Parameters

          list eam {
            when "../../nat-capabilities/nat-flavor = 'eam'";
            key eam-ipv4-prefix;
            description
              "The Explicit Address Mapping Table, a conceptual
               table in which each row represents an EAM.
               Each EAM describes a mapping between IPv4 and IPv6
               prefixes/addresses.";
            reference "Section 3.1 of RFC 7757.";

            leaf eam-ipv4-prefix {
              type inet:ipv4-prefix;
              description
                "The IPv4 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }

            leaf eam-ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "The IPv6 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }
          }

          //NAT64 IPv6 Prefixes

          list nat64-prefixes {
            when "../../nat-capabilities/nat-flavor = 'nat64'" +
                 " or ../../nat-capabilities/nat-flavor = 'clat'";
            key nat64-prefix;
            description
              "Provides one or a list of NAT64 prefixes
               with or without a list of destination IPv4 prefixes.

               Destination-based Pref64::/n is discussed in
               Section 5.1 of RFC 7050.  For example:
               192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
               198.51.100.0/24 is mapped to 2001:db8:122::/48.";
            reference
              "Section 5.1 of RFC 7050.";

            leaf nat64-prefix {
              type inet:ipv6-prefix;
              //default "64:ff9b::/96";
              description
                "A NAT64 prefix.  Can be a Network-Specific Prefix
                 (NSP) or the Well-Known Prefix (WKP).

                 Organizations deploying stateless IPv4/IPv6
                 translation should assign a Network-Specific
                 Prefix to their IPv4/IPv6 translation service.

                 For stateless NAT64, IPv4-translatable IPv6
                 addresses must use the selected Network-Specific
                 Prefix.  Both IPv4-translatable IPv6 addresses
                 and IPv4-converted IPv6 addresses should use
                 the same prefix.";
              reference
                "Sections 3.3 and 3.4 of RFC 6052.";
            }

            list destination-ipv4-prefix {
              key ipv4-prefix;
              description
                "An IPv4 prefix/address.";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 address/prefix.";
              }
            }

            leaf stateless-enable {
              type boolean;
              description
                "Explicitly enable stateless NAT64.";
            }
          }

          list external-ip-address-pool {
            key pool-id;
            description
              "Pool of external IP addresses used to
               service internal hosts.
               Both contiguous and non-contiguous pools
               can be configured for NAT purposes.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf external-ip-pool {
              type inet:ipv4-prefix;
              description
                "An IPv4 prefix used for NAT purposes.";
            }
          }

          container port-set-restrict {
            when "../../nat-capabilities/restricted-port-support = 'true'";
            description
              "Configures contiguous and non-contiguous port ranges.";
            uses port-set;
          }

          leaf dst-nat-enable {
            type boolean;
            default false;
            description
              "Enable/Disable destination NAT.
               A NAT44 may be configured to enable
               Destination NAT, too.";
          }

          list dst-ip-address-pool {
            //if-feature dst-nat;
            when "../../nat-capabilities/nat-flavor = 'dst-nat'";
            key pool-id;
            description
              "Pool of IP addresses used for destination NAT.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf dst-in-ip-pool {
              type inet:ip-prefix;
              description
                "Internal IP prefix/address.";
            }

            leaf dst-out-ip-pool {
              type inet:ip-prefix;
              description
                "IP address/prefix used for destination NAT.";
            }
          }

          list supported-transport-protocols {
            key transport-protocol-id;
            description
              "Supported transport protocols.
               TCP and UDP are supported by default.";

            leaf transport-protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.
                 Values are taken from the IANA protocol registry.
                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }

            leaf transport-protocol-name {
              type string;
              description
                "For example, TCP, UDP, DCCP, and SCTP.";
            }
          }

          leaf subscriber-mask-v6 {
            type uint8 {
              range "0 .. 128";
            }
            description
              "The subscriber-mask is an integer that indicates
               the length of significant bits to be applied on
               the source IP address (internal side) to
               unambiguously identify a CPE.

               Subscriber-mask is a system-wide configuration
               parameter that is used to enforce generic
               per-subscriber policies (e.g., port-quota).

               The enforcement of these generic policies does not
               require the configuration of every subscriber's
               prefix.

               Example: suppose the 2001:db8:100:100::/56 prefix
               is assigned to a NAT64 serviced CPE.
               Suppose also
               that 2001:db8:100:100::1 is the IPv6 address used
               by the client that resides in that CPE.  When the
               NAT64 receives a packet from this client,
               it applies the subscriber-mask (e.g., 56) on
               the source IPv6 address to compute the associated
               prefix for this client (2001:db8:100:100::/56).
               Then, the NAT64 enforces policies based on that
               prefix (2001:db8:100:100::/56), not on the exact
               source IPv6 address.";
          }

          list subscriber-match {
            key sub-match-id;
            description
              "IP prefix match.";

            leaf sub-match-id {
              type uint32;
              description
                "An identifier of the subscriber mask.";
            }

            leaf sub-mask {
              type inet:ip-prefix;
              mandatory true;
              description
                "The IP address subnets that match
                 should be translated.  E.g., all addresses
                 that belong to the 192.0.2.0/24 prefix must
                 be processed by the NAT.";
            }
          }

          leaf paired-address-pooling {
            type boolean;
            default true;
            description
              "Paired address pooling informs the NAT
               that all the flows from an internal IP
               address must be assigned the same external
               address.";
            reference
              "Section 4.1 of RFC 4787.";
          }

          leaf nat-mapping-type {
            type enumeration {
              enum "eim" {
                description
                  "endpoint-independent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
              enum "adm" {
                description
                  "address-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
              enum "edm" {
                description
                  "address-and-port-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT mapping.";
          }

          leaf nat-filtering-type {
            type enumeration {
              enum "eif" {
                description
                  "endpoint-independent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
              enum "adf" {
                description
                  "address-dependent-filtering.";
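/*
Added example, not the draft's code: a Python model of how the nat-mapping-type and nat-filtering-type leaves (and the matching *-mapping-support / *-filtering-support capabilities above) decide what an inbound packet can reach, following the RFC 4787 definitions. It makes the security-relevant difference concrete: with endpoint-independent filtering any external host that learns the external port reaches the internal endpoint, whereas address-and-port-dependent filtering admits only peers the internal host has already sent to. The NatBehavior class, its sequential port allocation and the addresses and ports used are constructed for illustration.

```python
"""Model of the RFC 4787 mapping and filtering behaviours selected by
nat-mapping-type and nat-filtering-type.  Added example; not the
draft's own code.  Addresses and ports are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class NatBehavior:
    mapping_type: str     # nat-mapping-type: "eim", "adm" or "edm"
    filtering_type: str   # nat-filtering-type: "eif", "adf" or "edf"
    next_port: int = 1024  # sequential allocation keeps the example deterministic
    # mapping key -> external port (the key shape depends on mapping_type)
    mappings: Dict[tuple, int] = field(default_factory=dict)
    # external port -> internal endpoint it was allocated to
    owner: Dict[int, Endpoint] = field(default_factory=dict)
    # external port -> external peers the internal endpoint has sent to
    peers: Dict[int, Set[Endpoint]] = field(default_factory=dict)

    def _mapping_key(self, internal: Endpoint, peer: Endpoint) -> tuple:
        if self.mapping_type == "eim":   # one mapping reused for any destination
            return (internal,)
        if self.mapping_type == "adm":   # new mapping per destination address
            return (internal, peer[0])
        if self.mapping_type == "edm":   # new mapping per destination address+port
            return (internal, peer)
        raise ValueError(f"unknown nat-mapping-type {self.mapping_type!r}")

    def outbound(self, internal: Endpoint, peer: Endpoint) -> int:
        """Translate an outbound packet; return the external source port."""
        key = self._mapping_key(internal, peer)
        port = self.mappings.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.mappings[key] = port
            self.owner[port] = internal
        self.peers.setdefault(port, set()).add(peer)
        return port

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Apply the filtering rule to an inbound packet addressed to
        ext_port; return the internal endpoint, or None if dropped."""
        internal = self.owner.get(ext_port)
        if internal is None:
            return None                      # no mapping: always dropped
        seen = self.peers.get(ext_port, set())
        if self.filtering_type == "eif":
            allowed = True                   # any external host may reach it
        elif self.filtering_type == "adf":
            allowed = any(p[0] == src[0] for p in seen)
        elif self.filtering_type == "edf":
            allowed = src in seen            # exact address and port match
        else:
            raise ValueError(f"unknown nat-filtering-type {self.filtering_type!r}")
        return internal if allowed else None
```

Run `NatBehavior("eim", "eif")` against `NatBehavior("edm", "edf")` with the same outbound flows: the first accepts an inbound probe from an unrelated address on the learned port, the second drops it. The port-restricted flavour (restricted-nat identity) composes with either by constraining which external ports outbound() may hand out.
*/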
                reference
                  "Section 5 of RFC 4787.";
              }
              enum "edf" {
                description
                  "address-and-port-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
            }
            description
              "Indicates the type of NAT filtering.";
          }

          list port-quota {
            when "../../nat-capabilities/nat44-flavor = " +
                 "'napt' or " +
                 "../../nat-capabilities/nat-flavor = " +
                 "'nat64'";
            key quota-type;
            description
              "Configures a port quota to be assigned per
               subscriber.  It corresponds to the maximum
               number of ports to be used by a subscriber.";

            leaf port-limit {
              type uint16;
              description
                "Configures a port quota to be assigned per
                 subscriber.  It corresponds to the maximum
                 number of ports to be used by a subscriber.";
              reference
                "REQ-4 of RFC 6888.";
            }

            leaf quota-type {
              type enumeration {
                enum "all" {
                  description
                    "The limit applies to all protocols.";
                  reference
                    "REQ-4 of RFC 6888.";
                }
                enum "tcp" {
                  description
                    "TCP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }
                enum "udp" {
                  description
                    "UDP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }
                enum "icmp" {
                  description
                    "ICMP quota.";
                  reference
                    "REQ-4 of RFC 6888.";
                }
              }
              description
                "Indicates whether the port quota applies to
                 all protocols or to a specific transport.";
            }
          }

          leaf port-allocation-type {
            type enumeration {
              enum "random" {
                description
                  "Port randomization is enabled.";
              }
              enum "port-preservation" {
                description
                  "Indicates whether the NAT should
                   preserve the internal port number.";
              }
              enum "port-parity-preservation" {
                description
                  "Indicates whether the NAT should
                   preserve the port parity of the
                   internal port number.";
              }
              enum "port-range-allocation" {
                description
                  "Indicates whether
                   the NAT assigns a
                   range of ports for an internal host.";
              }
            }
            description
              "Indicates the type of a port allocation.";
          }

          leaf address-roundrobin-enable {
            type boolean;
            description
              "Enable/disable address allocation
               round robin.";
          }

          container port-set {
            when "../port-allocation-type='port-range-allocation'";
            description
              "Manages port-set assignments.";

            leaf port-set-size {
              type uint16;
              description
                "Indicates the size of assigned port
                 sets.";
            }

            leaf port-set-timeout {
              type uint32;
              units "seconds";
              description
                "Inactivity timeout for port sets.";
            }
          }

          container timers {
            description
              "Configure values of various timeouts.";

            leaf udp-timeout {
              type uint32;
              units "seconds";
              default 300;
              description
                "UDP inactivity timeout.  That is the time a mapping
                 will stay active without packets traversing the NAT.";
              reference
                "RFC 4787.";
            }

            leaf tcp-idle-timeout {
              type uint32;
              units "seconds";
              default 7440;
              description
                "TCP idle timeout.  The default is 2 hours and
                 4 minutes (7440 seconds).";
              reference
                "RFC 5382.";
            }

            leaf tcp-trans-open-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory open connection
                 idle-timeout.
                 Section 2.1 of RFC 7857 clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.
                 To accommodate deployments that consider
                 a partially open timeout of 4 minutes as being
                 excessive from a security standpoint, a NAT may
                 allow the configured timeout to be less than
                 4 minutes.
                 However, a minimum default transitory connection
                 idle-timeout of 4 minutes is recommended.";
              reference
                "RFC 7857.";
            }

            leaf tcp-trans-close-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory close connection
                 idle-timeout.
                 Section 2.1 of RFC 7857 clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.";
              reference
                "RFC 7857.";
            }

            leaf tcp-in-syn-timeout {
              type uint32;
              units "seconds";
              default 6;
              description
                "A NAT must not respond to an unsolicited
                 inbound SYN packet for at least 6 seconds
                 after the packet is received.  If during
                 this interval the NAT receives and translates
                 an outbound SYN for the connection the NAT
                 must silently drop the original unsolicited
                 inbound SYN packet.";
              reference
                "RFC 5382.";
            }

            leaf fragment-min-timeout {
              type uint32;
              units "seconds";
              default 2;
              description
                "As long as the NAT has available resources,
                 the NAT allows the fragments to arrive
                 over the fragment-min-timeout interval.
                 The default value is inspired from RFC 6146.";
            }

            leaf icmp-timeout {
              type uint32;
              units "seconds";
              default 60;
              description
                "An ICMP Query session timer must not expire
                 in less than 60 seconds.
                 It is recommended
                 that the ICMP Query session timer be made
                 configurable.";
              reference
                "RFC 5508.";
            }

            list per-port-timeout {
              key port-number;
              description
                "Some NATs are configurable with short timeouts
                 for some ports, e.g., 10 seconds on
                 port 53 (DNS) and NTP (123) and longer timeouts
                 on other ports.";

              leaf port-number {
                type inet:port-number;
                description
                  "A port number.";
              }

              leaf port-timeout {
                type uint32;
                units "seconds";
                mandatory true;
                description
                  "Timeout for this port.";
              }
            }

            leaf hold-down-timeout {
              type uint32;
              units "seconds";
              default 120;
              description
                "Hold down timer.  Ports in the
                 hold down pool are not reassigned until
                 this timer expires.
                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator
                 [RFC6888].  This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions.  It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }

            leaf hold-down-max {
              type uint32;
              description
                "Maximum ports in the hold down timer pool.
                 Ports in the hold down pool are not reassigned
                 until hold-down-timeout expires.
                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator
                 [RFC6888].  This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions.
                 It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }
          }

          list algs {
            key alg-name;
            description
              "ALG-related features.";

            leaf alg-name {
              type string;
              description
                "The name of the ALG.";
            }

            leaf alg-transport-protocol {
              type uint8;
              description
                "The transport protocol used by the ALG.
                 Values are taken from the IANA protocol registry.";
            }

            leaf alg-transport-port {
              type inet:port-number;
              description
                "The port number used by the ALG.";
            }

            leaf alg-status {
              type boolean;
              description
                "Enable/disable the ALG.";
            }
          }

          leaf all-algs-enable {
            type boolean;
            description
              "Enable/disable all ALGs.";
          }

          container notify-pool-usage {
            description
              "Notification of pool usage when certain criteria
               are met.";

            leaf pool-id {
              type uint32;
              description
                "Pool-ID for which the notification
                 criteria is defined.";
            }

            leaf notify-pool-hi-threshold {
              type percent;
              mandatory true;
              description
                "Notification must be generated when the
                 defined high threshold is reached.
                 For example, if a notification is
                 required when the pool utilization reaches
                 90%, this configuration parameter must
                 be set to 90%.";
            }

            leaf notify-pool-low-threshold {
              type percent;
              description
                "Notification must be generated when the defined
                 low threshold is reached.
                 For example, if a notification is required when
                 the pool utilization reaches below 10%,
                 this configuration parameter must be set to
                 10%.";
            }
          }

          container external-realm {
            description
              "Identifies the external realm of
               the NAT.";

            choice realm-type {
              description
                "Interface or VRF.";

              case interface {
                description
                  "External interface.";
                leaf external-interface {
                  type if:interface-ref;
                  description
                    "Name of an external interface.";
                }
              }

              case vrf {
                description
                  "External VRF instance.";
                leaf external-vrf-instance {
                  type identityref {
                    base vrf-routing-instance;
                  }
                  description
                    "A VRF instance.";
                }
              }
            }
          }
        } //nat-policy

        container mapping-limit {
          description
            "Information about the configuration parameters that
             limit the mappings based upon various criteria.";

          leaf limit-per-subscriber {
            type uint32;
            description
              "Maximum number of NAT mappings per
               subscriber.";
          }

          leaf limit-per-vrf {
            type uint32;
            description
              "Maximum number of NAT mappings per
               VLAN/VRF.";
          }

          leaf limit-per-subnet {
            type inet:ip-prefix;
            description
              "Maximum number of NAT mappings per
               subnet.";
          }

          leaf limit-per-instance {
            type uint32;
            mandatory true;
            description
              "Maximum number of NAT mappings per
               instance.";
          }

          leaf limit-per-udp {
            type uint32;
            mandatory true;
            description
              "Maximum number of UDP NAT mappings per
               subscriber.";
          }

          leaf limit-per-tcp {
            type uint32;
            mandatory true;
            description
              "Maximum number of TCP NAT mappings per
               subscriber.";
          }

          leaf limit-per-icmp {
            type uint32;
            mandatory true;
            description
              "Maximum number of ICMP NAT mappings per
               subscriber.";
          }
        }

        container
        connection-limit {
          description
            "Information about the configuration parameters that
             rate limit the translation based upon various
             criteria.";

          leaf limit-per-subscriber {
            type uint32;
            description
              "Rate-limit the number of new mappings
               and sessions per subscriber.";
          }

          leaf limit-per-vrf {
            type uint32;
            description
              "Rate-limit the number of new mappings
               and sessions per VLAN/VRF.";
          }

          leaf limit-per-subnet {
            type inet:ip-prefix;
            description
              "Rate-limit the number of new mappings
               and sessions per subnet.";
          }

          leaf limit-per-instance {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new mappings
               and sessions per instance.";
          }

          leaf limit-per-udp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new UDP mappings
               and sessions per subscriber.";
          }

          leaf limit-per-tcp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new TCP mappings
               and sessions per subscriber.";
          }

          leaf limit-per-icmp {
            type uint32;
            mandatory true;
            description
              "Rate-limit the number of new ICMP mappings
               and sessions per subscriber.";
          }
        }

        container logging-info {
          description
            "Information about logging NAT events.";

          leaf logging-enable {
            type boolean;
            description
              "Enable logging features as per Section 2.3
               of RFC 6908.";
          }

          leaf destination-address {
            type inet:ip-prefix;
            mandatory true;
            description
              "Address of the collector that receives
               the logs.";
          }

          leaf destination-port {
            type inet:port-number;
            mandatory true;
            description
              "Destination port of the collector.";
          }

          choice protocol {
            description
              "Enable the protocol to be used for
               the retrieval of logging entries.";

            case syslog {
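/*
Added example, not the draft's code: Python per-subscriber port accounting that ties together three nat-policy parameters defined above. subscriber-mask-v6 keys every policy on the prefix obtained by masking the internal source address (the 2001:db8:100:100::/56 example in its description); port-quota/port-limit caps the ports one subscriber may hold (REQ-4 of RFC 6888); and hold-down-timeout together with hold-down-max keeps a released external port out of circulation for a while (REQ#8 of RFC 6888), so a new subscriber cannot inherit a peer's still-live inbound sessions. The PortAllocator class, its port_range argument, the explicit `now` clock in seconds and the choice to recycle the oldest held port when hold-down-max is reached are assumptions made for this example; addresses are constructed.

```python
"""Per-subscriber port accounting for subscriber-mask-v6, port-quota
and hold-down-timeout/hold-down-max.  Added example; not the draft's
own code.  Time is passed in explicitly as seconds."""
import ipaddress
from collections import deque
from typing import Deque, Dict, Optional, Set, Tuple


def subscriber_prefix(src_ip: str, subscriber_mask: int) -> str:
    """Apply the subscriber-mask (a prefix length) to the internal source
    address; policies are keyed on the resulting prefix, not the host."""
    net = ipaddress.ip_network(f"{src_ip}/{subscriber_mask}", strict=False)
    return str(net)


class PortAllocator:
    """Hypothetical NAPT external-port allocator (constructed for this
    example) enforcing port-limit per subscriber prefix and holding
    released ports before reuse."""

    def __init__(self, port_limit: int, hold_down_timeout: int,
                 hold_down_max: int, subscriber_mask: int,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.port_limit = port_limit                  # port-quota/port-limit
        self.hold_down_timeout = hold_down_timeout    # hold-down-timeout, seconds
        self.hold_down_max = hold_down_max            # hold-down-max
        self.subscriber_mask = subscriber_mask        # subscriber-mask-v6
        self.free: Deque[int] = deque(range(port_range[0], port_range[1] + 1))
        self.in_use: Dict[str, Set[int]] = {}         # subscriber prefix -> ports
        self.hold_down: Deque[Tuple[int, int]] = deque()  # (port, released_at)

    def _expire_hold_down(self, now: int) -> None:
        # A port leaves hold-down only once hold-down-timeout has elapsed
        while self.hold_down and now - self.hold_down[0][1] >= self.hold_down_timeout:
            port, _ = self.hold_down.popleft()
            self.free.append(port)

    def allocate(self, src_ip: str, now: int) -> Optional[int]:
        """Return an external port for src_ip, or None when the subscriber's
        quota is exhausted or no port is currently reusable."""
        self._expire_hold_down(now)
        sub = subscriber_prefix(src_ip, self.subscriber_mask)
        used = self.in_use.setdefault(sub, set())
        if len(used) >= self.port_limit or not self.free:
            return None
        port = self.free.popleft()
        used.add(port)
        return port

    def release(self, src_ip: str, port: int, now: int) -> None:
        """Move a port into hold-down.  Assumption for this example: when
        hold-down-max is reached, the oldest held port is recycled early."""
        sub = subscriber_prefix(src_ip, self.subscriber_mask)
        self.in_use.get(sub, set()).discard(port)
        if len(self.hold_down) >= self.hold_down_max:
            oldest, _ = self.hold_down.popleft()
            self.free.append(oldest)
        self.hold_down.append((port, now))

    def held_ports(self) -> Set[int]:
        """Ports currently in the hold-down pool (not yet reusable)."""
        return {p for p, _ in self.hold_down}
```

A tiny port_range (four ports) makes the hold-down visible: a released port is not handed to another subscriber until hold-down-timeout seconds later, even when the pool is otherwise empty, which is the collision REQ#8 is meant to prevent. A hold-down-max of zero or one effectively disables that protection, which is worth a sanity check when such a configuration is pushed.
*/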
2441 leaf syslog { 2442 type boolean; 2444 description 2445 "If SYSLOG is in use."; 2446 } 2447 } 2449 case ipfix { 2450 leaf ipfix { 2451 type boolean; 2453 description 2454 "If IPFIX is in use."; 2455 } 2456 } 2458 case ftp { 2459 leaf ftp { 2460 type boolean; 2462 description 2463 "If FTP is in use."; 2464 } 2465 } 2466 } 2467 } 2469 container mapping-table { 2471 when "../nat-capabilities/nat-flavor = "+ 2472 "'nat44' or "+ 2473 "../nat-capabilities/nat-flavor = "+ 2474 "'nat64'or "+ 2475 "../nat-capabilities/nat-flavor = "+ 2476 "'clat'or "+ 2477 "../nat-capabilities/nat-flavor = 'dst-nat'"; 2479 description 2480 "NAT mapping table. Applicable for functions 2481 which maintains static and/or dynamic mappings, 2482 such as NAT44, Destination NAT, NAT64, or CLAT."; 2484 list mapping-entry { 2485 key "index"; 2487 description 2488 "NAT mapping entry."; 2490 uses mapping-entry; 2491 } 2492 } 2494 container statistics { 2496 config false; 2498 description 2499 "Statistics related to the NAT instance."; 2501 container traffic-statistics { 2502 description 2503 "Generic traffic statistics."; 2505 leaf sent-packet { 2506 type yang:zero-based-counter64; 2508 description 2509 "Number of packets sent."; 2510 } 2512 leaf sent-byte { 2513 type yang:zero-based-counter64; 2515 description 2516 "Counter for sent traffic in bytes."; 2517 } 2519 leaf rcvd-packet { 2520 type yang:zero-based-counter64; 2521 description 2522 "Number of received packets."; 2523 } 2525 leaf rcvd-byte { 2526 type yang:zero-based-counter64; 2528 description 2529 "Counter for received traffic 2530 in bytes."; 2531 } 2533 leaf dropped-packet { 2534 type yang:zero-based-counter64; 2536 description 2537 "Number of dropped packets."; 2538 } 2540 leaf dropped-byte { 2541 type yang:zero-based-counter64; 2543 description 2544 "Counter for dropped traffic in 2545 bytes."; 2546 } 2547 } 2549 container mapping-statistics { 2551 when "../../nat-capabilities/nat-flavor = "+ 2552 "'nat44' or "+ 2553 
"../../nat-capabilities/nat-flavor = "+ 2554 "'nat64'or "+ 2555 "../../nat-capabilities/nat-flavor = 'dst-nat'"; 2557 description 2558 "Mapping statistics."; 2560 leaf total-mappings { 2561 type uint32; 2563 description 2564 "Total number of NAT mappings present 2565 at a given time. This variable includes 2566 all the static and dynamic mappings."; 2567 } 2568 leaf total-tcp-mappings { 2569 type uint32; 2571 description 2572 "Total number of TCP mappings present 2573 at a given time."; 2574 } 2576 leaf total-udp-mappings { 2577 type uint32; 2579 description 2580 "Total number of UDP mappings present 2581 at a given time."; 2582 } 2584 leaf total-icmp-mappings { 2585 type uint32; 2587 description 2588 "Total number of ICMP mappings present 2589 at a given time."; 2590 } 2592 } 2594 container pool-stats { 2596 when "../../nat-capabilities/nat-flavor = "+ 2597 "'nat44' or "+ 2598 "../../nat-capabilities/nat-flavor = "+ 2599 "'nat64'"; 2601 description 2602 "Statistics related to address/prefix 2603 pool usage"; 2605 leaf pool-id { 2606 type uint32; 2608 description 2609 "Unique Identifier that represents 2610 a pool of addresses/prefixes."; 2611 } 2613 leaf address-allocated { 2614 type uint32; 2616 description 2617 "Number of allocated addresses in 2618 the pool"; 2619 } 2621 leaf address-free { 2622 type uint32; 2624 description 2625 "Number of unallocated addresses in 2626 the pool at a given time.The sum of 2627 unallocated and allocated 2628 addresses is the total number of 2629 addresses of the pool."; 2630 } 2632 container port-stats { 2634 description 2635 "Statistics related to port 2636 usage."; 2638 leaf ports-allocated { 2639 type uint32; 2641 description 2642 "Number of allocated ports 2643 in the pool."; 2644 } 2646 leaf ports-free { 2647 type uint32; 2649 description 2650 "Number of unallocated addresses 2651 in the pool."; 2652 } 2653 } 2654 } 2655 } //statistics 2656 } 2657 } 2658 } 2660 /* 2661 * Notifications 2662 */ 2664 notification nat-event { 
2665 description 2666 "Notifications must be generated when the defined 2667 high/low threshold is reached. Related 2668 configuration parameters must be provided to 2669 trigger the notifications."; 2671 leaf id { 2672 type leafref { 2673 path 2674 "/nat-module/nat-instances/" 2675 + "nat-instance/id"; 2676 } 2677 description 2678 "NAT instance ID."; 2679 } 2681 leaf policy-id { 2682 type leafref { 2683 path 2684 "/nat-module/nat-instances/" 2685 + "nat-instance/nat-policy/policy-id"; 2686 } 2688 description 2689 "Policy ID."; 2690 } 2692 leaf pool-id { 2693 type leafref { 2694 path 2695 "/nat-module/nat-instances/" 2696 + "nat-instance/nat-policy/" 2697 + "external-ip-address-pool/pool-id"; 2698 } 2699 description 2700 "Pool ID."; 2701 } 2703 leaf notify-pool-threshold { 2704 type percent; 2705 mandatory true; 2707 description 2708 "A treshhold has been fired."; 2710 } 2711 } 2712 } 2713 2715 4. Security Considerations 2717 The YANG module defined in this memo is designed to be accessed via 2718 the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the 2719 secure transport layer and the support of SSH is mandatory to 2720 implement secure transport [RFC6242]. The NETCONF access control 2721 model [RFC6536] provides means to restrict access by some users to a 2722 pre-configured subset of all available NETCONF protocol operations 2723 and data. 2725 All data nodes defined in the YANG module which can be created, 2726 modified and deleted (i.e., config true, which is the default). 2727 These data nodes are considered sensitive. Write operations (e.g., 2728 edit-config) applied to these data nodes without proper protection 2729 can negatively affect network operations. 2731 5. IANA Considerations 2733 This document requests IANA to register the following URI in the 2734 "IETF XML Registry" [RFC3688]: 2736 URI: urn:ietf:params:xml:ns:yang:ietf-nat 2737 Registrant Contact: The IESG. 2738 XML: N/A; the requested URI is an XML namespace. 
This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC6020].

   name: ietf-nat
   namespace: urn:ietf:params:xml:ns:yang:ietf-nat
   prefix: nat
   reference: RFC XXXX

6. Acknowledgements

Many thanks to Dan Wing and Tianran Zhou for the review.

Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA.

Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review, and Kristian Poscic for the CGN review.

Special thanks to Maros Marsalek and Marek Gradzki for sharing their comments based on the FD.io implementation of an earlier version of this module.

Rajiv Asati suggested clarifying how the module applies to both stateless and stateful NAT64.

7. References

7.1. Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787,
              January 2007.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and
              P. Srisuresh, "NAT Behavioral Requirements for TCP",
              BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

7.2. Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Data Models for the Port Control
              Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in
              progress), May 2017.

   [I-D.ietf-behave-ipfix-nat-logging]
              Sivakumar, S. and R. Penno, "IPFIX Information Elements
              for logging NAT Events",
              draft-ietf-behave-ipfix-nat-logging-13 (work in
              progress), January 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
              Models for the DS-Lite", draft-ietf-softwire-dslite-yang-06
              (work in progress), August 2017.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736,
              October 2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the
              Dual-Stack Lite Architecture", RFC 7596,
              DOI 10.17487/RFC7596, July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

Appendix A. Sample Examples

This section provides a non-exhaustive set of examples to illustrate the use of the NAT YANG module.

A.1. Traditional NAT44

Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the same IPv4 address among hosts that are owned by the same subscriber. This is typically the NAT that is embedded in CPE devices.

This NAT is usually provided with one single external IPv4 address; disambiguating connections is achieved by rewriting the source port number.
The XML snippet to configure the external IPv4 address in such a case, together with a mapping entry, is depicted below:

      1
      NAT_Subscriber_A
      ....
      1
      192.0.2.1
      ....
      ....
      192.0.2.1
      ....

The following shows the XML excerpt depicting a dynamic UDP mapping entry maintained by a traditional NAT44. In reference to this example, the UDP packet received with a source IPv4 address (192.0.2.1) and source port number (1568) is translated into a UDP packet having a source IPv4 address (198.51.100.1) and source port (15000). The lifetime of this mapping is 300 seconds.

      15
      dynamic-explicit
      17
      192.0.2.1
      1568
      198.51.100.1
      15000
      300

A.2. CGN

The following XML snippet shows the example of the capabilities supported by a CGN as retrieved using NETCONF.

      nat44
      false
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false

The following XML snippet shows the example of a CGN that is provisioned with one contiguous pool of external IPv4 addresses (192.0.2.0/24). Further, the CGN is instructed to limit the number of allocated ports per subscriber to 1024. Ports can be allocated by the CGN by assigning ranges of 256 ports (that is, a subscriber can be allocated up to four port ranges of 256 ports each).

      1
      myCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      256
      ....
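The port-range allocation and per-subscriber port limit just configured, worked through as an added Python example that is not part of the draft: a small NAT44 model that hands out 256-port ranges from the external pool, caps each subscriber at four of them (1024 ports, as in the myCGN example), returns the existing mapping when the same internal address and port show up again (an endpoint-independent mapping), expires mappings after the 300-second lifetime shown in A.1, and reports the ports-allocated and ports-free counters of the module's port-stats container. The class and method names, the use of the A.1 addresses (subscriber 192.0.2.1, pool 198.51.100.0/24) and the port numbers are this example's own choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

UDP, TCP = 17, 6   # transport-protocol values as used in the mapping-entry examples


@dataclass
class PortRange:
    external_ip: str
    first_port: int
    size: int


@dataclass
class MappingEntry:
    """Mirrors the fields of the page's dynamic mapping example (constructed model)."""
    transport_protocol: int
    internal: Tuple[str, int]     # internal source address and port
    external: Tuple[str, int]     # external source address and port
    lifetime: int                 # seconds
    created: float                # time the mapping was created


class PortRangeCgn:
    """NAT44 that hands out fixed-size port ranges and caps ports per subscriber."""

    def __init__(self, pool: str, port_limit: int, range_size: int,
                 first_port: int = 1024, last_port: int = 65535) -> None:
        if port_limit % range_size:
            raise ValueError("port-limit must be a multiple of the port-range size")
        self.ranges_per_subscriber = port_limit // range_size
        # Every range the pool can hand out, ordered by address and then by port.
        self.free_ranges: List[PortRange] = [
            PortRange(str(addr), start, range_size)
            for addr in ipaddress.IPv4Network(pool).hosts()
            for start in range(first_port, last_port - range_size + 2, range_size)
        ]
        self.assigned: Dict[str, List[PortRange]] = {}        # subscriber -> its ranges
        self.mappings: Dict[Tuple[int, str, int], MappingEntry] = {}
        self.ports_in_use: Set[Tuple[str, int]] = set()

    def _free_port(self, subscriber: str) -> Optional[Tuple[str, int]]:
        """First unused external (address, port) inside the subscriber's ranges."""
        for r in self.assigned.get(subscriber, []):
            for port in range(r.first_port, r.first_port + r.size):
                if (r.external_ip, port) not in self.ports_in_use:
                    return r.external_ip, port
        return None

    def expire(self, now: float) -> int:
        """Drop mappings whose lifetime has elapsed; returns how many were removed."""
        expired = [k for k, m in self.mappings.items() if now >= m.created + m.lifetime]
        for key in expired:
            self.ports_in_use.discard(self.mappings.pop(key).external)
        return len(expired)

    def create_mapping(self, subscriber: str, src_port: int, protocol: int,
                       now: float, lifetime: int = 300) -> Optional[MappingEntry]:
        """Return the mapping for (protocol, subscriber, src_port), creating it if allowed."""
        self.expire(now)
        key = (protocol, subscriber, src_port)
        if key in self.mappings:
            return self.mappings[key]        # endpoint-independent mapping: reuse it
        external = self._free_port(subscriber)
        if external is None:
            # All of the subscriber's ranges are full: take another one unless the
            # per-subscriber limit is reached or the pool is empty. Refusing here is
            # what keeps one subscriber from exhausting the pool shared by all.
            if len(self.assigned.get(subscriber, [])) >= self.ranges_per_subscriber:
                return None
            if not self.free_ranges:
                return None
            self.assigned.setdefault(subscriber, []).append(self.free_ranges.pop(0))
            external = self._free_port(subscriber)
            assert external is not None      # a freshly assigned range has free ports
        self.ports_in_use.add(external)
        entry = MappingEntry(protocol, (subscriber, src_port), external, lifetime, now)
        self.mappings[key] = entry
        return entry

    def port_stats(self) -> Dict[str, int]:
        """The counters the module's port-stats container reports."""
        allocated = sum(r.size for ranges in self.assigned.values() for r in ranges)
        return {"ports-allocated": allocated,
                "ports-free": sum(r.size for r in self.free_ranges)}
```

With the myCGN settings (port-limit 1024, ranges of 256) a subscriber's 1025th concurrent mapping is refused rather than served from someone else's range, and the refusal is where a per-subscriber limit alarm or log entry would be raised.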
An administrator may decide to allocate one single port range per subscriber (a port range of 1024 ports) as shown below:

      1
      myotherCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      1024
      ....
      ....

A.3. CGN Pass-Through

Figure 1 illustrates an example of the CGN pass-through feature.

      X1:x1            X1':x1'            X2:x2
     +---+from X1:x1  +---+from X1:x1    +---+
     | C | to X2:x2   |   | to X2:x2     | S |
     | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
     | i |            | G |              | r |
     | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
     | n |from X2:x2  |   |from X2:x2    | e |
     | t | to X1:x1   |   | to X1:x1     | r |
     +---+            +---+              +---+

                 Figure 1: CGN Pass-Through

For example, in order to disable NAT for communications issued by the client (192.0.2.25), the following configuration parameter must be set:

      ...
      192.0.2.25
      ...

A.4. NAT64

Let's consider the example of a NAT64 that should use 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. The XML snippet to configure the NAT64 prefix in such a case is depicted below:

      2001:db8:122:300::/56

A NAT64 can be instructed to behave in the stateless mode by providing the following configuration. The same NAT64 prefix is used for constructing both IPv4-translatable IPv6 addresses and IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

      2001:db8:122:300::/56
      true

Let's now consider the example of a NAT64 that should use 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if the destination address matches 198.51.100.0/24.
The XML snippet to configure the NAT64 prefix in such a case is shown below:

      2001:db8:122::/48
      198.51.100.0/24

A.5. Explicit Address Mappings for Stateless IP/ICMP Translation

As specified in [RFC7757], an EAM consists of an IPv4 prefix and an IPv6 prefix. Let's consider the set of EAM examples in Figure 2.

      +---+----------------+----------------------+
      | # | IPv4 Prefix    | IPv6 Prefix          |
      +---+----------------+----------------------+
      | 1 | 192.0.2.1      | 2001:db8:aaaa::      |
      | 2 | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
      | 3 | 192.0.2.16/28  | 2001:db8:cccc::/124  |
      | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64   |
      | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
      | 6 | 192.0.2.224/31 | 64:ff9b::/127        |
      +---+----------------+----------------------+

                Figure 2: EAM Examples (RFC7757)

The following XML excerpt illustrates how these EAMs can be configured using the YANG NAT module:

      192.0.2.1
      2001:db8:aaaa::

      192.0.2.2/32
      2001:db8:bbbb::b/128

      192.0.2.16/28
      2001:db8:cccc::/124

      192.0.2.128/26
      2001:db8:dddd::/64

      192.0.2.192/29
      2001:db8:eeee:8::/62

      192.0.2.224/31
      64:ff9b::/127

EAMs may be enabled jointly with stateful NAT64. This example shows a NAT64 function that supports static mappings:

      nat64
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false
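How a translator applies the Figure 2 table, as an added Python example (not code from the draft or from RFC 7757): an IPv4 address is matched against the EAM IPv4 prefixes (longest match wins), and the IPv4 suffix bits beyond the matched prefix are placed in the least significant bits of the paired IPv6 prefix, so 192.0.2.17 becomes 2001:db8:cccc::1 under EAM 3 and 192.0.2.195 becomes 2001:db8:eeee:8::3 under EAM 5; the reverse direction keeps only as many low-order IPv6 host bits as the IPv4 suffix has. The constructor also rejects an EAM whose IPv6 prefix is too long to carry the IPv4 suffix, which is the check worth running on mapping-table entries before committing them. The class names and the eam_is_valid helper are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple


class EAM:
    """One Explicit Address Mapping: an IPv4 prefix paired with an IPv6 prefix."""

    def __init__(self, ipv4_prefix: str, ipv6_prefix: str) -> None:
        # A bare address ("192.0.2.1") is a /32 or /128 prefix, as in Figure 2.
        self.ipv4 = ipaddress.IPv4Network(ipv4_prefix)
        self.ipv6 = ipaddress.IPv6Network(ipv6_prefix)
        # The IPv4 suffix (host bits beyond the IPv4 prefix) must fit inside the
        # IPv6 host bits, otherwise the mapping cannot be one-to-one.
        self.suffix_bits = 32 - self.ipv4.prefixlen
        if 128 - self.ipv6.prefixlen < self.suffix_bits:
            raise ValueError(f"IPv6 prefix {self.ipv6} is too long to carry the "
                             f"{self.suffix_bits}-bit IPv4 suffix of {self.ipv4}")


def eam_is_valid(ipv4_prefix: str, ipv6_prefix: str) -> bool:
    """True if the pair passes the suffix-length check performed by EAM()."""
    try:
        EAM(ipv4_prefix, ipv6_prefix)
        return True
    except ValueError:
        return False


class EAMTable:
    """The EAM table of a translator: longest-prefix lookup in both directions."""

    def __init__(self, entries: List[Tuple[str, str]]) -> None:
        self.entries = [EAM(v4, v6) for v4, v6 in entries]

    def ipv4_to_ipv6(self, address: str) -> Optional[str]:
        ip = ipaddress.IPv4Address(address)
        matches = [e for e in self.entries if ip in e.ipv4]
        if not matches:
            return None            # no EAM for this address
        eam = max(matches, key=lambda e: e.ipv4.prefixlen)   # longest match wins
        suffix = int(ip) & ((1 << eam.suffix_bits) - 1)
        # The IPv4 suffix goes into the least significant bits of the IPv6 address.
        return str(ipaddress.IPv6Address(int(eam.ipv6.network_address) | suffix))

    def ipv6_to_ipv4(self, address: str) -> Optional[str]:
        ip = ipaddress.IPv6Address(address)
        matches = [e for e in self.entries if ip in e.ipv6]
        if not matches:
            return None
        eam = max(matches, key=lambda e: e.ipv6.prefixlen)
        # Only the low suffix_bits carry IPv4 information; this example discards
        # any other host bits of the IPv6 address.
        suffix = int(ip) & ((1 << eam.suffix_bits) - 1)
        return str(ipaddress.IPv4Address(int(eam.ipv4.network_address) | suffix))


# The six EAMs of Figure 2 (RFC 7757), as the table a translator would hold.
FIGURE_2_EAMS = EAMTable([
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
])
```

An address with no EAM (192.0.2.3 against this table) yields None; a stateless translator would then fall back to its NAT64 prefix, if one is configured, or drop the packet.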
A.6. Static Mappings with Port Ranges

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1 and with source ports in the 100-500 range to 198.51.100.1:1100-1500.

      1
      static
      6
      192.0.2.1
      100
      500
      198.51.100.1
      1100
      1500
      ...

A.7. Static Mappings with IP Prefixes

The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.

      1
      static
      6
      192.0.2.1/24
      198.51.100.1/24
      ...

A.8. Destination NAT

The following XML snippet shows an example of a destination NAT that is instructed to translate packets having 192.0.2.1 as a destination IP address to 198.51.100.1.

      1
      192.0.2.1
      198.51.100.1

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows the static mapping to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      8080

In order to instruct a NAT to translate TCP packets destined to 192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh traffic) to 198.51.100.2, the following XML snippet shows the static mappings to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      ...

      2
      static
      6
      192.0.2.1
      22
      198.51.100.2
      ...

The NAT may also be instructed to proceed with both source and destination NAT.
To do so, in addition to the above sample to configure destination NAT, the NAT may be provided, for example, with a pool of external IP addresses (198.51.100.0/24) to use for source address translation. An example of the corresponding XML snippet is provided hereafter:

      1
      198.51.100.0/24

Instead of providing an external IP address to share, the NAT may be configured with static mapping entries that modify the internal IP address and/or port number.

A.9. CLAT

The following XML snippet shows the example of a CLAT that is configured with 2001:db8:1234::/96 as the PLAT-side IPv6 prefix and 2001:db8:aaaa::/96 as the CLAT-side IPv6 prefix. The CLAT is also provided with 192.0.0.1/32 (which is selected from the IPv4 service continuity prefix defined in [RFC7335]).

      2001:db8:aaaa::/96
      192.0.0.1/32
      2001:db8:1234::/96

A.10. NPTv6

Let's consider the example of an NPTv6 translator that should rewrite packets with the source prefix (fd01:203:405:/48) with the external prefix (2001:db8:1:/48). The internal interface is "eth0" while the external interface is "eth1".

      External Network: Prefix = 2001:db8:1:/48
      --------------------------------------
                       |
                       |eth1
                +-------------+
            eth4|    NPTv6    |eth2
         ...----|             |------...
                +-------------+
                       |eth0
                       |
      --------------------------------------
      Internal Network: Prefix = fd01:203:405:/48

                Example of NPTv6 (RFC6296)

The XML snippet to configure NPTv6 prefixes in such a case is depicted below:

      1
      fd01:203:405:/48
      2001:db8:1:/48
      ...
      eth1
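The checksum-neutral prefix rewriting that an NPTv6 translator performs for the configuration above, as an added Python example (not code from the draft or from RFC 6296): the constant adjustment is the one's complement difference between the internal and external /48 prefixes, and on each packet it is added to bits 48..63 of the address so that the one's complement sum over the whole address, and therefore any TCP/UDP checksum computed over it, is unchanged. The prefixes are the page's, written in the canonical form fd01:203:405::/48 and 2001:db8:1::/48 that the ipaddress module accepts. The class and function names are this example's own, as is its handling of the one's complement zero: a result of 0xFFFF is written as 0x0000 (both are zero in one's complement arithmetic, so the sum is unchanged), and an input whose bits 48..63 are already 0xFFFF is rejected because it cannot be mapped unambiguously.

```python
import ipaddress
from typing import List


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words: List[int]) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def to_words(addr: ipaddress.IPv6Address) -> List[int]:
    """Split an IPv6 address into its eight 16-bit words."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_sum(addr: str) -> int:
    """One's complement sum of an address: the quantity NPTv6 keeps unchanged."""
    return ones_sum(to_words(ipaddress.IPv6Address(addr)))


class NPTv6Translator:
    """Checksum-neutral prefix translation for prefixes of /48 or shorter."""

    def __init__(self, internal_prefix: str, external_prefix: str) -> None:
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must have the same length")
        if self.internal.prefixlen > 48:
            raise ValueError("this example only handles prefixes of /48 or shorter")
        # Words 0..2 hold the prefix. The adjustment is the one's complement
        # difference (internal minus external) of their sums; it is a constant
        # of the mapping, computed once.
        internal_sum = ones_sum(to_words(self.internal.network_address)[:3])
        external_sum = ones_sum(to_words(self.external.network_address)[:3])
        self.adjustment = ones_add(internal_sum, (~external_sum) & 0xFFFF)

    def _rewrite(self, addr: ipaddress.IPv6Address, src: ipaddress.IPv6Network,
                 dst: ipaddress.IPv6Network, adjustment: int) -> str:
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        host_bits = 128 - src.prefixlen
        host_part = int(addr) & ((1 << host_bits) - 1)
        words = to_words(ipaddress.IPv6Address(int(dst.network_address) | host_part))
        if words[3] == 0xFFFF:
            # 0xFFFF and 0x0000 are the same value in one's complement, so a
            # subnet field of 0xFFFF cannot be mapped unambiguously (example's choice).
            raise ValueError(f"{addr} uses the unusable subnet value 0xFFFF")
        # Bits 48..63 (word 3) absorb the adjustment so that the one's complement
        # sum of the whole address is unchanged by the prefix swap.
        words[3] = ones_add(words[3], adjustment)
        if words[3] == 0xFFFF:
            words[3] = 0x0000      # same one's complement value, canonical form
        return str(from_words(words))

    def outbound(self, internal_addr: str) -> str:
        """Internal source address -> external address (packets leaving via eth1)."""
        return self._rewrite(ipaddress.IPv6Address(internal_addr),
                             self.internal, self.external, self.adjustment)

    def inbound(self, external_addr: str) -> str:
        """External destination address -> internal address (packets arriving)."""
        return self._rewrite(ipaddress.IPv6Address(external_addr),
                             self.external, self.internal,
                             (~self.adjustment) & 0xFFFF)
```

With these prefixes the adjustment is 0xd54f, so fd01:203:405:1::1 leaves as 2001:db8:1:d550::1 and is mapped back to itself on the return path; address_sum() lets an operator confirm neutrality for any pair of addresses, which is the property that lets transport checksums pass through the translator untouched.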
Figure 3 shows an example of an NPTv6 that interconnects two internal networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is translated using a dedicated prefix (2001:db8:1:/48 and 2001:db8:6666:/48, respectively).

      Internal Prefix = fd01:4444:5555:/48
      --------------------------------------
          V               |      External Prefix
          V               |eth1  2001:db8:1:/48
          V          +---------+      ^
          V          |  NPTv6  |      ^
          V          |         |      ^
          V          +---------+      ^
      External Prefix     |eth0       ^
      2001:db8:6666:/48   |           ^
      --------------------------------------
      Internal Prefix = fd01:203:405:/48

         Figure 3: Connecting two Peer Networks (RFC6296)

To that aim, the following configuration is provided to the NPTv6:

      1
      1
      fd01:203:405:/48
      2001:db8:1:/48
      eth1

      2
      2
      fd01:4444:5555:/48
      2001:db8:6666:/48
      eth0

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com