idnits 2.17.1 draft-ietf-opsawg-nat-yang-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 24 instances of too long lines in the document, the longest one being 51 characters in excess of 72. == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 505 has weird spacing: '...-prefix ine...' == Line 507 has weird spacing: '...-prefix ine...' == Line 513 has weird spacing: '...-prefix ine...' == Line 518 has weird spacing: '...-prefix ine...' == Line 542 has weird spacing: '...atch-id uin...' == (5 more instances...) -- The document date (October 11, 2017) is 2382 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC7659' is defined on line 2890, but no explicit reference was found in the text ** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341) ** Downref: Normative reference to an Informational RFC: RFC 6877 == Outdated reference: A later version (-05) exists of draft-boucadair-pcp-yang-04 == Outdated reference: A later version (-17) exists of draft-ietf-softwire-dslite-yang-07 == Outdated reference: A later version (-23) exists of draft-ietf-tsvwg-natsupp-11 Summary: 3 errors (**), 0 flaws (~~), 12 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Boucadair 3 Internet-Draft Orange 4 Intended status: Standards Track S. Sivakumar 5 Expires: April 14, 2018 Cisco Systems 6 C. Jacquenet 7 Orange 8 S. Vinapamula 9 Juniper Networks 10 Q. Wu 11 Huawei 12 October 11, 2017 14 A YANG Data Model for Network Address Translation (NAT) and Network 15 Prefix Translation (NPT) 16 draft-ietf-opsawg-nat-yang-06 18 Abstract 20 For the sake of network automation and the need for programming 21 Network Address Translation (NAT) function in particular, a data 22 model for configuring and managing the NAT is essential. This 23 document defines a YANG module for the NAT function. 25 NAT44, Network Address and Protocol Translation from IPv6 Clients to 26 IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit 27 Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and 28 IPv6 Network Prefix Translation (NPTv6) are covered in this document. 30 Editorial Note (To be removed by RFC Editor) 32 Please update this statement with the RFC number to be assigned to 33 ths document: 35 "This version of this YANG module is part of RFC XXXX;" 37 Status of This Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at https://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on April 14, 2018. 54 Copyright Notice 56 Copyright (c) 2017 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents 61 (https://trustee.ietf.org/license-info) in effect on the date of 62 publication of this document. Please review these documents 63 carefully, as they describe your rights and restrictions with respect 64 to this document. Code Components extracted from this document must 65 include Simplified BSD License text as described in Section 4.e of 66 the Trust Legal Provisions and are provided without warranty as 67 described in the Simplified BSD License. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 72 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 73 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 74 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 75 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 76 2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 6 77 2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6 78 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6 79 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6 80 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 7 81 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7 82 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7 83 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 10 84 2.10. Binding the NAT Function to an External Interface or VRF 10 85 2.11. Tree Structure . . . . . . . . . . . . . . . . . . . . . 10 86 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 87 4. Security Considerations . . . . . . . . . . . . . . . . . . . 56 88 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 89 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 57 90 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 58 91 7.1. Normative References . . . . . . . . . . . . . . . . . . 58 92 7.2. Informative References . . . . . . . . . . . . . . . . . 59 93 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 61 94 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 61 95 A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 96 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 66 97 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 67 98 A.5. Explicit Address Mappings for Stateless IP/ICMP 99 Translation . . . . . . . . . . . . . . . . . . . . . . . 68 100 A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 71 101 A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 71 102 A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 72 103 A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 75 104 A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 75 105 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 78 107 1. Introduction 109 This document defines a data model for Network Address Translation 110 (NAT) and Network Prefix Translation (NPT) capabilities using the 111 YANG data modeling language [RFC7950]. 113 Traditional NAT is defined in [RFC2663], while Carrier Grade NAT 114 (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is 115 used to optimize the usage of global IP address space at the scale of 116 a domain: a CGN is not managed by end users, but by service providers 117 instead. This document covers both traditional NATs and CGNs. 119 This document also covers NAT64 [RFC6146], customer-side translator 120 (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP 121 Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation 122 (NPTv6) [RFC6296]. The full set of translation schemes that are in 123 scope is included in Section 2.2. 125 Sample examples are provided in Appendix A. These examples are not 126 intended to be exhaustive. 128 1.1. Terminology 130 This document makes use of the following terms: 132 o Basic NAT44: translation is limited to IP addresses alone 133 (Section 2.1 of [RFC3022]). 135 o Network Address/Port Translator (NAPT): translation in NAPT is 136 extended to include IP addresses and transport identifiers (such 137 as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of 138 [RFC3022]. 140 o Destination NAT: is a translation that acts on the destination IP 141 address and/or destination port number. This flavor is usually 142 deployed in load balancers or at devices in front of public 143 servers. 145 o Port-restricted IPv4 address: An IPv4 address with a restricted 146 port set. Multiple hosts may share the same IPv4 address; 147 however, their port sets must not overlap [RFC7596]. 149 o Restricted port set: A non-overlapping range of allowed external 150 ports to use for NAT operation. Source ports of IPv4 packets 151 translated by a NAT must belong to the assigned port set. The 152 port set is used for all port-aware IP protocols [RFC7596]. 154 o Internal Host: A host that may solicit a NAT or an NPTv6 (or both) 155 capability to send to and receive traffic from the Internet. 157 o Internal Address/prefix: The IP address/prefix of an internal 158 host. 160 o External Address: The IP address/prefix assigned by a NAT/NPTv6 to 161 an internal host; this is the address that will be seen by a 162 remote host on the Internet. 164 o Mapping: denotes a state at the NAT that is necessary for network 165 address and/or port translation. 167 o Dynamic implicit mapping: is created implicitly as a side effect 168 of traffic such as an outgoing TCP SYN or an outgoing UDP packet. 169 A validity lifetime is associated with this mapping. 171 o Dynamic explicit mapping: is created as a result of an explicit 172 request, e.g., PCP message [RFC6887]. A validity lifetime is 173 associated with this mapping. 175 o Static explicit mapping: is created manually. This mapping is 176 likely to be maintained by the NAT function till an explicit 177 action is executed to remove it. 179 The usage of the term NAT in this document refers to any NAT flavor 180 (NAT44, NAT64, etc.) indifferently. 182 This document uses the term "session" as defined in [RFC2663] and 183 [RFC6146] for NAT64. 185 1.2. Tree Diagrams 187 The meaning of the symbols in these diagrams is as follows: 189 o Brackets "[" and "]" enclose list keys. 191 o Curly braces "{" and "}" contain names of optional features that 192 make the corresponding node conditional. 194 o Abbreviations before data node names: "rw" means configuration 195 (read-write), "ro" state data (read-only). 197 o Symbols after data node names: "?" means an optional node, "!" a 198 container with presence, and "*" denotes a "list" or "leaf-list". 200 o Parentheses enclose choice and case nodes, and case nodes are also 201 marked with a colon (":"). 203 o Ellipsis ("...") stands for contents of subtrees that are not 204 shown. 206 2. Overview of the NAT YANG Data Model 208 2.1. Overview 210 The NAT YANG module is designed to cover dynamic implicit mappings 211 and static explicit mappings. The required functionality to instruct 212 dynamic explicit mappings is defined in separate documents such as 213 [I-D.boucadair-pcp-yang]. Considerations about instructing explicit 214 dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of 215 scope. 217 A single NAT device can have multiple NAT instances (nat-instance); 218 each of these instances can be provided with its own policies (e.g., 219 be responsible for serving a group of hosts). This document does not 220 make any assumption about how internal hosts or flows are associated 221 with a given NAT instance. 223 The NAT YANG module assumes that each NAT instance can be enabled/ 224 disabled, be provisioned with a specific set of configuration data, 225 and maintains its own mapping tables. 227 Further, the NAT YANG module allows for a NAT instance to be provided 228 with multiple NAT policies (nat-policy). The document does not make 229 any assumption about how flows are associated with a given NAT policy 230 of a given NAT instance. Classification filters are out of scope. 232 Defining multiple NAT instances or configuring multiple NAT policies 233 within one single NAT instance is implementation- and deployment- 234 specific. 236 To accommodate deployments where [RFC6302] is not enabled, this YANG 237 module allows to instruct a NAT function to log the destination port 238 number. The reader may refer to [I-D.ietf-behave-ipfix-nat-logging] 239 which provides the templates to log the destination ports. 241 2.2. Various NAT Flavors 243 The following modes are supported: 245 1. Basic NAT44 246 2. NAPT 247 3. Destination NAT 248 4. Port-restricted NAT 249 5. Stateful and stateless NAT64 250 6. EAM SIIT 251 7. CLAT 252 8. NPTv6 253 9. Combination of Basic NAT/NAPT and Destination NAT 254 10. Combination of port-restricted and Destination NAT 255 11. Combination of NAT64 and EAM 257 [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS- 258 Lite. 260 2.3. TCP, UDP and ICMP NAT Behavioral Requirements 262 This document assumes [RFC4787][RFC5382][RFC5508] are enabled by 263 default. 265 Furthermore, the NAT YANG module relies upon the recommendations 266 detailed in [RFC6888] and [RFC7857]. 268 2.4. Other Transport Protocols 270 The module is structured to support other protocols than UDP, TCP, 271 and ICMP. The mapping table is designed so that it can indicate any 272 transport protocol. For example, this module may be used to manage a 273 DCCP-capable NAT that adheres to [RFC5597]. 275 Future extensions can be defined to cover NAT-related considerations 276 that are specific to other transport protocols such as SCTP 277 [I-D.ietf-tsvwg-natsupp]. Typically, the mapping entry can be 278 extended to record two optional SCTP-specific parameters: Internal 279 Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag). 281 2.5. IP Addresses Used for Translation 283 The NAT YANG module assumes that blocks of IP external addresses 284 (external-ip-address-pool) can be provisioned to the NAT function. 285 These blocks may be contiguous or not. 287 This behavior is aligned with [RFC6888] which specifies that a NAT 288 function should not have any limitations on the size or the 289 contiguity of the external address pool. In particular, the NAT 290 function must be configurable with contiguous or non-contiguous 291 external IPv4 address ranges. 293 Likewise, one or multiple IP address pools may be configured for 294 Destination NAT (dst-ip-address-pool). 296 2.6. Port Set Assignment 298 Port numbers can be assigned by a NAT individually (that is, a single 299 port is a assigned on a per session basis). Nevertheless, this port 300 allocation scheme may not be optimal for logging purposes. 301 Therefore, a NAT function should be able to assign port sets (e.g., 302 [RFC7753]) to optimize the volume of the logging data (REQ-14 of 303 [RFC6888]). Both features are supported in the NAT YANG module. 305 When port set assignment is activated (i.e., port-allocation- 306 type==port-range-allocation), the NAT can be provided with the size 307 of the port set to be assigned (port-set-size). 309 2.7. Port-Restricted IP Addresses 311 Some NATs require to restrict the port numbers (e.g., Lightweight 312 4over6 [RFC7596], MAP-E [RFC7597]). Two schemes of port set 313 assignments (port-set-restrict) are supported in this document: 315 o Simple port range: is defined by two port values, the start and 316 the end of the port range [RFC8045]. 318 o Algorithmic: an algorithm is defined in [RFC7597] to characterize 319 the set of ports that can be used. 321 2.8. NAT Mapping Entries 323 A TCP/UDP mapping entry maintains an association between the 324 following information: 326 (internal-src-address, internal-src-port) (internal-dst-address, 327 internal-dst-port) <=> (external-src-address, external-src-port) 328 (external-dst-address, external-dst-port) 330 An ICMP mapping entry maintains an association between the following 331 information: 333 (internal-src-address, internal-dst-address, internal ICMP/ICMPv6 334 identifier) <=> (external-src-address, external-dst-address, 335 external ICMP/ICMPv6 identifier) 337 To cover TCP, UDP, and ICMP, the NAT YANG module assumes the 338 following structure of a mapping entry: 340 type: Indicates how the mapping was instantiated. For example, it 341 may indicate whether a mapping is dynamically instantiated by a 342 packet or statically configured. 344 transport-protocol: Indicates the transport protocol (e.g., UDP, 345 TCP, ICMP) of a given mapping. 347 internal-src-address: Indicates the source IP address as used by an 348 internal host. 350 internal-src-port: Indicates the source port number (or ICMP 351 identifier) as used by an internal host. 353 external-src-address: Indicates the source IP address as assigned 354 by the NAT. 356 external-src-port: Indicates the source port number (or ICMP 357 identifier) as assigned by the NAT. 359 internal-dst-address: Indicates the destination IP address as used 360 by an internal host when sending a packet to a remote host. 362 internal-dst-port: Indicates the destination IP address as used by 363 an internal host when sending a packet to a remote host. 365 external-dst-address: Indicates the destination IP address used by a 366 NAT when processing a packet issued by an internal host towards a 367 remote host. 369 external-dst-port: Indicates the destination port number used by a 370 NAT when processing a packet issued by an internal host towards a 371 remote host. 373 In order to cover both NAT64 and NAT44 flavors in particular, the NAT 374 mapping structure allows to include an IPv4 or an IPv6 address as an 375 internal IP address. Remaining fields are common to both NAT 376 schemes. 378 For example, the mapping that will be created by a NAT64 upon receipt 379 of a TCP SYN from source address 2001:db8:aaaa::1 and source port 380 number 25636 to destination IP address 2001:db8:1234::198.51.100.1 381 and destination port number 8080 is characterized as follows: 383 o type: dynamic implicit mapping. 384 o transport-protocol: TCP (6) 385 o internal-src-address: 2001:db8:aaaa::1 386 o internal-src-port: 25636 387 o external-src-address: T (an IPv4 address configured on the NAT64) 388 o external-src-port: t (a port number that is chosen by the NAT64) 389 o internal-dst-address: 2001:db8:1234::198.51.100.1 390 o internal-dst-port: 8080 391 o external-dst-address: 198.51.100.1 392 o external-dst-port: 8080 394 The mapping that will be created by a NAT44 upon receipt of an ICMP 395 request from source address 198.51.100.1 and ICMP identifier (ID1) to 396 destination IP address 198.51.100.11 is characterized as follows: 398 o type: dynamic implicit mapping. 399 o transport-protocol: ICMP (1) 400 o internal-src-address: 198.51.100.1 401 o internal-src-port: ID1 402 o external-src-address: T (an IPv4 address configured on the NAT44) 403 o external-src-port: ID2 (an ICMP identifier that is chosen by the 404 NAT44) 405 o internal-dst-address: 198.51.100.11 407 The mapping that will be created by a NAT64 upon receipt of an ICMP 408 request from source address 2001:db8:aaaa::1 and ICMP identifier 409 (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is 410 characterized as follows: 412 o type: dynamic implicit mapping. 413 o transport-protocol: ICMPv6 (58) 414 o internal-src-address: 2001:db8:aaaa::1 415 o internal-src-port: ID1 416 o external-src-address: T (an IPv4 address configured on the NAT64) 417 o external-src-port: ID2 (an ICMP identifier that is chosen by the 418 NAT64) 419 o internal-dst-address: 2001:db8:1234::198.51.100.1 420 o external-dst-address: 198.51.100.1 422 Note that a mapping table is maintained only for stateful NAT 423 functions. Particularly: 425 o No mapping table is maintained for NPTv6 given that it is 426 stateless and transport-agnostic. 428 o The double translations are stateless in CLAT if a dedicated IPv6 429 prefix is provided for CLAT. If not, a stateful NAT44 will be 430 required. 432 o No per-flow mapping is maintained for EAM [RFC7757]. 434 o No mapping table is maintained for stateless NAT64. As a 435 reminder, in such deployments internal IPv6 nodes are addressed 436 using IPv4-translatable IPv6 addresses, which enable them to be 437 accessed by IPv4 nodes [RFC6052]. 439 2.9. Resource Limits 441 In order to comply with CGN deployments in particular, the NAT YANG 442 module allows limiting the number of external ports per subscriber 443 (port-quota) and the amount of state memory allocated per mapping and 444 per subscriber (mapping-limit and connection-limit). According to 445 [RFC6888], the model allows for the following: 447 o Per-subscriber limits are configurable by the NAT administrator. 449 o Per-subscriber limits are configurable independently per transport 450 protocol. 452 o Administrator-adjustable thresholds to prevent a single subscriber 453 from consuming excessive CPU resources from the NAT (e.g., rate- 454 limit the subscriber's creation of new mappings) can be 455 configured. 457 2.10. Binding the NAT Function to an External Interface or VRF 459 The model allows to specify the interface or Virtual Routing and 460 Forwarding (VRF) instance on which the NAT function must be applied 461 (external-realm). Distinct interfaces/VRFs can be provided as a 462 function of the NAT policy (see for example, Section 4 of [RFC7289]). 464 If no external interface/VRF is provided, this assumes that the 465 system is able to determine the external interface/VRF instance on 466 which the NAT will be applied. Typically, the WAN and LAN interfaces 467 of a CPE is determined by the CPE. 469 2.11. Tree Structure 471 The tree structure of the NAT YANG module is provided below: 473 module: ietf-nat 474 +--rw nat-module 475 +--rw nat-instances 476 +--rw nat-instance* [id] 477 +--rw id uint32 478 +--rw name? string 479 +--rw enable? boolean 480 +--rw nat-capabilities 481 | +--rw nat-flavor* identityref 482 | +--rw nat44-flavor* identityref 483 | +--rw restricted-port-support? boolean 484 | +--rw static-mapping-support? boolean 485 | +--rw port-randomization-support? boolean 486 | +--rw port-range-allocation-support? boolean 487 | +--rw port-preservation-suport? boolean 488 | +--rw port-parity-preservation-support? boolean 489 | +--rw address-roundrobin-support? boolean 490 | +--rw paired-address-pooling-support? boolean 491 | +--rw endpoint-independent-mapping-support? boolean 492 | +--rw address-dependent-mapping-support? boolean 493 | +--rw address-and-port-dependent-mapping-support? boolean 494 | +--rw endpoint-independent-filtering-support? boolean 495 | +--rw address-dependent-filtering? boolean 496 | +--rw address-and-port-dependent-filtering? boolean 497 +--rw nat-pass-through* [nat-pass-through-id] 498 | +--rw nat-pass-through-id uint32 499 | +--rw nat-pass-through-pref? inet:ip-prefix 500 | +--rw nat-pass-through-port? inet:port-number 501 +--rw nat-policy* [policy-id] 502 | +--rw policy-id uint32 503 | +--rw clat-parameters 504 | | +--rw clat-ipv6-prefixes* [clat-ipv6-prefix] 505 | | | +--rw clat-ipv6-prefix inet:ipv6-prefix 506 | | +--rw clat-ipv4-prefixes* [clat-ipv4-prefix] 507 | | +--rw clat-ipv4-prefix inet:ipv4-prefix 508 | +--rw nptv6-prefixes* [translation-id] 509 | | +--rw translation-id uint32 510 | | +--rw internal-ipv6-prefix? inet:ipv6-prefix 511 | | +--rw external-ipv6-prefix? inet:ipv6-prefix 512 | +--rw eam* [eam-ipv4-prefix] 513 | | +--rw eam-ipv4-prefix inet:ipv4-prefix 514 | | +--rw eam-ipv6-prefix? inet:ipv6-prefix 515 | +--rw nat64-prefixes* [nat64-prefix] 516 | | +--rw nat64-prefix inet:ipv6-prefix 517 | | +--rw destination-ipv4-prefix* [ipv4-prefix] 518 | | | +--rw ipv4-prefix inet:ipv4-prefix 519 | | +--rw stateless-enable? boolean 520 | +--rw external-ip-address-pool* [pool-id] 521 | | +--rw pool-id uint32 522 | | +--rw external-ip-pool? inet:ipv4-prefix 523 | +--rw port-set-restrict 524 | | +--rw (port-type)? 525 | | +--:(port-range) 526 | | | +--rw start-port-number? inet:port-number 527 | | | +--rw end-port-number? inet:port-number 528 | | +--:(port-set-algo) 529 | | +--rw psid-offset? uint8 530 | | +--rw psid-len uint8 531 | | +--rw psid uint16 532 | +--rw dst-nat-enable? boolean 533 | +--rw dst-ip-address-pool* [pool-id] 534 | | +--rw pool-id uint32 535 | | +--rw dst-in-ip-pool? inet:ip-prefix 536 | | +--rw dst-out-ip-pool? inet:ip-prefix 537 | +--rw supported-transport-protocols* [transport-protocol-id] 538 | | +--rw transport-protocol-id uint8 539 | | +--rw transport-protocol-name? string 540 | +--rw subscriber-mask-v6? uint8 541 | +--rw subscriber-match* [sub-match-id] 542 | | +--rw sub-match-id uint32 543 | | +--rw sub-mask inet:ip-prefix 544 | +--rw paired-address-pooling? boolean 545 | +--rw nat-mapping-type? enumeration 546 | +--rw nat-filtering-type? enumeration 547 | +--rw port-quota* [quota-type] 548 | | +--rw port-limit? uint16 549 | | +--rw quota-type enumeration 550 | +--rw port-allocation-type? enumeration 551 | +--rw address-roundrobin-enable? boolean 552 | +--rw port-set 553 | | +--rw port-set-size? uint16 554 | | +--rw port-set-timeout? uint32 555 | +--rw timers 556 | | +--rw udp-timeout? uint32 557 | | +--rw tcp-idle-timeout? uint32 558 | | +--rw tcp-trans-open-timeout? uint32 559 | | +--rw tcp-trans-close-timeout? uint32 560 | | +--rw tcp-in-syn-timeout? uint32 561 | | +--rw fragment-min-timeout? uint32 562 | | +--rw icmp-timeout? uint32 563 | | +--rw per-port-timeout* [port-number] 564 | | | +--rw port-number inet:port-number 565 | | | +--rw port-timeout inet:port-number 566 | | +--rw hold-down-timeout? uint32 567 | | +--rw hold-down-max? uint32 568 | +--rw algs* [alg-name] 569 | | +--rw alg-name string 570 | | +--rw alg-transport-protocol? uint32 571 | | +--rw alg-transport-port? inet:port-number 572 | | +--rw alg-status? boolean 573 | +--rw all-algs-enable? boolean 574 | +--rw notify-pool-usage 575 | | +--rw pool-id? uint32 576 | | +--rw notify-pool-hi-threshold percent 577 | | +--rw notify-pool-low-threshold? percent 578 | +--rw external-realm 579 | +--rw (realm-type)? 580 | +--:(interface) 581 | | +--rw external-interface? if:interface-ref 582 | +--:(vrf) 583 | +--rw external-vrf-instance? identityref 584 +--rw mapping-limit 585 | +--rw limit-per-subscriber? uint32 586 | +--rw limit-per-vrf? uint32 587 | +--rw limit-per-subnet? inet:ip-prefix 588 | +--rw limit-per-instance uint32 589 | +--rw limit-per-udp uint32 590 | +--rw limit-per-tcp uint32 591 | +--rw limit-per-icmp uint32 592 +--rw connection-limit 593 | +--rw limit-per-subscriber? uint32 594 | +--rw limit-per-vrf? uint32 595 | +--rw limit-per-subnet? inet:ip-prefix 596 | +--rw limit-per-instance uint32 597 | +--rw limit-per-udp uint32 598 | +--rw limit-per-tcp uint32 599 | +--rw limit-per-icmp uint32 600 +--rw logging-info 601 | +--rw logging-enable? boolean 602 | +--rw destination-address inet:ip-prefix 603 | +--rw destination-port inet:port-number 604 | +--rw (protocol)? 605 | +--:(syslog) 606 | | +--rw syslog? boolean 607 | +--:(ipfix) 608 | | +--rw ipfix? boolean 609 | +--:(ftp) 610 | +--rw ftp? boolean 611 +--rw mapping-table 612 | +--rw mapping-entry* [index] 613 | +--rw index uint32 614 | +--rw type? enumeration 615 | +--rw transport-protocol? uint8 616 | +--rw internal-src-address? inet:ip-prefix 617 | +--rw internal-src-port 618 | | +--rw start-port-number? inet:port-number 619 | | +--rw end-port-number? inet:port-number 620 | +--rw external-src-address? inet:ip-prefix 621 | +--rw external-src-port 622 | | +--rw start-port-number? inet:port-number 623 | | +--rw end-port-number? inet:port-number 624 | +--rw internal-dst-address? inet:ip-prefix 625 | +--rw internal-dst-port 626 | | +--rw start-port-number? inet:port-number 627 | | +--rw end-port-number? inet:port-number 628 | +--rw external-dst-address? inet:ip-prefix 629 | +--rw external-dst-port 630 | | +--rw start-port-number? inet:port-number 631 | | +--rw end-port-number? inet:port-number 632 | +--rw lifetime? uint32 633 +--ro statistics 634 +--ro traffic-statistics 635 | +--ro sent-packet? yang:zero-based-counter64 636 | +--ro sent-byte? yang:zero-based-counter64 637 | +--ro rcvd-packet? yang:zero-based-counter64 638 | +--ro rcvd-byte? yang:zero-based-counter64 639 | +--ro dropped-packet? yang:zero-based-counter64 640 | +--ro dropped-byte? yang:zero-based-counter64 641 +--ro mapping-statistics 642 | +--ro total-mappings? uint32 643 | +--ro total-tcp-mappings? uint32 644 | +--ro total-udp-mappings? uint32 645 | +--ro total-icmp-mappings? uint32 646 +--ro pool-stats 647 +--ro pool-id? uint32 648 +--ro address-allocated? uint32 649 +--ro address-free? uint32 650 +--ro port-stats 651 +--ro ports-allocated? uint32 652 +--ro ports-free? uint32 654 notifications: 655 +---n nat-event 656 +--ro id? -> /nat-module/nat-instances/nat-instance/id 657 +--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id 658 +--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id 659 +--ro notify-pool-threshold percent 661 3. NAT YANG Module 663 file "ietf-nat@2017-10-12.yang" 665 module ietf-nat { 666 yang-version 1.1; 667 namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; 669 //namespace to be assigned by IANA 670 prefix "nat"; 672 import ietf-inet-types { prefix inet; } 673 import ietf-yang-types { prefix yang; } 674 import ietf-interfaces { prefix if; } 676 organization "IETF OPSAWG Working Group"; 678 contact 679 "Mohamed Boucadair 680 Senthil Sivakumar 681 Chritsian Jacquenet 682 Suresh Vinapamula 683 Qin Wu "; 685 description 686 "This module is a YANG module for NAT implementations 687 (including NAT44 and NAT64 flavors). 689 Copyright (c) 2017 IETF Trust and the persons identified as 690 authors of the code. All rights reserved. 692 Redistribution and use in source and binary forms, with or 693 without modification, is permitted pursuant to, and subject 694 to the license terms contained in, the Simplified BSD License 695 set forth in Section 4.c of the IETF Trust's Legal Provisions 696 Relating to IETF Documents 697 (http://trustee.ietf.org/license-info). 699 This version of this YANG module is part of RFC XXXX; see 700 the RFC itself for full legal notices."; 702 revision 2017-10-12 { 703 description "Comments from Mahesh Jethanandani."; 704 reference "-ietf-05"; 705 } 707 revision 2017-10-02 { 708 description "Comments from Rajiv Asati to call out 709 explicitly stateless NAT64."; 710 reference "-ietf-04"; 711 } 713 revision 2017-09-27 { 714 description "Comments from Kris Poscic about NAT44, mainly: 715 - Allow for multiple NAT policies within the same instance. 716 - Associate an external interface/vrf per NAT policy."; 717 reference "-ietf-04"; 718 } 720 revision 2017-09-18 { 721 description "Comments from Tore Anderson about EAM-SIIT."; 722 reference "-ietf-03"; 723 } 725 revision 2017-08-23 { 726 description "Comments from F. Baker about NPTv6."; 727 reference "-ietf-02"; 728 } 730 revision 2017-08-21 { 731 description " Includes CLAT (Lee/Jordi)."; 732 reference "-ietf-01"; 733 } 735 revision 2017-08-03 { 736 description "Integrates comments from OPSAWG CFA."; 737 reference "-ietf-00"; 738 } 740 revision 2017-07-03 { 741 description "Integrates comments from D. Wing and T. Zhou."; 742 reference "-07"; 743 } 745 revision 2015-09-08 { 746 description "Fixes few YANG errors."; 748 reference "-02"; 749 } 751 revision 2015-09-07 { 752 description "Completes the NAT64 model."; 753 reference "01"; 754 } 756 revision 2015-08-29 { 757 description "Initial version."; 758 reference "00"; 759 } 761 /* 762 * Definitions 763 */ 765 typedef percent { 766 type uint8 { 767 range "0 .. 100"; 768 } 769 description 770 "Percentage"; 771 } 773 /* 774 * Identities 775 */ 777 identity nat-type { 778 description 779 "Base identity for nat type."; 780 } 782 identity nat44 { 783 base nat:nat-type; 785 description 786 "Identity for traditional NAT support."; 788 reference 789 "RFC 3022."; 790 } 792 identity basic-nat { 793 base nat:nat44; 795 description 796 "Identity for Basic NAT support."; 798 reference 799 "RFC 3022."; 800 } 802 identity napt { 803 base nat:nat44; 805 description 806 "Identity for NAPT support."; 808 reference 809 "RFC 3022."; 810 } 812 identity restricted-nat { 813 base nat:nat44; 815 description 816 "Identity for Port-Restricted NAT support."; 818 reference 819 "RFC 7596."; 820 } 822 identity dst-nat { 823 base nat:nat-type; 825 description 826 "Identity for Destination NAT support."; 827 } 829 identity nat64 { 830 base nat:nat-type; 832 description 833 "Identity for NAT64 support."; 835 reference 836 "RFC 6146."; 837 } 839 identity clat { 840 base nat:nat-type; 842 description 843 "Identity for CLAT support."; 845 reference 846 "RFC 6877."; 847 } 849 identity eam { 850 base nat:nat-type; 852 description 853 "Identity for EAM support."; 855 reference 856 "RFC 7757."; 857 } 859 identity nptv6 { 860 base nat:nat-type; 862 description 863 "Identity for NPTv6 support."; 865 reference 866 "RFC 6296."; 867 } 869 identity vrf-routing-instance { 870 description 871 "This identity represents a VRF routing instance."; 873 reference 874 "Section 8.9 of RFC 4026."; 875 } 877 /* 878 * Grouping 879 */ 881 // port numbers: single or port-range 883 grouping port-number { 884 description 885 "Individual port or a range of ports. 886 When only start-port-numbert is present, 887 it represents a single port."; 889 leaf start-port-number { 890 type inet:port-number; 892 description 893 "Begining of the port range."; 895 reference 896 "Section 3.2.9 of RFC 8045."; 897 } 899 leaf end-port-number { 900 type inet:port-number; 902 must ". >= ../start-port-number" 903 { 904 error-message 905 "The end-port-number must be greater than or 906 equal to start-port-number."; 907 } 908 description 909 "End of the port range."; 911 reference 912 "Section 3.2.10 of RFC 8045."; 913 } 915 } 917 // Set of ports 919 grouping port-set { 920 description 921 "Indicates a set of ports. 922 It may be a simple port range, or use the PSID algorithm 923 to represent a range of transport layer 924 ports which will be used by a NAPT."; 926 choice port-type { 927 default port-range; 929 description 930 "Port type: port-range or port-set-algo."; 932 case port-range { 933 /*leaf start-port-number { 934 type inet:port-number; 935 description 936 "Begining of the port range."; 938 reference 939 "Section 3.2.9 of RFC 8045."; 940 } 942 leaf end-port-number { 943 type inet:port-number; 945 description 946 "End of the port range."; 948 reference 949 "Section 3.2.10 of RFC 8045."; 950 }*/ 951 uses port-number; 952 } 954 case port-set-algo { 955 leaf psid-offset { 956 type uint8 { 957 range 0..16; 958 } 960 description 961 "The number of offset bits. In Lightweight 4over6, 962 the default value is 0 for assigning one contiguous 963 port range. In MAP-E/T, the default value is 6, 964 which excludes system ports by default and assigns 965 port ranges distributed across the entire port 966 space."; 967 } 969 leaf psid-len { 970 type uint8 { 971 range 0..15; 972 } 973 mandatory true; 975 description 976 "The length of PSID, representing the sharing 977 ratio for an IPv4 address."; 978 } 980 leaf psid { 981 type uint16; 982 mandatory true; 984 description 985 "Port Set Identifier (PSID) value, which 986 identifies a set of ports algorithmically."; 987 } 988 } 989 } 990 } 992 // Mapping Entry 994 grouping mapping-entry { 995 description 996 "NAT mapping entry."; 998 leaf index { 999 type uint32; 1001 description 1002 "A unique identifier of a mapping entry."; 1003 } 1005 leaf type { 1006 type enumeration { 1007 enum "static" { 1008 description 1009 "The mapping entry is manually 1010 configured."; 1012 } 1014 enum "dynamic-explicit" { 1015 description 1016 "This mapping is created by an 1017 outgoing packet."; 1018 } 1020 enum "dynamic-implicit" { 1021 description 1022 "This mapping is created by an 1023 explicit dynamic message."; 1024 } 1025 } 1026 description 1027 "Indicates the type of a mapping entry. E.g., 1028 a mapping can be: static, implicit dynamic 1029 or explicit dynamic."; 1030 } 1032 leaf transport-protocol { 1033 type uint8; 1035 description 1036 "Upper-layer protocol associated with this mapping. 1037 Values are taken from the IANA protocol registry. 1038 For example, this field contains 6 (TCP) for a TCP 1039 mapping or 17 (UDP) for a UDP mapping. No transport 1040 protocol is indicated if a mapping applies for any 1041 protocol."; 1042 } 1044 leaf internal-src-address { 1045 type inet:ip-prefix; 1047 description 1048 "Corresponds to the source IPv4/IPv6 address/prefix 1049 of the packet received on an internal 1050 interface."; 1051 } 1053 container internal-src-port { 1054 description 1055 "Corresponds to the source port of the 1056 packet received on an internal interface. 1058 It is used also to carry the internal 1059 source ICMP identifier."; 1061 uses port-number; 1062 } 1064 leaf external-src-address { 1065 type inet:ip-prefix; 1067 description 1068 "Source IP address/prefix of the packet sent 1069 on an external interface of the NAT."; 1070 } 1072 container external-src-port { 1073 description 1074 "Source port of the packet sent 1075 on an external interafce of the NAT. 1077 It is used also to carry the external 1078 source ICMP identifier."; 1079 uses port-number; 1080 } 1082 leaf internal-dst-address { 1083 type inet:ip-prefix; 1085 description 1086 "Corresponds to the destination IP address/prefix 1087 of the packet received on an internal interface 1088 of the NAT. 1090 For example, some NAT implementations support 1091 the translation of both source and destination 1092 addresses and ports, sometimes referred to 1093 as 'Twice NAT'."; 1094 } 1096 container internal-dst-port { 1097 description 1098 "Corresponds to the destination port of the 1099 IP packet received on the internal interface. 1101 It is used also to carry the internal 1102 destination ICMP identifier."; 1104 uses port-number; 1105 } 1107 leaf external-dst-address { 1108 type inet:ip-prefix; 1109 description 1110 "Corresponds to the destination IP address/prefix 1111 of the packet sent on an external interface 1112 of the NAT."; 1113 } 1115 container external-dst-port { 1116 description 1117 "Corresponds to the destination port number of 1118 the packet sent on the external interface 1119 of the NAT. 1121 It is used also to carry the external 1122 destination ICMP identifier."; 1124 uses port-number; 1125 } 1127 leaf lifetime { 1128 type uint32; 1130 description 1131 "When specified, it tracks the connection that is 1132 fully-formed (e.g., once the 3WHS TCP is completed) 1133 or the duration for maintaining an explicit mapping 1134 alive. Static mappings may not be associated with a 1135 lifetime. If no lifetime is associated with a 1136 static mapping, an explicit action is requried to 1137 remove that mapping."; 1138 } 1139 } 1141 /* 1142 * NAT Module 1143 */ 1145 container nat-module { 1146 description 1147 "NAT module"; 1149 container nat-instances { 1150 description 1151 "NAT instances"; 1153 list nat-instance { 1154 key "id"; 1156 description 1157 "A NAT instance."; 1159 leaf id { 1160 type uint32; 1162 description 1163 "NAT instance identifier."; 1165 reference 1166 "RFC 7659."; 1167 } 1169 leaf name { 1170 type string; 1172 description 1173 "A name associated with the NAT instance."; 1174 } 1176 leaf enable { 1177 type boolean; 1179 description 1180 "Status of the the NAT instance."; 1181 } 1183 container nat-capabilities { 1184 description 1185 "NAT capabilities"; 1187 leaf-list nat-flavor { 1188 type identityref { 1189 base nat-type; 1190 } 1191 description 1192 "Type of NAT."; 1193 } 1195 leaf-list nat44-flavor { 1196 when "../nat-flavor = 'nat44'"; 1198 type identityref { 1199 base nat44; 1200 } 1201 description 1202 "Type of NAT44: Basic NAT or NAPT."; 1203 } 1204 leaf restricted-port-support { 1205 type boolean; 1207 description 1208 "Indicates source port NAT restriction 1209 support."; 1210 } 1212 leaf static-mapping-support { 1213 type boolean; 1215 description 1216 "Indicates whether static mappings are supported."; 1217 } 1219 leaf port-randomization-support { 1220 type boolean; 1222 description 1223 "Indicates whether port randomization is supported."; 1224 } 1226 leaf port-range-allocation-support { 1227 type boolean; 1229 description 1230 "Indicates whether port range allocation is supported."; 1231 } 1233 leaf port-preservation-suport { 1234 type boolean; 1236 description 1237 "Indicates whether port preservation is supported."; 1238 } 1240 leaf port-parity-preservation-support { 1241 type boolean; 1243 description 1244 "Indicates whether port parity preservation is supported."; 1245 } 1247 leaf address-roundrobin-support { 1248 type boolean; 1250 description 1251 "Indicates whether address allocation round robin is supported."; 1253 } 1255 leaf paired-address-pooling-support { 1256 type boolean; 1258 description 1259 "Indicates whether paired-address-pooling is supported"; 1260 } 1262 leaf endpoint-independent-mapping-support { 1263 type boolean; 1265 description 1266 "Indicates whether endpoint-independent- 1267 mapping in Section 4 of RFC 4787 is 1268 supported."; 1269 } 1271 leaf address-dependent-mapping-support { 1272 type boolean; 1274 description 1275 "Indicates whether address-dependent-mapping is supported."; 1276 } 1278 leaf address-and-port-dependent-mapping-support { 1279 type boolean; 1281 description 1282 "Indicates whether address-and-port-dependent-mapping is supported."; 1283 } 1285 leaf endpoint-independent-filtering-support { 1286 type boolean; 1288 description 1289 "Indicates whether endpoint-independent-filtering is supported."; 1290 } 1292 leaf address-dependent-filtering { 1293 type boolean; 1295 description 1296 "Indicates whether address-dependent-filtering is supported."; 1297 } 1299 leaf address-and-port-dependent-filtering { 1300 type boolean; 1301 description 1302 "Indicates whether address-and-port-dependent is supported."; 1303 } 1304 } 1306 // Parameters for NAT pass through 1308 list nat-pass-through { 1309 key nat-pass-through-id; 1311 description 1312 "IP prefix NAT pass through."; 1314 leaf nat-pass-through-id { 1315 type uint32; 1317 description 1318 "An identifier of the IP prefix pass 1319 through."; 1320 } 1322 leaf nat-pass-through-pref { 1323 type inet:ip-prefix; 1325 description 1326 "The IP address subnets that match 1327 should not be translated. According to 1328 REQ#6 of RFC6888, it must be possible 1329 to administratively turn off translation 1330 for specific destination addresses 1331 and/or ports."; 1333 reference 1334 "REQ#6 of RFC6888."; 1335 } 1337 leaf nat-pass-through-port { 1338 type inet:port-number; 1340 description 1341 "The IP address subnets that match 1342 should not be translated. According to 1343 REQ#6 of RFC6888, it must be possible to 1344 administratively turn off translation 1345 for specific destination addresses 1346 and/or ports."; 1348 reference 1349 "REQ#6 of RFC6888."; 1350 } 1351 } 1353 // NAT Policies: Multiple policies per NAT instance 1355 list nat-policy { 1356 key policy-id; 1358 description 1359 "NAT parameters for a given instance"; 1361 leaf policy-id { 1362 type uint32; 1364 description 1365 "An identifier of the NAT policy."; 1366 } 1368 // CLAT Parameters 1369 container clat-parameters { 1370 description 1371 "CLAT parameters."; 1373 list clat-ipv6-prefixes { 1374 when "../../../nat-capabilities/nat-flavor = 'clat' "; 1376 key clat-ipv6-prefix; 1378 description 1379 "464XLAT double translation treatment is 1380 stateless when a dedicated /64 is available 1381 for translation on the CLAT. Otherwise, the 1382 CLAT will have both stateful and stateless 1383 since it requires NAT44 from the LAN to 1384 a single IPv4 address and then stateless 1385 translation to a single IPv6 address."; 1387 reference 1388 "RFC 6877."; 1390 leaf clat-ipv6-prefix { 1391 type inet:ipv6-prefix; 1393 description 1394 "An IPv6 prefix used for CLAT."; 1395 } 1396 } 1397 list clat-ipv4-prefixes { 1398 when "../../../nat-capabilities/nat-flavor = 'clat'"; 1400 key clat-ipv4-prefix; 1402 description 1403 "Pool of IPv4 addresses used for CLAT. 1404 192.0.0.0/29 is the IPv4 service continuity 1405 prefix."; 1407 reference 1408 "RFC 7335."; 1410 leaf clat-ipv4-prefix { 1411 type inet:ipv4-prefix; 1413 description 1414 "464XLAT double translation treatment is 1415 stateless when a dedicated /64 is available 1416 for translation on the CLAT. Otherwise, the 1417 CLAT will have both stateful and stateless 1418 since it requires NAT44 from the LAN to 1419 a single IPv4 address and then stateless 1420 translation to a single IPv6 address. 1421 The CLAT performs NAT44 for all IPv4 LAN 1422 packets so that all the LAN-originated IPv4 1423 packets appear from a single IPv4 address 1424 and are then statelessly translated to one 1425 interface IPv6 address that is claimed by 1426 the CLAT. 1428 An IPv4 address from this pool is also 1429 provided to an application that makes 1430 use of literals."; 1432 reference 1433 "RFC 6877."; 1434 } 1435 } 1436 } 1438 // NPTv6 Parameters 1440 list nptv6-prefixes { 1441 when "../../nat-capabilities/nat-flavor = 'nptv6' "; 1443 key translation-id; 1444 description 1445 "Provides one or a list of (internal IPv6 prefix, 1446 external IPv6 prefix) required for NPTv6. 1448 In its simplest form, NPTv6 interconnects two network 1449 links, one of which is an 'internal' network link 1450 attachedto a leaf network within a single 1451 administrative domain and the other of which is an 1452 'external' network with connectivity to the global 1453 Internet."; 1455 reference 1456 "RFC 6296."; 1458 leaf translation-id { 1459 type uint32; 1461 description 1462 "An identifier of the NPTv6 prefixs."; 1463 } 1465 leaf internal-ipv6-prefix { 1466 type inet:ipv6-prefix; 1468 description 1469 "An IPv6 prefix used by an internal interface 1470 of NPTv6."; 1472 reference 1473 "RFC 6296."; 1474 } 1476 leaf external-ipv6-prefix { 1477 type inet:ipv6-prefix; 1479 description 1480 "An IPv6 prefix used by the external interface 1481 of NPTv6."; 1483 reference 1484 "RFC 6296."; 1485 } 1486 } 1488 // EAM SIIT Parameters 1490 list eam { 1491 when "../../nat-capabilities/nat-flavor = 'eam' "; 1492 key eam-ipv4-prefix; 1494 description 1495 "The Explicit Address Mapping Table, a conceptual 1496 table in which each row represents an EAM. 1498 Each EAM describes a mapping between IPv4 and IPv6 1499 prefixes/addresses."; 1501 reference 1502 "Section 3.1 of RFC 7757."; 1504 leaf eam-ipv4-prefix { 1505 type inet:ipv4-prefix; 1507 description 1508 "The IPv4 prefix of an EAM."; 1510 reference 1511 "Section 3.2 of RFC 7757."; 1512 } 1514 leaf eam-ipv6-prefix { 1515 type inet:ipv6-prefix; 1517 description 1518 "The IPv6 prefix of an EAM."; 1520 reference 1521 "Section 3.2 of RFC 7757."; 1522 } 1523 } 1525 //NAT64 IPv6 Prefixes 1527 list nat64-prefixes { 1528 when "../../nat-capabilities/nat-flavor = 'nat64' " + 1529 " or ../../nat-capabilities/nat-flavor = 'clat'"; 1531 key nat64-prefix; 1533 description 1534 "Provides one or a list of NAT64 prefixes 1535 with or without a list of destination IPv4 prefixes. 1537 Destination-based Pref64::/n is discussed in 1538 Section 5.1 of [RFC7050]). For example: 1539 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 1541 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 1543 reference 1544 "Section 5.1 of RFC7050."; 1546 leaf nat64-prefix { 1547 type inet:ipv6-prefix; 1548 //default "64:ff9b::/96"; 1550 description 1551 "A NAT64 prefix. Can be NSP or a Well-Known 1552 Prefix (WKP). 1554 Organizations deploying stateless IPv4/IPv6 1555 translation should assign a Network-Specific 1556 Prefix to their IPv4/IPv6 translation service. 1558 For stateless NAT64, IPv4-translatable IPv6 1559 addresses must use the selected Network-Specific 1560 Prefix. Both IPv4-translatable IPv6 addresses 1561 and IPv4-converted IPv6 addresses should use 1562 the same prefix."; 1564 reference 1565 "Sections 3.3 and 3.4 of RFC 6052."; 1566 } 1568 list destination-ipv4-prefix { 1569 key ipv4-prefix; 1571 description 1572 "An IPv4 prefix/address."; 1574 leaf ipv4-prefix { 1575 type inet:ipv4-prefix; 1576 description 1577 "An IPv4 address/prefix."; 1578 } 1579 } 1581 leaf stateless-enable { 1582 type boolean; 1584 description 1585 "Enable explicitly statless NAT64."; 1586 } 1587 } 1588 list external-ip-address-pool { 1589 key pool-id; 1591 description 1592 "Pool of external IP addresses used to 1593 service internal hosts. 1595 Both contiguous and non-contiguous pools 1596 can be configured for NAT purposes."; 1598 leaf pool-id { 1599 type uint32; 1601 description 1602 "An identifier of the address pool."; 1603 } 1605 leaf external-ip-pool { 1606 type inet:ipv4-prefix; 1608 description 1609 "An IPv4 prefix used for NAT purposes."; 1610 } 1611 } 1613 container port-set-restrict { 1614 when "../../nat-capabilities/restricted-port-support = 'true'"; 1616 description 1617 "Configures contiguous and non-contiguous port ranges."; 1619 uses port-set; 1620 } 1622 leaf dst-nat-enable { 1623 type boolean; 1624 default false; 1626 description 1627 "Enable/Disable destination NAT. 1628 A NAT44 may be configured to enable 1629 Destination NAT, too."; 1630 } 1632 list dst-ip-address-pool { 1633 when "../../nat-capabilities/nat-flavor = 'dst-nat' "; 1635 key pool-id; 1636 description 1637 "Pool of IP addresses used for destination NAT."; 1639 leaf pool-id { 1640 type uint32; 1642 description 1643 "An identifier of the address pool."; 1644 } 1646 leaf dst-in-ip-pool { 1647 type inet:ip-prefix; 1649 description 1650 "Internal IP prefix/address"; 1651 } 1653 leaf dst-out-ip-pool { 1654 type inet:ip-prefix; 1656 description 1657 "IP address/prefix used for destination NAT."; 1658 } 1659 } 1661 list supported-transport-protocols { 1662 key transport-protocol-id; 1664 description 1665 "Supported transport protocols. 1666 TCP and UDP are supported by default."; 1668 leaf transport-protocol-id { 1669 type uint8; 1670 mandatory true; 1672 description 1673 "Upper-layer protocol associated with this mapping. 1674 Values are taken from the IANA protocol registry. 1675 For example, this field contains 6 (TCP) for a TCP 1676 mapping or 17 (UDP) for a UDP mapping."; 1677 } 1679 leaf transport-protocol-name { 1680 type string; 1681 description 1682 "For example, TCP, UDP, DCCP, and SCTP."; 1683 } 1685 } 1687 leaf subscriber-mask-v6 { 1688 type uint8 { 1689 range "0 .. 128"; 1690 } 1692 description 1693 "The subscriber-mask is an integer that indicates 1694 the length of significant bits to be applied on 1695 the source IP address (internal side) to 1696 unambiguously identify a CPE. 1698 Subscriber-mask is a system-wide configuration 1699 parameter that is used to enforce generic 1700 per-subscriber policies (e.g., port-quota). 1702 The enforcement of these generic policies does not 1703 require the configuration of every subscriber's 1704 prefix. 1706 Example: suppose the 2001:db8:100:100::/56 prefix 1707 is assigned to a NAT64 serviced CPE. Suppose also 1708 that 2001:db8:100:100::1 is the IPv6 address used 1709 by the client that resides in that CPE. When the 1710 NAT64 receives a packet from this client, 1711 it applies the subscriber-mask (e.g., 56) on 1712 the source IPv6 address to compute the associated 1713 prefix for this client (2001:db8:100:100::/56). 1714 Then, the NAT64 enforces policies based on that 1715 prefix (2001:db8:100:100::/56), not on the exact 1716 source IPv6 address."; 1717 } 1719 list subscriber-match { 1720 key sub-match-id; 1722 description 1723 "IP prefix match."; 1725 leaf sub-match-id { 1726 type uint32; 1728 description 1729 "An identifier of the subscriber masck."; 1730 } 1732 leaf sub-mask { 1733 type inet:ip-prefix; 1734 mandatory true; 1736 description 1737 "The IP address subnets that match 1738 should be translated. E.g., all addresses 1739 that belong to the 192.0.2.0/24 prefix must 1740 be processed by the NAT."; 1741 } 1742 } 1744 leaf paired-address-pooling { 1745 type boolean; 1746 default true; 1748 description 1749 "Paired address pooling informs the NAT 1750 that all the flows from an internal IP 1751 address must be assigned the same external 1752 address."; 1754 reference 1755 "RFC 4007."; 1756 } 1758 leaf nat-mapping-type { 1759 type enumeration { 1760 enum "eim" { 1761 description 1762 "endpoint-independent-mapping."; 1764 reference 1765 "Section 4 of RFC 4787."; 1766 } 1768 enum "adm" { 1769 description 1770 "address-dependent-mapping."; 1772 reference 1773 "Section 4 of RFC 4787."; 1774 } 1776 enum "edm" { 1777 description 1778 "address-and-port-dependent-mapping."; 1780 reference 1781 "Section 4 of RFC 4787."; 1782 } 1783 } 1784 description 1785 "Indicates the type of a NAT mapping."; 1786 } 1788 leaf nat-filtering-type { 1789 type enumeration { 1790 enum "eif" { 1791 description 1792 "endpoint-independent- filtering."; 1794 reference 1795 "Section 5 of RFC 4787."; 1796 } 1798 enum "adf" { 1799 description 1800 "address-dependent-filtering."; 1802 reference 1803 "Section 5 of RFC 4787."; 1804 } 1806 enum "edf" { 1807 description 1808 "address-and-port-dependent-filtering"; 1810 reference 1811 "Section 5 of RFC 4787."; 1812 } 1813 } 1814 description 1815 "Indicates the type of a NAT filtering."; 1816 } 1818 list port-quota { 1819 when "../../nat-capabilities/nat44-flavor = "+ 1820 "'napt' or "+ 1821 "../../nat-capabilities/nat-flavor = "+ 1822 "'nat64'"; 1824 key quota-type; 1826 description 1827 "Configures a port quota to be assigned per 1828 subscriber. It corresponds to the maximum 1829 number of ports to be used by a subscriber."; 1831 leaf port-limit { 1832 type uint16; 1834 description 1835 "Configures a port quota to be assigned per 1836 subscriber. It corresponds to the maximum 1837 number of ports to be used by a subscriber."; 1839 reference 1840 "REQ-4 of RFC 6888."; 1841 } 1843 leaf quota-type { 1844 type enumeration { 1845 enum "all" { 1846 description 1847 "The limit applies to all protocols."; 1849 reference 1850 "REQ-4 of RFC 6888."; 1851 } 1853 enum "tcp" { 1854 description 1855 "TCP quota."; 1857 reference 1858 "REQ-4 of RFC 6888."; 1859 } 1861 enum "udp" { 1862 description 1863 "UDP quota."; 1865 reference 1866 "REQ-4 of RFC 6888."; 1867 } 1869 enum "icmp" { 1870 description 1871 "ICMP quota."; 1873 reference 1874 "REQ-4 of RFC 6888."; 1875 } 1876 } 1877 description 1878 "Indicates whether the port quota applies to 1879 all protocols or to a specific transport."; 1880 } 1881 } 1883 leaf port-allocation-type { 1884 type enumeration { 1885 enum "random" { 1886 description 1887 "Port randomization is enabled."; 1888 } 1890 enum "port-preservation" { 1891 description 1892 "Indicates whether the NAT should 1893 preserve the internal port number."; 1894 } 1896 enum "port-parity-preservation" { 1897 description 1898 "Indicates whether the NAT should 1899 preserve the port parity of the 1900 internal port number."; 1901 } 1903 enum "port-range-allocation" { 1904 description 1905 "Indicates whether the NAT assigns a 1906 range of ports for an internal host."; 1907 } 1908 } 1909 description 1910 "Indicates the type of a port allocation."; 1911 } 1913 leaf address-roundrobin-enable { 1914 type boolean; 1916 description 1917 "Enable/disable address allocation 1918 round robin."; 1919 } 1921 container port-set { 1922 when "../port-allocation-type='port-range-allocation'"; 1924 description 1925 "Manages port-set assignments."; 1927 leaf port-set-size { 1928 type uint16; 1929 description 1930 "Indicates the size of assigned port 1931 sets."; 1932 } 1934 leaf port-set-timeout { 1935 type uint32; 1936 description 1937 "Inactivty timeout for port sets."; 1938 } 1939 } 1941 container timers { 1942 description 1943 "Configure values of various timeouts."; 1945 leaf udp-timeout { 1946 type uint32; 1947 units "seconds"; 1948 default 300; 1950 description 1951 "UDP inactivity timeout. That is the time a mapping 1952 will stay active without packets traversing the NAT."; 1954 reference 1955 "RFC 4787."; 1956 } 1958 leaf tcp-idle-timeout { 1959 type uint32; 1960 units "seconds"; 1961 default 7440; 1963 description 1964 "TCP Idle timeout should be 1965 2 hours and 4 minutes."; 1967 reference 1968 "RFC 5382."; 1969 } 1971 leaf tcp-trans-open-timeout { 1972 type uint32; 1973 units "seconds"; 1974 default 240; 1976 description 1977 "The value of the transitory open connection 1978 idle-timeout. 1980 Section 2.1 of [RFC7857] clarifies that a NAT 1981 should provide different configurable 1983 parameters for configuring the open and 1984 closing idle timeouts. 1986 To accommodate deployments that consider 1987 a partially open timeout of 4 minutes as being 1988 excessive from a security standpoint, a NAT may 1989 allow the configured timeout to be less than 1990 4 minutes. 1992 However, a minimum default transitory connection 1993 idle-timeout of 4 minutes is recommended."; 1995 reference 1996 "Section 2.1 of RFC 7857."; 1997 } 1999 leaf tcp-trans-close-timeout { 2000 type uint32; 2001 units "seconds"; 2002 default 240; 2004 description 2005 "The value of the transitory close connection 2006 idle-timeout. 2008 Section 2.1 of [RFC7857] clarifies that a NAT 2009 should provide different configurable 2010 parameters for configuring the open and 2011 closing idle timeouts."; 2013 reference 2014 "Section 2.1 of RFC 7857."; 2015 } 2017 leaf tcp-in-syn-timeout { 2018 type uint32; 2019 units "seconds"; 2020 default 6; 2021 description 2022 "A NAT must not respond to an unsolicited 2023 inbound SYN packet for at least 6 seconds 2024 after the packet is received. If during 2025 this interval the NAT receives and translates 2026 an outbound SYN for the connection the NAT 2027 must silently drop the original unsolicited 2028 inbound SYN packet."; 2030 reference 2031 "RFC 5382."; 2032 } 2034 leaf fragment-min-timeout { 2035 type uint32; 2036 units "seconds"; 2037 default 2; 2039 description 2040 "As long as the NAT has available resources, 2041 the NAT allows the fragments to arrive 2042 over fragment-min-timeout interval. 2043 The default value is inspired from RFC6146."; 2044 } 2046 leaf icmp-timeout { 2047 type uint32; 2048 units "seconds"; 2049 default 60; 2051 description 2052 "An ICMP Query session timer must not expire 2053 in less than 60 seconds. It is recommended 2054 that the ICMP Query session timer be made 2055 configurable"; 2057 reference 2058 "RFC 5508."; 2059 } 2061 list per-port-timeout { 2062 key port-number; 2064 description 2065 "Some NATs are configurable with short timeouts 2066 for some ports, e.g., as 10 seconds on 2067 port 53 (DNS) and NTP (123) and longer timeouts 2068 on other ports."; 2070 leaf port-number { 2071 type inet:port-number; 2073 description 2074 "A port number."; 2075 } 2077 leaf port-timeout { 2078 type inet:port-number; 2079 mandatory true; 2081 description 2082 "Timeout for this port"; 2083 } 2084 } 2086 leaf hold-down-timeout { 2087 type uint32; 2088 units "seconds"; 2089 default 120; 2091 description 2092 "Hold down timer. 2094 Ports in the hold down pool are not reassigned 2095 until hold-down-timeout expires. 2097 The length of time and the maximum 2098 number of ports in this state must be 2099 configurable by the administrator. 2100 This is necessary in order 2101 to prevent collisions between old 2102 and new mappings and sessions. It ensures 2103 that all established sessions are broken 2104 instead of redirected to a different peer."; 2106 reference 2107 "REQ#8 of RFC 6888."; 2108 } 2110 leaf hold-down-max { 2111 type uint32; 2113 description 2114 "Maximum ports in the Hold down timer pool. 2116 Ports in the hold down pool are not reassigned 2117 until hold-down-timeout expires. 2119 The length of time and the maximum 2120 number of ports in this state must be 2121 configurable by the administrator. 2122 This is necessary in order 2123 to prevent collisions between old 2124 and new mappings and sessions. It ensures 2125 that all established sessions are broken 2126 instead of redirected to a different peer."; 2128 reference 2129 "REQ#8 of RFC 6888."; 2130 } 2131 } 2133 list algs { 2135 key alg-name; 2137 description 2138 "ALG-related features."; 2140 leaf alg-name { 2141 type string; 2143 description 2144 "The name of the ALG"; 2145 } 2147 leaf alg-transport-protocol { 2148 type uint32; 2150 description 2151 "The transport protocol used by the ALG."; 2152 } 2154 leaf alg-transport-port { 2155 type inet:port-number; 2157 description 2158 "The port number used by the ALG."; 2159 } 2161 leaf alg-status { 2162 type boolean; 2164 description 2165 "Enable/disable the ALG."; 2166 } 2167 } 2169 leaf all-algs-enable { 2170 type boolean; 2172 description 2173 "Enable/disable all ALGs."; 2174 } 2176 container notify-pool-usage { 2177 description 2178 "Notification of pool usage when certain criteria 2179 are met."; 2181 leaf pool-id { 2182 type uint32; 2184 description 2185 "Pool-ID for which the notification 2186 criteria is defined"; 2187 } 2189 leaf notify-pool-hi-threshold { 2190 type percent; 2191 mandatory true; 2193 description 2194 "Notification must be generated when the 2195 defined high threshold is reached. 2197 For example, if a notification is 2198 required when the pool utilization reaches 2199 90%, this configuration parameter must 2200 be set to 90%."; 2201 } 2203 leaf notify-pool-low-threshold { 2204 type percent; 2206 description 2207 "Notification must be generated when the defined 2208 low threshold is reached. 2210 For example, if a notification is required when 2211 the pool utilization reaches below 10%, 2212 this configuration parameter must be set to 2213 10%."; 2214 } 2215 } 2217 container external-realm { 2218 description 2219 "Identifies the external realm of the NAT."; 2221 choice realm-type { 2222 description 2223 "Interface or VRF."; 2225 case interface { 2226 description 2227 "External interface."; 2229 leaf external-interface { 2230 type if:interface-ref; 2232 description 2233 "Name of an external interface."; 2234 } 2235 } 2237 case vrf { 2238 description 2239 "External VRF instance."; 2241 leaf external-vrf-instance { 2242 type identityref { 2243 base vrf-routing-instance; 2244 } 2245 description 2246 "A VRF instance."; 2247 } 2248 } 2249 } 2250 } 2251 } //nat-policy 2253 container mapping-limit { 2254 description 2255 "Information about the configuration parameters that 2256 limits the mappings based upon various criteria."; 2258 leaf limit-per-subscriber { 2259 type uint32; 2260 description 2261 "Maximum number of NAT mappings per subscriber."; 2262 } 2264 leaf limit-per-vrf { 2265 type uint32; 2267 description 2268 "Maximum number of NAT mappings per VLAN/VRF."; 2269 } 2271 leaf limit-per-subnet { 2272 type inet:ip-prefix; 2274 description 2275 "Maximum number of NAT mappings per subnet."; 2276 } 2278 leaf limit-per-instance { 2279 type uint32; 2280 mandatory true; 2282 description 2283 "Maximum number of NAT mappings per instance."; 2284 } 2286 leaf limit-per-udp { 2287 type uint32; 2288 mandatory true; 2290 description 2291 "Maximum number of UDP NAT mappings per subscriber."; 2292 } 2294 leaf limit-per-tcp { 2295 type uint32; 2296 mandatory true; 2298 description 2299 "Maximum number of TCP NAT mappings per subscriber."; 2300 } 2302 leaf limit-per-icmp { 2303 type uint32; 2304 mandatory true; 2306 description 2307 "Maximum number of ICMP NAT mappings per subscriber."; 2309 } 2310 } 2312 container connection-limit { 2313 description 2314 "Information about the configuration parameters that 2315 rate limit the translation based upon various 2316 criteria."; 2318 leaf limit-per-subscriber { 2319 type uint32; 2321 description 2322 "Rate-limit the number of new mappings 2323 and sessions per subscriber."; 2324 } 2326 leaf limit-per-vrf { 2327 type uint32; 2329 description 2330 "Rate-limit the number of new mappings 2331 and sessions per VLAN/VRF."; 2332 } 2334 leaf limit-per-subnet { 2335 type inet:ip-prefix; 2337 description 2338 "Rate-limit the number of new mappings 2339 and sessions per subnet."; 2340 } 2342 leaf limit-per-instance { 2343 type uint32; 2344 mandatory true; 2346 description 2347 "Rate-limit the number of new mappings 2348 and sessions per instance."; 2349 } 2351 leaf limit-per-udp { 2352 type uint32; 2353 mandatory true; 2355 description 2356 "Rate-limit the number of new UDP mappings 2357 and sessions per subscriber."; 2358 } 2360 leaf limit-per-tcp { 2361 type uint32; 2362 mandatory true; 2364 description 2365 "Rate-limit the number of new TCP mappings 2366 and sessions per subscriber."; 2367 } 2369 leaf limit-per-icmp { 2370 type uint32; 2371 mandatory true; 2373 description 2374 "Rate-limit the number of new ICMP mappings 2375 and sessions per subscriber."; 2376 } 2377 } 2379 container logging-info { 2380 description 2381 "Information about logging NAT events"; 2383 leaf logging-enable { 2384 type boolean; 2386 description 2387 "Enable logging features."; 2389 reference 2390 "Section 2.3 of RFC 6908."; 2391 } 2393 leaf destination-address { 2394 type inet:ip-prefix; 2395 mandatory true; 2397 description 2398 "Address of the collector that receives 2399 the logs"; 2400 } 2402 leaf destination-port { 2403 type inet:port-number; 2404 mandatory true; 2405 description 2406 "Destination port of the collector."; 2407 } 2409 choice protocol { 2411 description 2412 "Enable the protocol to be used for 2413 the retrieval of logging entries."; 2415 case syslog { 2416 leaf syslog { 2417 type boolean; 2419 description 2420 "If SYSLOG is in use."; 2421 } 2422 } 2424 case ipfix { 2425 leaf ipfix { 2426 type boolean; 2428 description 2429 "If IPFIX is in use."; 2430 } 2431 } 2433 case ftp { 2434 leaf ftp { 2435 type boolean; 2437 description 2438 "If FTP is in use."; 2439 } 2440 } 2441 } 2442 } 2444 container mapping-table { 2445 when "../nat-capabilities/nat-flavor = "+ 2446 "'nat44' or "+ 2447 "../nat-capabilities/nat-flavor = "+ 2448 "'nat64'or "+ 2449 "../nat-capabilities/nat-flavor = "+ 2450 "'clat'or "+ 2451 "../nat-capabilities/nat-flavor = 'dst-nat'"; 2453 description 2454 "NAT mapping table. Applicable for functions 2455 which maintains static and/or dynamic mappings, 2456 such as NAT44, Destination NAT, NAT64, or CLAT."; 2458 list mapping-entry { 2459 key "index"; 2461 description 2462 "NAT mapping entry."; 2464 uses mapping-entry; 2465 } 2466 } 2468 container statistics { 2470 config false; 2472 description 2473 "Statistics related to the NAT instance."; 2475 container traffic-statistics { 2476 description 2477 "Generic traffic statistics."; 2479 leaf sent-packet { 2480 type yang:zero-based-counter64; 2482 description 2483 "Number of packets sent."; 2484 } 2486 leaf sent-byte { 2487 type yang:zero-based-counter64; 2489 description 2490 "Counter for sent traffic in bytes."; 2491 } 2493 leaf rcvd-packet { 2494 type yang:zero-based-counter64; 2496 description 2497 "Number of received packets."; 2498 } 2500 leaf rcvd-byte { 2501 type yang:zero-based-counter64; 2503 description 2504 "Counter for received traffic 2505 in bytes."; 2506 } 2508 leaf dropped-packet { 2509 type yang:zero-based-counter64; 2511 description 2512 "Number of dropped packets."; 2513 } 2515 leaf dropped-byte { 2516 type yang:zero-based-counter64; 2518 description 2519 "Counter for dropped traffic in 2520 bytes."; 2521 } 2522 } 2524 container mapping-statistics { 2525 when "../../nat-capabilities/nat-flavor = "+ 2526 "'nat44' or "+ 2527 "../../nat-capabilities/nat-flavor = "+ 2528 "'nat64'or "+ 2529 "../../nat-capabilities/nat-flavor = 'dst-nat'"; 2531 description 2532 "Mapping statistics."; 2534 leaf total-mappings { 2535 type uint32; 2537 description 2538 "Total number of NAT mappings present 2539 at a given time. This variable includes 2540 all the static and dynamic mappings."; 2541 } 2543 leaf total-tcp-mappings { 2544 type uint32; 2546 description 2547 "Total number of TCP mappings present 2548 at a given time."; 2550 } 2552 leaf total-udp-mappings { 2553 type uint32; 2555 description 2556 "Total number of UDP mappings present 2557 at a given time."; 2558 } 2560 leaf total-icmp-mappings { 2561 type uint32; 2563 description 2564 "Total number of ICMP mappings present 2565 at a given time."; 2566 } 2567 } 2569 container pool-stats { 2571 when "../../nat-capabilities/nat-flavor = "+ 2572 "'nat44' or "+ 2573 "../../nat-capabilities/nat-flavor = "+ 2574 "'nat64'"; 2576 description 2577 "Statistics related to address/prefix 2578 pool usage"; 2580 leaf pool-id { 2581 type uint32; 2583 description 2584 "Unique Identifier that represents 2585 a pool of addresses/prefixes."; 2586 } 2588 leaf address-allocated { 2589 type uint32; 2591 description 2592 "Number of allocated addresses in 2593 the pool"; 2594 } 2596 leaf address-free { 2597 type uint32; 2598 description 2599 "Number of unallocated addresses in 2600 the pool at a given time.The sum of 2601 unallocated and allocated 2602 addresses is the total number of 2603 addresses of the pool."; 2604 } 2606 container port-stats { 2608 description 2609 "Statistics related to port 2610 usage."; 2612 leaf ports-allocated { 2613 type uint32; 2615 description 2616 "Number of allocated ports 2617 in the pool."; 2618 } 2620 leaf ports-free { 2621 type uint32; 2623 description 2624 "Number of unallocated addresses 2625 in the pool."; 2626 } 2627 } 2628 } 2629 }//statistics 2630 } 2631 } 2632 } 2634 /* 2635 * Notifications 2636 */ 2638 notification nat-event { 2639 description 2640 "Notifications must be generated when the defined 2641 high/low threshold is reached. Related 2642 configuration parameters must be provided to 2643 trigger the notifications."; 2645 leaf id { 2646 type leafref { 2647 path 2648 "/nat-module/nat-instances/" 2649 + "nat-instance/id"; 2650 } 2651 description 2652 "NAT instance ID."; 2653 } 2655 leaf policy-id { 2656 type leafref { 2657 path 2658 "/nat-module/nat-instances/" 2659 + "nat-instance/nat-policy/policy-id"; 2660 } 2662 description 2663 "Policy ID."; 2664 } 2666 leaf pool-id { 2667 type leafref { 2668 path 2669 "/nat-module/nat-instances/" 2670 + "nat-instance/nat-policy/" 2671 + "external-ip-address-pool/pool-id"; 2672 } 2673 description 2674 "Pool ID."; 2675 } 2677 leaf notify-pool-threshold { 2678 type percent; 2679 mandatory true; 2681 description 2682 "A treshhold has been fired."; 2683 } 2684 } 2685 } 2686 2688 4. Security Considerations 2690 The YANG module defined in this memo is designed to be accessed via 2691 the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the 2692 secure transport layer and the support of SSH is mandatory to 2693 implement secure transport [RFC6242]. The NETCONF access control 2694 model [RFC6536] provides means to restrict access by some users to a 2695 pre-configured subset of all available NETCONF protocol operations 2696 and data. 2698 All data nodes defined in the YANG module which can be created, 2699 modified and deleted (i.e., config true, which is the default). 2700 These data nodes are considered sensitive. Write operations (e.g., 2701 edit-config) applied to these data nodes without proper protection 2702 can negatively affect network operations. 2704 5. IANA Considerations 2706 This document requests IANA to register the following URI in the 2707 "IETF XML Registry" [RFC3688]: 2709 URI: urn:ietf:params:xml:ns:yang:ietf-nat 2710 Registrant Contact: The IESG. 2711 XML: N/A; the requested URI is an XML namespace. 2713 This document requests IANA to register the following YANG module in 2714 the "YANG Module Names" registry [RFC7950]. 2716 name: ietf-nat 2717 namespace: urn:ietf:params:xml:ns:yang:ietf-nat 2718 prefix: nat 2719 reference: RFC XXXX 2721 6. Acknowledgements 2723 Many thanks to Dan Wing and Tianran Zhou for the review. 2725 Thanks to Juergen Schoenwaelder for the comments on the YANG 2726 structure and the suggestion to use NMDA. 2728 Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred 2729 Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and 2730 Kristian Poscic for the CGN review. 2732 Special thanks to Maros Marsalek and Marek Gradzki for sharing their 2733 comments based on the FD.io implementation of an earlier version of 2734 this module. 2736 Rajiv Asati suggested to clarify how the module applies for both 2737 stateless and stateful NAT64. 2739 7. References 2741 7.1. Normative References 2743 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2744 DOI 10.17487/RFC3688, January 2004, 2745 . 2747 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 2748 Translation (NAT) Behavioral Requirements for Unicast 2749 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2750 2007, . 2752 [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. 2753 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 2754 RFC 5382, DOI 10.17487/RFC5382, October 2008, 2755 . 2757 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 2758 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 2759 DOI 10.17487/RFC5508, April 2009, 2760 . 2762 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 2763 NAT64: Network Address and Protocol Translation from IPv6 2764 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 2765 April 2011, . 2767 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2768 and A. Bierman, Ed., "Network Configuration Protocol 2769 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2770 . 2772 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2773 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2774 . 2776 [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration 2777 Protocol (NETCONF) Access Control Model", RFC 6536, 2778 DOI 10.17487/RFC6536, March 2012, 2779 . 2781 [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: 2782 Combination of Stateful and Stateless Translation", 2783 RFC 6877, DOI 10.17487/RFC6877, April 2013, 2784 . 2786 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 2787 A., and H. Ashida, "Common Requirements for Carrier-Grade 2788 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 2789 April 2013, . 2791 [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address 2792 Mappings for Stateless IP/ICMP Translation", RFC 7757, 2793 DOI 10.17487/RFC7757, February 2016, 2794 . 2796 [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, 2797 S., and K. Naito, "Updates to Network Address Translation 2798 (NAT) Behavioral Requirements", BCP 127, RFC 7857, 2799 DOI 10.17487/RFC7857, April 2016, 2800 . 2802 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2803 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2804 . 2806 7.2. Informative References 2808 [I-D.boucadair-pcp-yang] 2809 Boucadair, M., Jacquenet, C., Sivakumar, S., and S. 2810 Vinapamula, "YANG Data Models for the Port Control 2811 Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in 2812 progress), May 2017. 2814 [I-D.ietf-behave-ipfix-nat-logging] 2815 Sivakumar, S. and R. Penno, "IPFIX Information Elements 2816 for logging NAT Events", draft-ietf-behave-ipfix-nat- 2817 logging-13 (work in progress), January 2017. 2819 [I-D.ietf-softwire-dslite-yang] 2820 Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data 2821 Modules for the DS-Lite", draft-ietf-softwire-dslite- 2822 yang-07 (work in progress), October 2017. 2824 [I-D.ietf-tsvwg-natsupp] 2825 Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control 2826 Transmission Protocol (SCTP) Network Address Translation 2827 Support", draft-ietf-tsvwg-natsupp-11 (work in progress), 2828 July 2017. 2830 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 2831 Translator (NAT) Terminology and Considerations", 2832 RFC 2663, DOI 10.17487/RFC2663, August 1999, 2833 . 2835 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 2836 Address Translator (Traditional NAT)", RFC 3022, 2837 DOI 10.17487/RFC3022, January 2001, 2838 . 2840 [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) 2841 Behavioral Requirements for the Datagram Congestion 2842 Control Protocol", BCP 150, RFC 5597, 2843 DOI 10.17487/RFC5597, September 2009, 2844 . 2846 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 2847 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 2848 DOI 10.17487/RFC6052, October 2010, 2849 . 2851 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 2852 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 2853 . 2855 [RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, 2856 "Logging Recommendations for Internet-Facing Servers", 2857 BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011, 2858 . 2860 [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, 2861 "Diameter Network Address and Port Translation Control 2862 Application", RFC 6736, DOI 10.17487/RFC6736, October 2863 2012, . 2865 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2866 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2867 DOI 10.17487/RFC6887, April 2013, 2868 . 2870 [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT 2871 (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, 2872 DOI 10.17487/RFC7289, June 2014, 2873 . 2875 [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, 2876 DOI 10.17487/RFC7335, August 2014, 2877 . 2879 [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. 2880 Farrer, "Lightweight 4over6: An Extension to the Dual- 2881 Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, 2882 July 2015, . 2884 [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., 2885 Murakami, T., and T. Taylor, Ed., "Mapping of Address and 2886 Port with Encapsulation (MAP-E)", RFC 7597, 2887 DOI 10.17487/RFC7597, July 2015, 2888 . 2890 [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 2891 "Definitions of Managed Objects for Network Address 2892 Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, 2893 October 2015, . 2895 [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., 2896 and S. Perreault, "Port Control Protocol (PCP) Extension 2897 for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, 2898 February 2016, . 2900 [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, 2901 "RADIUS Extensions for IP Port Configuration and 2902 Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, 2903 . 2905 Appendix A. Sample Examples 2907 This section provides a non-exhaustive set of examples to illustrate 2908 the use of the NAT YANG module. 2910 A.1. Traditional NAT44 2912 Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the 2913 same IPv4 address among hosts that are owned by the same subscriber. 2914 This is typically the NAT that is embedded in CPE devices. 2916 This NAT is usually provided with one single external IPv4 address; 2917 disambiguating connections is achieved by rewriting the source port 2918 number. The XML snippet to configure the external IPv4 address in 2919 such case together with a mapping entry is depicted below: 2921 2922 2923 1 2924 NAT_Subscriber_A 2925 .... 2926 2927 1 2928 2929 192.0.2.1 2930 2931 2932 .... 2933 2934 .... 2935 2936 192.0.2.1 2937 2938 .... 2939 2940 2941 2943 The following shows the XML excerpt depicting a dynamic UDP mapping 2944 entry maintained by a traditional NAT44. In reference to this 2945 example, the UDP packet received with a source IPv4 address 2946 (192.0.2.1) and source port number (1568) is translated into a UDP 2947 packet having a source IPv4 address (198.51.100.1) and source port 2948 (15000). The lifetime of this mapping is 300 seconds. 2950 2951 15 2952 2953 dynamic-explicit 2954 2955 2956 17 2957 2958 2959 192.0.2.1 2960 2961 2962 2963 1568 2964 2965 2966 2967 198.51.100.1 2968 2969 2970 2971 15000 2972 2973 2974 2975 300 2976 2977 2979 A.2. CGN 2981 The following XML snippet shows the example of the capabilities 2982 supported by a CGN as retrieved using NETCONF. 2984 2986 nat44 2987 2988 2989 false 2990 2991 2992 true 2993 2994 2995 true 2996 2997 2998 true 2999 3000 3001 true 3002 3003 3004 false 3005 3006 3007 true 3008 3009 3010 true 3011 3012 3013 true 3014 3015 3016 false 3017 3018 3019 false 3020 3021 3022 true 3023 3024 3025 false 3026 3027 3028 false 3029 3030 3031 The following XML snippet shows the example of a CGN that is 3032 provisioned with one contiguous pool of external IPv4 addresses 3033 (192.0.2.0/24). Further, the CGN is instructed to limit the number 3034 of allocated ports per subscriber to 1024. Ports can be allocated by 3035 the CGN by assigning ranges of 256 ports (that is, a subscriber can 3036 be allocated up to four port ranges of 256 ports each). 3038 3039 3040 1 3041 myCGN 3042 .... 3043 3044 1 3045 3046 192.0.2.0/24 3047 3048 3049 3050 3051 1024 3052 3053 3054 all 3055 3056 3057 3058 port-range-allocation 3059 3060 3061 3062 256 3063 3064 3065 .... 3066 3067 3069 An administrator may decide to allocate one single port range per 3070 subscriber (port range of 1024 ports) as shown below: 3072 3073 3074 1 3075 myotherCGN 3076 .... 3077 3078 1 3079 3080 192.0.2.0/24 3081 3082 3083 3084 3085 1024 3086 3087 3088 all 3089 3090 3091 3092 port-range-allocation 3093 3094 3095 3096 1024 3097 3098 .... 3099 3100 .... 3101 3102 3104 A.3. CGN Pass-Through 3106 Figure 1 illustrates an example of the CGN pass-through feature. 3108 X1:x1 X1':x1' X2:x2 3109 +---+from X1:x1 +---+from X1:x1 +---+ 3110 | C | to X2:x2 | | to X2:x2 | S | 3111 | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | 3112 | i | | G | | r | 3113 | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | 3114 | n |from X2:x2 | |from X2:x2 | e | 3115 | t | to X1:x1 | | to X1:x1 | r | 3116 +---+ +---+ +---+ 3118 Figure 1: CGN Pass-Through 3120 For example, in order to disable NAT for communications issued by the 3121 client (192.0.2.25), the following configuration parameter must be 3122 set: 3124 3125 ... 3126 192.0.2.25 3127 ... 3128 3130 A.4. NAT64 3132 Let's consider the example of a NAT64 that should use 3133 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 3134 The XML snippet to configure the NAT64 prefix in such case is 3135 depicted below: 3137 3138 3139 2001:db8:122:300::/56 3140 3141 3143 A NAT64 can be instructed to behave in the stateless mode by 3144 providing the following configuration. The same NAT64 prefix is used 3145 for constructing both IPv4- translatable IPv6 addresses and 3146 IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]). 3148 3149 3150 2001:db8:122:300::/56 3151 3152 3153 true 3154 3155 3157 Let's now consider the example of a NAT64 that should use 3158 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 3159 the destination address matches 198.51.100.0/24. The XML snippet to 3160 configure the NAT64 prefix in such case is shown below: 3162 3163 3164 2001:db8:122::/48 3165 3166 3167 3168 198.51.100.0/24 3169 3170 3171 3173 A.5. Explicit Address Mappings for Stateless IP/ICMP Translation 3175 As specified in [RFC7757], an EAM consists of an IPv4 prefix and an 3176 IPv6 prefix. Let's consider the set of EAM examples in Figure 2. 3178 +---+----------------+----------------------+ 3179 | # | IPv4 Prefix | IPv6 Prefix | 3180 +---+----------------+----------------------+ 3181 | 1 | 192.0.2.1 | 2001:db8:aaaa:: | 3182 | 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | 3183 | 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 | 3184 | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 | 3185 | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | 3186 | 6 | 192.0.2.224/31 | 64:ff9b::/127 | 3187 +---+----------------+----------------------+ 3189 Figure 2: EAM Examples (RFC7757) 3191 The following XML excerpt illustrates how these EAMs can be 3192 configured using the YANG NAT module: 3194 3195 3196 192.0.2.1 3197 3198 3199 2001:db8:aaaa:: 3200 3201 3202 3203 3204 192.0.2.2/32 3205 3206 3207 2001:db8:bbbb::b/128 3208 3209 3210 3211 3212 192.0.2.16/28 3213 3214 3215 2001:db8:cccc::/124 3216 3217 3218 3219 3220 192.0.2.128/26 3221 3222 3223 2001:db8:dddd::/64 3224 3225 3226 3227 3228 192.0.2.192/29 3229 3230 3231 2001:db8:eeee:8::/62 3232 3233 3234 3235 3236 192.0.2.224/31 3237 3238 3239 64:ff9b::/127 3240 3241 3242 EAMs may be enabled jointly with statefull NAT64. This example shows 3243 a NAT64 fucntion that supports static mappings: 3245 3247 nat64 3248 3249 3250 true 3251 3252 3253 true 3254 3255 3256 true 3257 3258 3259 true 3260 3261 3262 false 3263 3264 3265 true 3266 3267 3268 true 3269 3270 3271 true 3272 3273 3274 false 3275 3276 3277 false 3278 3279 3280 true 3281 3282 3283 false 3284 3285 3286 false 3287 3288 3290 A.6. Static Mappings with Port Ranges 3292 The following example shows a static mapping that instructs a NAT to 3293 translate packets issued from 192.0.2.1 and with source ports in the 3294 100-500 range to 198.51.100.1:1100-1500. 3296 3297 1 3298 static 3299 6 3300 3301 192.0.2.1 3302 3303 3304 3305 100 3306 3307 3308 500 3309 3310 3311 3312 198.51.100.1 3313 3314 3315 3316 1100 3317 3318 3319 1500 3320 3321 3322 ... 3323 3325 A.7. Static Mappings with IP Prefixes 3327 The following example shows a static mapping that instructs a NAT to 3328 translate packets issued from 192.0.2.1/24 to 198.51.100.1/24. 3330 3331 1 3332 static 3333 6 3334 3335 192.0.2.1/24 3336 3337 3338 198.51.100.1/24 3339 3340 ... 3341 3343 A.8. Destination NAT 3345 The following XML snippet shows an example a destination NAT that is 3346 instructed to translate packets having 192.0.2.1 as a destination IP 3347 address to 198.51.100.1. 3349 3350 1 3351 3352 192.0.2.1 3353 3354 3355 198.51.100.1 3356 3357 3359 In order to instruct a NAT to translate TCP packets destined to 3360 192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows 3361 the static mapping to be configured on the NAT: 3363 3364 1 3365 static 3366 6 3367 3368 192.0.2.1 3369 3370 3371 80 3372 3373 3374 198.51.100.1 3375 3376 3377 8080 3378 3379 3381 In order to instruct a NAT to translate TCP packets destined to 3382 192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh 3383 traffic) to 198.51.100.2, the following XML snippet shows the static 3384 mappings to be configured on the NAT: 3386 3387 1 3388 static 3389 6 3390 3391 192.0.2.1 3392 3393 3394 3395 80 3396 3397 3398 3399 198.51.100.1 3400 3401 ... 3402 3403 3404 2 3405 static 3406 3407 6 3408 3409 3410 192.0.2.1 3411 3412 3413 3414 22 3415 3416 3417 3418 198.51.100.2 3419 3420 ... 3421 3423 The NAT may also be instructed to proceed with both source and 3424 destination NAT. To do so, in addition to the above sample to 3425 configure destination NAT, the NAT may be provided, for example with 3426 a pool of external IP addresses (198.51.100.0/24) to use for source 3427 address translation. An example of the corresponding XML snippet is 3428 provided hereafter: 3430 3431 1 3432 3433 198.51.100.0/24 3434 3435 3437 Instead of providing an external IP address to share, the NAT may be 3438 configured with static mapping entries that modifies the internal IP 3439 address and/or port number. 3441 A.9. CLAT 3443 The following XML snippet shows the example of a CLAT that is 3444 configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and 3445 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 3446 provided with 192.0.0.1/32 (which is selected from the IPv4 service 3447 continuity prefix defined in [RFC7335]). 3449 3450 3451 2001:db8:aaaa::/96 3452 3453 3454 3455 3456 192.0.0.1/32 3457 3458 3459 3460 3461 2001:db8:1234::/96 3462 3463 3465 A.10. NPTv6 3467 Let's consider the example of a NPTv6 translator that should rewrite 3468 packets with the source prefix (fd01:203:405:/48) with the external 3469 prefix (2001:db8:1:/48). The internal interface is "eth0" while the 3470 external interface is "eth1". 3472 External Network: Prefix = 2001:db8:1:/48 3473 -------------------------------------- 3474 | 3475 |eth1 3476 +-------------+ 3477 eth4| NPTv6 |eth2 3478 ...-----| |------... 3479 +-------------+ 3480 |eth0 3481 | 3482 -------------------------------------- 3483 Internal Network: Prefix = fd01:203:405:/48 3485 Example of NPTv6 (RFC6296) 3487 The XML snippet to configure NPTv6 prefixes in such case is depicted 3488 below: 3490 3491 1 3492 3493 fd01:203:405:/48 3494 3495 3496 2001:db8:1:/48 3497 3498 3499 ... 3500 3501 3502 eth1 3503 3504 3506 Figure 3 shows an example of an NPTv6 that interconnects two internal 3507 networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is 3508 translated using a dedicated prefix (2001:db8:1:/48 and 3509 2001:db8:6666:/48, respectively). 3511 Internal Prefix = fd01:4444:5555:/48 3512 -------------------------------------- 3513 V | External Prefix 3514 V |eth1 2001:db8:1:/48 3515 V +---------+ ^ 3516 V | NPTv6 | ^ 3517 V | | ^ 3518 V +---------+ ^ 3519 External Prefix |eth0 ^ 3520 2001:db8:6666:/48 | ^ 3521 -------------------------------------- 3522 Internal Prefix = fd01:203:405:/48 3524 Figure 3: Connecting two Peer Networks (RFC6296) 3526 To that aim, the following configuration is provided to the NPTv6: 3528 3529 1 3530 3531 1 3532 3533 fd01:203:405:/48 3534 3535 3536 2001:db8:1:/48 3537 3538 3539 3540 eth1 3541 3542 3543 3544 2 3545 3546 2 3547 3548 fd01:4444:5555:/48 3549 3550 3551 2001:db8:6666:/48 3552 3553 3554 3555 eth0 3556 3557 3559 Authors' Addresses 3561 Mohamed Boucadair 3562 Orange 3563 Rennes 35000 3564 France 3566 Email: mohamed.boucadair@orange.com 3568 Senthil Sivakumar 3569 Cisco Systems 3570 7100-8 Kit Creek Road 3571 Research Triangle Park, North Carolina 27709 3572 USA 3574 Phone: +1 919 392 5158 3575 Email: ssenthil@cisco.com 3577 Christian Jacquenet 3578 Orange 3579 Rennes 35000 3580 France 3582 Email: christian.jacquenet@orange.com 3584 Suresh Vinapamula 3585 Juniper Networks 3586 1133 Innovation Way 3587 Sunnyvale 94089 3588 USA 3590 Email: sureshk@juniper.net 3592 Qin Wu 3593 Huawei 3594 101 Software Avenue, Yuhua District 3595 Nanjing, Jiangsu 210012 3596 China 3598 Email: bill.wu@huawei.com