Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: May 3, 2018                                       Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                        October 30, 2017

    A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                     draft-ietf-opsawg-nat-yang-07

Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Data Model for Network Address Translation (NAT)
   and Network Prefix Translation (NPT)";

   "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 3, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface or VRF
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].  The full set of translation schemes that are in
   scope is included in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: an IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].
   o  Restricted port set: a non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: a host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: the IP address/prefix of an internal
      host.

   o  External Address: the IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: created implicitly as a side effect of
      processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The term NAT in this document refers to any NAT flavor (NAT44, NAT64,
   etc.) interchangeably.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   Further, the NAT YANG module allows for a NAT instance to be provided
   with multiple NAT policies (policy).  The document does not make any
   assumption about how flows are associated with a given NAT policy of
   a given NAT instance.  Classification filters are out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   module allows instructing a NAT function to log the destination port
   number.  The reader may refer to [I-D.ietf-behave-ipfix-nat-logging],
   which provides the templates to log the destination ports.

2.2.  Various NAT Flavors

   The following modes are supported:

   1.   Basic NAT44
   2.   NAPT
   3.   Destination NAT
   4.   Port-restricted NAT
   5.   Stateful and stateless NAT64
   6.   EAM SIIT
   7.   CLAT
   8.   NPTv6
   9.   Combination of Basic NAT/NAPT and Destination NAT
   10.  Combination of port-restricted and Destination NAT
   11.  Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
   Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes [RFC4787][RFC5382][RFC5508] are enabled by
   default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support other protocols than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require restricting the port numbers (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignments (port-set-restrict) are supported in this document:

   o  Simple port range: defined by two port values, the start and the
      end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

   (internal-src-address, internal-src-port) (internal-dst-address,
   internal-dst-port) <=> (external-src-address, external-src-port)
   (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

   (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
   identifier) <=> (external-src-address, external-dst-address,
   external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.
   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address as assigned
      by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address as used
      by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows including either an IPv4 or an IPv6 address
   as the internal IP address.  The remaining fields are common to both
   NAT schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: TCP (6)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: 25636
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: t (a port number that is chosen by the NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  internal-dst-port: 8080
   o  external-dst-address: 198.51.100.1
   o  external-dst-port: 8080

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMP (1)
   o  internal-src-address: 198.51.100.1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT44)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT44)
   o  internal-dst-address: 198.51.100.11

   The mapping that will be created by a NAT64 upon receipt of an ICMP
   request from source address 2001:db8:aaaa::1 and ICMP identifier
   (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
   characterized as follows:

   o  type: dynamic implicit mapping.
   o  transport-protocol: ICMPv6 (58)
   o  internal-src-address: 2001:db8:aaaa::1
   o  internal-src-port: ID1
   o  external-src-address: T (an IPv4 address configured on the NAT64)
   o  external-src-port: ID2 (an ICMP identifier that is chosen by the
      NAT64)
   o  internal-dst-address: 2001:db8:1234::198.51.100.1
   o  external-dst-address: 198.51.100.1

   Note that a mapping table is maintained only for stateful NAT
   functions.  Particularly:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.
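   The following Python is an added example, not part of this draft and
   not any vendor's NAT code: it serves Section 2.7 and Section 2.8
   together by computing the algorithmic port set (psid-offset, psid-len,
   psid) as RFC 7597 defines it, checking that two such sets never
   overlap, and then building the mapping entries of the NAT64 TCP SYN
   and ICMPv6 examples above with external-src-port drawn from that port
   set.  The /96 NAT64 prefix 2001:db8:1234::/96, the external address
   192.0.2.1 standing in for "T", and the class and function names are
   assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions for this example: a /96 NAT64 prefix consistent with the draft's
# 2001:db8:1234::198.51.100.1, and 192.0.2.1 as the external address "T".
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/96")
EXTERNAL_IPV4 = "192.0.2.1"
TCP, ICMP, ICMPV6 = 6, 1, 58          # IANA protocol numbers used by the draft

PortRange = Tuple[int, int]           # inclusive (start, end), as in the YANG grouping


def psid_port_set(psid_offset: int, psid_len: int, psid: int) -> List[PortRange]:
    """Port ranges selected by one PSID (RFC 7597, Section 5.1).

    A 16-bit port is laid out as  A (a bits) | PSID (k bits) | M (m bits),
    m = 16 - a - k.  When a > 0 the block A = 0 is excluded, so the
    2^(16-a) lowest (system) ports are never handed out.
    """
    a, k = psid_offset, psid_len
    if not (0 <= a <= 15 and 0 <= k <= 15 and a + k <= 16):
        raise ValueError("psid-offset and psid-len must be 0..15 and fit in 16 bits")
    if not 0 <= psid < (1 << k):
        raise ValueError("psid does not fit in psid-len bits")
    m = 16 - a - k
    ranges = []
    for block in range(1 if a > 0 else 0, 1 << a):
        start = (block << (16 - a)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def port_sets_overlap(x: List[PortRange], y: List[PortRange]) -> bool:
    """True if some port is in both sets; Section 1.1 requires that hosts
    sharing one port-restricted IPv4 address never overlap."""
    return any(s1 <= e2 and s2 <= e1 for s1, e1 in x for s2, e2 in y)


def embedded_ipv4(addr6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Recover the IPv4 address in the low 32 bits of a /96 NAT64 address (RFC 6052)."""
    addr = ipaddress.IPv6Address(addr6)
    if addr not in prefix:
        raise ValueError(f"{addr6} is outside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


@dataclass
class MappingEntry:
    """The mapping-entry fields of Section 2.8; the dst ports are None for ICMP."""
    type: str
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int          # port, or ICMP identifier
    external_src_address: str
    external_src_port: int          # port, or ICMP identifier chosen by the NAT
    internal_dst_address: str
    external_dst_address: str
    internal_dst_port: Optional[int] = None
    external_dst_port: Optional[int] = None


class Nat64:
    """Stateful NAT64 whose external ports/identifiers come from a restricted port set."""

    def __init__(self, external_ipv4: str, port_set: List[PortRange]) -> None:
        self.external_ipv4 = external_ipv4
        self.free_ports = [p for s, e in port_set for p in range(s, e + 1)]
        self.table: Dict[tuple, MappingEntry] = {}

    def dynamic_implicit_mapping(self, proto: int, src6: str, src_port: int,
                                 dst6: str, dst_port: Optional[int] = None) -> MappingEntry:
        """Return the mapping for this flow, creating it on the first packet."""
        key = (proto, src6, src_port, dst6, dst_port)
        if key in self.table:
            return self.table[key]
        if not self.free_ports:
            raise RuntimeError("restricted port set exhausted; no new mapping")
        entry = MappingEntry(
            type="dynamic-implicit",
            transport_protocol=proto,
            internal_src_address=src6,
            internal_src_port=src_port,
            external_src_address=self.external_ipv4,
            external_src_port=self.free_ports.pop(0),   # "t" / "ID2" in the draft
            internal_dst_address=dst6,
            external_dst_address=embedded_ipv4(dst6),
            internal_dst_port=dst_port,
            external_dst_port=dst_port,                 # left unchanged by NAT64
        )
        self.table[key] = entry
        return entry


if __name__ == "__main__":
    ports = psid_port_set(6, 8, 0x34)          # RFC 7597 example values
    print(ports[0], ports[-1], len(ports))
    nat = Nat64(EXTERNAL_IPV4, ports)
    print(nat.dynamic_implicit_mapping(TCP, "2001:db8:aaaa::1", 25636,
                                       "2001:db8:1234::198.51.100.1", 8080))
```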
   o  No per-flow mapping is maintained for EAM [RFC7757].

   o  No mapping table is maintained for stateless NAT64.  As a
      reminder, in such deployments internal IPv6 nodes are addressed
      using IPv4-translatable IPv6 addresses, which enable them to be
      accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limit and connection-limit).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

2.10.  Binding the NAT Function to an External Interface or VRF

   The model allows specifying the interface or Virtual Routing and
   Forwarding (VRF) instance on which the NAT function must be applied
   (external-realm).  Distinct interfaces/VRFs can be provided as a
   function of the NAT policy (see for example, Section 4 of [RFC7289]).

   If no external interface/VRF is provided, this assumes that the
   system is able to determine the external interface/VRF instance on
   which the NAT will be applied.  Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE.

2.11.  Tree Structure

   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id         uint32
              +--rw name?      string
              +--rw enable?    boolean
              +--rw capabilities
              |  +--rw nat-flavor*                                   identityref
              |  +--rw nat44-flavor*                                 identityref
              |  +--rw restricted-port-support?                      boolean
              |  +--rw static-mapping-support?                       boolean
              |  +--rw port-randomization-support?                   boolean
              |  +--rw port-range-allocation-support?                boolean
              |  +--rw port-preservation-suport?                     boolean
              |  +--rw port-parity-preservation-support?             boolean
              |  +--rw address-roundrobin-support?                   boolean
              |  +--rw paired-address-pooling-support?               boolean
              |  +--rw endpoint-independent-mapping-support?         boolean
              |  +--rw address-dependent-mapping-support?            boolean
              |  +--rw address-and-port-dependent-mapping-support?   boolean
              |  +--rw endpoint-independent-filtering-support?       boolean
              |  +--rw address-dependent-filtering?                  boolean
              |  +--rw address-and-port-dependent-filtering?         boolean
              +--rw nat-pass-through* [id]
              |  +--rw id        uint32
              |  +--rw prefix?   inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                               uint32
              |  +--rw clat-parameters
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [translation-id]
              |  |  +--rw translation-id          uint32
              |  |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix]
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix?   inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |  +--rw nat64-prefix        inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?   boolean
              |  +--rw external-ip-address-pool* [pool-id]
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool?   inet:ipv4-prefix
              |  +--rw port-set-restrict
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?   uint8
              |  |        +--rw psid-len       uint8
              |  |        +--rw psid           uint16
              |  +--rw dst-nat-enable?                  boolean
              |  +--rw dst-ip-address-pool* [pool-id]
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool?   inet:ip-prefix
              |  +--rw supported-transport-protocols* [transport-protocol-id]
              |  |  +--rw transport-protocol-id      uint8
              |  |  +--rw transport-protocol-name?   string
              |  +--rw subscriber-mask-v6?              uint8
              |  +--rw subscriber-match* [sub-match-id]
              |  |  +--rw sub-match-id   uint32
              |  |  +--rw sub-mask       inet:ip-prefix
              |  +--rw paired-address-pooling?          boolean
              |  +--rw mapping-type?                    enumeration
              |  +--rw filtering-type?                  enumeration
              |  +--rw port-quota* [quota-type]
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-allocation-type?            enumeration
              |  +--rw address-roundrobin-enable?       boolean
              |  +--rw port-set
              |  |  +--rw port-set-size?      uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers
              |  |  +--rw udp-timeout?               uint32
              |  |  +--rw tcp-idle-timeout?          uint32
              |  |  +--rw tcp-trans-open-timeout?    uint32
              |  |  +--rw tcp-trans-close-timeout?   uint32
              |  |  +--rw tcp-in-syn-timeout?        uint32
              |  |  +--rw fragment-min-timeout?      uint32
              |  |  +--rw icmp-timeout?              uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw port-timeout   uint32
              |  |  +--rw hold-down-timeout?         uint32
              |  |  +--rw hold-down-max?             uint32
              |  +--rw algs* [name]
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw transport-port?       inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?                 boolean
              |  +--rw notify-pool-usage
              |  |  +--rw pool-id?         uint32
              |  |  +--rw high-threshold   percent
              |  |  +--rw low-threshold?   percent
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |        |  +--rw external-interface?      if:interface-ref
              |        +--:(vrf)
              |           +--rw external-vrf-instance?   identityref
              +--rw mapping-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw connection-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw logging-info
              |  +--rw logging-enable?       boolean
              |  +--rw destination-address   inet:ip-prefix
              |  +--rw destination-port      inet:port-number
              |  +--rw (protocol)?
              |     +--:(syslog)
              |     |  +--rw syslog?   boolean
              |     +--:(ipfix)
              |     |  +--rw ipfix?    boolean
              |     +--:(ftp)
              |        +--rw ftp?      boolean
              +--rw mapping-table
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro traffic-statistics
                 |  +--ro sent-packets?      yang:zero-based-counter64
                 |  +--ro sent-bytes?        yang:zero-based-counter64
                 |  +--ro rcvd-packets?      yang:zero-based-counter64
                 |  +--ro rcvd-bytes?        yang:zero-based-counter64
                 |  +--ro dropped-packets?   yang:zero-based-counter64
                 |  +--ro dropped-bytes?     yang:zero-based-counter64
                 +--ro mapping-statistics
                 |  +--ro total-mappings?        yang:gauge32
                 |  +--ro total-tcp-mappings?    yang:gauge32
                 |  +--ro total-udp-mappings?    yang:gauge32
                 |  +--ro total-icmp-mappings?   yang:gauge32
                 +--ro pool-stats
                    +--ro pool-id?               uint32
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro port-stats
                       +--ro ports-allocated?   yang:gauge32
                       +--ro ports-free?        yang:gauge32

     notifications:
       +---n nat-event
          +--ro id?                     -> /nat/instances/instance/id
          +--ro policy-id?              -> /nat/instances/instance/policy/id
          +--ro pool-id?                -> /nat/instances/instance/policy/external-ip-address-pool/pool-id
          +--ro notify-pool-threshold   percent

3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2017-10-30.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }
     import ietf-interfaces { prefix if; }

     organization "IETF OPSAWG (Operations and Management Area Working Group)";

     contact

       "WG Web:
        WG List:

        WG Chair: Ignas Bagdonas

        WG Chair: Joe Clarke

        WG Chair: Tianran Zhou

        Editor: Mohamed Boucadair

        Editor: Senthil Sivakumar

        Editor: Christian Jacquenet

        Editor: Suresh Vinapamula

        Editor: Qin Wu
       ";

     description
       "This module is a YANG module for NAT implementations
        (including NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-10-30 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for Network Address Translation
          (NAT) and Network Prefix Translation (NPT)";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for NAT type.";
     }

     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     identity basic-nat {
       base nat:nat44;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     identity napt {
       base nat:nat44;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
          Translation from IPv6 Clients to IPv4 Servers";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
          Translation";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
          Translation";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     identity vrf-routing-instance {
       description
         "This identity represents a VRF routing instance.";
       reference
         "Section 8.9 of RFC 4026.";
     }

     /*
      * Grouping
      */

     grouping port-number {
       description
         "Individual port or a range of ports.
          When only start-port-number is present,
          it represents a single port.";

       leaf start-port-number {
         type inet:port-number;
         description
           "Beginning of the port range.";
         reference
           "Section 3.2.9 of RFC 8045.";
       }

       leaf end-port-number {
         type inet:port-number;

         must ". >= ../start-port-number"
         {
           error-message
             "The end-port-number must be greater than or
              equal to start-port-number.";
         }
         description
           "End of the port range.";
         reference
           "Section 3.2.10 of RFC 8045.";
       }
     }

     grouping port-set {
       description
         "Indicates a set of ports.

          It may be a simple port range, or use the Port Set ID (PSID)
          algorithm to represent a range of transport layer
          ports which will be used by a NAPT.";

       choice port-type {
         default port-range;
         description
           "Port type: port-range or port-set-algo.";
         case port-range {
           uses port-number;
         }

         case port-set-algo {
           leaf psid-offset {
             type uint8 {
               range 0..15;
             }

             description
               "The number of offset bits (a.k.a., 'a' bits).

                Specifies the numeric value for the excluded port
                range/offset bits.

                Allowed values are between 0 and 15.";

             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;

             description
               "The length of PSID, representing the sharing
                ratio for an IPv4 address (also known as 'k').

                The address-sharing ratio would be 2^k.";

             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
             reference
               "Section 5.1 of RFC 7597";
           }
         }
         reference
           "RFC 7597: Mapping of Address and Port with
            Encapsulation (MAP-E)";
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is explicitly configured
                (e.g., via command-line interface).";
           }
           enum "dynamic-implicit" {
             description
               "This mapping is created implicitly as a side effect
                of processing a packet that requires a new mapping.";
           }

           enum "dynamic-explicit" {
             description
               "This mapping is created as a result of an explicit
                request, e.g., a PCP message.";
           }
         }
         description
           "Indicates the type of a mapping entry.  E.g.,
            a mapping can be: static, implicit dynamic
            or explicit dynamic.";
       }

       leaf transport-protocol {
         type uint8;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.
            For example, this field contains 6 (TCP) for a TCP
            mapping or 17 (UDP) for a UDP mapping.
978 If this leaf is not instantiated, then the mapping 979 applies to any protocol."; 980 } 982 leaf internal-src-address { 983 type inet:ip-prefix; 984 description 985 "Corresponds to the source IPv4/IPv6 address/prefix 986 of the packet received on an internal 987 interface."; 988 } 990 container internal-src-port { 991 description 992 "Corresponds to the source port of the 993 packet received on an internal interface. 995 It is used also to indicate the internal 996 source ICMP identifier. 998 As a reminder, all the ICMP Query messages contain 999 an 'Identifier' field, which is referred to in this 1000 document as the 'ICMP Identifier'."; 1002 uses port-number; 1003 } 1005 leaf external-src-address { 1006 type inet:ip-prefix; 1007 description 1008 "Source IP address/prefix of the packet sent 1009 on an external interface of the NAT."; 1010 } 1012 container external-src-port { 1013 description 1014 "Source port of the packet sent 1015 on an external interafce of the NAT. 1017 It is used also to indicate the external 1018 source ICMP identifier."; 1020 uses port-number; 1021 } 1023 leaf internal-dst-address { 1024 type inet:ip-prefix; 1025 description 1026 "Corresponds to the destination IP address/prefix 1027 of the packet received on an internal interface 1028 of the NAT. 1030 For example, some NAT implementations support 1031 the translation of both source and destination 1032 addresses and ports, sometimes referred to 1033 as 'Twice NAT'."; 1034 } 1036 container internal-dst-port { 1037 description 1038 "Corresponds to the destination port of the 1039 IP packet received on the internal interface. 
1041 It is used also to include the internal 1042 destination ICMP identifier."; 1044 uses port-number; 1045 } 1046 leaf external-dst-address { 1047 type inet:ip-prefix; 1048 description 1049 "Corresponds to the destination IP address/prefix 1050 of the packet sent on an external interface 1051 of the NAT."; 1052 } 1054 container external-dst-port { 1055 description 1056 "Corresponds to the destination port number of 1057 the packet sent on the external interface 1058 of the NAT. 1060 It is used also to include the external 1061 destination ICMP identifier."; 1063 uses port-number; 1064 } 1066 leaf lifetime { 1067 type uint32; 1068 units "seconds"; 1069 description 1070 "When specified, it is used to track the connection that is 1071 fully-formed (e.g., once the three-way handshake 1072 TCP is completed) or the duration for maintaining 1073 an explicit mapping alive. The mapping entry will be 1074 removed by the NAT instance once this lifetime is expired. 1076 When reported in a get operation, the lifetime indicates 1077 the remaining validity lifetime. 1079 Static mappings may not be associated with a 1080 lifetime. 
If no lifetime is associated with a 1081 static mapping, an explicit action is requried to 1082 remove that mapping."; 1083 } 1084 } 1086 /* 1087 * NAT Module 1088 */ 1090 container nat { 1091 description 1092 "NAT module"; 1094 container instances { 1095 description 1096 "NAT instances"; 1098 list instance { 1099 key "id"; 1101 description 1102 "A NAT instance."; 1104 leaf id { 1105 type uint32; 1106 description 1107 "NAT instance identifier."; 1108 reference 1109 "RFC 7659."; 1110 } 1112 leaf name { 1113 type string; 1114 description 1115 "A name associated with the NAT instance."; 1116 } 1118 leaf enable { 1119 type boolean; 1120 description 1121 "Status of the the NAT instance."; 1122 } 1124 container capabilities { 1125 description 1126 "NAT capabilities"; 1128 leaf-list nat-flavor { 1129 type identityref { 1130 base nat-type; 1131 } 1132 description 1133 "Type of NAT."; 1134 } 1136 leaf-list nat44-flavor { 1137 when "../nat-flavor = 'nat44'"; 1138 type identityref { 1139 base nat44; 1140 } 1141 description 1142 "Type of NAT44: Basic NAT or NAPT."; 1143 } 1145 leaf restricted-port-support { 1146 type boolean; 1147 description 1148 "Indicates source port NAT restriction 1149 support."; 1150 reference 1151 "RFC 7596: Lightweight 4over6: An Extension to 1152 the Dual-Stack Lite Architecture."; 1153 } 1155 leaf static-mapping-support { 1156 type boolean; 1157 description 1158 "Indicates whether static mappings are supported."; 1159 } 1161 leaf port-randomization-support { 1162 type boolean; 1163 description 1164 "Indicates whether port randomization is supported."; 1165 reference 1166 "Section 4.2.1. 
of RFC 4787."; 1167 } 1169 leaf port-range-allocation-support { 1170 type boolean; 1171 description 1172 "Indicates whether port range allocation is supported."; 1173 reference 1174 "Section 1.1 of RFC 7753."; 1175 } 1177 leaf port-preservation-suport { 1178 type boolean; 1179 description 1180 "Indicates whether port preservation is supported."; 1181 reference 1182 "Section 4.2.1. of RFC 4787."; 1183 } 1185 leaf port-parity-preservation-support { 1186 type boolean; 1187 description 1188 "Indicates whether port parity preservation is supported."; 1189 reference 1190 "Section 8 of RFC 7857."; 1191 } 1193 leaf address-roundrobin-support { 1194 type boolean; 1195 description 1196 "Indicates whether address allocation round robin is supported."; 1197 } 1199 leaf paired-address-pooling-support { 1200 type boolean; 1201 description 1202 "Indicates whether paired-address-pooling is supported"; 1203 reference 1204 "REQ-2 of RFC 4787."; 1205 } 1207 leaf endpoint-independent-mapping-support { 1208 type boolean; 1209 description 1210 "Indicates whether endpoint-independent- 1211 mapping in Section 4 of RFC 4787 is 1212 supported."; 1213 reference 1214 "Section 4 of RFC 4787."; 1215 } 1217 leaf address-dependent-mapping-support { 1218 type boolean; 1219 description 1220 "Indicates whether address-dependent-mapping is supported."; 1221 reference 1222 "Section 4 of RFC 4787."; 1223 } 1225 leaf address-and-port-dependent-mapping-support { 1226 type boolean; 1227 description 1228 "Indicates whether address-and-port-dependent-mapping is supported."; 1229 reference 1230 "Section 4 of RFC 4787."; 1231 } 1233 leaf endpoint-independent-filtering-support { 1234 type boolean; 1235 description 1236 "Indicates whether endpoint-independent-filtering is supported."; 1237 reference 1238 "Section 5 of RFC 4787."; 1239 } 1241 leaf address-dependent-filtering { 1242 type boolean; 1243 description 1244 "Indicates whether address-dependent-filtering is supported."; 1245 reference 1246 "Section 5 of 
RFC 4787."; 1247 } 1249 leaf address-and-port-dependent-filtering { 1250 type boolean; 1251 description 1252 "Indicates whether address-and-port-dependent is supported."; 1253 reference 1254 "Section 5 of RFC 4787."; 1255 } 1256 } 1258 list nat-pass-through { 1259 key id; 1261 description 1262 "IP prefix NAT pass through."; 1264 leaf id { 1265 type uint32; 1266 description 1267 "An identifier of the IP prefix pass 1268 through."; 1269 } 1271 leaf prefix { 1272 type inet:ip-prefix; 1273 description 1274 "The IP addresses that match 1275 should not be translated. According to 1276 REQ#6 of RFC6888, it must be possible 1277 to administratively turn off translation 1278 for specific destination addresses 1279 and/or ports."; 1280 reference 1281 "REQ#6 of RFC6888."; 1282 } 1284 leaf port { 1285 type inet:port-number; 1286 description 1287 "According to REQ#6 of RFC6888, it must 1288 be possible to administratively turn off 1289 translation for specific destination addresses 1290 and/or ports. 1292 If no prefix is defined, the NAT pass through 1293 bound to a given port applies for any destination 1294 address."; 1296 reference 1297 "REQ#6 of RFC6888."; 1298 } 1299 } 1301 list policy { 1302 key id; 1303 description 1304 "NAT parameters for a given instance"; 1306 leaf id { 1307 type uint32; 1308 description 1309 "An identifier of the NAT policy."; 1310 } 1312 container clat-parameters { 1313 description 1314 "CLAT parameters."; 1316 list clat-ipv6-prefixes { 1317 when "../../../capabilities/nat-flavor = 'clat' "; 1318 key ipv6-prefix; 1319 description 1320 "464XLAT double translation treatment is 1321 stateless when a dedicated /64 is available 1322 for translation on the CLAT. 
Otherwise, the 1323 CLAT will have both stateful and stateless 1324 since it requires NAT44 from the LAN to 1325 a single IPv4 address and then stateless 1326 translation to a single IPv6 address."; 1327 reference 1328 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1329 Translation"; 1331 leaf ipv6-prefix { 1332 type inet:ipv6-prefix; 1333 description 1334 "An IPv6 prefix used for CLAT."; 1335 } 1336 } 1338 list ipv4-prefixes { 1339 when "../../../capabilities/nat-flavor = 'clat'"; 1340 key ipv4-prefix; 1341 description 1342 "Pool of IPv4 addresses used for CLAT. 1343 192.0.0.0/29 is the IPv4 service continuity 1344 prefix."; 1345 reference 1346 "RFC 7335: IPv4 Service Continuity Prefix"; 1348 leaf ipv4-prefix { 1349 type inet:ipv4-prefix; 1350 description 1351 "464XLAT double translation treatment is 1352 stateless when a dedicated /64 is available 1353 for translation on the CLAT. Otherwise, the 1354 CLAT will have both stateful and stateless 1355 since it requires NAT44 from the LAN to 1356 a single IPv4 address and then stateless 1357 translation to a single IPv6 address. 1358 The CLAT performs NAT44 for all IPv4 LAN 1359 packets so that all the LAN-originated IPv4 1360 packets appear from a single IPv4 address 1361 and are then statelessly translated to one 1362 interface IPv6 address that is claimed by 1363 the CLAT. 1365 An IPv4 address from this pool is also 1366 provided to an application that makes 1367 use of literals."; 1369 reference 1370 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1371 Translation"; 1372 } 1373 } 1374 } 1376 list nptv6-prefixes { 1377 when "../../capabilities/nat-flavor = 'nptv6' "; 1378 key translation-id; 1379 description 1380 "Provides one or a list of (internal IPv6 prefix, 1381 external IPv6 prefix) required for NPTv6. 
1383 In its simplest form, NPTv6 interconnects two network 1384 links, one of which is an 'internal' network link 1385 attached to a leaf network within a single 1386 administrative domain and the other of which is an 1387 'external' network with connectivity to the global 1388 Internet."; 1389 reference 1390 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1392 leaf translation-id { 1393 type uint32; 1394 description 1395 "An identifier of the NPTv6 prefixes."; 1396 } 1398 leaf internal-ipv6-prefix { 1399 type inet:ipv6-prefix; 1400 description 1401 "An IPv6 prefix used by an internal interface 1402 of NPTv6."; 1403 reference 1404 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1405 } 1407 leaf external-ipv6-prefix { 1408 type inet:ipv6-prefix; 1409 description 1410 "An IPv6 prefix used by the external interface 1411 of NPTv6."; 1412 reference 1413 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1414 } 1415 } 1417 list eam { 1418 when "../../capabilities/nat-flavor = 'eam' "; 1419 key ipv4-prefix; 1420 description 1421 "The Explicit Address Mapping Table, a conceptual 1422 table in which each row represents an EAM. 1424 Each EAM describes a mapping between IPv4 and IPv6 1425 prefixes/addresses."; 1426 reference 1427 "Section 3.1 of RFC 7757."; 1429 leaf ipv4-prefix { 1430 type inet:ipv4-prefix; 1431 description 1432 "The IPv4 prefix of an EAM."; 1433 reference 1434 "Section 3.2 of RFC 7757."; 1435 } 1437 leaf ipv6-prefix { 1438 type inet:ipv6-prefix; 1439 description 1440 "The IPv6 prefix of an EAM."; 1441 reference 1442 "Section 3.2 of RFC 7757."; 1443 } 1444 } 1446 list nat64-prefixes { 1447 when "../../capabilities/nat-flavor = 'nat64' " + 1448 " or ../../capabilities/nat-flavor = 'clat'"; 1449 key nat64-prefix; 1450 description 1451 "Provides one or a list of NAT64 prefixes 1452 with or without a list of destination IPv4 prefixes. 1454 Destination-based Pref64::/n is discussed in 1455 Section 5.1 of [RFC7050]). 
For example: 1456 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 1457 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 1458 reference 1459 "Section 5.1 of RFC7050."; 1461 leaf nat64-prefix { 1462 type inet:ipv6-prefix; 1463 description 1464 "A NAT64 prefix. Can be NSP or a Well-Known 1465 Prefix (WKP). 1467 Organizations deploying stateless IPv4/IPv6 1468 translation should assign a Network-Specific 1469 Prefix to their IPv4/IPv6 translation service. 1471 For stateless NAT64, IPv4-translatable IPv6 1472 addresses must use the selected Network-Specific 1473 Prefix. Both IPv4-translatable IPv6 addresses 1474 and IPv4-converted IPv6 addresses should use 1475 the same prefix."; 1476 reference 1477 "Sections 3.3 and 3.4 of RFC 6052."; 1478 } 1479 list destination-ipv4-prefix { 1480 key ipv4-prefix; 1481 description 1482 "An IPv4 prefix/address."; 1484 leaf ipv4-prefix { 1485 type inet:ipv4-prefix; 1486 description 1487 "An IPv4 address/prefix."; 1488 } 1489 } 1491 leaf stateless-enable { 1492 type boolean; 1493 description 1494 "Enable explicitly statless NAT64."; 1495 } 1496 } 1498 list external-ip-address-pool { 1499 key pool-id; 1501 description 1502 "Pool of external IP addresses used to 1503 service internal hosts. 1505 A pool is a set of IP prefixes."; 1507 leaf pool-id { 1508 type uint32; 1509 description 1510 "An identifier of the address pool."; 1511 } 1513 leaf external-ip-pool { 1514 type inet:ipv4-prefix; 1515 description 1516 "An IPv4 prefix used for NAT purposes."; 1517 } 1518 } 1520 container port-set-restrict { 1521 when "../../capabilities/restricted-port-support = 'true'"; 1523 description 1524 "Configures contiguous and non-contiguous port ranges."; 1526 uses port-set; 1528 } 1530 leaf dst-nat-enable { 1531 type boolean; 1532 default false; 1533 description 1534 "Enable/Disable destination NAT. 
1535 A NAT44 may be configured to enable 1536 Destination NAT, too."; 1537 } 1539 list dst-ip-address-pool { 1540 when "../../capabilities/nat-flavor = 'dst-nat' "; 1542 key pool-id; 1544 description 1545 "Pool of IP addresses used for destination NAT."; 1547 leaf pool-id { 1548 type uint32; 1549 description 1550 "An identifier of the address pool."; 1551 } 1553 leaf dst-in-ip-pool { 1554 type inet:ip-prefix; 1555 description 1556 "Internal IP prefix/address"; 1557 } 1559 leaf dst-out-ip-pool { 1560 type inet:ip-prefix; 1561 description 1562 "IP address/prefix used for destination NAT."; 1563 } 1564 } 1566 list supported-transport-protocols { 1567 key transport-protocol-id; 1569 description 1570 "Supported transport protocols. 1571 TCP and UDP are supported by default."; 1573 leaf transport-protocol-id { 1574 type uint8; 1575 mandatory true; 1576 description 1577 "Upper-layer protocol associated with this mapping. 1578 Values are taken from the IANA protocol registry. 1579 For example, this field contains 6 (TCP) for a TCP 1580 mapping or 17 (UDP) for a UDP mapping."; 1581 } 1583 leaf transport-protocol-name { 1584 type string; 1585 description 1586 "For example, TCP, UDP, DCCP, and SCTP."; 1587 } 1588 } 1590 leaf subscriber-mask-v6 { 1591 type uint8 { 1592 range "0 .. 128"; 1593 } 1595 description 1596 "The subscriber-mask is an integer that indicates 1597 the length of significant bits to be applied on 1598 the source IPv6 address (internal side) to 1599 unambiguously identify a CPE. 1601 Subscriber-mask is a system-wide configuration 1602 parameter that is used to enforce generic 1603 per-subscriber policies (e.g., port-quota). 1605 The enforcement of these generic policies does not 1606 require the configuration of every subscriber's 1607 prefix. 1609 Example: suppose the 2001:db8:100:100::/56 prefix 1610 is assigned to a NAT64 serviced CPE. Suppose also 1611 that 2001:db8:100:100::1 is the IPv6 address used 1612 by the client that resides in that CPE. 
When the 1613 NAT64 receives a packet from this client, 1614 it applies the subscriber-mask (e.g., 56) on 1615 the source IPv6 address to compute the associated 1616 prefix for this client (2001:db8:100:100::/56). 1617 Then, the NAT64 enforces policies based on that 1618 prefix (2001:db8:100:100::/56), not on the exact 1619 source IPv6 address."; 1621 } 1623 list subscriber-match { 1624 key sub-match-id; 1626 description 1627 "IP prefix match."; 1629 leaf sub-match-id { 1630 type uint32; 1631 description 1632 "An identifier of the subscriber mask."; 1633 } 1635 leaf sub-mask { 1636 type inet:ip-prefix; 1637 mandatory true; 1638 description 1639 "The IP address subnets that match 1640 should be translated. E.g., all addresses 1641 that belong to the 192.0.2.0/24 prefix must 1642 be processed by the NAT."; 1643 } 1644 } 1646 leaf paired-address-pooling { 1647 type boolean; 1648 default true; 1649 description 1650 "Paired address pooling informs the NAT 1651 that all the flows from an internal IP 1652 address must be assigned the same external 1653 address."; 1655 reference 1656 "RFC 4787: Network Address Translation (NAT) Behavioral Requirements 1657 for Unicast UDP"; 1658 } 1660 leaf mapping-type { 1661 type enumeration { 1662 enum "eim" { 1663 description 1664 "endpoint-independent-mapping."; 1665 reference 1666 "Section 4 of RFC 4787."; 1667 } 1669 enum "adm" { 1670 description 1671 "address-dependent-mapping."; 1673 reference 1674 "Section 4 of RFC 4787."; 1675 } 1677 enum "edm" { 1678 description 1679 "address-and-port-dependent-mapping."; 1680 reference 1681 "Section 4 of RFC 4787."; 1682 } 1683 } 1684 description 1685 "Indicates the type of a NAT mapping."; 1686 } 1688 leaf filtering-type { 1689 type enumeration { 1690 enum "eif" { 1691 description 1692 "endpoint-independent-filtering."; 1693 reference 1694 "Section 5 of RFC 4787."; 1695 } 1697 enum "adf" { 1698 description 1699 "address-dependent-filtering."; 1700 reference 1701 "Section 5 of RFC 4787."; 1702 
} 1704 enum "edf" { 1705 description 1706 "address-and-port-dependent-filtering"; 1707 reference 1708 "Section 5 of RFC 4787."; 1709 } 1710 } 1711 description 1712 "Indicates the type of a NAT filtering."; 1713 } 1715 list port-quota { 1716 when "../../capabilities/nat44-flavor = "+ 1717 "'napt' or "+ 1718 "../../capabilities/nat-flavor = "+ 1719 "'nat64'"; 1721 key quota-type; 1722 description 1723 "Configures a port quota to be assigned per 1724 subscriber. It corresponds to the maximum 1725 number of ports to be used by a subscriber."; 1727 leaf port-limit { 1728 type uint16; 1729 description 1730 "Configures a port quota to be assigned per 1731 subscriber. It corresponds to the maximum 1732 number of ports to be used by a subscriber."; 1733 reference 1734 "REQ-4 of RFC 6888."; 1735 } 1737 leaf quota-type { 1738 type uint8; 1740 description 1741 "Indicates whether the port quota applies to 1742 all protocols (0) or to a specific transport."; 1743 } 1744 } 1746 leaf port-allocation-type { 1747 type enumeration { 1748 enum "random" { 1749 description 1750 "Port randomization is enabled."; 1751 } 1753 enum "port-preservation" { 1754 description 1755 "Indicates whether the NAT should 1756 preserve the internal port number."; 1757 } 1759 enum "port-parity-preservation" { 1760 description 1761 "Indicates whether the NAT should 1762 preserve the port parity of the 1763 internal port number."; 1764 } 1766 enum "port-range-allocation" { 1767 description 1768 "Indicates whether the NAT assigns a 1769 range of ports for an internal host."; 1770 } 1771 } 1772 description 1773 "Indicates the type of a port allocation."; 1774 } 1776 leaf address-roundrobin-enable { 1777 type boolean; 1779 description 1780 "Enable/disable address allocation 1781 round robin."; 1782 } 1784 container port-set { 1785 when "../port-allocation-type='port-range-allocation'"; 1787 description 1788 "Manages port-set assignments."; 1790 leaf port-set-size { 1791 type uint16; 1792 description 1793 
"Indicates the size of assigned port 1794 sets."; 1795 } 1797 leaf port-set-timeout { 1798 type uint32; 1799 units "seconds"; 1800 description 1801 "Inactivty timeout for port sets."; 1802 } 1803 } 1805 container timers { 1806 description 1807 "Configure values of various timeouts."; 1809 leaf udp-timeout { 1810 type uint32; 1811 units "seconds"; 1812 default 300; 1813 description 1814 "UDP inactivity timeout. That is the time a mapping 1815 will stay active without packets traversing the NAT."; 1816 reference 1817 "RFC 4787: Network Address Translation (NAT) Behavioral 1818 Requirements for Unicast UDP"; 1819 } 1821 leaf tcp-idle-timeout { 1822 type uint32; 1823 units "seconds"; 1824 default 7440; 1825 description 1826 "TCP Idle timeout should be 1827 2 hours and 4 minutes."; 1828 reference 1829 "RFC 5382: NAT Behavioral Requirements for TCP"; 1830 } 1832 leaf tcp-trans-open-timeout { 1833 type uint32; 1834 units "seconds"; 1835 default 240; 1836 description 1837 "The value of the transitory open connection 1838 idle-timeout. 1840 Section 2.1 of [RFC7857] clarifies that a NAT 1841 should provide different configurable 1843 parameters for configuring the open and 1844 closing idle timeouts. 1846 To accommodate deployments that consider 1847 a partially open timeout of 4 minutes as being 1848 excessive from a security standpoint, a NAT may 1849 allow the configured timeout to be less than 1850 4 minutes. 1852 However, a minimum default transitory connection 1853 idle-timeout of 4 minutes is recommended."; 1854 reference 1855 "Section 2.1 of RFC 7857."; 1856 } 1858 leaf tcp-trans-close-timeout { 1859 type uint32; 1860 units "seconds"; 1861 default 240; 1862 description 1863 "The value of the transitory close connection 1864 idle-timeout. 
1866 Section 2.1 of [RFC7857] clarifies that a NAT 1867 should provide different configurable 1868 parameters for configuring the open and 1869 closing idle timeouts."; 1870 reference 1871 "Section 2.1 of RFC 7857."; 1872 } 1874 leaf tcp-in-syn-timeout { 1875 type uint32; 1876 units "seconds"; 1877 default 6; 1878 description 1879 "A NAT must not respond to an unsolicited 1880 inbound SYN packet for at least 6 seconds 1881 after the packet is received. If during 1882 this interval the NAT receives and translates 1883 an outbound SYN for the connection the NAT 1884 must silently drop the original unsolicited 1885 inbound SYN packet."; 1886 reference 1887 "RFC 5382 NAT Behavioral Requirements for TCP"; 1888 } 1890 leaf fragment-min-timeout { 1891 type uint32; 1892 units "seconds"; 1893 default 2; 1894 description 1895 "As long as the NAT has available resources, 1896 the NAT allows the fragments to arrive 1897 over fragment-min-timeout interval. 1898 The default value is inspired from RFC6146."; 1899 } 1901 leaf icmp-timeout { 1902 type uint32; 1903 units "seconds"; 1904 default 60; 1905 description 1906 "An ICMP Query session timer must not expire 1907 in less than 60 seconds. It is recommended 1908 that the ICMP Query session timer be made 1909 configurable"; 1910 reference 1911 "RFC 5508: NAT Behavioral Requirements for ICMP"; 1912 } 1913 list per-port-timeout { 1914 key port-number; 1915 description 1916 "Some NATs are configurable with short timeouts 1917 for some ports, e.g., as 10 seconds on 1918 port 53 (DNS) and NTP (123) and longer timeouts 1919 on other ports."; 1921 leaf port-number { 1922 type inet:port-number; 1923 description 1924 "A port number."; 1925 } 1927 leaf port-timeout { 1928 type uint32; 1929 units "seconds"; 1930 mandatory true; 1931 description 1932 "Timeout for this port"; 1933 } 1934 } 1936 leaf hold-down-timeout { 1937 type uint32; 1938 units "seconds"; 1939 default 120; 1940 description 1941 "Hold down timer. 
1943 Ports in the hold down pool are not reassigned 1944 until hold-down-timeout expires. 1946 The length of time and the maximum 1947 number of ports in this state must be 1948 configurable by the administrator. 1949 This is necessary in order 1950 to prevent collisions between old 1951 and new mappings and sessions. It ensures 1952 that all established sessions are broken 1953 instead of redirected to a different peer."; 1954 reference 1955 "REQ#8 of RFC 6888."; 1956 } 1958 leaf hold-down-max { 1959 type uint32; 1960 description 1961 "Maximum ports in the Hold down timer pool. 1963 Ports in the hold down pool are not reassigned 1964 until hold-down-timeout expires. 1966 The length of time and the maximum 1967 number of ports in this state must be 1968 configurable by the administrator. 1969 This is necessary in order 1970 to prevent collisions between old 1971 and new mappings and sessions. It ensures 1972 that all established sessions are broken 1973 instead of redirected to a different peer."; 1974 reference 1975 "REQ#8 of RFC 6888."; 1976 } 1977 } 1979 list algs { 1980 key name; 1981 description 1982 "ALG-related features."; 1984 leaf name { 1985 type string; 1986 description 1987 "The name of the ALG"; 1988 } 1990 leaf transport-protocol { 1991 type uint32; 1992 description 1993 "The transport protocol used by the ALG."; 1994 } 1996 leaf transport-port { 1997 type inet:port-number; 1998 description 1999 "The port number used by the ALG."; 2000 } 2002 leaf status { 2003 type boolean; 2004 description 2005 "Enable/disable the ALG."; 2006 } 2007 } 2008 leaf all-algs-enable { 2009 type boolean; 2010 description 2011 "Enable/disable all ALGs. 
2013 When specified, this parameter overrides the one 2014 that may be indicated, eventually, by the 'status' 2015 of an individual ALG."; 2016 } 2018 container notify-pool-usage { 2019 description 2020 "Notification of pool usage when certain criteria 2021 are met."; 2023 leaf pool-id { 2024 type uint32; 2025 description 2026 "Pool-ID for which the notification 2027 criteria is defined"; 2028 } 2030 leaf high-threshold { 2031 type percent; 2032 mandatory true; 2033 description 2034 "Notification must be generated when the 2035 defined high threshold is reached. 2037 For example, if a notification is 2038 required when the pool utilization reaches 2039 90%, this configuration parameter must 2040 be set to 90%."; 2041 } 2043 leaf low-threshold { 2044 type percent; 2045 description 2046 "Notification must be generated when the defined 2047 low threshold is reached. 2049 For example, if a notification is required when 2050 the pool utilization reaches below 10%, 2051 this configuration parameter must be set to 2052 10%."; 2053 } 2054 } 2055 container external-realm { 2056 description 2057 "Identifies the external realm of the NAT."; 2059 choice realm-type { 2060 description 2061 "Interface or VRF."; 2063 case interface { 2064 description 2065 "External interface."; 2067 leaf external-interface { 2068 type if:interface-ref; 2069 description 2070 "Name of an external interface."; 2071 } 2072 } 2074 case vrf { 2075 description 2076 "External VRF instance."; 2078 leaf external-vrf-instance { 2079 type identityref { 2080 base vrf-routing-instance; 2081 } 2082 description 2083 "A VRF instance."; 2084 } 2085 } 2086 } 2087 } 2088 } 2090 container mapping-limit { 2091 description 2092 "Information about the configuration parameters that 2093 limits the mappings based upon various criteria."; 2095 leaf limit-per-subscriber { 2096 type uint32; 2097 description 2098 "Maximum number of NAT mappings per subscriber. 
2100 A subscriber is identifier by a given prefix."; 2101 } 2102 leaf limit-per-vrf { 2103 type uint32; 2104 description 2105 "Maximum number of NAT mappings per VLAN/VRF."; 2106 } 2108 leaf limit-per-instance { 2109 type uint32; 2110 mandatory true; 2111 description 2112 "Maximum number of NAT mappings per instance."; 2113 } 2115 leaf limit-per-udp { 2116 type uint32; 2117 mandatory true; 2118 description 2119 "Maximum number of UDP NAT mappings per subscriber."; 2120 } 2122 leaf limit-per-tcp { 2123 type uint32; 2124 mandatory true; 2125 description 2126 "Maximum number of TCP NAT mappings per subscriber."; 2127 } 2129 leaf limit-per-icmp { 2130 type uint32; 2131 mandatory true; 2132 description 2133 "Maximum number of ICMP NAT mappings per subscriber."; 2134 } 2135 } 2137 container connection-limit { 2138 description 2139 "Information about the configuration parameters that 2140 rate limit the translation based upon various 2141 criteria."; 2143 leaf limit-per-subscriber { 2144 type uint32; 2145 units "bits/second"; 2146 description 2147 "Rate-limit the number of new mappings 2148 and sessions per subscriber."; 2149 } 2150 leaf limit-per-vrf { 2151 type uint32; 2152 units "bits/second"; 2153 description 2154 "Rate-limit the number of new mappings 2155 and sessions per VLAN/VRF."; 2156 } 2158 leaf limit-per-instance { 2159 type uint32; 2160 units "bits/second"; 2161 mandatory true; 2162 description 2163 "Rate-limit the number of new mappings 2164 and sessions per instance."; 2165 } 2167 leaf limit-per-udp { 2168 type uint32; 2169 units "bits/second"; 2170 mandatory true; 2171 description 2172 "Rate-limit the number of new UDP mappings 2173 and sessions per subscriber."; 2174 } 2176 leaf limit-per-tcp { 2177 type uint32; 2178 units "bits/second"; 2179 mandatory true; 2180 description 2181 "Rate-limit the number of new TCP mappings 2182 and sessions per subscriber."; 2183 } 2185 leaf limit-per-icmp { 2186 type uint32; 2187 units "bits/second"; 2188 mandatory true; 
2189 description 2190 "Rate-limit the number of new ICMP mappings 2191 and sessions per subscriber."; 2192 } 2193 } 2195 container logging-info { 2196 description 2197 "Information about logging NAT events"; 2199 leaf logging-enable { 2200 type boolean; 2201 description 2202 "Enable logging features."; 2203 reference 2204 "Section 2.3 of RFC 6908."; 2205 } 2207 leaf destination-address { 2208 type inet:ip-prefix; 2209 mandatory true; 2210 description 2211 "Address of the collector that receives 2212 the logs"; 2213 } 2215 leaf destination-port { 2216 type inet:port-number; 2217 mandatory true; 2218 description 2219 "Destination port of the collector."; 2220 } 2222 choice protocol { 2224 description 2225 "Enable the protocol to be used for 2226 the retrieval of logging entries."; 2228 case syslog { 2229 leaf syslog { 2230 type boolean; 2231 description 2232 "If SYSLOG is in use."; 2233 } 2234 } 2236 case ipfix { 2237 leaf ipfix { 2238 type boolean; 2239 description 2240 "If IPFIX is in use."; 2241 } 2242 } 2244 case ftp { 2245 leaf ftp { 2246 type boolean; 2247 description 2248 "If FTP is in use."; 2249 } 2250 } 2251 } 2252 } 2254 container mapping-table { 2255 when "../capabilities/nat-flavor = "+ 2256 "'nat44' or "+ 2257 "../capabilities/nat-flavor = "+ 2258 "'nat64'or "+ 2259 "../capabilities/nat-flavor = "+ 2260 "'clat'or "+ 2261 "../capabilities/nat-flavor = 'dst-nat'"; 2263 description 2264 "NAT mapping table. 
Applicable for functions 2265 which maintain static and/or dynamic mappings, 2266 such as NAT44, Destination NAT, NAT64, or CLAT."; 2268 list mapping-entry { 2269 key "index"; 2270 description 2271 "NAT mapping entry."; 2272 uses mapping-entry; 2273 } 2274 } 2276 container statistics { 2277 config false; 2279 description 2280 "Statistics related to the NAT instance."; 2282 container traffic-statistics { 2283 description 2284 "Generic traffic statistics."; 2286 leaf sent-packets { 2287 type yang:zero-based-counter64; 2288 description 2289 "Number of packets sent."; 2290 } 2292 leaf sent-bytes { 2293 type yang:zero-based-counter64; 2294 description 2295 "Counter for sent traffic in bytes."; 2296 } 2298 leaf rcvd-packets { 2299 type yang:zero-based-counter64; 2300 description 2301 "Number of received packets."; 2302 } 2304 leaf rcvd-bytes { 2305 type yang:zero-based-counter64; 2306 description 2307 "Counter for received traffic 2308 in bytes."; 2309 } 2311 leaf dropped-packets { 2312 type yang:zero-based-counter64; 2313 description 2314 "Number of dropped packets."; 2315 } 2317 leaf dropped-bytes { 2318 type yang:zero-based-counter64; 2319 description 2320 "Counter for dropped traffic in 2321 bytes."; 2322 } 2323 } 2325 container mapping-statistics { 2326 when "../../capabilities/nat-flavor = "+ 2327 "'nat44' or "+ 2328 "../../capabilities/nat-flavor = "+ 2329 "'nat64'or "+ 2330 "../../capabilities/nat-flavor = 'dst-nat'"; 2332 description 2333 "Mapping statistics."; 2335 leaf total-mappings { 2336 type yang:gauge32; 2337 description 2338 "Total number of NAT mappings present 2339 at a given time.
This variable includes 2340 all the static and dynamic mappings."; 2341 } 2342 leaf total-tcp-mappings { 2343 type yang:gauge32; 2344 description 2345 "Total number of TCP mappings present 2346 at a given time."; 2347 } 2349 leaf total-udp-mappings { 2350 type yang:gauge32; 2351 description 2352 "Total number of UDP mappings present 2353 at a given time."; 2354 } 2356 leaf total-icmp-mappings { 2357 type yang:gauge32; 2358 description 2359 "Total number of ICMP mappings present 2360 at a given time."; 2361 } 2362 } 2364 container pool-stats { 2366 when "../../capabilities/nat-flavor = "+ 2367 "'nat44' or "+ 2368 "../../capabilities/nat-flavor = "+ 2369 "'nat64'"; 2371 description 2372 "Statistics related to address/prefix 2373 pool usage"; 2375 leaf pool-id { 2376 type uint32; 2377 description 2378 "Unique Identifier that represents 2379 a pool of addresses/prefixes."; 2380 } 2382 leaf addresses-allocated { 2383 type yang:gauge32; 2384 description 2385 "Number of allocated addresses in 2386 the pool"; 2387 } 2389 leaf addresses-free { 2390 type yang:gauge32; 2391 description 2392 "Number of unallocated addresses in 2393 the pool at a given time. The sum of 2394 unallocated and allocated 2395 addresses is the total number of 2396 addresses of the pool."; 2397 } 2399 container port-stats { 2401 description 2402 "Statistics related to port 2403 usage."; 2405 leaf ports-allocated { 2406 type yang:gauge32; 2407 description 2408 "Number of allocated ports 2409 in the pool."; 2410 } 2412 leaf ports-free { 2413 type yang:gauge32; 2414 description 2415 "Number of unallocated ports 2416 in the pool."; 2417 } 2418 } 2419 } 2420 } 2421 } 2422 } 2423 } 2425 /* 2426 * Notifications 2427 */ 2429 notification nat-event { 2430 description 2431 "Notifications must be generated when the defined 2432 high/low threshold is reached.
Related 2433 configuration parameters must be provided to 2434 trigger the notifications."; 2436 leaf id { 2437 type leafref { 2438 path 2439 "/nat/instances/" 2440 + "instance/id"; 2441 } 2442 description 2443 "NAT instance ID."; 2444 } 2446 leaf policy-id { 2447 type leafref { 2448 path 2449 "/nat/instances/" 2450 + "instance/policy/id"; 2451 } 2453 description 2454 "Policy ID."; 2455 } 2457 leaf pool-id { 2458 type leafref { 2459 path 2460 "/nat/instances/" 2461 + "instance/policy/" 2462 + "external-ip-address-pool/pool-id"; 2463 } 2464 description 2465 "Pool ID."; 2466 } 2468 leaf notify-pool-threshold { 2469 type percent; 2470 mandatory true; 2471 description 2472 "A threshold has been reached."; 2473 } 2474 } 2475 } 2476 2478 4. Security Considerations 2480 The YANG module defined in this document is designed to be accessed 2481 via network management protocols such as NETCONF [RFC6241] or 2482 RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport 2483 layer, and the mandatory-to-implement secure transport is Secure 2484 Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the 2485 mandatory-to-implement secure transport is TLS [RFC5246]. 2487 The NETCONF access control model [RFC6536] provides the means to 2488 restrict access for particular NETCONF or RESTCONF users to a 2489 preconfigured subset of all available NETCONF or RESTCONF protocol 2490 operations and content. 2492 All data nodes defined in the YANG module that can be created, 2493 modified and deleted (i.e., config true, which is the default) 2494 are considered sensitive. Write operations (e.g., 2495 edit-config) applied to these data nodes without proper protection 2496 can negatively affect network operations. In particular, entries of the mapping-table decide which internal and external addresses and ports are bound to each other, the logging-info container decides whether NAT events are logged at all and which collector receives them, and the per-subscriber, per-VRF and per-instance limits bound the resources a single subscriber can consume; unauthorized writes to these nodes can redirect traffic, sever the log trail that ties an external address and port back to a subscriber, or let one subscriber exhaust the NAT. 2498 Security considerations related to address and prefix translation are 2499 discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and 2500 [RFC6296]. 2502 5.
IANA Considerations 2504 This document requests IANA to register the following URI in the 2505 "IETF XML Registry" [RFC3688]: 2507 URI: urn:ietf:params:xml:ns:yang:ietf-nat 2508 Registrant Contact: The IESG. 2509 XML: N/A; the requested URI is an XML namespace. 2511 This document requests IANA to register the following YANG module in 2512 the "YANG Module Names" registry [RFC7950]. 2514 name: ietf-nat 2515 namespace: urn:ietf:params:xml:ns:yang:ietf-nat 2516 prefix: nat 2517 reference: RFC XXXX 2519 6. Acknowledgements 2521 Many thanks to Dan Wing and Tianran Zhou for the review. 2523 Thanks to Juergen Schoenwaelder for the comments on the YANG 2524 structure and the suggestion to use NMDA. 2526 Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred 2527 Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and 2528 Kristian Poscic for the CGN review. 2530 Special thanks to Maros Marsalek and Marek Gradzki for sharing their 2531 comments based on the FD.io implementation of an earlier version of 2532 this module. 2534 Rajiv Asati suggested clarifying how the module applies for both 2535 stateless and stateful NAT64. 2537 Juergen Schoenwaelder provided an early YANG doctors review. Many 2538 thanks to him. 2540 7. References 2542 7.1. Normative References 2544 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 2545 DOI 10.17487/RFC3688, January 2004, 2546 . 2548 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 2549 Translation (NAT) Behavioral Requirements for Unicast 2550 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2551 2007, . 2553 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 2554 (TLS) Protocol Version 1.2", RFC 5246, 2555 DOI 10.17487/RFC5246, August 2008, 2556 . 2558 [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. 2559 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 2560 RFC 5382, DOI 10.17487/RFC5382, October 2008, 2561 .
2563 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 2564 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 2565 DOI 10.17487/RFC5508, April 2009, 2566 . 2568 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 2569 NAT64: Network Address and Protocol Translation from IPv6 2570 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 2571 April 2011, . 2573 [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., 2574 and A. Bierman, Ed., "Network Configuration Protocol 2575 (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, 2576 . 2578 [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure 2579 Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, 2580 . 2582 [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration 2583 Protocol (NETCONF) Access Control Model", RFC 6536, 2584 DOI 10.17487/RFC6536, March 2012, 2585 . 2587 [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: 2588 Combination of Stateful and Stateless Translation", 2589 RFC 6877, DOI 10.17487/RFC6877, April 2013, 2590 . 2592 [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, 2593 A., and H. Ashida, "Common Requirements for Carrier-Grade 2594 NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, 2595 April 2013, . 2597 [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address 2598 Mappings for Stateless IP/ICMP Translation", RFC 7757, 2599 DOI 10.17487/RFC7757, February 2016, 2600 . 2602 [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, 2603 S., and K. Naito, "Updates to Network Address Translation 2604 (NAT) Behavioral Requirements", BCP 127, RFC 7857, 2605 DOI 10.17487/RFC7857, April 2016, 2606 . 2608 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 2609 RFC 7950, DOI 10.17487/RFC7950, August 2016, 2610 . 2612 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 2613 Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, 2614 . 2616 7.2. 
Informative References 2618 [I-D.boucadair-pcp-yang] 2619 Boucadair, M., Jacquenet, C., Sivakumar, S., and S. 2620 Vinapamula, "YANG Modules for the Port Control Protocol 2621 (PCP)", draft-boucadair-pcp-yang-05 (work in progress), 2622 October 2017. 2624 [I-D.ietf-behave-ipfix-nat-logging] 2625 Sivakumar, S. and R. Penno, "IPFIX Information Elements 2626 for logging NAT Events", draft-ietf-behave-ipfix-nat- 2627 logging-13 (work in progress), January 2017. 2629 [I-D.ietf-softwire-dslite-yang] 2630 Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data 2631 Modules for the DS-Lite", draft-ietf-softwire-dslite- 2632 yang-07 (work in progress), October 2017. 2634 [I-D.ietf-tsvwg-natsupp] 2635 Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control 2636 Transmission Protocol (SCTP) Network Address Translation 2637 Support", draft-ietf-tsvwg-natsupp-11 (work in progress), 2638 July 2017. 2640 [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address 2641 Translator (NAT) Terminology and Considerations", 2642 RFC 2663, DOI 10.17487/RFC2663, August 1999, 2643 . 2645 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 2646 Address Translator (Traditional NAT)", RFC 3022, 2647 DOI 10.17487/RFC3022, January 2001, 2648 . 2650 [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) 2651 Behavioral Requirements for the Datagram Congestion 2652 Control Protocol", BCP 150, RFC 5597, 2653 DOI 10.17487/RFC5597, September 2009, 2654 . 2656 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 2657 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 2658 DOI 10.17487/RFC6052, October 2010, 2659 . 2661 [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix 2662 Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, 2663 . 2665 [RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard, 2666 "Logging Recommendations for Internet-Facing Servers", 2667 BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011, 2668 . 
2670 [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, 2671 "Diameter Network Address and Port Translation Control 2672 Application", RFC 6736, DOI 10.17487/RFC6736, October 2673 2012, . 2675 [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and 2676 P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, 2677 DOI 10.17487/RFC6887, April 2013, 2678 . 2680 [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT 2681 (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, 2682 DOI 10.17487/RFC7289, June 2014, 2683 . 2685 [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, 2686 DOI 10.17487/RFC7335, August 2014, 2687 . 2689 [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. 2690 Farrer, "Lightweight 4over6: An Extension to the Dual- 2691 Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, 2692 July 2015, . 2694 [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., 2695 Murakami, T., and T. Taylor, Ed., "Mapping of Address and 2696 Port with Encapsulation (MAP-E)", RFC 7597, 2697 DOI 10.17487/RFC7597, July 2015, 2698 . 2700 [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, 2701 "Definitions of Managed Objects for Network Address 2702 Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, 2703 October 2015, . 2705 [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., 2706 and S. Perreault, "Port Control Protocol (PCP) Extension 2707 for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, 2708 February 2016, . 2710 [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, 2711 "RADIUS Extensions for IP Port Configuration and 2712 Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, 2713 . 2715 Appendix A. Sample Examples 2717 This section provides a non-exhaustive set of examples to illustrate 2718 the use of the NAT YANG module. 2720 A.1. 
Traditional NAT44 2722 Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the 2723 same IPv4 address among hosts that are owned by the same subscriber. 2724 This is typically the NAT that is embedded in CPE devices. 2726 This NAT is usually provided with one single external IPv4 address; 2727 disambiguating connections is achieved by rewriting the source port 2728 number. The XML snippet to configure the external IPv4 address in 2729 such case together with a mapping entry is depicted below: 2731 2732 2733 1 2734 NAT_Subscriber_A 2735 .... 2736 2737 1 2738 2739 192.0.2.1 2740 2741 2742 .... 2743 2744 .... 2745 2746 192.0.2.1 2747 2748 .... 2749 2750 2751 2753 The following shows the XML excerpt depicting a dynamic UDP mapping 2754 entry maintained by a traditional NAT44. In reference to this 2755 example, the UDP packet received with a source IPv4 address 2756 (192.0.2.1) and source port number (1568) is translated into a UDP 2757 packet having a source IPv4 address (198.51.100.1) and source port 2758 (15000). The lifetime of this mapping is 300 seconds. 2760 2761 15 2762 2763 dynamic-explicit 2764 2765 2766 17 2767 2768 2769 192.0.2.1 2770 2771 2772 2773 1568 2774 2775 2776 2777 198.51.100.1 2778 2779 2780 2781 15000 2782 2783 2784 2785 300 2786 2787 2789 A.2. CGN 2791 The following XML snippet shows the example of the capabilities 2792 supported by a CGN as retrieved using NETCONF. 2794 2796 nat44 2797 2798 2799 false 2800 2801 2802 true 2803 2804 2805 true 2806 2807 2808 true 2809 2810 2811 true 2812 2813 2814 false 2815 2816 2817 true 2818 2819 2820 true 2821 2822 2823 true 2824 2825 2826 false 2827 2828 2829 false 2830 2831 2832 true 2833 2834 2835 false 2836 2837 2838 false 2839 2840 2841 The following XML snippet shows the example of a CGN that is 2842 provisioned with one contiguous pool of external IPv4 addresses 2843 (192.0.2.0/24). Further, the CGN is instructed to limit the number 2844 of allocated ports per subscriber to 1024. 
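The CGN provisioning of this section (an external-ip-address-pool of one /24, a per-subscriber quota of 1024 ports handed out as fixed-size port ranges) and the per-subscriber limits, pool-stats/port-stats gauges and nat-event notification defined in the module above drive the following Python, added here as an example; it is not code from the draft or from any implementation it cites. It keeps each subscriber on a single external address, carves ranges upward from port 1024, reports the addresses-allocated/addresses-free and ports-allocated/ports-free gauges, and contains the threshold test that would raise nat-event. The class and function names, the port-1024 starting point and the strict one-address-per-subscriber rule are assumptions.

```python
import ipaddress


class CgnPortRangeAllocator:
    """Port-range allocation for a CGN provisioned as in Appendix A.2: one
    external address pool, a per-subscriber port quota, allocation in fixed-size
    port ranges. Assumptions not taken from the draft: ports 0-1023 are never
    handed out, ranges are carved upward from first_port, and a subscriber keeps
    a single external address ("paired" pooling, RFC 4787 / RFC 6888)."""

    def __init__(self, pool, port_limit=1024, range_size=256, first_port=1024):
        if port_limit % range_size or (65536 - first_port) % range_size:
            raise ValueError("quota and usable port space must be multiples of range_size")
        self.range_size = range_size
        self.ranges_per_subscriber = port_limit // range_size      # 4 in A.2
        self.ranges_per_address = (65536 - first_port) // range_size
        # free range slots (start ports) per external address, in pool order
        self.free = {
            str(addr): [first_port + i * range_size
                        for i in range(self.ranges_per_address)]
            for addr in ipaddress.ip_network(pool).hosts()
        }
        self.assigned = {}  # subscriber -> [(external address, first port, last port)]

    def allocate(self, subscriber):
        """Hand the subscriber one more port range; None when its quota, its
        external address, or the whole pool is exhausted."""
        ranges = self.assigned.setdefault(subscriber, [])
        if len(ranges) >= self.ranges_per_subscriber:
            return None                      # per-subscriber port quota reached
        if ranges:
            addr = ranges[0][0]              # paired pooling: stay on the same address
        else:
            addr = next((a for a, slots in self.free.items() if slots), None)
        if addr is None or not self.free[addr]:
            return None                      # pool, or this subscriber's address, exhausted
        start = self.free[addr].pop(0)
        rng = (addr, start, start + self.range_size - 1)
        ranges.append(rng)
        return rng

    def release(self, subscriber):
        """Return all of a subscriber's ranges to the pool (session teardown)."""
        for addr, start, _ in self.assigned.pop(subscriber, []):
            self.free[addr].append(start)
            self.free[addr].sort()

    def pool_stats(self):
        """The pool-stats / port-stats gauges of the module's statistics container."""
        in_use = sum(1 for slots in self.free.values()
                     if len(slots) < self.ranges_per_address)
        allocated = sum(len(r) for r in self.assigned.values()) * self.range_size
        total = len(self.free) * self.ranges_per_address * self.range_size
        return {
            "addresses-allocated": in_use,
            "addresses-free": len(self.free) - in_use,
            "ports-allocated": allocated,
            "ports-free": total - allocated,
        }

    def utilisation_percent(self):
        """Pool port utilisation, the quantity compared with notify-pool-threshold."""
        s = self.pool_stats()
        return 100.0 * s["ports-allocated"] / (s["ports-allocated"] + s["ports-free"])


def threshold_crossed(previous_pct, current_pct, notify_pool_threshold):
    """True only when utilisation crosses notify-pool-threshold upward, so one
    nat-event is raised per crossing rather than on every allocation."""
    return previous_pct < notify_pool_threshold <= current_pct
```

With the A.2 values (192.0.2.0/24, 1024 ports per subscriber, 256-port ranges) a subscriber's fifth allocate() returns None, which is the point at which a CGN must refuse new sessions for that subscriber rather than borrow ports from another address; pool_stats() exposes why.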
Ports can be allocated by 2845 the CGN by assigning ranges of 256 ports (that is, a subscriber can 2846 be allocated up to four port ranges of 256 ports each). 2848 2849 2850 1 2851 myCGN 2852 .... 2853 2854 1 2855 2856 192.0.2.0/24 2857 2858 2859 2860 2861 1024 2862 2863 2864 all 2865 2866 2867 2868 port-range-allocation 2869 2870 2871 2872 256 2873 2874 2875 .... 2876 2877 2879 An administrator may decide to allocate one single port range per 2880 subscriber (port range of 1024 ports) as shown below: 2882 2883 2884 1 2885 myotherCGN 2886 .... 2887 2888 1 2889 2890 192.0.2.0/24 2891 2892 2893 2894 2895 1024 2896 2897 2898 all 2899 2900 2901 2902 port-range-allocation 2903 2904 2905 2906 1024 2907 2908 .... 2909 2910 .... 2911 2912 2914 A.3. CGN Pass-Through 2916 Figure 1 illustrates an example of the CGN pass-through feature. 2918 X1:x1 X1':x1' X2:x2 2919 +---+from X1:x1 +---+from X1:x1 +---+ 2920 | C | to X2:x2 | | to X2:x2 | S | 2921 | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | 2922 | i | | G | | r | 2923 | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | 2924 | n |from X2:x2 | |from X2:x2 | e | 2925 | t | to X1:x1 | | to X1:x1 | r | 2926 +---+ +---+ +---+ 2928 Figure 1: CGN Pass-Through 2930 For example, in order to disable NAT for communications issued by the 2931 client (192.0.2.25), the following configuration parameter must be 2932 set: 2934 2935 ... 2936 192.0.2.25 2937 ... 2938 2940 A.4. NAT64 2942 Let's consider the example of a NAT64 that should use 2943 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2944 The XML snippet to configure the NAT64 prefix in such case is 2945 depicted below: 2947 2948 2949 2001:db8:122:300::/56 2950 2951 2953 A NAT64 can be instructed to behave in the stateless mode by 2954 providing the following configuration. The same NAT64 prefix is used 2955 for constructing both IPv4- translatable IPv6 addresses and 2956 IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]). 
2958 2959 2960 2001:db8:122:300::/56 2961 2962 2963 true 2964 2965 2967 Let's now consider the example of a NAT64 that should use 2968 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 2969 the destination address matches 198.51.100.0/24. The XML snippet to 2970 configure the NAT64 prefix in such case is shown below: 2972 2973 2974 2001:db8:122::/48 2975 2976 2977 2978 198.51.100.0/24 2979 2980 2981 2983 A.5. Explicit Address Mappings for Stateless IP/ICMP Translation 2985 As specified in [RFC7757], an EAM consists of an IPv4 prefix and an 2986 IPv6 prefix. Let's consider the set of EAM examples in Figure 2. 2988 +---+----------------+----------------------+ 2989 | # | IPv4 Prefix | IPv6 Prefix | 2990 +---+----------------+----------------------+ 2991 | 1 | 192.0.2.1 | 2001:db8:aaaa:: | 2992 | 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | 2993 | 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 | 2994 | 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 | 2995 | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | 2996 | 6 | 192.0.2.224/31 | 64:ff9b::/127 | 2997 +---+----------------+----------------------+ 2999 Figure 2: EAM Examples (RFC7757) 3001 The following XML excerpt illustrates how these EAMs can be 3002 configured using the YANG NAT module: 3004 3005 3006 192.0.2.1 3007 3008 3009 2001:db8:aaaa:: 3010 3011 3012 3013 3014 192.0.2.2/32 3015 3016 3017 2001:db8:bbbb::b/128 3018 3019 3020 3021 3022 192.0.2.16/28 3023 3024 3025 2001:db8:cccc::/124 3026 3027 3028 3029 3030 192.0.2.128/26 3031 3032 3033 2001:db8:dddd::/64 3034 3035 3036 3037 3038 192.0.2.192/29 3039 3040 3041 2001:db8:eeee:8::/62 3042 3043 3044 3045 3046 192.0.2.224/31 3047 3048 3049 64:ff9b::/127 3050 3051 3052 EAMs may be enabled jointly with stateful NAT64.
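The IPv6 address synthesis that the NAT64 prefix of A.4 and the CLAT prefixes of A.9 configure follows Section 2.2 of RFC 6052. The following Python, an added example rather than code from the draft or from any implementation it cites, synthesizes the IPv4-embedded IPv6 address for any of the six RFC 6052 prefix lengths and extracts the IPv4 address back, so an operator can check what a candidate prefix produces before pushing it. Function names are assumptions; the prefixes and addresses are the ones used in this appendix and in the RFC 6052 examples.

```python
import ipaddress

# RFC 6052, Section 2.2: the IPv4 address occupies the 32 bits that follow the
# prefix, except that octet 8 (bits 64-71, the reserved "u" octet) is skipped
# and left zero. Only these prefix lengths are defined.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def v4_octet_positions(prefix_len):
    """Byte offsets, within the 16-byte IPv6 address, that carry the 4 IPv4 octets."""
    positions, pos = [], prefix_len // 8
    for _ in range(4):
        if pos == 8:            # never overwrite the reserved 'u' octet
            pos = 9
        positions.append(pos)
        pos += 1
    return positions


def synthesize(prefix, ipv4):
    """IPv4-converted / IPv4-translatable IPv6 address for ipv4 under prefix.
    The prefix is parsed strictly, so host bits set in the configured value are
    refused instead of being silently overwritten."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (RFC6052_PREFIX_LENGTHS,))
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(v4_octet_positions(net.prefixlen),
                          ipaddress.IPv4Address(ipv4).packed):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Inverse of synthesize(); None when the address does not lie in the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    packed = addr.packed
    return ipaddress.IPv4Address(bytes(packed[p] for p in v4_octet_positions(net.prefixlen)))
```

For the A.4 prefix 2001:db8:122:300::/56 and the IPv4 destination 192.0.2.33 the synthesized address is 2001:db8:122:3c0:0:221::, the value RFC 6052 lists for /56: the first IPv4 octet lands in the last byte of the prefix's fourth word, the u octet stays zero, and the remaining three octets follow it. For the /96 CLAT and well-known prefixes the IPv4 address simply fills the last 32 bits.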
This example shows 3053 a NAT64 function that supports static mappings: 3055 3057 nat64 3058 3059 3060 true 3061 3062 3063 true 3064 3065 3066 true 3067 3068 3069 true 3070 3071 3072 false 3073 3074 3075 true 3076 3077 3078 true 3079 3080 3081 true 3082 3083 3084 false 3085 3086 3087 false 3088 3089 3090 true 3091 3092 3093 false 3094 3095 3096 false 3097 3098 3100 A.6. Static Mappings with Port Ranges 3102 The following example shows a static mapping that instructs a NAT to 3103 translate packets issued from 192.0.2.1 and with source ports in the 3104 100-500 range to 198.51.100.1:1100-1500. 3106 3107 1 3108 static 3109 6 3110 3111 192.0.2.1 3112 3113 3114 3115 100 3116 3117 3118 500 3119 3120 3121 3122 198.51.100.1 3123 3124 3125 3126 1100 3127 3128 3129 1500 3130 3131 3132 ... 3133 3135 A.7. Static Mappings with IP Prefixes 3137 The following example shows a static mapping that instructs a NAT to 3138 translate packets issued from 192.0.2.0/24 to 198.51.100.0/24. 3140 3141 1 3142 static 3143 6 3144 3145 192.0.2.0/24 3146 3147 3148 198.51.100.0/24 3149 3150 ... 3151 3153 A.8. Destination NAT 3155 The following XML snippet shows an example of a destination NAT that is 3156 instructed to translate packets having 192.0.2.1 as a destination IP 3157 address to 198.51.100.1.
3159 3160 1 3161 3162 192.0.2.1 3163 3164 3165 198.51.100.1 3166 3167 3169 In order to instruct a NAT to translate TCP packets destined to 3170 192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows 3171 the static mapping to be configured on the NAT: 3173 3174 1 3175 static 3176 6 3177 3178 192.0.2.1 3179 3180 3181 80 3182 3183 3184 198.51.100.1 3185 3186 3187 8080 3188 3189 3191 In order to instruct a NAT to translate TCP packets destined to 3192 192.0.2.1:80 (HTTP traffic) to 198.51.100.1 and 192.0.2.1:22 (SSH 3193 traffic) to 198.51.100.2, the following XML snippet shows the static 3194 mappings to be configured on the NAT: 3196 3197 1 3198 static 3199 6 3200 3201 192.0.2.1 3202 3203 3204 3205 80 3206 3207 3208 3209 198.51.100.1 3210 3211 ... 3212 3213 3214 2 3215 static 3216 3217 6 3218 3219 3220 192.0.2.1 3221 3222 3223 3224 22 3225 3226 3227 3228 198.51.100.2 3229 3230 ... 3231 3233 The NAT may also be instructed to proceed with both source and 3234 destination NAT. To do so, in addition to the above sample to 3235 configure destination NAT, the NAT may be provided, for example, with 3236 a pool of external IP addresses (198.51.100.0/24) to use for source 3237 address translation. An example of the corresponding XML snippet is 3238 provided hereafter: 3240 3241 1 3242 3243 198.51.100.0/24 3244 3245 3247 Instead of providing an external IP address to share, the NAT may be 3248 configured with static mapping entries that modify the internal IP 3249 address and/or port number. 3251 A.9. CLAT 3253 The following XML snippet shows the example of a CLAT that is 3254 configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and 3255 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 3256 provided with 192.0.0.1/32 (which is selected from the IPv4 service 3257 continuity prefix defined in [RFC7335]). 3259 3260 3261 2001:db8:aaaa::/96 3262 3263 3264 3265 3266 192.0.0.1/32 3267 3268 3269 3270 3271 2001:db8:1234::/96 3272 3273 3275 A.10.
NPTv6 3277 Let's consider the example of an NPTv6 translator that should rewrite 3278 packets with the source prefix (fd01:203:405::/48) with the external 3279 prefix (2001:db8:1::/48). The internal interface is "eth0" while the 3280 external interface is "eth1". 3282 External Network: Prefix = 2001:db8:1::/48 3283 -------------------------------------- 3284 | 3285 |eth1 3286 +-------------+ 3287 eth4| NPTv6 |eth2 3288 ...-----| |------... 3289 +-------------+ 3290 |eth0 3291 | 3292 -------------------------------------- 3293 Internal Network: Prefix = fd01:203:405::/48 3295 Example of NPTv6 (RFC6296) 3297 The XML snippet to configure NPTv6 prefixes in such case is depicted 3298 below: 3300 3301 1 3302 3303 fd01:203:405::/48 3304 3305 3306 2001:db8:1::/48 3307 3308 3309 ... 3310 3311 3312 eth1 3313 3314 3316 Figure 3 shows an example of an NPTv6 that interconnects two internal 3317 networks (fd01:203:405::/48 and fd01:4444:5555::/48); each is 3318 translated using a dedicated prefix (2001:db8:1::/48 and 3319 2001:db8:6666::/48, respectively).
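What the configured internal/external prefix pair actually does to an address is the checksum-neutral mapping of RFC 6296. The following Python, an added example rather than code from the draft or from any NPTv6 implementation, performs that mapping in both directions for a pair such as the one above. It parses both prefixes strictly, which is the check the XML values deserve: a prefix written without its trailing "::" or with host bits set is refused instead of being silently translated. Names and the restriction to equal-length prefixes are assumptions.

```python
import ipaddress


def address_words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_complement_sum(words):
    """One's complement sum of 16-bit words, folded to 16 bits (RFC 1071 style)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_checksum(addr):
    """The quantity NPTv6 keeps invariant: the one's complement sum of the address."""
    return ones_complement_sum(address_words(addr))


class NPTv6:
    """Checksum-neutral prefix translation (RFC 6296) for one internal/external
    prefix pair. Simplification (an assumption): both prefixes have the same length."""

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix, strict=True)
        self.external = ipaddress.IPv6Network(external_prefix, strict=True)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must be the same length")

    @staticmethod
    def _map(addr, from_pfx, to_pfx):
        addr = ipaddress.IPv6Address(addr)
        if addr not in from_pfx:
            return None                              # not ours: left untranslated
        plen = from_pfx.prefixlen
        all_bits = (1 << 128) - 1
        mask = ((1 << plen) - 1) << (128 - plen)
        swapped = (int(to_pfx.network_address) & mask) | (int(addr) & (all_bits ^ mask))
        words = address_words(ipaddress.IPv6Address(swapped))
        # delta = sum(old prefix words) - sum(new prefix words), in one's complement;
        # adding it to one word restores the address's original sum.
        delta = ones_complement_sum(
            address_words(from_pfx.network_address)
            + [~ones_complement_sum(address_words(to_pfx.network_address)) & 0xFFFF])
        # RFC 6296: for /48 or shorter the subnet word (bits 48-63) absorbs the
        # adjustment; for longer prefixes, the first IID word that is not 0xFFFF.
        if plen <= 48:
            idx = 3
        else:
            idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
            if idx is None:
                return None
        new = ones_complement_sum([words[idx], delta])
        if new == 0xFFFF:        # negative zero in one's complement: store it as 0
            new = 0
        words[idx] = new
        return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

    def outbound(self, addr):
        """Internal source address -> external (packets leaving the site)."""
        return self._map(addr, self.internal, self.external)

    def inbound(self, addr):
        """External destination address -> internal (packets entering the site)."""
        return self._map(addr, self.external, self.internal)


def valid_prefix_pair(internal_prefix, external_prefix):
    """True when both strings are canonical IPv6 prefixes of equal length."""
    try:
        NPTv6(internal_prefix, external_prefix)
        return True
    except ValueError:
        return False
```

The one's complement arithmetic is what makes the translator invisible to TCP, UDP and ICMPv6 checksums: the pseudo-header sum over the translated address equals the sum over the original, which address_checksum() lets you verify for any pair. Because 0xFFFF is normalised to 0 in the adjusted word, an internal subnet ID of 0xFFFF would come back as 0 and cannot be used behind this translator.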
3321 Internal Prefix = fd01:4444:5555::/48 3322 -------------------------------------- 3323 V | External Prefix 3324 V |eth1 2001:db8:1::/48 3325 V +---------+ ^ 3326 V | NPTv6 | ^ 3327 V | | ^ 3328 V +---------+ ^ 3329 External Prefix |eth0 ^ 3330 2001:db8:6666::/48 | ^ 3331 -------------------------------------- 3332 Internal Prefix = fd01:203:405::/48 3334 Figure 3: Connecting two Peer Networks (RFC6296) 3336 To that aim, the following configuration is provided to the NPTv6: 3338 3339 1 3340 3341 1 3342 3343 fd01:203:405::/48 3344 3345 3346 2001:db8:1::/48 3347 3348 3349 3350 eth1 3351 3352 3353 3354 2 3355 3356 2 3357 3358 fd01:4444:5555::/48 3359 3360 3361 2001:db8:6666::/48 3362 3363 3364 3365 eth0 3366 3367 3369 Authors' Addresses 3371 Mohamed Boucadair 3372 Orange 3373 Rennes 35000 3374 France 3376 Email: mohamed.boucadair@orange.com 3378 Senthil Sivakumar 3379 Cisco Systems 3380 7100-8 Kit Creek Road 3381 Research Triangle Park, North Carolina 27709 3382 USA 3384 Phone: +1 919 392 5158 3385 Email: ssenthil@cisco.com 3387 Christian Jacquenet 3388 Orange 3389 Rennes 35000 3390 France 3392 Email: christian.jacquenet@orange.com 3394 Suresh Vinapamula 3395 Juniper Networks 3396 1133 Innovation Way 3397 Sunnyvale 94089 3398 USA 3400 Email: sureshk@juniper.net 3402 Qin Wu 3403 Huawei 3404 101 Software Avenue, Yuhua District 3405 Nanjing, Jiangsu 210012 3406 China 3408 Email: bill.wu@huawei.com