Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: May 19, 2018                                      Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                       November 15, 2017

   A YANG Data Model for Network Address Translation (NAT) and Network
                       Prefix Translation (NPT)
                      draft-ietf-opsawg-nat-yang-09

Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/
   ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/
   ICMP Translation (SIIT EAM), and IPv6 Network Prefix Translation
   (NPTv6) are covered in this document.
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Data Model for Network Address Translation (NAT)
   and Network Prefix Translation (NPT)";

   "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various Translation Flavors
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface
     2.11. Relationship to NATV2-MIB
     2.12. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  Carrier Grade NAT (CGN)
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Stateless IP/ICMP Translation (SIIT)
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT)
     A.7.  Static Mappings with Port Ranges
     A.8.  Static Mappings with IP Prefixes
     A.9.  Destination NAT
     A.10. Customer-side Translator (CLAT)
     A.11. IPv6 Network Prefix Translation (NPTv6)
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], and IPv6 Network Prefix Translation (NPTv6) [RFC6296].
   The full set of translation schemes that are in scope is included in
   Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.
   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The usage of the term NAT in this document refers to any translation
   flavor (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

   The meaning of the symbols in tree diagrams is defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.  As a reminder, REQ-9 of [RFC6888] requires that a CGN must
   implement a protocol giving subscribers explicit control over NAT
   mappings; that protocol should be the Port Control Protocol
   [RFC6887].

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance.  Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module allows instructing a NAT function to enable the
   logging feature.  Nevertheless, configuration parameters specific to
   logging protocols are out of the scope of this document.

2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44
   o  NAPT
   o  Destination NAT
   o  Port-restricted NAT
   o  Stateful NAT64
   o  SIIT
   o  CLAT
   o  EAM
   o  NPTv6
   o  Combination of Basic NAT/NAPT and Destination NAT
   o  Combination of port-restricted and Destination NAT
   o  Combination of NAT64 and EAM
   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists the defined features:

   +---------------------------------+--------------+
   | Translation Mode                | YANG Feature |
   +---------------------------------+--------------+
   | Basic NAT44                     | basic-nat44  |
   | NAPT                            | napt44       |
   | Destination NAT                 | dst-nat      |
   | Stateful NAT64                  | nat64        |
   | Stateless IPv4/IPv6 translation | siit         |
   | CLAT                            | clat         |
   | EAM                             | eam          |
   | NPTv6                           | nptv6        |
   +---------------------------------+--------------+

                     Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).

   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.

   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).

   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.
   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes
      if, in addition to appropriately setting the parameter (nat64-
      prefixes/stateless-enable), an external IPv4 address pool is
      configured.

   The NAT YANG module allows retrieving the capabilities of a NAT
   instance (including the list of supported translation modes, the list
   of supported protocols, port restriction support status, supported
   NAT mapping types, supported NAT filtering types, port range
   allocation support status, port parity preservation support status,
   port preservation support status, and the behavior for handling
   fragments (all, out-of-order, in-order)).

2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

   Also, the module allows enabling translation for these protocols
   when required (/nat/instances/instance/policy/transport-protocols).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for external-
   ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes (Section 12
   of [RFC6269]).  Therefore, a NAT function should be able to assign
   port sets (e.g., [RFC7753]) to optimize the volume of the logging
   data (REQ-14 of [RFC6888]).  Both allocation schemes are supported in
   the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs need to restrict the source port numbers (e.g.,
   Lightweight 4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port
   set assignment (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.
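   As an added example (not code from this draft or from any NAT
   implementation), the following Python models the two port-set-restrict
   schemes above, the RFC 7597 port-set algorithm with psid-offset/psid-
   len/psid and the simple port range, and, anticipating the mapping entry
   structure of Section 2.8, shows a port-restricted stateful NAT64 in EDM
   mode creating the mapping of Table 2 with its external source port
   drawn from the restricted set.  The class and function names, the
   external address 192.0.2.1 and the PSID values are constructed for the
   example; psid-offset is passed explicitly rather than defaulted.

```python
import ipaddress
from dataclasses import dataclass

PROTO_TCP = 6


@dataclass(frozen=True)
class PortRange:
    """port-set-restrict / port-range: start-port-number..end-port-number."""
    start: int
    end: int

    def contains(self, port: int) -> bool:
        return self.start <= port <= self.end

    def ports(self):
        return range(self.start, self.end + 1)


@dataclass(frozen=True)
class PortSetAlgo:
    """port-set-restrict / port-set-algo: psid-offset (a), psid-len (k), psid.
    RFC 7597 port layout, MSB first: | A (a bits) | PSID (k bits) | M (m bits) |
    with m = 16 - a - k.  When a > 0, A = 0 is excluded so that ports
    0..2^(16-a)-1 (the system ports for a = 6) never belong to a subscriber."""
    psid_offset: int
    psid_len: int
    psid: int

    def __post_init__(self):
        if self.psid_offset + self.psid_len > 16:
            raise ValueError("psid-offset + psid-len must not exceed 16")
        if self.psid >= 1 << self.psid_len:
            raise ValueError("psid does not fit in psid-len bits")

    @property
    def m(self) -> int:
        return 16 - self.psid_offset - self.psid_len

    def contains(self, port: int) -> bool:
        """The check a translator applies: does this external source port
        belong to the assigned restricted port set?"""
        if not 0 <= port <= 0xFFFF:
            return False
        a_bits = port >> (16 - self.psid_offset) if self.psid_offset else 1
        if a_bits == 0:
            return False
        return (port >> self.m) & ((1 << self.psid_len) - 1) == self.psid

    def ports(self):
        a_range = range(1, 1 << self.psid_offset) if self.psid_offset else range(1)
        for a in a_range:
            base = (a << (16 - self.psid_offset)) | (self.psid << self.m)
            yield from range(base, base + (1 << self.m))


def embedded_ipv4(addr: str, nat64_prefix: str) -> str:
    """Extract the IPv4 address embedded in an IPv4-converted IPv6 address
    (RFC 6052, Section 2.2) for any allowed nat64-prefix length."""
    net = ipaddress.IPv6Network(nat64_prefix)
    ip6 = ipaddress.IPv6Address(addr)
    if net.prefixlen not in (32, 40, 48, 56, 64, 96) or ip6 not in net:
        raise ValueError("address is not inside the NAT64 prefix")
    v = int(ip6)
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(v & 0xFFFFFFFF))
    # Drop octet 8 (the reserved 'u' byte, bits 64..71); the IPv4 address is
    # then the 32-bit field starting at bit 'prefixlen' of the 120 bits left.
    v120 = ((v >> 64) << 56) | (v & ((1 << 56) - 1))
    return str(ipaddress.IPv4Address((v120 >> (120 - net.prefixlen - 32)) & 0xFFFFFFFF))


@dataclass
class MappingEntry:
    """The TCP/UDP mapping entry structure of Section 2.8."""
    type: str
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int
    external_src_address: str
    external_src_port: int
    internal_dst_address: str
    internal_dst_port: int
    external_dst_address: str
    external_dst_port: int


class Nat64Edm:
    """Constructed stateful NAT64 with endpoint-dependent mapping: every
    internal 5-tuple gets its own external port on one external IPv4
    address T, and every port comes from the port-set-restrict set."""

    def __init__(self, nat64_prefix: str, external_ip: str, port_set):
        self.prefix, self.external_ip, self.port_set = nat64_prefix, external_ip, port_set
        self.mappings: dict = {}
        self._in_use: set = set()

    def new_session(self, proto, src6, sport, dst6, dport) -> MappingEntry:
        key = (proto, src6, sport, dst6, dport)  # EDM: full internal tuple
        if key in self.mappings:
            return self.mappings[key]
        ext_port = next((p for p in self.port_set.ports() if p not in self._in_use), None)
        if ext_port is None:
            raise RuntimeError("restricted port set exhausted; packet dropped")
        self._in_use.add(ext_port)
        entry = MappingEntry("dynamic implicit mapping", proto, src6, sport,
                             self.external_ip, ext_port, dst6, dport,
                             embedded_ipv4(dst6, self.prefix), dport)
        self.mappings[key] = entry
        return entry
```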
2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

   (internal-src-address, internal-src-port) (internal-dst-address,
   internal-dst-port) <=> (external-src-address, external-src-port)
   (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

   (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
   identifier) <=> (external-src-address, external-dst-address,
   external ICMP/ICMPv6 identifier)

   As a reminder, all the ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as used
      by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix as
      used by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows including an IPv4 or an IPv6 address as an
   internal IP address.  The remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2.  This example
   assumes EDM (Endpoint-Dependent Mapping).

   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                  Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is depicted in Table 3.  This
   example assumes EIM (Endpoint-Independent Mapping).

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

               Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

               Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].
   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limits and connection-limits).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings or be translated because they match existing
   mappings are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mappings and limit-   |
   |                   | port-mappings).  Also, limits specific to     |
   |                   | protocols (e.g., TCP, UDP, ICMP) can be       |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified.  Rate-limiting can be       |
   |                   | enforced per subscriber (limit-subscriber),   |
   |                   | per NAT instance (limit-per-instance), and/or |
   |                   | be specified for each supported protocol      |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+

                           Table 5: NAT Limits

   Table 6 describes the limits that, once exceeded, will trigger
   notifications to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a nat- |
   |                          | instance-event will be generated.      |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a nat-       |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                     Table 6: Notification Thresholds

   To prevent the generation of frequent notifications, the NAT YANG
   module supports the following limits (Table 7) used to control how
   frequently notifications can be generated.  That is, notifications
   are subject to the rate-limiting imposed by these intervals.
625 +-------------------------------------+-----------------------------+ 626 | Interval | Description | 627 +-------------------------------------+-----------------------------+ 628 | notify-pool-usage/notify-interval | Indicates the minimum | 629 | | number of seconds between | 630 | | successive notifications | 631 | | for a given address pool. | 632 +-------------------------------------+-----------------------------+ 633 | notification-limits/notify-interval | Indicates the minimum | 634 | | number of seconds between | 635 | | successive notifications | 636 | | for a NAT instance. | 637 +-------------------------------------+-----------------------------+ 639 Table 7: Notification Intervals 641 2.10. Binding the NAT Function to an External Interface 643 The model is designed to specify an external realm on which the NAT 644 function must be applied (external-realm). The module supports 645 indicating an interface as an external realm, but the module is 646 extensible so that other choices can be indicated in the future 647 (e.g., Virtual Routing and Forwarding (VRF) instance). 649 Distinct external realms can be provided as a function of the NAT 650 policy (see for example, Section 4 of [RFC7289]). 652 If no external realm is provided, this assumes that the system is 653 able to determine the external interface (VRF instance, etc.) on 654 which the NAT will be applied. Typically, the WAN and LAN interfaces 655 of a CPE are determined by the CPE. 657 2.11. Relationship to NATV2-MIB 659 Section of 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that 660 the following information is configured on the NAT by some means, not 661 specified in [RFC7659]: 663 o The set of address realms to which the device connect. 
665 o For the CGN case, per-subscriber information including subscriber 666 index, address realm, assigned prefix or address, and (possibly) 667 policies regarding address pool selection in the various possible 668 address realms to which the subscriber may connect. 670 o The set of NAT instances running on the device, identified by NAT 671 instance index and name. 673 o The port mapping, filtering, pooling, and fragment behavior for 674 each NAT instance. 676 o The set of protocols supported by each NAT instance. 678 o Address pools for each NAT instance, including for each pool the 679 pool index, address realm, and minimum and maximum port number. 681 o Static address and port mapping entries. 683 All the above parameters can be configured by means of the NAT YANG 684 module. 686 Unlike the NATV2-MIB, the NAT YANG module allows to configure 687 multiple policies per NAT instance. 689 2.12. Tree Structure 691 The tree structure of the NAT YANG module is provided below: 693 module: ietf-nat 694 +--rw nat 695 +--rw instances 696 +--rw instance* [id] 697 +--rw id uint32 698 +--rw name? string 699 +--rw enable? boolean 700 +--ro capabilities 701 | +--ro nat-flavor* 702 | | identityref 703 | +--ro per-interface-binding* 704 | | enumeration 705 | +--ro transport-protocols* [protocol-id] 706 | | +--ro protocol-id uint8 707 | | +--ro protocol-name? string 708 | +--ro restricted-port-support? 709 | | boolean 710 | +--ro static-mapping-support? 711 | | boolean 712 | +--ro port-randomization-support? 713 | | boolean 714 | +--ro port-range-allocation-support? 715 | | boolean 716 | +--ro port-preservation-suport? 717 | | boolean 718 | +--ro port-parity-preservation-support? 719 | | boolean 720 | +--ro address-roundrobin-support? 721 | | boolean 722 | +--ro paired-address-pooling-support? 723 | | boolean 724 | +--ro endpoint-independent-mapping-support? 725 | | boolean 726 | +--ro address-dependent-mapping-support? 
              |  |       boolean
              |  +--ro address-and-port-dependent-mapping-support?
              |  |       boolean
              |  +--ro endpoint-independent-filtering-support?
              |  |       boolean
              |  +--ro address-dependent-filtering?
              |  |       boolean
              |  +--ro address-and-port-dependent-filtering?
              |  |       boolean
              |  +--ro fragment-behavior?
              |          enumeration
              +--rw type?                    identityref
              +--rw per-interface-binding?   enumeration
              +--rw nat-pass-through* [id]
              |       {basic-nat44 or napt44 or dst-nat}?
              |  +--rw id        uint32
              |  +--rw prefix    inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                            uint32
              |  +--rw clat-parameters {clat}?
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
              |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix] {eam}?
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |       {siit or nat64 or clat}?
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?          boolean
              |  +--rw external-ip-address-pool* [pool-id]
              |  |       {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool    inet:ipv4-prefix
              |  +--rw port-set-restrict {napt44 or nat64}?
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?         uint8
              |  |        +--rw psid-len             uint8
              |  |        +--rw psid                 uint16
              |  +--rw dst-nat-enable?               boolean
              |  |       {basic-nat44 or napt44}?
              |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
              |  |  +--rw pool-id           uint32
              |  |  +--rw dst-in-ip-pool?   inet:ip-prefix
              |  |  +--rw dst-out-ip-pool   inet:ip-prefix
              |  +--rw transport-protocols* [protocol-id]
              |  |       {napt44 or nat64 or dst-nat}?
              |  |  +--rw protocol-id      uint8
              |  |  +--rw protocol-name?   string
              |  +--rw subscriber-mask-v6?           uint8
              |  +--rw subscriber-match* [match-id]
              |  |       {basic-nat44 or napt44 or dst-nat}?
              |  |  +--rw match-id    uint32
              |  |  +--rw subnet      inet:ip-prefix
              |  +--rw address-allocation-type?      enumeration
              |  +--rw port-allocation-type?         enumeration
              |  |       {napt44 or nat64}?
              |  +--rw mapping-type?                 enumeration
              |  |       {napt44 or nat64}?
              |  +--rw filtering-type?               enumeration
              |  |       {napt44 or nat64}?
              |  +--rw fragment-behavior?            enumeration
              |  |       {napt44 or nat64}?
              |  +--rw port-quota* [quota-type] {napt44 or nat64}?
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-set {napt44 or nat64}?
              |  |  +--rw port-set-size       uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers {napt44 or nat64}?
              |  |  +--rw udp-timeout?                uint32
              |  |  +--rw tcp-idle-timeout?           uint32
              |  |  +--rw tcp-trans-open-timeout?     uint32
              |  |  +--rw tcp-trans-close-timeout?    uint32
              |  |  +--rw tcp-in-syn-timeout?         uint32
              |  |  +--rw fragment-min-timeout?       uint32
              |  |  +--rw icmp-timeout?               uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw timeout        uint32
              |  |  +--rw hold-down-timeout?          uint32
              |  |  +--rw hold-down-max?              uint32
              |  +--rw fragments-limit?              uint32
              |  +--rw algs* [name]
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw dst-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw src-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?              boolean
              |  +--rw notify-pool-usage
              |  |       {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id?           uint32
              |  |  +--rw high-threshold?    percent
              |  |  +--rw low-threshold?     percent
              |  |  +--rw notify-interval?   uint32
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |           +--rw external-interface?   if:interface-ref
              +--rw mapping-limits {napt44 or nat64}?
              |  +--rw limit-subscribers?        uint32
              |  +--rw limit-address-mapings?    uint32
              |  +--rw limit-port-mappings?      uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |          {napt44 or nat64 or dst-nat}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw connection-limits
              |       {basic-nat44 or napt44 or nat64}?
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |          {napt44 or nat64}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw notification-limits
              |  +--rw notify-interval?            uint32
              |  |       {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-addresses-usage?     percent
              |  |       {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-ports-usage?         percent
              |  |       {napt44 or nat64}?
              |  +--rw notify-subscribers-limit?   uint32
              |          {basic-nat44 or napt44 or nat64}?
              +--rw logging-enable?          boolean
              |       {basic-nat44 or napt44 or nat64}?
              +--rw mapping-table
              |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro discontinuity-time    yang:date-and-time
                 +--ro traffic-statistics
                 |  +--ro sent-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro sent-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro rcvd-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro rcvd-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-fragments?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-address-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-limit-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-port-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-limit-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-bytes?
                 |          yang:zero-based-counter64
                 |          {basic-nat44 or napt44 or nat64}?
                 +--ro mappings-statistics
                 |  +--ro total-active-subscribers?   yang:gauge32
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro total-address-mappings?     yang:gauge32
                 |  |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                 |  +--ro total-port-mappings?        yang:gauge32
                 |  |       {napt44 or nat64}?
                 |  +--ro total-per-protocol* [protocol-id]
                 |          {napt44 or nat64}?
                 |     +--ro protocol-id    uint8
                 |     +--ro total?         yang:gauge32
                 +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro ports-stats {napt44 or nat64}?
                    |  +--ro ports-allocated?   yang:gauge32
                    |  +--ro ports-free?        yang:gauge32
                    +--ro per-pool-stats* [pool-id]
                            {basic-nat44 or napt44 or nat64}?
                       +--ro pool-id               uint32
                       +--ro discontinuity-time    yang:date-and-time
                       +--ro pool-stats
                       |  +--ro addresses-allocated?   yang:gauge32
                       |  +--ro addresses-free?        yang:gauge32
                       +--ro port-stats {napt44 or nat64}?
                          +--ro ports-allocated?   yang:gauge32
                          +--ro ports-free?        yang:gauge32

   notifications:
     +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
     |  +--ro id                       -> /nat/instances/instance/id
     |  +--ro policy-id?
     |  |       -> /nat/instances/instance/policy/id
     |  +--ro pool-id                  leafref
     |  +--ro notify-pool-threshold    percent
     +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
        +--ro id
        |       -> /nat/instances/instance/id
        +--ro notify-subscribers-threshold?   uint32
        +--ro notify-addresses-threshold?     percent
        +--ro notify-ports-threshold?         percent
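   The following is an added example and is not part of the draft or of
   any implementation it describes.  It takes a constructed RFC 7951-style
   JSON instance of the tree above (one NAPT44 instance with a single
   policy whose port-set-restrict uses the port-set-algo case) and
   expands the policy into the external ports it may hand out, applying
   the PSID arithmetic of Section 5.1 of RFC 7597 that the port-set
   grouping in the module references, together with the constraints the
   module itself states (instance id >= 1, end-port-number >=
   start-port-number, psid-offset and psid-len in 0..15).  The reverse
   lookup is the operation an incident responder needs when a CGN log or
   abuse report gives only (external address, port): it recovers the
   PSID, and therefore the subscriber, that owned that port.  Function
   names, the JSON document and the treatment of an absent psid-offset
   as a = 0 are this example's own assumptions; the module defines no
   default for that leaf.

```python
import json

# Constructed RFC 7951-style instance (not taken from the draft): one NAPT44
# instance whose policy 1 restricts the external port set with the PSID
# algorithm (case port-set-algo of the port-set grouping).
POLICY_JSON = """
{
  "ietf-nat:nat": {
    "instances": {
      "instance": [
        {
          "id": 1,
          "name": "cgn-1",
          "enable": true,
          "type": "ietf-nat:napt44",
          "policy": [
            {
              "id": 1,
              "external-ip-address-pool": [
                {"pool-id": 1, "external-ip-pool": "192.0.2.0/29"}
              ],
              "port-set-restrict": {"psid-offset": 6, "psid-len": 8, "psid": 52}
            }
          ]
        }
      ]
    }
  }
}
"""


def load_policy(text=POLICY_JSON):
    """Parse the JSON instance document into Python structures."""
    return json.loads(text)


def _check_psid_params(a, k):
    # The module constrains psid-offset and psid-len to 0..15; RFC 7597
    # additionally needs a + k <= 16 so that m = 16 - a - k is not negative.
    if not (0 <= a <= 15 and 0 <= k <= 15):
        raise ValueError("psid-offset and psid-len must be in 0..15")
    if a + k > 16:
        raise ValueError("psid-offset + psid-len exceeds 16 bits")
    return 16 - a - k


def psid_port_set(a, k, psid):
    """Ports owned by `psid` for offset `a` and length `k` (RFC 7597, 5.1).

    port = A << (16 - a) | psid << m | M, with m = 16 - a - k.
    With a > 0, A = 0 is excluded so the system ports 0..2^(16-a)-1 are
    never handed to a subscriber; with a = 0 every port is eligible.
    """
    m = _check_psid_params(a, k)
    if psid >= (1 << k):
        raise ValueError("psid does not fit in psid-len bits")
    a_values = range(1, 1 << a) if a > 0 else range(1)
    return [(A << (16 - a)) | (psid << m) | M
            for A in a_values for M in range(1 << m)]


def psid_of_port(a, k, port):
    """Reverse lookup for log attribution: the PSID that owns `port`, or
    None when the port sits in the excluded system-port range."""
    m = _check_psid_params(a, k)
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> m) & ((1 << k) - 1)


def expand_policy_ports(doc):
    """Map (instance id, policy id) to the sorted list of external ports a
    policy may use, enforcing the constraints the module states."""
    result = {}
    for inst in doc["ietf-nat:nat"]["instances"]["instance"]:
        if inst["id"] < 1:                       # leaf id: must ". >= 1"
            raise ValueError("instance id must be >= 1 (RFC 7659)")
        for pol in inst.get("policy", []):
            psr = pol.get("port-set-restrict")
            if not psr:                          # no restriction configured
                continue
            if "psid" in psr:                    # case port-set-algo
                # The module defines no default for psid-offset; this
                # example treats an absent leaf as a = 0 (assumption).
                ports = psid_port_set(psr.get("psid-offset", 0),
                                      psr["psid-len"], psr["psid"])
            else:                                # case port-range (the default)
                start = psr.get("start-port-number", 0)
                # Only start-port-number present means a single port.
                end = psr.get("end-port-number", start)
                if end < start:                  # must ". >= ../start-port-number"
                    raise ValueError("end-port-number < start-port-number")
                ports = list(range(start, end + 1))
            result[(inst["id"], pol["id"])] = ports
    return result


if __name__ == "__main__":
    ports = expand_policy_ports(load_policy())[(1, 1)]
    print(len(ports), ports[:4], ports[-1], psid_of_port(6, 8, ports[0]))
```

   With a = 6 and k = 8 each PSID owns 63 * 4 = 252 ports spread over the
   whole 1024..65535 range rather than one contiguous block, which is why
   a plain "port range" lookup against a CGN log is not enough and the
   reverse function is needed.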
3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2017-11-16.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }
     import ietf-interfaces { prefix if; }

     organization
       "IETF OPSAWG (Operations and Management Area Working Group)";

     contact

       "WG Web:
        WG List:

        Editor:  Mohamed Boucadair

        Editor:  Senthil Sivakumar

        Editor:  Christian Jacquenet

        Editor:  Suresh Vinapamula

        Editor:  Qin Wu
        ";

     description
       "This module is a YANG module for NAT implementations.

        NAT44, Network Address and Protocol Translation from IPv6
        Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
        Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
        for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network
        Prefix Translation (NPTv6) are covered.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-11-16 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for Network Address Translation
                    (NAT) and Network Prefix Translation (NPT)";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Features
      */

     feature basic-nat44 {
       description
         "Basic NAT44 translation is limited to IP addresses alone.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     feature napt44 {
       description
         "Network Address/Port Translator (NAPT): translation is
          extended to include IP addresses and transport identifiers
          (such as a TCP/UDP port or ICMP query ID).

          If the internal IP address is not sufficient to uniquely
          disambiguate NAPT44 mappings, an additional attribute is
          required.  For example, that additional attribute may
          be an IPv6 address (a.k.a., DS-Lite (RFC 6333)) or
          a Layer 2 identifier (a.k.a., Per-Interface NAT
          (RFC 6619))";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     feature dst-nat {
       description
         "Destination NAT is a translation that acts on the destination
          IP address and/or destination port number.  This flavor is
          usually deployed in load balancers or at devices
          in front of public servers.";
     }

     feature nat64 {
       description
         "NAT64 translation allows IPv6-only clients to contact IPv4
          servers using unicast UDP, TCP, or ICMP.  One or more
          public IPv4 addresses assigned to a NAT64 translator are
          shared among several IPv6-only clients.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
                    Translation from IPv6 Clients to IPv4 Servers";
     }

     feature siit {
       description
         "The Stateless IP/ICMP Translation Algorithm (SIIT), which
          translates between IPv4 and IPv6 packet headers (including
          ICMP headers).
          In the stateless mode, an IP/ICMP translator converts IPv4
          addresses to IPv6 and vice versa solely based on the
          configuration of the stateless IP/ICMP translator and
          information contained within the packet being translated.

          The translator must support the stateless address mapping
          algorithm defined in RFC6052, which is the default behavior.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     feature clat {
       description
         "CLAT is a customer-side translator that algorithmically
          translates 1:1 private IPv4 addresses to global IPv6 addresses,
          and vice versa.

          When a dedicated /64 prefix is not available for translation
          from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
          packets so that all the LAN-originated IPv4 packets appear
          from a single IPv4 address and are then statelessly translated
          to one interface IPv6 address that is claimed by the CLAT via
          the Neighbor Discovery Protocol (NDP) and defended with
          Duplicate Address Detection.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                    Translation";
     }

     feature eam {
       description
         "Explicit Address Mapping (EAM) is a bidirectional coupling
          between an IPv4 Prefix and an IPv6 Prefix.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                    Translation";
     }

     feature nptv6 {
       description
         "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
          prefix translation.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity basic-nat44 {
       base nat:nat-type;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     identity napt44 {
       base nat:nat-type;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
                    Translation from IPv6 Clients to IPv4 Servers";
     }

     identity siit {
       base nat:nat-type;
       description
         "Identity for SIIT support.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                    Translation";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                    Translation";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Grouping
      */

     grouping port-number {
       description
         "Individual port or a range of ports.
          When only start-port-number is present,
          it represents a single port.";

       leaf start-port-number {
         type inet:port-number;
         description
           "Beginning of the port range.";
         reference
           "Section 3.2.9 of RFC 8045.";
       }

       leaf end-port-number {
         type inet:port-number;

         must ". >= ../start-port-number" {
           error-message
             "The end-port-number must be greater than or
              equal to start-port-number.";
         }
         description
           "End of the port range.";
         reference
           "Section 3.2.10 of RFC 8045.";
       }
     }

     grouping port-set {
       description
         "Indicates a set of ports.

          It may be a simple port range, or use the Port Set ID (PSID)
          algorithm to represent a range of transport layer
          ports which will be used by a NAPT.";

       choice port-type {
         default port-range;
         description
           "Port type: port-range or port-set-algo.";
         case port-range {
           uses port-number;
         }

         case port-set-algo {
           leaf psid-offset {
             type uint8 {
               range 0..15;
             }

             description
               "The number of offset bits (a.k.a., 'a' bits).

                Specifies the numeric value for the excluded port
                range/offset bits.

                Allowed values are between 0 and 15.";

             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;

             description
               "The length of the PSID, representing the sharing
                ratio for an IPv4 address (also known as 'k').

                The address-sharing ratio would be 2^k.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
             reference
               "Section 5.1 of RFC 7597";
           }
         }
         reference
           "RFC 7597: Mapping of Address and Port with
                      Encapsulation (MAP-E)";
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.
          If an attribute is not stored in the mapping/session table,
          this means that the corresponding fields of a packet that
          matches this entry are not rewritten by the NAT, or that this
          information is not required for NAT filtering purposes.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.  This identifier can be
            automatically assigned by the NAT instance or be explicitly
            configured.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is explicitly configured
                (e.g., via command-line interface).";
           }

           enum "dynamic-implicit" {
             description
               "This mapping is created implicitly as a side effect
                of processing a packet that requires a new mapping.";
           }

           enum "dynamic-explicit" {
             description
               "This mapping is created as a result of an explicit
                request, e.g., a PCP message.";
           }
         }
         description
           "Indicates the type of a mapping entry.  E.g.,
            a mapping can be: static, implicit dynamic
            or explicit dynamic.";
       }

       leaf transport-protocol {
         type uint8;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.
            For example, this field contains 6 (TCP) for a TCP
            mapping or 17 (UDP) for a UDP mapping.

            If this leaf is not instantiated, then the mapping
            applies to any protocol.";
       }

       leaf internal-src-address {
         type inet:ip-prefix;
         description
           "Corresponds to the source IPv4/IPv6 address/prefix
            of the packet received on an internal
            interface.";
       }

       container internal-src-port {
         description
           "Corresponds to the source port of the packet received
            on an internal interface.

            It is used also to indicate the internal source ICMP
            identifier.
            As a reminder, all the ICMP Query messages contain
            an 'Identifier' field, which is referred to in this
            document as the 'ICMP Identifier'.";

         uses port-number;
       }

       leaf external-src-address {
         type inet:ip-prefix;
         description
           "Source IP address/prefix of the packet sent on an
            external interface of the NAT.";
       }

       container external-src-port {
         description
           "Source port of the packet sent on an external
            interface of the NAT.

            It is used also to indicate the external source ICMP
            identifier.";

         uses port-number;
       }

       leaf internal-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet received on an internal interface
            of the NAT.

            For example, some NAT implementations support
            the translation of both source and destination
            addresses and ports, sometimes referred to
            as 'Twice NAT'.";
       }

       container internal-dst-port {
         description
           "Corresponds to the destination port of the
            IP packet received on the internal interface.

            It is used also to include the internal
            destination ICMP identifier.";

         uses port-number;
       }

       leaf external-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet sent on an external interface
            of the NAT.";
       }

       container external-dst-port {
         description
           "Corresponds to the destination port number of
            the packet sent on the external interface
            of the NAT.
            It is used also to include the external
            destination ICMP identifier.";

         uses port-number;
       }

       leaf lifetime {
         type uint32;
         units "seconds";
         description
           "When specified, it is used to track a connection that is
            fully formed (e.g., once the TCP three-way handshake
            is completed) or the duration for keeping an explicit
            mapping alive.  The mapping entry will be removed by
            the NAT instance once this lifetime has expired.

            When reported in a get operation, the lifetime indicates
            the remaining validity lifetime.

            Static mappings may not be associated with a
            lifetime.  If no lifetime is associated with a
            static mapping, an explicit action is required to
            remove that mapping.";
       }
     }

     /*
      * NAT Module
      */

     container nat {
       description
         "NAT module";

       container instances {
         description
           "NAT instances";

         list instance {
           key "id";

           description
             "A NAT instance.  This identifier can be automatically assigned
              or explicitly configured.";

           leaf id {
             type uint32;
             must ". >= 1";
             description
               "NAT instance identifier.
                The identifier must be greater than zero as per RFC 7659.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                          Address Translators (NATs)";
           }

           leaf name {
             type string;
             description
               "A name associated with the NAT instance.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                          Address Translators (NATs)";
           }

           leaf enable {
             type boolean;
             description
               "Status of the NAT instance.";
           }

           container capabilities {
             config false;

             description
               "NAT capabilities";

             leaf-list nat-flavor {
               type identityref {
                 base nat-type;
               }
               description
                 "Supported translation type(s).";
             }

             leaf-list per-interface-binding {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to associate a NAT binding with
                      an extra identifier.";
                 }

                 enum "layer-2" {
                   description
                     "The NAT instance is able to associate a mapping with
                      a layer-2 identifier.";
                 }

                 enum "dslite" {
                   description
                     "The NAT instance is able to associate a mapping with
                      an IPv6 address (a.k.a., DS-Lite).";
                 }
               }
               description
                 "Indicates the capability of a NAT to associate a particular
                  NAT session not only with the 5-tuple used for the
                  transport connection on both sides of the NAT but also with
                  the internal interface on which the user device is
                  connected to the NAT.";
               reference
                 "Section 4 of RFC 6619";
             }

             list transport-protocols {
               key protocol-id;

               description
                 "List of supported protocols.";

               leaf protocol-id {
                 type uint8;
                 mandatory true;
                 description
                   "Upper-layer protocol associated with this mapping.
                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, this field contains 6 (TCP) for a TCP
                    mapping or 17 (UDP) for a UDP mapping.";
               }

               leaf protocol-name {
                 type string;
                 description
                   "The name of the Upper-layer protocol associated
                    with this mapping.

                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, TCP, UDP, DCCP, and SCTP.";
               }
             }

             leaf restricted-port-support {
               type boolean;
               description
                 "Indicates source port NAT restriction support.";
               reference
                 "RFC 7596: Lightweight 4over6: An Extension to
                            the Dual-Stack Lite Architecture.";
             }

             leaf static-mapping-support {
               type boolean;
               description
                 "Indicates whether static mappings are supported.";
             }

             leaf port-randomization-support {
               type boolean;
               description
                 "Indicates whether port randomization is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-range-allocation-support {
               type boolean;
               description
                 "Indicates whether port range allocation is supported.";
               reference
                 "Section 1.1 of RFC 7753.";
             }

             leaf port-preservation-suport {
               type boolean;
               description
                 "Indicates whether port preservation is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-parity-preservation-support {
               type boolean;
               description
                 "Indicates whether port parity preservation is
                  supported.";
               reference
                 "Section 8 of RFC 7857.";
             }

             leaf address-roundrobin-support {
               type boolean;
               description
                 "Indicates whether round-robin address allocation is
                  supported.";
             }

             leaf paired-address-pooling-support {
               type boolean;
               description
                 "Indicates whether paired-address-pooling is
                  supported.";
               reference
                 "REQ-2 of RFC 4787.";
             }

             leaf endpoint-independent-mapping-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-
                  mapping in Section 4 of RFC 4787 is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-and-port-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf endpoint-independent-filtering-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-dependent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-and-port-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent filtering
                  is supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf fragment-behavior {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to translate incoming fragments.
                      All received fragments are dropped.";
                 }

                 enum "in-order" {
                   description
                     "The NAT instance is able to translate fragments only if
                      they are received in order.  That is, in particular the
                      header is in the first packet.  Fragments received
                      out of order are dropped.";
                 }

                 enum "out-of-order" {
                   description
                     "The NAT instance is able to translate a fragment even
                      if it is received out of order.
                      This behavior is the one recommended in RFC4787.";
                   reference
                     "REQ-14 of RFC 4787";
                 }
               }
               description
                 "The fragment behavior is the NAT instance's capability to
                  translate fragments received on the external interface of
                  the NAT.";
             }
           }

           leaf type {
             type identityref {
               base nat-type;
             }
             description
               "Specifies the translation type.  Particularly useful when
                multiple translation flavors are supported.

                If only one type is supported by a NAT, this parameter is by
                default set to that type.";
           }

           leaf per-interface-binding {
             type enumeration {
               enum "disabled" {
                 description
                   "Disable the capability to associate an extra identifier
                    with NAT mappings.";
               }

               enum "layer-2" {
                 description
                   "The NAT instance is able to associate a mapping with
                    a layer-2 identifier.";
               }

               enum "dslite" {
                 description
                   "The NAT instance is able to associate a mapping with
                    an IPv6 address (a.k.a., DS-Lite).";
               }
             }
             description
               "A NAT that associates a particular NAT session not only with
                the 5-tuple used for the transport connection on both
                sides of the NAT but also with the internal interface on
                which the user device is connected to the NAT.

                If supported, this mode of operation should be configurable,
                and it should be disabled by default in general-purpose NAT
                devices.
                If one single per-interface binding behavior is supported by
                a NAT, this parameter is by default set to that behavior.";
             reference
               "Section 4 of RFC 6619";
           }

           list nat-pass-through {
             if-feature "basic-nat44 or napt44 or dst-nat";
             key id;

             description
               "IP prefix NAT pass through.";

             leaf id {
               type uint32;
               description
                 "An identifier of the IP prefix pass through.";
             }

             leaf prefix {
               type inet:ip-prefix;
               mandatory true;
               description
                 "The IP addresses that match should not be translated.

                  According to REQ#6 of RFC6888, it must be possible to
                  administratively turn off translation for specific
                  destination addresses and/or ports.";
               reference
                 "REQ#6 of RFC6888.";
             }

             leaf port {
               type inet:port-number;
               description
                 "According to REQ#6 of RFC6888, it must be possible to
                  administratively turn off translation for specific
                  destination addresses and/or ports.

                  If no prefix is defined, the NAT pass through bound
                  to a given port applies for any destination address.";

               reference
                 "REQ#6 of RFC6888.";
             }
           }

           list policy {
             key id;
             description
               "NAT parameters for a given instance";

             leaf id {
               type uint32;
               description
                 "An identifier of the NAT policy.  It must be unique
                  within the NAT instance.";
             }

             container clat-parameters {
               if-feature clat;
               description
                 "CLAT parameters.";

               list clat-ipv6-prefixes {
                 key ipv6-prefix;
                 description
                   "464XLAT double translation treatment is stateless when a
                    dedicated /64 is available for translation on the CLAT.
1888 Otherwise, the CLAT will have both stateful and stateless 1889 since it requires NAT44 from the LAN to a single IPv4 1890 address and then stateless translation to a single 1891 IPv6 address."; 1892 reference 1893 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1894 Translation"; 1896 leaf ipv6-prefix { 1897 type inet:ipv6-prefix; 1898 description 1899 "An IPv6 prefix used for CLAT."; 1900 } 1901 } 1903 list ipv4-prefixes { 1904 key ipv4-prefix; 1905 description 1906 "Pool of IPv4 addresses used for CLAT. 1907 192.0.0.0/29 is the IPv4 service continuity prefix."; 1908 reference 1909 "RFC 7335: IPv4 Service Continuity Prefix"; 1911 leaf ipv4-prefix { 1912 type inet:ipv4-prefix; 1913 description 1914 "464XLAT double translation treatment is 1915 stateless when a dedicated /64 is available 1916 for translation on the CLAT. Otherwise, the 1917 CLAT will have both stateful and stateless 1918 since it requires NAT44 from the LAN to 1919 a single IPv4 address and then stateless 1920 translation to a single IPv6 address. 1921 The CLAT performs NAT44 for all IPv4 LAN 1922 packets so that all the LAN-originated IPv4 1923 packets appear from a single IPv4 address 1924 and are then statelessly translated to one 1925 interface IPv6 address that is claimed by 1926 the CLAT. 1928 An IPv4 address from this pool is also 1929 provided to an application that makes 1930 use of literals."; 1932 reference 1933 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1934 Translation"; 1935 } 1936 } 1937 } 1939 list nptv6-prefixes { 1940 if-feature nptv6; 1941 key internal-ipv6-prefix ; 1942 description 1943 "Provides one or a list of (internal IPv6 prefix, 1944 external IPv6 prefix) required for NPTv6. 
1946 In its simplest form, NPTv6 interconnects two network 1947 links, one of which is an 'internal' network link 1948 attached to a leaf network within a single 1949 administrative domain and the other of which is an 1950 'external' network with connectivity to the global 1951 Internet."; 1952 reference 1953 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1955 leaf internal-ipv6-prefix { 1956 type inet:ipv6-prefix; 1957 mandatory true; 1958 description 1959 "An IPv6 prefix used by an internal interface of NPTv6."; 1960 reference 1961 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1962 } 1964 leaf external-ipv6-prefix { 1965 type inet:ipv6-prefix; 1966 mandatory true; 1967 description 1968 "An IPv6 prefix used by the external interface of NPTv6."; 1969 reference 1970 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1971 } 1972 } 1974 list eam { 1975 if-feature eam; 1976 key ipv4-prefix; 1977 description 1978 "The Explicit Address Mapping Table, a conceptual 1979 table in which each row represents an EAM. 1981 Each EAM describes a mapping between IPv4 and IPv6 1982 prefixes/addresses."; 1983 reference 1984 "Section 3.1 of RFC 7757."; 1986 leaf ipv4-prefix { 1987 type inet:ipv4-prefix; 1988 mandatory true; 1989 description 1990 "The IPv4 prefix of an EAM."; 1991 reference 1992 "Section 3.2 of RFC 7757."; 1993 } 1995 leaf ipv6-prefix { 1996 type inet:ipv6-prefix; 1997 mandatory true; 1998 description 1999 "The IPv6 prefix of an EAM."; 2000 reference 2001 "Section 3.2 of RFC 7757."; 2002 } 2003 } 2005 list nat64-prefixes { 2006 if-feature "siit or nat64 or clat"; 2007 key nat64-prefix; 2008 description 2009 "Provides one or a list of NAT64 prefixes 2010 with or without a list of destination IPv4 prefixes. 2012 Destination-based Pref64::/n is discussed in 2013 Section 5.1 of [RFC7050]). For example: 2014 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 
2015 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 2016 reference 2017 "Section 5.1 of RFC7050."; 2019 leaf nat64-prefix { 2020 type inet:ipv6-prefix; 2021 mandatory true; 2022 description 2023 "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or 2024 Well-Known Prefix (WKP). 2026 Organizations deploying stateless IPv4/IPv6 translation 2027 should assign a Network-Specific Prefix to their 2028 IPv4/IPv6 translation service. 2030 For stateless NAT64, IPv4-translatable IPv6 addresses 2031 must use the selected Network-Specific Prefix. 2033 Both IPv4-translatable IPv6 addresses and IPv4-converted 2034 IPv6 addresses should use the same prefix."; 2035 reference 2036 "Sections 3.3 and 3.4 of RFC 6052."; 2037 } 2039 list destination-ipv4-prefix { 2040 key ipv4-prefix; 2041 description 2042 "An IPv4 prefix/address."; 2044 leaf ipv4-prefix { 2045 type inet:ipv4-prefix; 2046 description 2047 "An IPv4 address/prefix."; 2048 } 2049 } 2051 leaf stateless-enable { 2052 type boolean; 2053 default false; 2054 description 2055 "Enable explicitly stateless NAT64."; 2056 } 2057 } 2059 list external-ip-address-pool { 2060 if-feature "basic-nat44 or napt44 or nat64"; 2061 key pool-id; 2063 description 2064 "Pool of external IP addresses used to service internal 2065 hosts. 2067 A pool is a set of IP prefixes."; 2069 leaf pool-id { 2070 type uint32; 2071 must ". >= 1"; 2072 description 2073 "An identifier that uniquely identifies the address pool 2074 within a NAT instance. 2076 The identifier must be greater than zero as per 2077 RFC 7659."; 2078 reference 2079 "RFC 7659: Definitions of Managed Objects for 2080 Network Address Translators (NATs)"; 2081 } 2083 leaf external-ip-pool { 2084 type inet:ipv4-prefix; 2085 mandatory true; 2086 description 2087 "An IPv4 prefix used for NAT purposes."; 2088 } 2089 } 2091 container port-set-restrict { 2092 if-feature "napt44 or nat64"; 2093 description 2094 "Configures contiguous and non-contiguous port ranges. 
2096 The port set is used to restrict the external source 2097 port numbers used by the translator."; 2099 uses port-set; 2100 } 2102 leaf dst-nat-enable { 2103 if-feature "basic-nat44 or napt44"; 2104 type boolean; 2105 default false; 2106 description 2107 "Enable/Disable destination NAT. 2109 A NAT44 may be configured to enable Destination 2110 NAT, too."; 2111 } 2113 list dst-ip-address-pool { 2114 if-feature dst-nat; 2115 key pool-id; 2116 description 2117 "Pool of IP addresses used for destination NAT."; 2119 leaf pool-id { 2120 type uint32; 2121 description 2122 "An identifier of the address pool."; 2123 } 2125 leaf dst-in-ip-pool { 2126 type inet:ip-prefix; 2127 description 2128 "Is used to identify an internal IP prefix/address 2129 to be translated."; 2130 } 2132 leaf dst-out-ip-pool { 2133 type inet:ip-prefix; 2134 mandatory true; 2135 description 2136 "IP address/prefix used for destination NAT."; 2137 } 2138 } 2140 list transport-protocols { 2141 if-feature "napt44 or nat64 or dst-nat"; 2142 key protocol-id; 2144 description 2145 "Configure the transport protocols to be handled by 2146 the translator. 2148 TCP and UDP are supported by default."; 2150 leaf protocol-id { 2151 type uint8; 2152 mandatory true; 2153 description 2154 "Upper-layer protocol associated with this mapping. 2156 Values are taken from the IANA protocol registry: 2157 https://www.iana.org/assignments/protocol-numbers/ 2158 protocol-numbers.xhtml 2160 For example, this field contains 6 (TCP) for a TCP 2161 mapping or 17 (UDP) for a UDP mapping."; 2162 } 2163 leaf protocol-name { 2164 type string; 2165 description 2166 "The name of the Upper-layer protocol associated 2167 with this mapping. 2169 Values are taken from the IANA protocol registry: 2170 https://www.iana.org/assignments/protocol-numbers/ 2171 protocol-numbers.xhtml 2173 For example, TCP, UDP, DCCP, and SCTP."; 2174 } 2175 } 2177 leaf subscriber-mask-v6 { 2178 type uint8 { 2179 range "0 .. 
128"; 2180 } 2182 description 2183 "The subscriber mask is an integer that indicates 2184 the length of significant bits to be applied on 2185 the source IPv6 address (internal side) to 2186 unambiguously identify a user device (e.g., CPE). 2188 Subscriber mask is a system-wide configuration 2189 parameter that is used to enforce generic 2190 per-subscriber policies (e.g., port-quota). 2192 The enforcement of these generic policies does not 2193 require the configuration of every subscriber's 2194 prefix. 2196 Example: suppose the 2001:db8:100:100::/56 prefix 2197 is assigned to a NAT64 serviced CPE. Suppose also 2198 that 2001:db8:100:100::1 is the IPv6 address used 2199 by the client that resides in that CPE. When the 2200 NAT64 receives a packet from this client, 2201 it applies the subscriber-mask-v6 (e.g., 56) on 2202 the source IPv6 address to compute the associated 2203 prefix for this client (2001:db8:100:100::/56). 2204 Then, the NAT64 enforces policies based on that 2205 prefix (2001:db8:100:100::/56), not on the exact 2206 source IPv6 address."; 2207 } 2209 list subscriber-match { 2210 if-feature "basic-nat44 or napt44 or dst-nat"; 2211 key match-id; 2213 description 2214 "IP prefix match. 2215 A subscriber is identified by a subnet."; 2217 leaf match-id { 2218 type uint32; 2219 description 2220 "An identifier of the subscriber match."; 2221 } 2223 leaf subnet { 2224 type inet:ip-prefix; 2225 mandatory true; 2226 description 2227 "The IP address subnets that match 2228 should be translated. 
E.g., all addresses 2229 that belong to the 192.0.2.0/24 prefix must 2230 be processed by the NAT."; 2231 } 2232 } 2234 leaf address-allocation-type { 2235 type enumeration { 2236 enum "arbitrary" { 2237 if-feature "basic-nat44 or napt44 or nat64"; 2238 description 2239 "Arbitrary pooling behavior means that the NAT 2240 instance may create the new port mapping using any 2241 address in the pool that has a free port for the 2242 protocol concerned."; 2243 } 2245 enum "roundrobin" { 2246 if-feature "basic-nat44 or napt44 or nat64"; 2247 description 2248 "Round robin allocation."; 2249 } 2251 enum "paired" { 2252 if-feature "napt44 or nat64"; 2253 description 2254 "Paired address pooling informs the NAT 2255 that all the flows from an internal IP 2256 address must be assigned the same external 2257 address. This is the recommended behavior for 2258 NAPT/NAT64."; 2260 reference 2261 "RFC 4787: Network Address Translation (NAT) 2262 Behavioral Requirements for Unicast UDP"; 2263 } 2264 } 2265 description 2266 "Specifies how external IP addresses are allocated."; 2267 } 2269 leaf port-allocation-type { 2270 if-feature "napt44 or nat64"; 2271 type enumeration { 2272 enum "random" { 2273 description 2274 "Port randomization is enabled. A NAT port allocation 2275 scheme should make it hard for attackers to guess 2276 port numbers"; 2277 reference 2278 "REQ-15 of RFC 6888"; 2279 } 2281 enum "port-preservation" { 2282 description 2283 "Indicates whether the NAT should preserve the internal 2284 port number."; 2285 } 2287 enum "port-parity-preservation" { 2288 description 2289 "Indicates whether the NAT should preserve the port 2290 parity of the internal port number."; 2291 } 2293 enum "port-range-allocation" { 2294 description 2295 "Indicates whether the NAT assigns a range of ports 2296 for an internal host. 
This scheme allows to minimize 2297 log volume."; 2298 reference 2299 "REQ-14 of RFC 6888"; 2300 } 2301 } 2302 description 2303 "Indicates the type of port allocation."; 2304 } 2306 leaf mapping-type { 2307 if-feature "napt44 or nat64"; 2308 type enumeration { 2309 enum "eim" { 2310 description 2311 "endpoint-independent-mapping."; 2312 reference 2313 "Section 4 of RFC 4787."; 2314 } 2316 enum "adm" { 2317 description 2318 "address-dependent-mapping."; 2319 reference 2320 "Section 4 of RFC 4787."; 2321 } 2323 enum "edm" { 2324 description 2325 "address-and-port-dependent-mapping."; 2326 reference 2327 "Section 4 of RFC 4787."; 2328 } 2329 } 2330 description 2331 "Indicates the type of a NAT mapping."; 2332 } 2334 leaf filtering-type { 2335 if-feature "napt44 or nat64"; 2336 type enumeration { 2337 enum "eif" { 2338 description 2339 "endpoint-independent-filtering."; 2340 reference 2341 "Section 5 of RFC 4787."; 2342 } 2344 enum "adf" { 2345 description 2346 "address-dependent-filtering."; 2347 reference 2348 "Section 5 of RFC 4787."; 2349 } 2351 enum "edf" { 2352 description 2353 "address-and-port-dependent-filtering"; 2354 reference 2355 "Section 5 of RFC 4787."; 2357 } 2358 } 2359 description 2360 "Indicates the type of a NAT filtering."; 2361 } 2363 leaf fragment-behavior { 2364 if-feature "napt44 or nat64"; 2365 type enumeration { 2366 enum "drop-all" { 2367 description 2368 "All received fragments are dropped."; 2369 } 2371 enum "in-order" { 2372 description 2373 "Translate fragments only if they are received 2374 in order."; 2375 } 2377 enum "out-of-order" { 2378 description 2379 "Translate a fragment even if it is received out 2380 of order. 
2382 This behavior is the recommended behavior."; 2383 reference 2384 "REQ-14 of RFC 4787"; 2385 } 2386 } 2387 description 2388 "The fragment behavior instructs the NAT about the 2389 behavior to follow to translate fragments received 2390 on the external interface of the NAT."; 2391 } 2393 list port-quota { 2394 if-feature "napt44 or nat64"; 2395 key quota-type; 2396 description 2397 "Configures a port quota to be assigned per subscriber. 2398 It corresponds to the maximum number of ports to be 2399 used by a subscriber."; 2401 leaf port-limit { 2402 type uint16; 2403 description 2404 "Configures a port quota to be assigned per subscriber. 2406 It corresponds to the maximum number of ports to be 2407 used by a subscriber."; 2408 reference 2409 "REQ-4 of RFC 6888."; 2410 } 2412 leaf quota-type { 2413 type uint8; 2414 description 2415 "Indicates whether the port quota applies to 2416 all protocols (0) or to a specific protocol."; 2417 } 2418 } 2420 container port-set { 2422 when "../port-allocation-type = 'port-range-allocation'"; 2424 if-feature "napt44 or nat64"; 2425 description 2426 "Manages port-set assignments."; 2428 leaf port-set-size { 2429 type uint16; 2430 mandatory true; 2431 description 2432 "Indicates the size of assigned port sets."; 2433 } 2435 leaf port-set-timeout { 2436 type uint32; 2437 units "seconds"; 2438 description 2439 "inactivity timeout for port sets."; 2440 } 2441 } 2443 container timers { 2444 if-feature "napt44 or nat64"; 2445 description 2446 "Configure values of various timeouts."; 2448 leaf udp-timeout { 2449 type uint32; 2450 units "seconds"; 2451 default 300; 2452 description 2453 "UDP inactivity timeout. 
That is the time a mapping 2454 will stay active without packets traversing the NAT."; 2455 reference 2456 "RFC 4787: Network Address Translation (NAT) 2457 Behavioral Requirements for Unicast UDP"; 2458 } 2460 leaf tcp-idle-timeout { 2461 type uint32; 2462 units "seconds"; 2463 default 7440; 2464 description 2465 "TCP Idle timeout should be 2 hours and 4 minutes."; 2466 reference 2467 "RFC 5382: NAT Behavioral Requirements for TCP"; 2468 } 2470 leaf tcp-trans-open-timeout { 2471 type uint32; 2472 units "seconds"; 2473 default 240; 2474 description 2475 "The value of the transitory open connection 2476 idle-timeout. 2478 Section 2.1 of [RFC7857] clarifies that a NAT 2479 should provide different configurable 2480 parameters for configuring the open and 2481 closing idle timeouts. 2483 To accommodate deployments that consider 2484 a partially open timeout of 4 minutes as being 2485 excessive from a security standpoint, a NAT may 2486 allow the configured timeout to be less than 2487 4 minutes. 2489 However, a minimum default transitory connection 2490 idle-timeout of 4 minutes is recommended."; 2491 reference 2492 "Section 2.1 of RFC 7857."; 2493 } 2495 leaf tcp-trans-close-timeout { 2496 type uint32; 2497 units "seconds"; 2498 default 240; 2499 description 2500 "The value of the transitory close connection 2501 idle-timeout. 2503 Section 2.1 of [RFC7857] clarifies that a NAT 2504 should provide different configurable 2505 parameters for configuring the open and 2506 closing idle timeouts."; 2507 reference 2508 "Section 2.1 of RFC 7857."; 2509 } 2511 leaf tcp-in-syn-timeout { 2512 type uint32; 2513 units "seconds"; 2514 default 6; 2515 description 2516 "A NAT must not respond to an unsolicited 2517 inbound SYN packet for at least 6 seconds 2518 after the packet is received. 
If during 2519 this interval the NAT receives and translates 2520 an outbound SYN for the connection the NAT 2521 must silently drop the original unsolicited 2522 inbound SYN packet."; 2523 reference 2524 "RFC 5382 NAT Behavioral Requirements for TCP"; 2525 } 2527 leaf fragment-min-timeout { 2528 when "../../fragment-behavior='out-of-order'"; 2529 type uint32; 2530 units "seconds"; 2531 default 2; 2532 description 2533 "As long as the NAT has available resources, 2534 the NAT allows the fragments to arrive 2535 over fragment-min-timeout interval. 2536 The default value is inspired from RFC6146."; 2537 } 2539 leaf icmp-timeout { 2540 type uint32; 2541 units "seconds"; 2542 default 60; 2543 description 2544 "An ICMP Query session timer must not expire 2545 in less than 60 seconds. It is recommended 2546 that the ICMP Query session timer be made 2547 configurable"; 2548 reference 2549 "RFC 5508: NAT Behavioral Requirements for ICMP"; 2550 } 2551 list per-port-timeout { 2552 key port-number; 2553 description 2554 "Some NATs are configurable with short timeouts 2555 for some ports, e.g., as 10 seconds on 2556 port 53 (DNS) and 123 (NTP) and longer timeouts 2557 on other ports."; 2559 leaf port-number { 2560 type inet:port-number; 2561 description 2562 "A port number."; 2563 } 2565 leaf timeout { 2566 type uint32; 2567 units "seconds"; 2568 mandatory true; 2569 description 2570 "Timeout for this port number"; 2571 } 2572 } 2574 leaf hold-down-timeout { 2575 type uint32; 2576 units "seconds"; 2577 default 120; 2578 description 2579 "Hold down timer. 2581 Ports in the hold down pool are not reassigned until 2582 hold-down-timeout expires. 2584 The length of time and the maximum number of ports in 2585 this state must be configurable by the administrator. 2587 This is necessary in order to prevent collisions 2588 between old and new mappings and sessions. 
It ensures 2589 that all established sessions are broken instead of 2590 redirected to a different peer."; 2591 reference 2592 "REQ#8 of RFC 6888."; 2593 } 2595 leaf hold-down-max { 2596 type uint32; 2597 description 2598 "Maximum ports in the Hold down timer pool. 2600 Ports in the hold down pool are not reassigned 2601 until hold-down-timeout expires. 2603 The length of time and the maximum 2604 number of ports in this state must be 2605 configurable by the administrator. 2606 This is necessary in order 2607 to prevent collisions between old 2608 and new mappings and sessions. It ensures 2609 that all established sessions are broken 2610 instead of redirected to a different peer."; 2611 reference 2612 "REQ#8 of RFC 6888."; 2613 } 2614 } 2616 leaf fragments-limit{ 2617 when "../fragment-behavior='out-of-order'"; 2618 type uint32; 2619 description 2620 "Limits the number of out of order fragments that can 2621 be handled."; 2622 reference 2623 "Section 11 of RFC 4787."; 2624 } 2626 list algs { 2627 key name; 2628 description 2629 "ALG-related features."; 2631 leaf name { 2632 type string; 2633 description 2634 "The name of the ALG."; 2635 } 2637 leaf transport-protocol { 2638 type uint32; 2639 description 2640 "The transport protocol used by the ALG 2641 (e.g., TCP, UDP)."; 2642 } 2644 container dst-transport-port { 2645 uses port-number; 2646 description 2647 "The destination port number(s) used by the ALG. 2649 For example, 2650 - 21 for the FTP ALG 2651 - 53 for the DNS ALG."; 2652 } 2654 container src-transport-port { 2655 uses port-number; 2656 description 2657 "The source port number(s) used by the ALG."; 2658 } 2660 leaf status { 2661 type boolean; 2662 description 2663 "Enable/disable the ALG."; 2664 } 2665 } 2667 leaf all-algs-enable { 2668 type boolean; 2669 description 2670 "Enable/disable all ALGs. 
2672 When specified, this parameter overrides the one 2673 that may be indicated, eventually, by the 'status' 2674 of an individual ALG."; 2675 } 2677 container notify-pool-usage { 2678 if-feature "basic-nat44 or napt44 or nat64"; 2679 description 2680 "Notification of pool usage when certain criteria 2681 are met."; 2683 leaf pool-id { 2684 type uint32; 2685 description 2686 "Pool-ID for which the notification criteria 2687 is defined"; 2688 } 2690 leaf high-threshold { 2691 type percent; 2692 description 2693 "Notification must be generated when the defined high 2694 threshold is reached. 2696 For example, if a notification is required when the 2697 pool utilization reaches 90%, this configuration 2698 parameter must be set to 90. 2700 0% indicates that no high threshold is enabled."; 2701 } 2703 leaf low-threshold { 2704 type percent; 2705 must ". >= ../high-threshold" { 2706 error-message 2707 "The upper port number must be greater than or 2708 equal to lower port number."; 2709 } 2710 description 2711 "Notification must be generated when the defined low 2712 threshold is reached. 2714 For example, if a notification is required when the 2715 pool utilization reaches below 10%, this 2716 configuration parameter must be set to 10"; 2717 } 2719 leaf notify-interval { 2720 type uint32 { 2721 range "1 .. 
3600"; 2722 } 2723 units "seconds"; 2724 default '20'; 2725 description 2726 "Minimum number of seconds between successive 2727 notifications for this pool."; 2729 reference 2730 "RFC 7659: Definitions of Managed Objects for 2731 Network Address Translators (NATs)"; 2732 } 2733 } 2735 container external-realm { 2736 description 2737 "Identifies the external realm of the NAT instance."; 2739 choice realm-type { 2740 description 2741 "Can be an interface, VRF instance, etc."; 2743 case interface { 2744 description 2745 "External interface."; 2747 leaf external-interface { 2748 type if:interface-ref; 2749 description 2750 "Name of the external interface."; 2751 } 2752 } 2753 } 2754 } 2755 } 2757 container mapping-limits { 2758 if-feature "napt44 or nat64"; 2759 description 2760 "Information about the configuration parameters that 2761 limits the mappings based upon various criteria."; 2763 leaf limit-subscribers { 2764 type uint32; 2765 description 2766 "Maximum number of subscribers that can be serviced 2767 by a NAT instance. 2769 A subscriber is identified by a given prefix."; 2770 reference 2771 "RFC 7659: Definitions of Managed Objects for 2772 Network Address Translators (NATs)"; 2773 } 2775 leaf limit-address-mapings { 2776 type uint32; 2777 description 2778 "Maximum number of address mappings that can be 2779 handled by a NAT instance. 2781 When this limit is reached, packets that would 2782 normally trigger translation, will be dropped."; 2783 reference 2784 "RFC 7659: Definitions of Managed Objects 2785 for Network Address Translators 2786 (NATs)"; 2787 } 2789 leaf limit-port-mappings { 2790 type uint32; 2791 description 2792 "Maximum number of port mappings that can be handled 2793 by a NAT instance. 
2795 When this limit is reached, packets that would 2796 normally trigger translation, will be dropped."; 2797 reference 2798 "RFC 7659: Definitions of Managed Objects for 2799 Network Address Translators (NATs)"; 2800 } 2802 list limit-per-protocol { 2803 if-feature "napt44 or nat64 or dst-nat"; 2804 key protocol-id; 2806 description 2807 "Configure limits per transport protocol"; 2809 leaf protocol-id { 2810 type uint8; 2811 mandatory true; 2812 description 2813 "Upper-layer protocol associated with this mapping. 2815 Values are taken from the IANA protocol registry: 2816 https://www.iana.org/assignments/protocol-numbers/ 2817 protocol-numbers.xhtml 2819 For example, this field contains 6 (TCP) for a TCP 2820 mapping or 17 (UDP) for a UDP mapping."; 2821 } 2823 leaf limit { 2824 type uint32; 2825 description 2826 "Maximum number of protocol-specific NAT mappings 2827 per instance."; 2828 } 2829 } 2830 } 2832 container connection-limits { 2833 if-feature "basic-nat44 or napt44 or nat64"; 2834 description 2835 "Information about the configuration parameters that 2836 rate limit the translation based upon various criteria."; 2838 leaf limit-per-subscriber { 2839 type uint32; 2840 units "bits/second"; 2841 description 2842 "Rate-limit the number of new mappings and sessions 2843 per subscriber."; 2844 } 2846 leaf limit-per-instance { 2847 type uint32; 2848 units "bits/second"; 2849 mandatory true; 2850 description 2851 "Rate-limit the number of new mappings and sessions 2852 per instance."; 2853 } 2855 list limit-per-protocol { 2856 if-feature "napt44 or nat64"; 2857 key protocol-id; 2858 description 2859 "Configure limits per transport protocol"; 2861 leaf protocol-id { 2862 type uint8; 2863 mandatory true; 2864 description 2865 "Upper-layer protocol associated with this mapping. 
2867 Values are taken from the IANA protocol registry: 2868 https://www.iana.org/assignments/protocol-numbers/ 2869 protocol-numbers.xhtml 2871 For example, this field contains 6 (TCP) for a TCP 2872 mapping or 17 (UDP) for a UDP mapping."; 2873 } 2875 leaf limit { 2876 type uint32; 2877 description 2878 "Rate-limit the number of protocol-specific mappings 2879 and sessions per instance."; 2880 } 2881 } 2882 } 2884 container notification-limits { 2885 description "Sets notification limits."; 2887 leaf notify-interval { 2888 if-feature "basic-nat44 or napt44 or nat64"; 2889 type uint32 { 2890 range "1 .. 3600"; 2891 } 2892 units "seconds"; 2893 default '10'; 2894 description 2895 "Minimum number of seconds between successive 2896 notifications for this NAT instance."; 2897 reference 2898 "RFC 7659: Definitions of Managed Objects 2899 for Network Address Translators (NATs)"; 2900 } 2902 leaf notify-addresses-usage { 2903 if-feature "basic-nat44 or napt44 or nat64"; 2904 type percent; 2905 description 2906 "Notification of address mappings usage over 2907 the whole NAT instance. 2909 Notification must be generated when the defined 2910 threshold is reached. 2912 For example, if a notification is required when 2913 the address mappings utilization reaches 90%, 2914 this configuration parameter must be set 2915 to 90."; 2916 } 2918 leaf notify-ports-usage { 2919 if-feature "napt44 or nat64"; 2920 type percent; 2921 description 2922 "Notification of port mappings usage over the 2923 whole NAT instance. 2925 Notification must be generated when the defined 2926 threshold is reached. 2928 For example, if a notification is required when 2929 the port mappings utilization reaches 90%, this 2930 configuration parameter must be set to 90."; 2931 } 2933 leaf notify-subscribers-limit { 2934 if-feature "basic-nat44 or napt44 or nat64"; 2935 type uint32; 2936 description 2937 "Notification of active subscribers per NAT 2938 instance. 
2940 Notification must be generated when the defined 2941 threshold is reached."; 2942 } 2943 } 2945 leaf logging-enable { 2946 if-feature "basic-nat44 or napt44 or nat64"; 2947 type boolean; 2948 description 2949 "Enable logging features."; 2950 reference 2951 "Section 2.3 of RFC 6908 and REQ-12 of RFC6888."; 2952 } 2954 container mapping-table { 2955 if-feature "basic-nat44 or napt44 " + 2956 "or nat64 or clat or dst-nat"; 2957 description 2958 "NAT mapping table. Applicable for functions which maintain 2959 static and/or dynamic mappings, such as NAT44, Destination 2960 NAT, NAT64, or CLAT."; 2962 list mapping-entry { 2963 key "index"; 2964 description "NAT mapping entry."; 2965 uses mapping-entry; 2966 } 2967 } 2969 container statistics { 2970 config false; 2972 description 2973 "Statistics related to the NAT instance."; 2975 leaf discontinuity-time { 2976 type yang:date-and-time; 2977 mandatory true; 2978 description 2979 "The time on the most recent occasion at which the NAT 2980 instance suffered a discontinuity. 
This must be 2981 initialized when the NAT instance is configured 2982 or rebooted."; 2983 } 2984 container traffic-statistics { 2985 description 2986 "Generic traffic statistics."; 2988 leaf sent-packets { 2989 type yang:zero-based-counter64; 2990 description 2991 "Number of packets sent."; 2992 } 2994 leaf sent-bytes { 2995 type yang:zero-based-counter64; 2996 units 'bytes'; 2997 description 2998 "Counter for sent traffic in bytes."; 2999 } 3001 leaf rcvd-packets { 3002 type yang:zero-based-counter64; 3003 description 3004 "Number of received packets."; 3005 } 3007 leaf rcvd-bytes { 3008 type yang:zero-based-counter64; 3009 units 'bytes'; 3010 description 3011 "Counter for received traffic in bytes."; 3012 } 3014 leaf dropped-packets { 3015 type yang:zero-based-counter64; 3016 description 3017 "Number of dropped packets."; 3018 } 3020 leaf dropped-bytes { 3021 type yang:zero-based-counter64; 3022 units 'bytes'; 3023 description 3024 "Counter for dropped traffic in bytes."; 3025 } 3027 leaf dropped-fragments { 3028 if-feature "napt44 or nat64"; 3029 type yang:zero-based-counter64; 3030 description 3031 "Number of dropped fragments on the external realm."; 3033 } 3035 leaf dropped-address-limit-packets { 3036 if-feature "basic-nat44 or napt44 or nat64"; 3037 type yang:zero-based-counter64; 3038 description 3039 "Number of dropped packets because an address limit 3040 is reached."; 3041 } 3043 leaf dropped-address-limit-bytes { 3044 if-feature "basic-nat44 or napt44 or nat64"; 3045 type yang:zero-based-counter64; 3046 units 'bytes'; 3047 description 3048 "Counter of dropped packets because an address limit 3049 is reached, in bytes."; 3050 } 3052 leaf dropped-address-packets { 3053 if-feature "basic-nat44 or napt44 or nat64"; 3054 type yang:zero-based-counter64; 3055 description 3056 "Number of dropped packets because no address is 3057 available for allocation."; 3058 } 3060 leaf dropped-address-bytes { 3061 if-feature "basic-nat44 or napt44 or nat64"; 3062 type 
              yang:zero-based-counter64;
            units 'bytes';
            description
              "Counter of dropped packets because no address is
               available for allocation, in bytes.";
          }

          leaf dropped-port-limit-packets {
            if-feature "napt44 or nat64";
            type yang:zero-based-counter64;
            description
              "Number of dropped packets because a port limit
               is reached.";
          }

          leaf dropped-port-limit-bytes {
            if-feature "napt44 or nat64";
            type yang:zero-based-counter64;
            units 'bytes';
            description
              "Counter of dropped packets because a port limit
               is reached, in bytes.";
          }

          leaf dropped-port-packets {
            if-feature "napt44 or nat64";
            type yang:zero-based-counter64;
            description
              "Number of dropped packets because no port is
               available for allocation.";
          }

          leaf dropped-port-bytes {
            if-feature "napt44 or nat64";
            type yang:zero-based-counter64;
            units 'bytes';
            description
              "Counter of dropped packets because no port is
               available for allocation, in bytes.";
          }

          leaf dropped-subscriber-limit-packets {
            if-feature "basic-nat44 or napt44 or nat64";
            type yang:zero-based-counter64;
            description
              "Number of dropped packets because the subscriber
               limit per instance is reached.";
          }

          leaf dropped-subscriber-limit-bytes {
            if-feature "basic-nat44 or napt44 or nat64";
            type yang:zero-based-counter64;
            units 'bytes';
            description
              "Counter of dropped packets because the subscriber
               limit per instance is reached, in bytes.";
          }
        }

        container mappings-statistics {
          description
            "Mappings statistics.";

          leaf total-active-subscribers {
            if-feature "basic-nat44 or napt44 or nat64";
            type yang:gauge32;
            description
              "Total number of active subscribers (that is, subscribers
               for which the NAT maintains active mappings).
               A subscriber is identified by a subnet, subscriber-mask,
               etc.";
          }

          leaf total-address-mappings {
            if-feature "basic-nat44 or napt44 "
                     + "or nat64 or clat or dst-nat";
            type yang:gauge32;
            description
              "Total number of address mappings present at a given
               time.  It includes both static and dynamic mappings.";
            reference
              "Section 3.3.8 of RFC 7659";
          }

          leaf total-port-mappings {
            if-feature "napt44 or nat64";
            type yang:gauge32;
            description
              "Total number of NAT port mappings present at
               a given time.  It includes both static and dynamic
               mappings.";
            reference
              "Section 3.3.9 of RFC 7659";
          }

          list total-per-protocol {
            if-feature "napt44 or nat64";
            key protocol-id;
            description
              "Total mappings for each enabled/supported protocol.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.
                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }

            leaf total {
              type yang:gauge32;
              description
                "Total number of protocol-specific mappings present
                 at a given time.  The protocol is identified by
                 protocol-id.";
            }
          }
        }

        container pools-stats {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Statistics related to address/prefix pools
             usage";

          leaf addresses-allocated {
            type yang:gauge32;
            description
              "Number of all allocated addresses.";
          }

          leaf addresses-free {
            type yang:gauge32;
            description
              "Number of unallocated addresses of all pools at
               a given time.  The sum of unallocated and allocated
               addresses is the total number of addresses of
               the pools.";
          }

          container ports-stats {
            if-feature "napt44 or nat64";

            description
              "Statistics related to port numbers usage.";

            leaf ports-allocated {
              type yang:gauge32;
              description
                "Number of allocated ports from all pools.";
            }

            leaf ports-free {
              type yang:gauge32;
              description
                "Number of unallocated ports from all pools.";
            }
          }

          list per-pool-stats {
            if-feature "basic-nat44 or napt44 or nat64";
            key "pool-id";
            description
              "Statistics related to address/prefix pool usage";

            leaf pool-id {
              type uint32;
              description
                "Unique Identifier that represents a pool of
                 addresses/prefixes.";
            }

            leaf discontinuity-time {
              type yang:date-and-time;
              mandatory true;
              description
                "The time on the most recent occasion at which this
                 pool's counters suffered a discontinuity.  This must
                 be initialized when the address pool is
                 configured.";
            }

            container pool-stats {
              description
                "Statistics related to address/prefix pool usage";

              leaf addresses-allocated {
                type yang:gauge32;
                description
                  "Number of allocated addresses from this pool.";
              }

              leaf addresses-free {
                type yang:gauge32;
                description
                  "Number of unallocated addresses in this pool.";
              }
            }

            container port-stats {
              if-feature "napt44 or nat64";
              description
                "Statistics related to port numbers usage.";

              leaf ports-allocated {
                type yang:gauge32;
                description
                  "Number of allocated ports from this pool.";
              }
              leaf ports-free {
                type yang:gauge32;
                description
                  "Number of unallocated ports from this pool.";
              }
            }
          }
        }
      }
    }
  }

  /*
   * Notifications
   */

  notification nat-pool-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when the defined high/low
       threshold is reached.  Related configuration parameters
       must be provided to trigger the notifications.";

    leaf id {
      type leafref {
        path "/nat/instances/instance/id";
      }
      mandatory true;
      description
        "NAT instance Identifier.";
    }

    leaf policy-id {
      type leafref {
        path "/nat/instances/instance/policy/id";
      }
      description
        "Policy Identifier.";
    }

    leaf pool-id {
      type leafref {
        path
          "/nat/instances/instance/policy/"
        + "external-ip-address-pool/pool-id";
      }
      mandatory true;
      description
        "Pool Identifier.";
    }

    leaf notify-pool-threshold {
      type percent;
      mandatory true;
      description
        "A threshold (high-threshold or low-threshold) has
         been fired.";
    }
  }

  notification nat-instance-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when notify-addresses-usage
       and/or notify-ports-usage threshold are reached.";

    leaf id {
      type leafref {
        path "/nat/instances/instance/id";
      }
      mandatory true;
      description
        "NAT instance Identifier.";
    }

    leaf notify-subscribers-threshold {
      type uint32;
      description
        "The notify-subscribers-limit threshold has been fired.";
    }

    leaf notify-addresses-threshold {
      type percent;
      description
        "The notify-addresses-usage threshold has been fired.";
    }

    leaf notify-ports-threshold {
      type percent;
      description
        "The notify-ports-usage threshold has been fired.";
    }
  }
}

4.  Security Considerations

   Security considerations related to address and prefix translation are
   discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and
   [RFC6296].

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  The NAT YANG module allows parameters to be set
   that prevent a user from aggressively using NAT resources
   (port-quota), rate-limit connections as a guard against
   Denial-of-Service, or enable notifications so that appropriate
   measures are enforced to anticipate traffic drops.  Nevertheless, an
   attacker who is able to access the NAT can undertake various attacks,
   such as:

   o  Set a high or low resource limit to cause a DoS attack:

      *  /nat/instances/instance/policy/port-quota

      *  /nat/instances/instance/policy/fragments-limit

      *  /nat/instances/instance/mapping-limits

      *  /nat/instances/instance/connection-limits

   o  Set a low notification threshold to cause useless notifications to
      be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-limit

   o  Set an arbitrarily high threshold, which may lead to the
      deactivation of notifications:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-limit

   o  Set a low notification interval and a low notification threshold
      to induce useless notifications to be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/notify-interval

      *  /nat/instances/instance/notification-limits/notify-interval

   o  Access to privacy data maintained in the mapping table.  Such data
      can be misused to track the activity of a host:

      *  /nat/instances/instance/mapping-table

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].
      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6.  Acknowledgements

   Many thanks to Dan Wing and Tianran Zhou for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.  Mahesh Jethanandani
   provided useful comments.

   Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
   Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
   Kristian Poscic for the CGN review.

   Special thanks to Maros Marsalek and Marek Gradzki for sharing their
   comments based on the FD.io implementation of an earlier version of
   this module.

   Rajiv Asati suggested to clarify how the module applies for both
   stateless and stateful NAT64.

   Juergen Schoenwaelder provided an early YANG doctors review.  Many
   thanks to him.

7.  References

7.1.  Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.
   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

7.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-02 (work in progress),
              October 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
              Modules for Dual-Stack Lite (DS-Lite)", draft-ietf-
              softwire-dslite-yang-09 (work in progress), November 2017.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

Appendix A.  Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such case together with a mapping entry is depicted below (the
   element tags of this and the following snippets did not survive
   extraction; only the element values remain):

      1
      NAT_Subscriber_A
      ....
      1
      192.0.2.1
      ....
      ....
      192.0.2.1
      ....

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.  In reference to this
   example, the UDP packet received with a source IPv4 address
   (192.0.2.1) and source port number (1568) is translated into a UDP
   packet having a source IPv4 address (198.51.100.1) and source port
   (15000).  The remaining lifetime of this mapping is 300 seconds.

      15
      dynamic-explicit
      17
      192.0.2.1
      1568
      198.51.100.1
      15000
      300

A.2.  Carrier Grade NAT (CGN)

   The following XML snippet shows an example of the capabilities
   supported by a CGN as retrieved using NETCONF.

      napt44
      false
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false

   The following XML snippet shows an example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (192.0.2.0/24).
   Further, the CGN is instructed to limit the number of allocated ports
   per subscriber to 1024.  Ports can be allocated by the CGN by
   assigning ranges of 256 ports (that is, a subscriber can be allocated
   up to four port ranges of 256 ports each).

      1
      myCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      256
      ....

   An administrator may decide to allocate one single port range per
   subscriber (port range of 1024 ports) as shown below:

      1
      myotherCGN
      ....
      1
      192.0.2.0/24
      1024
      all
      port-range-allocation
      1024
      ....
      ....

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

        X1:x1            X1':x1'              X2:x2
        +---+from X1:x1  +---+from X1:x1    +---+
        | C | to X2:x2   |   | to X2:x2     | S |
        | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
        | i |            | G |              | r |
        | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
        | n |from X2:x2  |   |from X2:x2    | e |
        | t | to X1:x1   |   | to X1:x1     | r |
        +---+            +---+              +---+

                      Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.25), the following configuration parameter must be
   set:

      ...
      192.0.2.25
      ...

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such case is
   depicted below:

      2001:db8:122:300::/56

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such case is shown below:

      2001:db8:122::/48
      198.51.100.0/24

A.5.  Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].  Similar to the NAT64 case, the XML snippet to configure
   the NAT64 prefix in such case is depicted below:

      2001:db8:100::/40

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
   following RFC6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.

   Also, a NAT64 can be instructed to behave in the stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

      2001:db8:122:300::/56
      true

A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
      SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Figure 2.
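   The following is an added example (Python, not code from the draft
   or from any implementation it cites) that carries out both the RFC
   6052 extraction walked through in A.5 and the EAM lookup of RFC 7757
   over the Figure 2 table that follows.  The NSP, the EAM table and
   the addresses are those of the appendix; the longest-prefix
   precedence between overlapping EAMs and the suffix alignment are
   this example's reading of RFC 7757 and are not specified by the
   draft.

```python
"""Address mapping of a stateless IP/ICMP translator (SIIT).

Added example, not code from the draft or any implementation it cites.
RFC 6052 IPv4-embedded addresses with a Network-Specific Prefix (A.5) and
the RFC 7757 Explicit Address Mappings of Figure 2 (A.6) are both
implemented; as RFC 7757 requires, the EAM table is consulted first.
Longest-prefix precedence between overlapping EAMs and the suffix
alignment are this example's reading of RFC 7757 Section 3.2.
"""
import ipaddress

VALID_NSP_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows


def rfc6052_embed(ipv4: str, nsp: str) -> str:
    """Build the IPv4-embedded IPv6 address of ipv4 under the prefix nsp."""
    net = ipaddress.IPv6Network(nsp)
    plen = net.prefixlen
    if plen not in VALID_NSP_LENGTHS:
        raise ValueError(f"unsupported NSP length /{plen}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    prefix = int(net.network_address) >> (128 - plen)
    if plen == 96:
        return str(ipaddress.IPv6Address((prefix << 32) | v4))
    # For /32../64 the IPv4 bits straddle bits 64..71 (the "u" octet, which
    # must be zero): high_len of them go before it and the rest after it.
    high_len, low_len = 64 - plen, plen - 32
    high, low = v4 >> low_len, v4 & ((1 << low_len) - 1)
    value = ((((prefix << high_len) | high) << 8) << low_len) | low
    return str(ipaddress.IPv6Address(value << (88 - plen)))  # zero suffix


def rfc6052_extract(ipv6: str, nsp: str) -> str:
    """Recover the IPv4 address embedded in ipv6 under the prefix nsp."""
    net = ipaddress.IPv6Network(nsp)
    addr = ipaddress.IPv6Address(ipv6)
    plen = net.prefixlen
    if plen not in VALID_NSP_LENGTHS:
        raise ValueError(f"unsupported NSP length /{plen}")
    if addr not in net:
        raise ValueError(f"{ipv6} is not covered by NSP {nsp}")
    bits = int(addr)
    if plen == 96:
        return str(ipaddress.IPv4Address(bits & 0xFFFFFFFF))
    if (bits >> 56) & 0xFF:
        raise ValueError("bits 64..71 (u octet) must be zero")
    high_len, low_len = 64 - plen, plen - 32
    high = (bits >> 64) & ((1 << high_len) - 1)
    low = (bits >> (56 - low_len)) & ((1 << low_len) - 1)
    return str(ipaddress.IPv4Address((high << low_len) | low))


# The EAM table of Figure 2 (taken from RFC 7757), as (IPv4, IPv6) prefixes.
EAMT = [
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]


def eam_translate(addr: str, eamt=EAMT):
    """Map an IPv4 or IPv6 address through the EAM table; None if no match."""
    a = ipaddress.ip_address(addr)
    best = None
    for v4p, v6p in eamt:
        pair = (ipaddress.IPv4Network(v4p), ipaddress.IPv6Network(v6p))
        src, dst = pair if a.version == 4 else pair[::-1]
        if a in src and (best is None or src.prefixlen > best[0].prefixlen):
            best = (src, dst)  # assumption: longest prefix wins on overlap
    if best is None:
        return None
    src, dst = best
    src_sfx = src.max_prefixlen - src.prefixlen
    dst_sfx = dst.max_prefixlen - dst.prefixlen
    suffix = int(a) & ((1 << src_sfx) - 1)
    # The suffix is aligned to the most significant bits of the target suffix:
    # zero-padded when the target is longer, truncated when it is shorter.
    if dst_sfx >= src_sfx:
        suffix <<= dst_sfx - src_sfx
    else:
        suffix >>= src_sfx - dst_sfx
    return str(type(dst.network_address)(int(dst.network_address) | suffix))


def siit_map(addr: str, nsp: str, eamt=EAMT) -> str:
    """What the translator does with one address: EAM first, then RFC 6052."""
    hit = eam_translate(addr, eamt)
    if hit is not None:
        return hit
    if ipaddress.ip_address(addr).version == 4:
        return rfc6052_embed(addr, nsp)
    return rfc6052_extract(addr, nsp)
```

   With the A.5 prefix, siit_map("2001:db8:1c0:2:21::", "2001:db8:100::/40")
   yields 192.0.2.33, while 192.0.2.129 is caught by the Figure 2 entry
   192.0.2.128/26 before RFC 6052 is consulted.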
           +----------------+----------------------+
           | IPv4 Prefix    | IPv6 Prefix          |
           +----------------+----------------------+
           | 192.0.2.1      | 2001:db8:aaaa::      |
           | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
           | 192.0.2.16/28  | 2001:db8:cccc::/124  |
           | 192.0.2.128/26 | 2001:db8:dddd::/64   |
           | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
           | 192.0.2.224/31 | 64:ff9b::/127        |
           +----------------+----------------------+

                  Figure 2: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

      192.0.2.1
      2001:db8:aaaa::

      192.0.2.2/32
      2001:db8:bbbb::b/128

      192.0.2.16/28
      2001:db8:cccc::/124

      192.0.2.128/26
      2001:db8:dddd::/64

      192.0.2.192/29
      2001:db8:eeee:8::/62

      192.0.2.224/31
      64:ff9b::/127

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

      nat64
      true
      true
      true
      true
      false
      true
      true
      true
      false
      false
      true
      false
      false

A.7.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

      1
      static
      6
      192.0.2.1
      100
      500
      198.51.100.1
      1100
      1500
      ...

A.8.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.1/24 to 198.51.100.1/24.

      1
      static
      6
      192.0.2.1/24
      198.51.100.1/24
      ...

A.9.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

      1
      192.0.2.1
      198.51.100.1

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      8080

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings to be configured on the NAT:

      1
      static
      6
      192.0.2.1
      80
      198.51.100.1
      ...

      2
      static
      6
      192.0.2.1
      22
      198.51.100.2
      ...

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

      1
      198.51.100.0/24

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10.  Customer-side Translator (CLAT)

   The following XML snippet shows the example of a CLAT that is
   configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

      2001:db8:aaaa::/96
      192.0.0.1/32
      2001:db8:1234::/96

A.11.  IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of a NPTv6 translator that should rewrite
   packets with the source prefix (fd01:203:405:/48) with the external
   prefix (2001:db8:1:/48).  The internal interface is "eth0" while the
   external interface is "eth1".

      External Network: Prefix = 2001:db8:1:/48
      --------------------------------------
                        |
                        |eth1
                 +-------------+
             eth4|    NPTv6    |eth2
         ...-----|             |------...
                 +-------------+
                        |eth0
                        |
      --------------------------------------
      Internal Network: Prefix = fd01:203:405:/48

                 Example of NPTv6 (RFC6296)

   The XML snippet to configure NPTv6 prefixes in such case is depicted
   below:

      fd01:203:405:/48
      2001:db8:1:/48
      ...
      eth1

   Figure 3 shows an example of an NPTv6 that interconnects two internal
   networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
   translated using a dedicated prefix (2001:db8:1:/48 and
   2001:db8:6666:/48, respectively).

      Internal Prefix = fd01:4444:5555:/48
      --------------------------------------
      V         |                   External Prefix
      V         |eth1               2001:db8:1:/48
      V    +---------+                    ^
      V    |  NPTv6  |                    ^
      V    |         |                    ^
      V    +---------+                    ^
      External Prefix  |eth0              ^
      2001:db8:6666:/48|                  ^
      --------------------------------------
      Internal Prefix = fd01:203:405:/48

           Figure 3: Connecting two Peer Networks (RFC6296)

   To that aim, the following configuration is provided to the NPTv6:

      1
      fd01:203:405:/48
      2001:db8:1:/48
      eth1

      2
      fd01:4444:5555:/48
      2001:db8:6666:/48
      eth0

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Email: sureshk@juniper.net

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com