Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: July 20, 2018                                     Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                        January 16, 2018


   A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                      draft-ietf-opsawg-nat-yang-10

Abstract

   For the sake of network automation, and given the need to program the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless
   IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless
   IP/ICMP Translation (SIIT EAM), and IPv6 Network Prefix Translation
   (NPTv6) are covered in this document.
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Data Model for Network Address Translation (NAT)
   and Network Prefix Translation (NPT)";

   "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 20, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various Translation Flavors
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface
     2.11. Relationship to NATV2-MIB
     2.12. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  Carrier Grade NAT (CGN)
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Stateless IP/ICMP Translation (SIIT)
     A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation
           (EAM SIIT)
     A.7.  Static Mappings with Port Ranges
     A.8.  Static Mappings with IP Prefixes
     A.9.  Destination NAT
     A.10. Customer-side Translator (CLAT)
     A.11. IPv6 Network Prefix Translation (NPTv6)
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], and IPv6 Network Prefix Translation (NPTv6) [RFC6296].
   The full set of translation schemes that are in scope is listed in
   Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.
   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may solicit a NAT or an NPTv6 (or both)
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a NAT/NPTv6 to
      an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the NAT that is necessary for network
      address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The term NAT is used in this document to refer to any translation
   flavor (NAT44, NAT64, etc.) indiscriminately.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

   The meaning of the symbols in tree diagrams is defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  Overview of the NAT YANG Data Model
2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.  As a reminder, REQ-9 of [RFC6888] requires that a CGN must
   implement a protocol giving subscribers explicit control over NAT
   mappings; that protocol should be the Port Control Protocol
   [RFC6887].

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance.  Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module allows a NAT function to be instructed to enable the
   logging feature.  Nevertheless, configuration parameters specific to
   logging protocols are out of the scope of this document.
2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44
   o  NAPT
   o  Destination NAT
   o  Port-restricted NAT
   o  Stateful NAT64
   o  SIIT
   o  CLAT
   o  EAM
   o  NPTv6
   o  Combination of Basic NAT/NAPT and Destination NAT
   o  Combination of port-restricted and Destination NAT
   o  Combination of NAT64 and EAM
   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists the defined features:

   +---------------------------------+--------------+
   | Translation Mode                | YANG Feature |
   +---------------------------------+--------------+
   | Basic NAT44                     | basic-nat44  |
   | NAPT                            | napt44       |
   | Destination NAT                 | dst-nat      |
   | Stateful NAT64                  | nat64        |
   | Stateless IPv4/IPv6 translation | siit         |
   | CLAT                            | clat         |
   | EAM                             | eam          |
   | NPTv6                           | nptv6        |
   +---------------------------------+--------------+

                     Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).
   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.
   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).
   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.
   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes if,
      in addition to appropriately setting the parameter
      (nat64-prefixes/stateless-enable), an external IPv4 address pool
      is configured.

   The NAT YANG module allows the capabilities of a NAT instance to be
   retrieved (including the list of supported translation modes, the
   list of supported protocols, port restriction support status,
   supported NAT mapping types, supported NAT filtering types, port
   range allocation support status, port parity preservation support
   status, port preservation support status, and the behavior for
   handling fragments (all, out-of-order, in-order)).

2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

   Also, the module allows translation to be enabled for these protocols
   when required (/nat/instances/instance/policy/transport-protocols).
2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for
   external-ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes (Section 12
   of [RFC6269]).  Therefore, a NAT function should be able to assign
   port sets (e.g., [RFC7753]) to optimize the volume of the logging
   data (REQ-14 of [RFC6888]).  Both allocation schemes are supported in
   the NAT YANG module.

   When port set assignment is activated (i.e.,
   port-allocation-type==port-range-allocation), the NAT can be provided
   with the size of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require the source port numbers to be restricted (e.g.,
   Lightweight 4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port
   set assignment (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.
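   The two port-set-restrict schemes above, as an added example that is
   not part of this draft or of the ietf-nat module: a simple port range
   (start-port-number/end-port-number) and the algorithmic port set of
   [RFC7597] (psid-offset, psid-len, psid), together with the check a
   translator needs, namely that an external source port it is about to
   use belongs to the restricted set, and the [RFC7596] rule that hosts
   sharing an IPv4 address have non-overlapping port sets.  All PSID and
   port values are constructed.

```python
"""Port-set restriction checks for a port-restricted NAPT/NAT64 (added
example, not code from the draft).  Models the two port-set-restrict
choices of the NAT YANG module: a simple port range and the RFC 7597
algorithmic port set (psid-offset, psid-len, psid)."""
from dataclasses import dataclass
from typing import Iterator, List, Union


@dataclass(frozen=True)
class PortRange:
    """port-set-restrict / port-range: inclusive start and end port."""
    start_port_number: int
    end_port_number: int

    def __post_init__(self) -> None:
        if not 0 <= self.start_port_number <= self.end_port_number <= 0xFFFF:
            raise ValueError("invalid port range")

    def __contains__(self, port: int) -> bool:
        return self.start_port_number <= port <= self.end_port_number

    def size(self) -> int:
        return self.end_port_number - self.start_port_number + 1


@dataclass(frozen=True)
class PortSetAlgo:
    """port-set-restrict / port-set-algo, RFC 7597 Section 5.1 port layout:

        |<-- a bits -->|<-- k bits -->|<-- m = 16 - a - k bits -->|
        | range index i|     PSID     |  j (contiguous ports)     |

    a = psid-offset, k = psid-len.  When a > 0, range index i = 0 (the
    system ports 0 .. 2^(16-a)-1) is excluded, as RFC 7597 recommends.
    """
    psid_offset: int
    psid_len: int
    psid: int

    def __post_init__(self) -> None:
        if not 0 <= self.psid_offset <= 16:
            raise ValueError("psid-offset must be 0..16")
        if self.psid_len < 0 or self.psid_offset + self.psid_len > 16:
            raise ValueError("psid-offset + psid-len must not exceed 16")
        if not 0 <= self.psid < (1 << self.psid_len):
            raise ValueError("psid does not fit in psid-len bits")

    @property
    def m(self) -> int:
        """Bits left for j: every range owned by the PSID holds 2^m ports."""
        return 16 - self.psid_offset - self.psid_len

    def first_index(self) -> int:
        return 1 if self.psid_offset > 0 else 0

    def ranges(self) -> Iterator[PortRange]:
        """Enumerate the contiguous port ranges owned by this PSID."""
        for i in range(self.first_index(), 1 << self.psid_offset):
            base = (i << (16 - self.psid_offset)) | (self.psid << self.m)
            yield PortRange(base, base + (1 << self.m) - 1)

    def size(self) -> int:
        return ((1 << self.psid_offset) - self.first_index()) << self.m

    def __contains__(self, port: int) -> bool:
        """Membership by extracting the PSID bits, without enumerating."""
        if not 0 <= port <= 0xFFFF:
            return False
        if self.psid_offset > 0 and port < (1 << (16 - self.psid_offset)):
            return False  # i == 0: system ports are never allocated
        return (port >> self.m) & ((1 << self.psid_len) - 1) == self.psid


PortSetRestrict = Union[PortRange, PortSetAlgo]


def port_allowed(restrict: PortSetRestrict, external_src_port: int) -> bool:
    """True if the external source port the NAT is about to use belongs
    to the restricted set configured in the policy."""
    return external_src_port in restrict


def port_sets_disjoint(sets: List[PortSetRestrict]) -> bool:
    """RFC 7596 rule: hosts sharing an external IPv4 address must have
    non-overlapping port sets.  Expand to ranges and check adjacency."""
    ranges: List[PortRange] = []
    for s in sets:
        ranges.extend(s.ranges() if isinstance(s, PortSetAlgo) else [s])
    ranges.sort(key=lambda r: r.start_port_number)
    return all(prev.end_port_number < cur.start_port_number
               for prev, cur in zip(ranges, ranges[1:]))
```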
2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   As a reminder, all the ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as used
      by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix as
      used by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.
   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows an IPv4 or an IPv6 address to be included as
   an internal IP address.  The remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2.  This example
   assumes EDM (Endpoint-Dependent Mapping).

   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                 Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is depicted in Table 3.  This
   example assumes EIM (Endpoint-Independent Mapping).
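   How the entry of Table 2 is derived from the first packet, as an
   added example that is not part of this draft or of the ietf-nat
   module: the external-dst-address is the IPv4 address embedded in the
   IPv6 destination under the configured nat64-prefix ([RFC6052], all
   six prefix lengths, which generalizes the /96 case of the table), and
   the configured mapping-type decides which destination fields the
   entry records (none for EIM, as in Tables 3 and 4).  T and t are
   passed in by the caller; the values 192.0.2.1 and 40000 used for them
   are constructed.

```python
"""Build a NAT64 mapping entry from the first packet of a flow (added
example, not code from the draft).  The external destination is the IPv4
address embedded in the IPv6 destination under the NAT64 prefix
(RFC 6052); mapping-type decides which destination fields are kept."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional, Union

Address = Union[IPv4Address, IPv6Address]
MAPPING_TYPES = ("endpoint-independent", "address-dependent", "endpoint-dependent")


def extract_ipv4(addr: IPv6Address, nat64_prefix: IPv6Network) -> IPv4Address:
    """Recover the IPv4 address from an IPv4-embedded IPv6 address
    (RFC 6052 Section 2.2).  For prefixes shorter than /96 the octet at
    bits 64..71 (the 'u' octet) is skipped so the 32 IPv4 bits are
    read contiguously from the octet right after the prefix."""
    plen = nat64_prefix.prefixlen
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("NAT64 prefix length must be 32/40/48/56/64/96")
    if addr not in nat64_prefix:
        raise ValueError("destination is not under the NAT64 prefix")
    octets = bytearray(addr.packed)
    if plen == 96:
        return IPv4Address(bytes(octets[12:16]))
    del octets[8]  # drop the 'u' octet
    start = plen // 8
    return IPv4Address(bytes(octets[start:start + 4]))


@dataclass
class MappingEntry:
    """Mapping entry structure of Section 2.8; ports double as ICMP ids.
    Destination fields stay None when the mapping-type does not record them."""
    type: str
    transport_protocol: int
    internal_src_address: Address
    internal_src_port: int
    external_src_address: Address
    external_src_port: int
    internal_dst_address: Optional[Address] = None
    internal_dst_port: Optional[int] = None
    external_dst_address: Optional[Address] = None
    external_dst_port: Optional[int] = None


def create_nat64_mapping(src: str, src_port: int, dst: str, dst_port: int,
                         protocol: int, nat64_prefix: str,
                         external_src: str, external_port: int,
                         mapping_type: str = "endpoint-dependent") -> MappingEntry:
    """Dynamic implicit mapping created by a stateful NAT64 for a first
    packet.  external_src / external_port stand for T and t of Table 2,
    i.e. an address from external-ip-address-pool and a port (or ICMP id)
    the NAT64 picked; they are supplied by the caller here.  mapping_type
    follows RFC 4787: EIM records no destination, ADM the destination
    address only, EDM both destination address and port."""
    if mapping_type not in MAPPING_TYPES:
        raise ValueError("unknown mapping-type")
    internal_dst = IPv6Address(dst)
    entry = MappingEntry(
        type="dynamic implicit mapping",
        transport_protocol=protocol,
        internal_src_address=IPv6Address(src),
        internal_src_port=src_port,
        external_src_address=IPv4Address(external_src),
        external_src_port=external_port,
    )
    if mapping_type == "endpoint-independent":
        return entry
    entry.internal_dst_address = internal_dst
    entry.external_dst_address = extract_ipv4(internal_dst, IPv6Network(nat64_prefix))
    if mapping_type == "endpoint-dependent":
        entry.internal_dst_port = dst_port
        entry.external_dst_port = dst_port  # NAT64 leaves the dst port unchanged
    return entry


def reuses_mapping(entry: MappingEntry, src: str, src_port: int,
                   dst: str, dst_port: int) -> bool:
    """Whether a later outbound packet is translated with this mapping.
    Fields the entry does not record are ignored, which is exactly what
    lets an EIM mapping be shared across destinations."""
    if (entry.internal_src_address, entry.internal_src_port) != (IPv6Address(src), src_port):
        return False
    if entry.internal_dst_address is not None and entry.internal_dst_address != IPv6Address(dst):
        return False
    if entry.internal_dst_port is not None and entry.internal_dst_port != dst_port:
        return False
    return True
```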
   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

              Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

              Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].
   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limits and connection-limits).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g.,
      rate-limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings or be translated because they match existing
   mappings are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of      |
   |                   | out-of-order fragments that can be handled by |
   |                   | a translator.                                 |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mapings and           |
   |                   | limit-port-mappings).  Limits specific to     |
   |                   | protocols (e.g., TCP, UDP, ICMP) can also be  |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified.  Rate-limiting can be       |
   |                   | enforced per subscriber (limit-subscriber),   |
   |                   | per NAT instance (limit-per-instance), and/or |
   |                   | be specified for each supported protocol      |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+

                           Table 5: NAT Limits

   Table 6 describes limits that, once exceeded, trigger notifications
   to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a      |
   |                          | nat-instance-event will be generated.  |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a            |
   |                          | nat-instance-event notification will   |
   |                          | be generated.                          |
   +--------------------------+----------------------------------------+

                     Table 6: Notification Thresholds

   To avoid generating notifications too frequently, the NAT YANG module
   supports the limits listed in Table 7, which control how often
   notifications can be generated.  That is, notifications are subject
   to rate-limiting imposed by these intervals.
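   The per-pool thresholds of Table 6 together with the
   notify-pool-usage/notify-interval rate limit of Table 7, as an added
   example that is not part of this draft or of the ietf-nat module: a
   monitor for one external-ip-address-pool that emits a nat-pool-event
   when utilization crosses high-threshold or falls below low-threshold,
   but never more than one event per notify-interval.  Pool size,
   thresholds and the usage samples are constructed; the module does not
   prescribe how an implementation evaluates them.

```python
"""Pool utilization thresholds and notification rate limiting (added
example, not code from the draft).  A monitor for one
external-ip-address-pool applies the high-threshold / low-threshold of
Table 6 and the per-pool notify-interval of Table 7, emitting at most
one nat-pool-event per interval.  All numbers are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NotifyPoolUsage:
    """Thresholds are percentages of the pool's addresses in use;
    notify_interval is the minimum number of seconds between events."""
    high_threshold: int
    low_threshold: int
    notify_interval: int

    def __post_init__(self) -> None:
        if not 0 <= self.low_threshold < self.high_threshold <= 100:
            raise ValueError("need 0 <= low-threshold < high-threshold <= 100")
        if self.notify_interval < 0:
            raise ValueError("notify-interval must be non-negative")


@dataclass(frozen=True)
class NatPoolEvent:
    """The notification a crossing produces (content is constructed)."""
    pool_id: int
    time: int
    utilization: int      # percent of addresses in use when emitted
    threshold: str        # 'high-threshold' or 'low-threshold'


@dataclass
class PoolMonitor:
    pool_id: int
    pool_size: int                    # addresses in the external-ip-pool
    config: NotifyPoolUsage
    in_use: int = 0
    last_notified: Optional[int] = None
    events: List[NatPoolEvent] = field(default_factory=list)
    suppressed: int = 0               # crossings silenced by notify-interval

    def utilization(self) -> int:
        return 100 * self.in_use // self.pool_size

    def crossed(self) -> Optional[str]:
        """Which threshold, if any, the current utilization violates."""
        u = self.utilization()
        if u > self.config.high_threshold:
            return "high-threshold"
        if u < self.config.low_threshold:
            return "low-threshold"
        return None

    def update(self, now: int, in_use: int) -> Optional[NatPoolEvent]:
        """Record an address-usage sample; return the event emitted, if any."""
        if not 0 <= in_use <= self.pool_size:
            raise ValueError("in_use outside pool size")
        self.in_use = in_use
        kind = self.crossed()
        if kind is None:
            return None
        if (self.last_notified is not None
                and now - self.last_notified < self.config.notify_interval):
            self.suppressed += 1      # rate-limited: the condition holds, no event
            return None
        event = NatPoolEvent(self.pool_id, now, self.utilization(), kind)
        self.events.append(event)
        self.last_notified = now
        return event


def replay(monitor: PoolMonitor, samples: List[Tuple[int, int]]) -> List[NatPoolEvent]:
    """Feed (time, addresses-in-use) samples and return the events emitted."""
    return [e for e in (monitor.update(t, n) for t, n in samples) if e is not None]
```

   The suppressed counter is worth exporting alongside the events: a
   high count during a single interval means the pool stayed exhausted
   for the whole period, which one rate-limited notification alone does
   not show.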
   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   +-------------------------------------+-----------------------------+
   | notify-pool-usage/notify-interval   | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a given address pool.   |
   +-------------------------------------+-----------------------------+
   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                     Table 7: Notification Intervals

2.10.  Binding the NAT Function to an External Interface

   The model is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm, but the module is
   extensible so that other choices can be indicated in the future
   (e.g., a Virtual Routing and Forwarding (VRF) instance).

   Distinct external realms can be provided as a function of the NAT
   policy (see, for example, Section 4 of [RFC7289]).

   If no external realm is provided, this assumes that the system is
   able to determine the external interface (VRF instance, etc.) on
   which the NAT will be applied.  Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE.

2.11.  Relationship to NATV2-MIB

   Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that
   the following information is configured on the NAT by some means not
   specified in [RFC7659]:

   o  The set of address realms to which the device connects.
   o  For the CGN case, per-subscriber information including subscriber
      index, address realm, assigned prefix or address, and (possibly)
      policies regarding address pool selection in the various possible
      address realms to which the subscriber may connect.

   o  The set of NAT instances running on the device, identified by NAT
      instance index and name.

   o  The port mapping, filtering, pooling, and fragment behavior for
      each NAT instance.

   o  The set of protocols supported by each NAT instance.

   o  Address pools for each NAT instance, including for each pool the
      pool index, address realm, and minimum and maximum port number.

   o  Static address and port mapping entries.

   All the above parameters can be configured by means of the NAT YANG
   module.

   Unlike the NATV2-MIB, the NAT YANG module allows multiple policies to
   be configured per NAT instance.

2.12.  Tree Structure

   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id                                     uint32
              +--rw name?                                  string
              +--rw enable?                                boolean
              +--ro capabilities
              |  +--ro nat-flavor*                         identityref
              |  +--ro per-interface-binding*              enumeration
              |  +--ro transport-protocols* [protocol-id]
              |  |  +--ro protocol-id                      uint8
              |  |  +--ro protocol-name?                   string
              |  +--ro restricted-port-support?            boolean
              |  +--ro static-mapping-support?             boolean
              |  +--ro port-randomization-support?         boolean
              |  +--ro port-range-allocation-support?      boolean
              |  +--ro port-preservation-suport?           boolean
              |  +--ro port-parity-preservation-support?   boolean
              |  +--ro address-roundrobin-support?         boolean
              |  +--ro paired-address-pooling-support?     boolean
              |  +--ro endpoint-independent-mapping-support?
              |  |       boolean
              |  +--ro address-dependent-mapping-support?
               |  |       boolean
               |  +--ro address-and-port-dependent-mapping-support?
               |  |       boolean
               |  +--ro endpoint-independent-filtering-support?
               |  |       boolean
               |  +--ro address-dependent-filtering?
               |  |       boolean
               |  +--ro address-and-port-dependent-filtering?
               |  |       boolean
               |  +--ro fragment-behavior?
               |          enumeration
               +--rw type?                      identityref
               +--rw per-interface-binding?     enumeration
               +--rw nat-pass-through* [id]
               |       {basic-nat44 or napt44 or dst-nat}?
               |  +--rw id        uint32
               |  +--rw prefix    inet:ip-prefix
               |  +--rw port?     inet:port-number
               +--rw policy* [id]
               |  +--rw id                         uint32
               |  +--rw clat-parameters {clat}?
               |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
               |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
               |  |  +--rw ipv4-prefixes* [ipv4-prefix]
               |  |     +--rw ipv4-prefix    inet:ipv4-prefix
               |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
               |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
               |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
               |  +--rw eam* [ipv4-prefix] {eam}?
               |  |  +--rw ipv4-prefix    inet:ipv4-prefix
               |  |  +--rw ipv6-prefix    inet:ipv6-prefix
               |  +--rw nat64-prefixes* [nat64-prefix]
               |  |       {siit or nat64 or clat}?
               |  |  +--rw nat64-prefix               inet:ipv6-prefix
               |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
               |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
               |  |  +--rw stateless-enable?          boolean
               |  +--rw external-ip-address-pool* [pool-id]
               |  |       {basic-nat44 or napt44 or nat64}?
               |  |  +--rw pool-id             uint32
               |  |  +--rw external-ip-pool    inet:ipv4-prefix
               |  +--rw port-set-restrict {napt44 or nat64}?
               |  |  +--rw (port-type)?
               |  |     +--:(port-range)
               |  |     |  +--rw start-port-number?   inet:port-number
               |  |     |  +--rw end-port-number?     inet:port-number
               |  |     +--:(port-set-algo)
               |  |        +--rw psid-offset?   uint8
               |  |        +--rw psid-len       uint8
               |  |        +--rw psid           uint16
               |  +--rw dst-nat-enable?            boolean
               |  |       {basic-nat44 or napt44}?
               |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
               |  |  +--rw pool-id           uint32
               |  |  +--rw dst-in-ip-pool?   inet:ip-prefix
               |  |  +--rw dst-out-ip-pool   inet:ip-prefix
               |  +--rw transport-protocols* [protocol-id]
               |  |       {napt44 or nat64 or dst-nat}?
               |  |  +--rw protocol-id      uint8
               |  |  +--rw protocol-name?   string
               |  +--rw subscriber-mask-v6?        uint8
               |  +--rw subscriber-match* [match-id]
               |  |       {basic-nat44 or napt44 or dst-nat}?
               |  |  +--rw match-id    uint32
               |  |  +--rw subnet      inet:ip-prefix
               |  +--rw address-allocation-type?   enumeration
               |  +--rw port-allocation-type?      enumeration
               |  |       {napt44 or nat64}?
               |  +--rw mapping-type?              enumeration
               |  |       {napt44 or nat64}?
               |  +--rw filtering-type?            enumeration
               |  |       {napt44 or nat64}?
               |  +--rw fragment-behavior?         enumeration
               |  |       {napt44 or nat64}?
               |  +--rw port-quota* [quota-type] {napt44 or nat64}?
               |  |  +--rw port-limit?   uint16
               |  |  +--rw quota-type    uint8
               |  +--rw port-set {napt44 or nat64}?
               |  |  +--rw port-set-size       uint16
               |  |  +--rw port-set-timeout?   uint32
               |  +--rw timers {napt44 or nat64}?
               |  |  +--rw udp-timeout?               uint32
               |  |  +--rw tcp-idle-timeout?          uint32
               |  |  +--rw tcp-trans-open-timeout?    uint32
               |  |  +--rw tcp-trans-close-timeout?   uint32
               |  |  +--rw tcp-in-syn-timeout?        uint32
               |  |  +--rw fragment-min-timeout?      uint32
               |  |  +--rw icmp-timeout?              uint32
               |  |  +--rw per-port-timeout* [port-number]
               |  |  |  +--rw port-number    inet:port-number
               |  |  |  +--rw timeout        uint32
               |  |  +--rw hold-down-timeout?         uint32
               |  |  +--rw hold-down-max?             uint32
               |  +--rw fragments-limit?           uint32
               |  +--rw algs* [name]
               |  |  +--rw name                  string
               |  |  +--rw transport-protocol?   uint32
               |  |  +--rw dst-transport-port
               |  |  |  +--rw start-port-number?   inet:port-number
               |  |  |  +--rw end-port-number?     inet:port-number
               |  |  +--rw src-transport-port
               |  |  |  +--rw start-port-number?   inet:port-number
               |  |  |  +--rw end-port-number?     inet:port-number
               |  |  +--rw status?               boolean
               |  +--rw all-algs-enable?           boolean
               |  +--rw notify-pool-usage
               |  |       {basic-nat44 or napt44 or nat64}?
               |  |  +--rw pool-id?           uint32
               |  |  +--rw high-threshold?    percent
               |  |  +--rw low-threshold?     percent
               |  |  +--rw notify-interval?   uint32
               |  +--rw external-realm
               |     +--rw (realm-type)?
               |        +--:(interface)
               |           +--rw external-interface?   if:interface-ref
               +--rw mapping-limits {napt44 or nat64}?
               |  +--rw limit-subscribers?        uint32
               |  +--rw limit-address-mapings?    uint32
               |  +--rw limit-port-mappings?      uint32
               |  +--rw limit-per-protocol* [protocol-id]
               |          {napt44 or nat64 or dst-nat}?
               |     +--rw protocol-id    uint8
               |     +--rw limit?         uint32
               +--rw connection-limits
               |       {basic-nat44 or napt44 or nat64}?
               |  +--rw limit-per-subscriber?   uint32
               |  +--rw limit-per-instance      uint32
               |  +--rw limit-per-protocol* [protocol-id]
               |          {napt44 or nat64}?
               |     +--rw protocol-id    uint8
               |     +--rw limit?         uint32
               +--rw notification-limits
               |  +--rw notify-interval?            uint32
               |  |       {basic-nat44 or napt44 or nat64}?
               |  +--rw notify-addresses-usage?     percent
               |  |       {basic-nat44 or napt44 or nat64}?
               |  +--rw notify-ports-usage?         percent
               |  |       {napt44 or nat64}?
               |  +--rw notify-subscribers-limit?   uint32
               |          {basic-nat44 or napt44 or nat64}?
               +--rw logging-enable?            boolean
               |       {basic-nat44 or napt44 or nat64}?
               +--rw mapping-table
               |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
               |  +--rw mapping-entry* [index]
               |     +--rw index                   uint32
               |     +--rw type?                   enumeration
               |     +--rw transport-protocol?     uint8
               |     +--rw internal-src-address?   inet:ip-prefix
               |     +--rw internal-src-port
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--rw external-src-address?   inet:ip-prefix
               |     +--rw external-src-port
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--rw internal-dst-address?   inet:ip-prefix
               |     +--rw internal-dst-port
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--rw external-dst-address?   inet:ip-prefix
               |     +--rw external-dst-port
               |     |  +--rw start-port-number?   inet:port-number
               |     |  +--rw end-port-number?     inet:port-number
               |     +--rw lifetime?               uint32
               +--ro statistics
                  +--ro discontinuity-time    yang:date-and-time
                  +--ro traffic-statistics
                  |  +--ro sent-packets?
                  |  |       yang:zero-based-counter64
                  |  +--ro sent-bytes?
                  |  |       yang:zero-based-counter64
                  |  +--ro rcvd-packets?
                  |  |       yang:zero-based-counter64
                  |  +--ro rcvd-bytes?
                  |  |       yang:zero-based-counter64
                  |  +--ro dropped-packets?
                  |  |       yang:zero-based-counter64
                  |  +--ro dropped-bytes?
                  |  |       yang:zero-based-counter64
                  |  +--ro dropped-fragments?
                  |  |       yang:zero-based-counter64
                  |  |       {napt44 or nat64}?
                  |  +--ro dropped-address-limit-packets?
                  |  |       yang:zero-based-counter64
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro dropped-address-limit-bytes?
                  |  |       yang:zero-based-counter64
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro dropped-address-packets?
                  |  |       yang:zero-based-counter64
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro dropped-address-bytes?
                  |  |       yang:zero-based-counter64
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro dropped-port-limit-packets?
                  |  |       yang:zero-based-counter64
                  |  |       {napt44 or nat64}?
                  |  +--ro dropped-port-limit-bytes?
                  |  |       yang:zero-based-counter64
                  |  |       {napt44 or nat64}?
                  |  +--ro dropped-port-packets?
                  |  |       yang:zero-based-counter64
                  |  |       {napt44 or nat64}?
                  |  +--ro dropped-port-bytes?
                  |  |       yang:zero-based-counter64
                  |  |       {napt44 or nat64}?
                  |  +--ro dropped-subscriber-limit-packets?
                  |  |       yang:zero-based-counter64
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro dropped-subscriber-limit-bytes?
                  |          yang:zero-based-counter64
                  |          {basic-nat44 or napt44 or nat64}?
                  +--ro mappings-statistics
                  |  +--ro total-active-subscribers?   yang:gauge32
                  |  |       {basic-nat44 or napt44 or nat64}?
                  |  +--ro total-address-mappings?     yang:gauge32
                  |  |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                  |  +--ro total-port-mappings?        yang:gauge32
                  |  |       {napt44 or nat64}?
                  |  +--ro total-per-protocol* [protocol-id]
                  |          {napt44 or nat64}?
                  |     +--ro protocol-id    uint8
                  |     +--ro total?         yang:gauge32
                  +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                     +--ro addresses-allocated?   yang:gauge32
                     +--ro addresses-free?        yang:gauge32
                     +--ro ports-stats {napt44 or nat64}?
                     |  +--ro ports-allocated?   yang:gauge32
                     |  +--ro ports-free?        yang:gauge32
                     +--ro per-pool-stats* [pool-id]
                             {basic-nat44 or napt44 or nat64}?
                        +--ro pool-id               uint32
                        +--ro discontinuity-time    yang:date-and-time
                        +--ro pool-stats
                        |  +--ro addresses-allocated?   yang:gauge32
                        |  +--ro addresses-free?        yang:gauge32
                        +--ro port-stats {napt44 or nat64}?
                           +--ro ports-allocated?   yang:gauge32
                           +--ro ports-free?        yang:gauge32

     notifications:
       +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
       |  +--ro id                      -> /nat/instances/instance/id
       |  +--ro policy-id?
       |  |       -> /nat/instances/instance/policy/id
       |  +--ro pool-id                 leafref
       |  +--ro notify-pool-threshold   percent
       +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
          +--ro id
          |       -> /nat/instances/instance/id
          +--ro notify-subscribers-threshold?   uint32
          +--ro notify-addresses-threshold?     percent
          +--ro notify-ports-threshold?         percent

3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2017-11-16.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";

     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }
     import ietf-interfaces { prefix if; }

     organization
       "IETF OPSAWG (Operations and Management Area Working Group)";

     contact

       "WG Web:
        WG List:

        Editor: Mohamed Boucadair

        Editor: Senthil Sivakumar

        Editor: Christian Jacquenet

        Editor: Suresh Vinapamula

        Editor: Qin Wu
       ";

     description
       "This module is a YANG module for NAT implementations.

        NAT44, Network Address and Protocol Translation from IPv6
        Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
        Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
        for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network
        Prefix Translation (NPTv6) are covered.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-11-16 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Model for Network Address Translation
                    (NAT) and Network Prefix Translation (NPT)";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Features
      */

     feature basic-nat44 {
       description
         "Basic NAT44 translation is limited to IP addresses alone.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     feature napt44 {
       description
         "Network Address/Port Translator (NAPT): translation is
          extended to include IP addresses and transport identifiers
          (such as a TCP/UDP port or ICMP query ID).

          If the internal IP address is not sufficient to uniquely
          disambiguate NAPT44 mappings, an additional attribute is
          required.  For example, that additional attribute may
          be an IPv6 address (a.k.a., DS-Lite (RFC 6333)) or
          a Layer 2 identifier (a.k.a., Per-Interface NAT
          (RFC 6619))";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     feature dst-nat {
       description
         "Destination NAT is a translation that acts on the destination
          IP address and/or destination port number.  This flavor is
          usually deployed in load balancers or at devices
          in front of public servers.";
     }

     feature nat64 {
       description
         "NAT64 translation allows IPv6-only clients to contact IPv4
          servers using unicast UDP, TCP, or ICMP.  One or more
          public IPv4 addresses assigned to a NAT64 translator are
          shared among several IPv6-only clients.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
                    Translation from IPv6 Clients to IPv4 Servers";
     }

     feature siit {
       description
         "The Stateless IP/ICMP Translation Algorithm (SIIT), which
          translates between IPv4 and IPv6 packet headers (including
          ICMP headers).
          In the stateless mode, an IP/ICMP translator converts IPv4
          addresses to IPv6 and vice versa solely based on the
          configuration of the stateless IP/ICMP translator and
          information contained within the packet being translated.

          The translator must support the stateless address mapping
          algorithm defined in RFC6052, which is the default behavior.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     feature clat {
       description
         "CLAT is a customer-side translator that algorithmically
          translates 1:1 private IPv4 addresses to global IPv6 addresses,
          and vice versa.

          When a dedicated /64 prefix is not available for translation
          from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
          packets so that all the LAN-originated IPv4 packets appear
          from a single IPv4 address and are then statelessly translated
          to one interface IPv6 address that is claimed by the CLAT via
          the Neighbor Discovery Protocol (NDP) and defended with
          Duplicate Address Detection.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                    Translation";
     }

     feature eam {
       description
         "Explicit Address Mapping (EAM) is a bidirectional coupling
          between an IPv4 Prefix and an IPv6 Prefix.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                    Translation";
     }

     feature nptv6 {
       description
         "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
          prefix translation.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity basic-nat44 {
       base nat:nat-type;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     identity napt44 {
       base nat:nat-type;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
                    (Traditional NAT)";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
                    Translation from IPv6 Clients to IPv4 Servers";
     }

     identity siit {
       base nat:nat-type;
       description
         "Identity for SIIT support.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                    Translation";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
                    Translation";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Grouping
      */

     grouping port-number {
       description
         "Individual port or a range of ports.
          When only start-port-number is present,
          it represents a single port.";

       leaf start-port-number {
         type inet:port-number;
         description
           "Beginning of the port range.";
         reference
           "Section 3.2.9 of RFC 8045.";
       }

       leaf end-port-number {
         type inet:port-number;

         must ". >= ../start-port-number" {
           error-message
             "The end-port-number must be greater than or
              equal to start-port-number.";
         }
         description
           "End of the port range.";
         reference
           "Section 3.2.10 of RFC 8045.";
       }
     }

     grouping port-set {
       description
         "Indicates a set of ports.

          It may be a simple port range, or use the Port Set ID (PSID)
          algorithm to represent a range of transport layer
          ports which will be used by a NAPT.";

       choice port-type {
         default port-range;
         description
           "Port type: port-range or port-set-algo.";
         case port-range {
           uses port-number;
         }

         case port-set-algo {
           leaf psid-offset {
             type uint8 {
               range 0..15;
             }

             description
               "The number of offset bits (a.k.a., 'a' bits).

                Specifies the numeric value for the excluded port
                range/offset bits.

                Allowed values are between 0 and 15.";

             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;

             description
               "The length of PSID, representing the sharing
                ratio for an IPv4 address (also known as 'k').

                The address-sharing ratio would be 2^k.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
             reference
               "Section 5.1 of RFC 7597";
           }
         }
         reference
           "RFC 7597: Mapping of Address and Port with
                      Encapsulation (MAP-E)";
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.
          If an attribute is not stored in the mapping/session table,
          this means the corresponding fields of a packet that
          matches this entry are not rewritten by the NAT or this
          information is not required for NAT filtering purposes.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.  This identifier can be
            automatically assigned by the NAT instance or be explicitly
            configured.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is explicitly configured
                (e.g., via command-line interface).";
           }

           enum "dynamic-implicit" {
             description
               "This mapping is created implicitly as a side effect
                of processing a packet that requires a new mapping.";
           }

           enum "dynamic-explicit" {
             description
               "This mapping is created as a result of an explicit
                request, e.g., a PCP message.";
           }
         }
         description
           "Indicates the type of a mapping entry.  E.g.,
            a mapping can be: static, implicit dynamic
            or explicit dynamic.";
       }

       leaf transport-protocol {
         type uint8;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.
            For example, this field contains 6 (TCP) for a TCP
            mapping or 17 (UDP) for a UDP mapping.

            If this leaf is not instantiated, then the mapping
            applies to any protocol.";
       }

       leaf internal-src-address {
         type inet:ip-prefix;
         description
           "Corresponds to the source IPv4/IPv6 address/prefix
            of the packet received on an internal
            interface.";
       }

       container internal-src-port {
         description
           "Corresponds to the source port of the packet received
            on an internal interface.

            It is used also to indicate the internal source ICMP
            identifier.
            As a reminder, all the ICMP Query messages contain
            an 'Identifier' field, which is referred to in this
            document as the 'ICMP Identifier'.";

         uses port-number;
       }

       leaf external-src-address {
         type inet:ip-prefix;
         description
           "Source IP address/prefix of the packet sent on an
            external interface of the NAT.";
       }

       container external-src-port {
         description
           "Source port of the packet sent on an external
            interface of the NAT.

            It is used also to indicate the external source ICMP
            identifier.";

         uses port-number;
       }

       leaf internal-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet received on an internal interface
            of the NAT.

            For example, some NAT implementations support
            the translation of both source and destination
            addresses and ports, sometimes referred to
            as 'Twice NAT'.";
       }

       container internal-dst-port {
         description
           "Corresponds to the destination port of the
            IP packet received on the internal interface.

            It is used also to include the internal
            destination ICMP identifier.";

         uses port-number;
       }

       leaf external-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet sent on an external interface
            of the NAT.";
       }

       container external-dst-port {
         description
           "Corresponds to the destination port number of
            the packet sent on the external interface
            of the NAT.
            It is used also to include the external
            destination ICMP identifier.";

         uses port-number;
       }

       leaf lifetime {
         type uint32;
         units "seconds";
         description
           "When specified, it is used to track the connection that is
            fully-formed (e.g., once the TCP three-way handshake
            is completed) or the duration for maintaining
            an explicit mapping alive.  The mapping entry will be
            removed by the NAT instance once this lifetime expires.

            When reported in a get operation, the lifetime indicates
            the remaining validity lifetime.

            Static mappings may not be associated with a
            lifetime.  If no lifetime is associated with a
            static mapping, an explicit action is required to
            remove that mapping.";
       }
     }

     /*
      * NAT Module
      */

     container nat {
       description
         "NAT module";

       container instances {
         description
           "NAT instances";

         list instance {
           key "id";

           description
             "A NAT instance.  This identifier can be automatically assigned
              or explicitly configured.";

           leaf id {
             type uint32;
             must ". >= 1";
             description
               "NAT instance identifier.
                The identifier must be greater than zero as per RFC 7659.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                          Address Translators (NATs)";
           }

           leaf name {
             type string;
             description
               "A name associated with the NAT instance.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                          Address Translators (NATs)";
           }

           leaf enable {
             type boolean;
             description
               "Status of the NAT instance.";
           }

           container capabilities {
             config false;

             description
               "NAT capabilities";

             leaf-list nat-flavor {
               type identityref {
                 base nat-type;
               }
               description
                 "Supported translation type(s).";
             }

             leaf-list per-interface-binding {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to associate a NAT binding with
                      an extra identifier.";
                 }

                 enum "layer-2" {
                   description
                     "The NAT instance is able to associate a mapping with
                      a layer-2 identifier.";
                 }

                 enum "dslite" {
                   description
                     "The NAT instance is able to associate a mapping with
                      an IPv6 address (a.k.a., DS-Lite).";
                 }
               }
               description
                 "Indicates the capability of a NAT to associate a particular
                  NAT session not only with the five tuples used for the
                  transport connection on both sides of the NAT but also with
                  the internal interface on which the user device is
                  connected to the NAT.";
               reference
                 "Section 4 of RFC 6619";
             }

             list transport-protocols {
               key protocol-id;

               description
                 "List of supported protocols.";

               leaf protocol-id {
                 type uint8;
                 mandatory true;
                 description
                   "Upper-layer protocol associated with this mapping.
                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, this field contains 6 (TCP) for a TCP
                    mapping or 17 (UDP) for a UDP mapping.";
               }

               leaf protocol-name {
                 type string;
                 description
                   "The name of the Upper-layer protocol associated
                    with this mapping.

                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, TCP, UDP, DCCP, and SCTP.";
               }
             }

             leaf restricted-port-support {
               type boolean;
               description
                 "Indicates source port NAT restriction support.";
               reference
                 "RFC 7596: Lightweight 4over6: An Extension to
                            the Dual-Stack Lite Architecture.";
             }

             leaf static-mapping-support {
               type boolean;
               description
                 "Indicates whether static mappings are supported.";
             }

             leaf port-randomization-support {
               type boolean;
               description
                 "Indicates whether port randomization is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-range-allocation-support {
               type boolean;
               description
                 "Indicates whether port range allocation is supported.";
               reference
                 "Section 1.1 of RFC 7753.";
             }

             leaf port-preservation-suport {
               type boolean;
               description
                 "Indicates whether port preservation is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-parity-preservation-support {
               type boolean;
               description
                 "Indicates whether port parity preservation is
                  supported.";
               reference
                 "Section 8 of RFC 7857.";
             }

             leaf address-roundrobin-support {
               type boolean;
               description
                 "Indicates whether address allocation round robin is
                  supported.";
             }

             leaf paired-address-pooling-support {
               type boolean;
               description
                 "Indicates whether paired-address-pooling is
                  supported.";
               reference
                 "REQ-2 of RFC 4787.";
             }

             leaf endpoint-independent-mapping-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-mapping
                  in Section 4 of RFC 4787 is supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-and-port-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf endpoint-independent-filtering-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-dependent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-and-port-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-filtering
                  is supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf fragment-behavior {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to translate incoming fragments.
                      All received fragments are dropped.";
                 }

                 enum "in-order" {
                   description
                     "The NAT instance is able to translate fragments only if
                      they are received in order.  That is, in particular the
                      header is in the first packet.  Fragments received
                      out of order are dropped.";
                 }

                 enum "out-of-order" {
                   description
                     "The NAT instance is able to translate a fragment even
                      if it is received out of order.
                      This behavior is the one recommended in RFC4787.";
                   reference
                     "REQ-14 of RFC 4787";
                 }
               }
               description
                 "The fragment behavior is the NAT instance's capability to
                  translate fragments received on the external interface of
                  the NAT.";
             }
           }

           leaf type {
             type identityref {
               base nat-type;
             }
             description
               "Specify the translation type.  Particularly useful when
                multiple translation flavors are supported.

                If one type is supported by a NAT, this parameter is by
                default set to that type.";
           }

           leaf per-interface-binding {
             type enumeration {
               enum "disabled" {
                 description
                   "Disable the capability to associate an extra identifier
                    with NAT mappings.";
               }

               enum "layer-2" {
                 description
                   "The NAT instance is able to associate a mapping with
                    a layer-2 identifier.";
               }

               enum "dslite" {
                 description
                   "The NAT instance is able to associate a mapping with
                    an IPv6 address (a.k.a., DS-Lite).";
               }
             }
             description
               "A NAT that associates a particular NAT session not only with
                the five tuples used for the transport connection on both
                sides of the NAT but also with the internal interface on
                which the user device is connected to the NAT.

                If supported, this mode of operation should be configurable,
                and it should be disabled by default in general-purpose NAT
                devices.
                If one single per-interface binding behavior is supported by
                a NAT, this parameter is by default set to that behavior.";
             reference
               "Section 4 of RFC 6619";
           }

           list nat-pass-through {
             if-feature "basic-nat44 or napt44 or dst-nat";
             key id;

             description
               "IP prefix NAT pass through.";

             leaf id {
               type uint32;
               description
                 "An identifier of the IP prefix pass through.";
             }

             leaf prefix {
               type inet:ip-prefix;
               mandatory true;
               description
                 "The IP addresses that match should not be translated.

                  According to REQ#6 of RFC6888, it must be possible to
                  administratively turn off translation for specific
                  destination addresses and/or ports.";
               reference
                 "REQ#6 of RFC6888.";
             }

             leaf port {
               type inet:port-number;
               description
                 "According to REQ#6 of RFC6888, it must be possible to
                  administratively turn off translation for specific
                  destination addresses and/or ports.

                  If no prefix is defined, the NAT pass through bound
                  to a given port applies for any destination address.";

               reference
                 "REQ#6 of RFC6888.";
             }
           }

           list policy {
             key id;
             description
               "NAT parameters for a given instance";

             leaf id {
               type uint32;
               description
                 "An identifier of the NAT policy.  It must be unique
                  within the NAT instance.";
             }

             container clat-parameters {
               if-feature clat;
               description
                 "CLAT parameters.";

               list clat-ipv6-prefixes {
                 key ipv6-prefix;
                 description
                   "464XLAT double translation treatment is stateless when a
                    dedicated /64 is available for translation on the CLAT.
                 Otherwise, the CLAT will have both stateful and stateless
                 since it requires NAT44 from the LAN to a single IPv4
                 address and then stateless translation to a single
                 IPv6 address.";
              reference
                "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                 Translation";

              leaf ipv6-prefix {
                type inet:ipv6-prefix;
                description
                  "An IPv6 prefix used for CLAT.";
              }
            }

            list ipv4-prefixes {
              key ipv4-prefix;
              description
                "Pool of IPv4 addresses used for CLAT.
                 192.0.0.0/29 is the IPv4 service continuity prefix.";
              reference
                "RFC 7335: IPv4 Service Continuity Prefix";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "464XLAT double translation treatment is
                   stateless when a dedicated /64 is available
                   for translation on the CLAT. Otherwise, the
                   CLAT will have both stateful and stateless
                   since it requires NAT44 from the LAN to
                   a single IPv4 address and then stateless
                   translation to a single IPv6 address.
                   The CLAT performs NAT44 for all IPv4 LAN
                   packets so that all the LAN-originated IPv4
                   packets appear from a single IPv4 address
                   and are then statelessly translated to one
                   interface IPv6 address that is claimed by
                   the CLAT.

                   An IPv4 address from this pool is also
                   provided to an application that makes
                   use of literals.";
                reference
                  "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                   Translation";
              }
            }
          }

          list nptv6-prefixes {
            if-feature nptv6;
            key internal-ipv6-prefix;
            description
              "Provides one or a list of (internal IPv6 prefix,
               external IPv6 prefix) required for NPTv6.
               In its simplest form, NPTv6 interconnects two network
               links, one of which is an 'internal' network link
               attached to a leaf network within a single
               administrative domain and the other of which is an
               'external' network with connectivity to the global
               Internet.";
            reference
              "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";

            leaf internal-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by an internal interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }

            leaf external-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by the external interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }
          }

          list eam {
            if-feature eam;
            key ipv4-prefix;
            description
              "The Explicit Address Mapping Table, a conceptual
               table in which each row represents an EAM.

               Each EAM describes a mapping between IPv4 and IPv6
               prefixes/addresses.";
            reference
              "Section 3.1 of RFC 7757.";

            leaf ipv4-prefix {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "The IPv4 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }

            leaf ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "The IPv6 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }
          }

          list nat64-prefixes {
            if-feature "siit or nat64 or clat";
            key nat64-prefix;
            description
              "Provides one or a list of NAT64 prefixes
               with or without a list of destination IPv4 prefixes.

               Destination-based Pref64::/n is discussed in
               Section 5.1 of [RFC7050]. For example:
               192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
               198.51.100.0/24 is mapped to 2001:db8:122::/48.";
            reference
              "Section 5.1 of RFC7050.";

            leaf nat64-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
                 Well-Known Prefix (WKP).

                 Organizations deploying stateless IPv4/IPv6 translation
                 should assign a Network-Specific Prefix to their
                 IPv4/IPv6 translation service.

                 For stateless NAT64, IPv4-translatable IPv6 addresses
                 must use the selected Network-Specific Prefix.

                 Both IPv4-translatable IPv6 addresses and IPv4-converted
                 IPv6 addresses should use the same prefix.";
              reference
                "Sections 3.3 and 3.4 of RFC 6052.";
            }

            list destination-ipv4-prefix {
              key ipv4-prefix;
              description
                "An IPv4 prefix/address.";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 address/prefix.";
              }
            }

            leaf stateless-enable {
              type boolean;
              default false;
              description
                "Enable explicitly stateless NAT64.";
            }
          }

          list external-ip-address-pool {
            if-feature "basic-nat44 or napt44 or nat64";
            key pool-id;

            description
              "Pool of external IP addresses used to service internal
               hosts.

               A pool is a set of IP prefixes.";

            leaf pool-id {
              type uint32;
              must ". >= 1";
              description
                "An identifier that uniquely identifies the address pool
                 within a NAT instance.

                 The identifier must be greater than zero as per
                 RFC 7659.";
              reference
                "RFC 7659: Definitions of Managed Objects for
                 Network Address Translators (NATs)";
            }

            leaf external-ip-pool {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "An IPv4 prefix used for NAT purposes.";
            }
          }

          container port-set-restrict {
            if-feature "napt44 or nat64";
            description
              "Configures contiguous and non-contiguous port ranges.
               The port set is used to restrict the external source
               port numbers used by the translator.";

            uses port-set;
          }

          leaf dst-nat-enable {
            if-feature "basic-nat44 or napt44";
            type boolean;
            default false;
            description
              "Enable/Disable destination NAT.

               A NAT44 may be configured to enable Destination
               NAT, too.";
          }

          list dst-ip-address-pool {
            if-feature dst-nat;
            key pool-id;
            description
              "Pool of IP addresses used for destination NAT.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf dst-in-ip-pool {
              type inet:ip-prefix;
              description
                "Is used to identify an internal IP prefix/address
                 to be translated.";
            }

            leaf dst-out-ip-pool {
              type inet:ip-prefix;
              mandatory true;
              description
                "IP address/prefix used for destination NAT.";
            }
          }

          list transport-protocols {
            if-feature "napt44 or nat64 or dst-nat";
            key protocol-id;

            description
              "Configure the transport protocols to be handled by
               the translator.

               TCP and UDP are supported by default.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.

                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }
            leaf protocol-name {
              type string;
              description
                "The name of the Upper-layer protocol associated
                 with this mapping.

                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, TCP, UDP, DCCP, and SCTP.";
            }
          }

          leaf subscriber-mask-v6 {
            type uint8 {
              range "0 .. 128";
            }

            description
              "The subscriber mask is an integer that indicates
               the length of significant bits to be applied on
               the source IPv6 address (internal side) to
               unambiguously identify a user device (e.g., CPE).

               Subscriber mask is a system-wide configuration
               parameter that is used to enforce generic
               per-subscriber policies (e.g., port-quota).

               The enforcement of these generic policies does not
               require the configuration of every subscriber's
               prefix.

               Example: suppose the 2001:db8:100:100::/56 prefix
               is assigned to a NAT64 serviced CPE. Suppose also
               that 2001:db8:100:100::1 is the IPv6 address used
               by the client that resides in that CPE. When the
               NAT64 receives a packet from this client,
               it applies the subscriber-mask-v6 (e.g., 56) on
               the source IPv6 address to compute the associated
               prefix for this client (2001:db8:100:100::/56).
               Then, the NAT64 enforces policies based on that
               prefix (2001:db8:100:100::/56), not on the exact
               source IPv6 address.";
          }

          list subscriber-match {
            if-feature "basic-nat44 or napt44 or dst-nat";
            key match-id;

            description
              "IP prefix match.
               A subscriber is identified by a subnet.";

            leaf match-id {
              type uint32;
              description
                "An identifier of the subscriber match.";
            }

            leaf subnet {
              type inet:ip-prefix;
              mandatory true;
              description
                "The IP address subnets that match
                 should be translated.
                 E.g., all addresses
                 that belong to the 192.0.2.0/24 prefix must
                 be processed by the NAT.";
            }
          }

          leaf address-allocation-type {
            type enumeration {
              enum "arbitrary" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Arbitrary pooling behavior means that the NAT
                   instance may create the new port mapping using any
                   address in the pool that has a free port for the
                   protocol concerned.";
              }

              enum "roundrobin" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Round robin allocation.";
              }

              enum "paired" {
                if-feature "napt44 or nat64";
                description
                  "Paired address pooling informs the NAT
                   that all the flows from an internal IP
                   address must be assigned the same external
                   address. This is the recommended behavior for
                   NAPT/NAT64.";
                reference
                  "RFC 4787: Network Address Translation (NAT)
                   Behavioral Requirements for Unicast UDP";
              }
            }
            description
              "Specifies how external IP addresses are allocated.";
          }

          leaf port-allocation-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "random" {
                description
                  "Port randomization is enabled. A NAT port allocation
                   scheme should make it hard for attackers to guess
                   port numbers.";
                reference
                  "REQ-15 of RFC 6888";
              }

              enum "port-preservation" {
                description
                  "Indicates whether the NAT should preserve the internal
                   port number.";
              }

              enum "port-parity-preservation" {
                description
                  "Indicates whether the NAT should preserve the port
                   parity of the internal port number.";
              }

              enum "port-range-allocation" {
                description
                  "Indicates whether the NAT assigns a range of ports
                   for an internal host.
                   This scheme allows minimizing
                   log volume.";
                reference
                  "REQ-14 of RFC 6888";
              }
            }
            description
              "Indicates the type of port allocation.";
          }

          leaf mapping-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eim" {
                description
                  "endpoint-independent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "adm" {
                description
                  "address-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "edm" {
                description
                  "address-and-port-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT mapping.";
          }

          leaf filtering-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eif" {
                description
                  "endpoint-independent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "adf" {
                description
                  "address-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "edf" {
                description
                  "address-and-port-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT filtering.";
          }

          leaf fragment-behavior {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "drop-all" {
                description
                  "All received fragments are dropped.";
              }

              enum "in-order" {
                description
                  "Translate fragments only if they are received
                   in order.";
              }

              enum "out-of-order" {
                description
                  "Translate a fragment even if it is received out
                   of order.
                   This behavior is the recommended behavior.";
                reference
                  "REQ-14 of RFC 4787";
              }
            }
            description
              "The fragment behavior instructs the NAT about the
               behavior to follow to translate fragments received
               on the external interface of the NAT.";
          }

          list port-quota {
            if-feature "napt44 or nat64";
            key quota-type;
            description
              "Configures a port quota to be assigned per subscriber.
               It corresponds to the maximum number of ports to be
               used by a subscriber.";

            leaf port-limit {
              type uint16;
              description
                "Configures a port quota to be assigned per subscriber.

                 It corresponds to the maximum number of ports to be
                 used by a subscriber.";
              reference
                "REQ-4 of RFC 6888.";
            }

            leaf quota-type {
              type uint8;
              description
                "Indicates whether the port quota applies to
                 all protocols (0) or to a specific protocol.";
            }
          }

          container port-set {
            when "../port-allocation-type = 'port-range-allocation'";
            if-feature "napt44 or nat64";
            description
              "Manages port-set assignments.";

            leaf port-set-size {
              type uint16;
              mandatory true;
              description
                "Indicates the size of assigned port sets.";
            }

            leaf port-set-timeout {
              type uint32;
              units "seconds";
              description
                "Inactivity timeout for port sets.";
            }
          }

          container timers {
            if-feature "napt44 or nat64";
            description
              "Configure values of various timeouts.";

            leaf udp-timeout {
              type uint32;
              units "seconds";
              default 300;
              description
                "UDP inactivity timeout.
                 That is the time a mapping
                 will stay active without packets traversing the NAT.";
              reference
                "RFC 4787: Network Address Translation (NAT)
                 Behavioral Requirements for Unicast UDP";
            }

            leaf tcp-idle-timeout {
              type uint32;
              units "seconds";
              default 7440;
              description
                "TCP Idle timeout should be 2 hours and 4 minutes.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf tcp-trans-open-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory open connection
                 idle-timeout.

                 Section 2.1 of [RFC7857] clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.

                 To accommodate deployments that consider
                 a partially open timeout of 4 minutes as being
                 excessive from a security standpoint, a NAT may
                 allow the configured timeout to be less than
                 4 minutes.

                 However, a minimum default transitory connection
                 idle-timeout of 4 minutes is recommended.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-trans-close-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory close connection
                 idle-timeout.

                 Section 2.1 of [RFC7857] clarifies that a NAT
                 should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-in-syn-timeout {
              type uint32;
              units "seconds";
              default 6;
              description
                "A NAT must not respond to an unsolicited
                 inbound SYN packet for at least 6 seconds
                 after the packet is received.
                 If during
                 this interval the NAT receives and translates
                 an outbound SYN for the connection the NAT
                 must silently drop the original unsolicited
                 inbound SYN packet.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf fragment-min-timeout {
              when "../../fragment-behavior='out-of-order'";
              type uint32;
              units "seconds";
              default 2;
              description
                "As long as the NAT has available resources,
                 the NAT allows the fragments to arrive
                 over fragment-min-timeout interval.
                 The default value is inspired by RFC6146.";
            }

            leaf icmp-timeout {
              type uint32;
              units "seconds";
              default 60;
              description
                "An ICMP Query session timer must not expire
                 in less than 60 seconds. It is recommended
                 that the ICMP Query session timer be made
                 configurable.";
              reference
                "RFC 5508: NAT Behavioral Requirements for ICMP";
            }

            list per-port-timeout {
              key port-number;
              description
                "Some NATs are configurable with short timeouts
                 for some ports, e.g., as 10 seconds on
                 port 53 (DNS) and 123 (NTP) and longer timeouts
                 on other ports.";

              leaf port-number {
                type inet:port-number;
                description
                  "A port number.";
              }

              leaf timeout {
                type uint32;
                units "seconds";
                mandatory true;
                description
                  "Timeout for this port number.";
              }
            }

            leaf hold-down-timeout {
              type uint32;
              units "seconds";
              default 120;
              description
                "Hold down timer.

                 Ports in the hold down pool are not reassigned until
                 hold-down-timeout expires.

                 The length of time and the maximum number of ports in
                 this state must be configurable by the administrator.

                 This is necessary in order to prevent collisions
                 between old and new mappings and sessions.
                 It ensures
                 that all established sessions are broken instead of
                 redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }

            leaf hold-down-max {
              type uint32;
              description
                "Maximum ports in the Hold down timer pool.

                 Ports in the hold down pool are not reassigned
                 until hold-down-timeout expires.

                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator.
                 This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions. It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }
          }

          leaf fragments-limit {
            when "../fragment-behavior='out-of-order'";
            type uint32;
            description
              "Limits the number of out of order fragments that can
               be handled.";
            reference
              "Section 11 of RFC 4787.";
          }

          list algs {
            key name;
            description
              "ALG-related features.";

            leaf name {
              type string;
              description
                "The name of the ALG.";
            }

            leaf transport-protocol {
              type uint32;
              description
                "The transport protocol used by the ALG
                 (e.g., TCP, UDP).";
            }

            container dst-transport-port {
              uses port-number;
              description
                "The destination port number(s) used by the ALG.

                 For example,
                 - 21 for the FTP ALG
                 - 53 for the DNS ALG.";
            }

            container src-transport-port {
              uses port-number;
              description
                "The source port number(s) used by the ALG.";
            }

            leaf status {
              type boolean;
              description
                "Enable/disable the ALG.";
            }
          }

          leaf all-algs-enable {
            type boolean;
            description
              "Enable/disable all ALGs.
               When specified, this parameter overrides the one
               that may be indicated, eventually, by the 'status'
               of an individual ALG.";
          }

          container notify-pool-usage {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Notification of pool usage when certain criteria
               are met.";

            leaf pool-id {
              type uint32;
              description
                "Pool-ID for which the notification criteria
                 is defined";
            }

            leaf high-threshold {
              type percent;
              description
                "Notification must be generated when the defined high
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization reaches 90%, this configuration
                 parameter must be set to 90.

                 0% indicates that no high threshold is enabled.";
            }

            leaf low-threshold {
              type percent;
              must ". <= ../high-threshold" {
                error-message
                  "The low threshold must be less than or equal to
                   the high threshold.";
              }
              description
                "Notification must be generated when the defined low
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization reaches below 10%, this
                 configuration parameter must be set to 10";
            }

            leaf notify-interval {
              type uint32 {
                range "1 .. 3600";
              }
              units "seconds";
              default '20';
              description
                "Minimum number of seconds between successive
                 notifications for this pool.";
              reference
                "RFC 7659: Definitions of Managed Objects for
                 Network Address Translators (NATs)";
            }
          }

          container external-realm {
            description
              "Identifies the external realm of the NAT instance.";

            choice realm-type {
              description
                "Can be an interface, VRF instance, etc.";

              case interface {
                description
                  "External interface.";

                leaf external-interface {
                  type if:interface-ref;
                  description
                    "Name of the external interface.";
                }
              }
            }
          }
        }

        container mapping-limits {
          if-feature "napt44 or nat64";
          description
            "Information about the configuration parameters that
             limit the mappings based upon various criteria.";

          leaf limit-subscribers {
            type uint32;
            description
              "Maximum number of subscribers that can be serviced
               by a NAT instance.

               A subscriber is identified by a given prefix.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }

          leaf limit-address-mappings {
            type uint32;
            description
              "Maximum number of address mappings that can be
               handled by a NAT instance.

               When this limit is reached, packets that would
               normally trigger translation, will be dropped.";
            reference
              "RFC 7659: Definitions of Managed Objects
               for Network Address Translators
               (NATs)";
          }

          leaf limit-port-mappings {
            type uint32;
            description
              "Maximum number of port mappings that can be handled
               by a NAT instance.
               When this limit is reached, packets that would
               normally trigger translation, will be dropped.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }

          list limit-per-protocol {
            if-feature "napt44 or nat64 or dst-nat";
            key protocol-id;

            description
              "Configure limits per transport protocol";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.

                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }

            leaf limit {
              type uint32;
              description
                "Maximum number of protocol-specific NAT mappings
                 per instance.";
            }
          }
        }

        container connection-limits {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Information about the configuration parameters that
             rate limit the translation based upon various criteria.";

          leaf limit-per-subscriber {
            type uint32;
            units "bits/second";
            description
              "Rate-limit the number of new mappings and sessions
               per subscriber.";
          }

          leaf limit-per-instance {
            type uint32;
            units "bits/second";
            mandatory true;
            description
              "Rate-limit the number of new mappings and sessions
               per instance.";
          }

          list limit-per-protocol {
            if-feature "napt44 or nat64";
            key protocol-id;
            description
              "Configure limits per transport protocol";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.
                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }

            leaf limit {
              type uint32;
              description
                "Rate-limit the number of protocol-specific mappings
                 and sessions per instance.";
            }
          }
        }

        container notification-limits {
          description "Sets notification limits.";

          leaf notify-interval {
            if-feature "basic-nat44 or napt44 or nat64";
            type uint32 {
              range "1 .. 3600";
            }
            units "seconds";
            default '10';
            description
              "Minimum number of seconds between successive
               notifications for this NAT instance.";
            reference
              "RFC 7659: Definitions of Managed Objects
               for Network Address Translators (NATs)";
          }

          leaf notify-addresses-usage {
            if-feature "basic-nat44 or napt44 or nat64";
            type percent;
            description
              "Notification of address mappings usage over
               the whole NAT instance.

               Notification must be generated when the defined
               threshold is reached.

               For example, if a notification is required when
               the address mappings utilization reaches 90%,
               this configuration parameter must be set
               to 90.";
          }

          leaf notify-ports-usage {
            if-feature "napt44 or nat64";
            type percent;
            description
              "Notification of port mappings usage over the
               whole NAT instance.

               Notification must be generated when the defined
               threshold is reached.

               For example, if a notification is required when
               the port mappings utilization reaches 90%, this
               configuration parameter must be set to 90.";
          }

          leaf notify-subscribers-limit {
            if-feature "basic-nat44 or napt44 or nat64";
            type uint32;
            description
              "Notification of active subscribers per NAT
               instance.
               Notification must be generated when the defined
               threshold is reached.";
          }
        }

        leaf logging-enable {
          if-feature "basic-nat44 or napt44 or nat64";
          type boolean;
          description
            "Enable logging features.";
          reference
            "Section 2.3 of RFC 6908 and REQ-12 of RFC6888.";
        }

        container mapping-table {
          if-feature "basic-nat44 or napt44 " +
                     "or nat64 or clat or dst-nat";
          description
            "NAT mapping table. Applicable for functions which maintain
             static and/or dynamic mappings, such as NAT44, Destination
             NAT, NAT64, or CLAT.";

          list mapping-entry {
            key "index";
            description "NAT mapping entry.";
            uses mapping-entry;
          }
        }

        container statistics {
          config false;

          description
            "Statistics related to the NAT instance.";

          leaf discontinuity-time {
            type yang:date-and-time;
            mandatory true;
            description
              "The time on the most recent occasion at which the NAT
               instance suffered a discontinuity.
               This must be
               initialized when the NAT instance is configured
               or rebooted.";
          }

          container traffic-statistics {
            description
              "Generic traffic statistics.";

            leaf sent-packets {
              type yang:zero-based-counter64;
              description
                "Number of packets sent.";
            }

            leaf sent-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for sent traffic in bytes.";
            }

            leaf rcvd-packets {
              type yang:zero-based-counter64;
              description
                "Number of received packets.";
            }

            leaf rcvd-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for received traffic in bytes.";
            }

            leaf dropped-packets {
              type yang:zero-based-counter64;
              description
                "Number of dropped packets.";
            }

            leaf dropped-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for dropped traffic in bytes.";
            }

            leaf dropped-fragments {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped fragments on the external realm.";
            }

            leaf dropped-address-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because an address limit
                 is reached.";
            }

            leaf dropped-address-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because an address limit
                 is reached, in bytes.";
            }

            leaf dropped-address-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no address is
                 available for allocation.";
            }

            leaf dropped-address-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no address is
                 available for allocation, in bytes.";
            }

            leaf dropped-port-limit-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because a port limit
                 is reached.";
            }

            leaf dropped-port-limit-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because a port limit
                 is reached, in bytes.";
            }

            leaf dropped-port-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no port is
                 available for allocation.";
            }

            leaf dropped-port-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no port is
                 available for allocation, in bytes.";
            }

            leaf dropped-subscriber-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because the subscriber
                 limit per instance is reached.";
            }

            leaf dropped-subscriber-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because the subscriber
                 limit per instance is reached, in bytes.";
            }
          }

          container mappings-statistics {
            description
              "Mappings statistics.";

            leaf total-active-subscribers {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of active subscribers (that is,
                 subscribers for which the NAT maintains active
                 mappings).
                 A subscriber is identified by a subnet,
                 subscriber-mask, etc.";
            }

            leaf total-address-mappings {
              if-feature "basic-nat44 or napt44 " +
                         "or nat64 or clat or dst-nat";
              type yang:gauge32;
              description
                "Total number of address mappings present at a given
                 time. It includes both static and dynamic mappings.";
              reference
                "Section 3.3.8 of RFC 7659";
            }

            leaf total-port-mappings {
              if-feature "napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of NAT port mappings present at
                 a given time. It includes both static and dynamic
                 mappings.";
              reference
                "Section 3.3.9 of RFC 7659";
            }

            list total-per-protocol {
              if-feature "napt44 or nat64";
              key protocol-id;
              description
                "Total mappings for each enabled/supported protocol.";

              leaf protocol-id {
                type uint8;
                mandatory true;
                description
                  "Upper-layer protocol associated with this mapping.
                   For example, this field contains 6 (TCP) for a TCP
                   mapping or 17 (UDP) for a UDP mapping.";
              }

              leaf total {
                type yang:gauge32;
                description
                  "Total number of a protocol-specific mappings present
                   at a given time. The protocol is identified by
                   protocol-id.";
              }
            }
          }

          container pools-stats {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Statistics related to address/prefix pools
               usage";

            leaf addresses-allocated {
              type yang:gauge32;
              description
                "Number of all allocated addresses.";
            }

            leaf addresses-free {
              type yang:gauge32;
              description
                "Number of unallocated addresses of all pools at
                 a given time.
The sum of unallocated and allocated 3201 addresses is the total number of addresses of 3202 the pools."; 3203 } 3205 container ports-stats { 3206 if-feature "napt44 or nat64"; 3208 description 3209 "Statistics related to port numbers usage."; 3211 leaf ports-allocated { 3212 type yang:gauge32; 3213 description 3214 "Number of allocated ports from all pools."; 3215 } 3217 leaf ports-free { 3218 type yang:gauge32; 3219 description 3220 "Number of unallocated addresses from all pools."; 3221 } 3222 } 3224 list per-pool-stats { 3225 if-feature "basic-nat44 or napt44 or nat64"; 3226 key "pool-id"; 3227 description 3228 "Statistics related to address/prefix pool usage"; 3230 leaf pool-id { 3231 type uint32; 3232 description 3233 "Unique Identifier that represents a pool of 3234 addresses/prefixes."; 3235 } 3237 leaf discontinuity-time { 3238 type yang:date-and-time; 3239 mandatory true; 3240 description 3241 "The time on the most recent occasion at which this 3242 pool counters suffered a discontinuity. 
This must 3243 be initialized when the address pool is 3244 configured."; 3245 } 3247 container pool-stats { 3248 description 3249 "Statistics related to address/prefix pool usage"; 3251 leaf addresses-allocated { 3252 type yang:gauge32; 3253 description 3254 "Number of allocated addresses from this pool."; 3255 } 3257 leaf addresses-free { 3258 type yang:gauge32; 3259 description 3260 "Number of unallocated addresses in this pool."; 3261 } 3262 } 3264 container port-stats { 3265 if-feature "napt44 or nat64"; 3266 description 3267 "Statistics related to port numbers usage."; 3269 leaf ports-allocated { 3270 type yang:gauge32; 3271 description 3272 "Number of allocated ports from this pool."; 3274 } 3276 leaf ports-free { 3277 type yang:gauge32; 3278 description 3279 "Number of unallocated addresses from this pool."; 3280 } 3281 } 3282 } 3283 } 3284 } 3285 } 3286 } 3287 } 3289 /* 3290 * Notifications 3291 */ 3293 notification nat-pool-event { 3294 if-feature "basic-nat44 or napt44 or nat64"; 3295 description 3296 "Notifications must be generated when the defined high/low 3297 threshold is reached. 
Related configuration parameters 3298 must be provided to trigger the notifications."; 3300 leaf id { 3301 type leafref { 3302 path "/nat/instances/instance/id"; 3303 } 3304 mandatory true; 3305 description 3306 "NAT instance Identifier."; 3307 } 3309 leaf policy-id { 3310 type leafref { 3311 path "/nat/instances/instance/policy/id"; 3312 } 3314 description 3315 "Policy Identifier."; 3316 } 3318 leaf pool-id { 3319 type leafref { 3320 path 3321 "/nat/instances/instance/policy/" 3322 + "external-ip-address-pool/pool-id"; 3323 } 3324 mandatory true; 3325 description 3326 "Pool Identifier."; 3327 } 3329 leaf notify-pool-threshold { 3330 type percent; 3331 mandatory true; 3332 description 3333 "A threshold (high-threshold or low-threshold) has 3334 been fired."; 3335 } 3336 } 3338 notification nat-instance-event { 3339 if-feature "basic-nat44 or napt44 or nat64"; 3340 description 3341 "Notifications must be generated when notify-addresses-usage 3342 and/or notify-ports-usage threshold are reached."; 3344 leaf id { 3345 type leafref { 3346 path "/nat/instances/instance/id"; 3347 } 3348 mandatory true; 3349 description 3350 "NAT instance Identifier."; 3351 } 3353 leaf notify-subscribers-threshold { 3354 type uint32; 3355 description 3356 "The notify-subscribers-limit threshold has been fired."; 3357 } 3359 leaf notify-addresses-threshold { 3360 type percent; 3361 description 3362 "The notify-addresses-usage threshold has been fired."; 3363 } 3365 leaf notify-ports-threshold { 3366 type percent; 3367 description 3368 "The notify-ports-usage threshold has been fired."; 3369 } 3371 } 3372 } 3373 3375 4. Security Considerations 3377 Security considerations related to address and prefix translation are 3378 discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and 3379 [RFC6296]. 3381 The YANG module defined in this document is designed to be accessed 3382 via network management protocols such as NETCONF [RFC6241] or 3383 RESTCONF [RFC8040]. 
The lowest NETCONF layer is the secure transport 3384 layer, and the mandatory-to-implement secure transport is Secure 3385 Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the 3386 mandatory-to-implement secure transport is TLS [RFC5246]. 3388 The NETCONF access control model [RFC6536] provides the means to 3389 restrict access for particular NETCONF or RESTCONF users to a 3390 preconfigured subset of all available NETCONF or RESTCONF protocol 3391 operations and content. 3393 All data nodes defined in the YANG module which can be created, 3394 modified and deleted (i.e., config true, which is the default) are 3395 considered sensitive. Write operations (e.g., edit-config) applied 3396 to these data nodes without proper protection can negatively affect 3397 network operations. The NAT YANG module allows to set parameters to 3398 prevent a user from aggressively using NAT resources (port-quota), 3399 rate-limit connections as a guard against Denial-of-Service, or to 3400 enable notifications so that appropriate measures are enforced to 3401 anticipate traffic drops. 
Nevertheless, an attacker who is able to 3402 access to the NAT can undertake various attacks, such as: 3404 o Set a high or low resource limit to cause a DoS attack: 3406 * /nat/instances/instance/policy/port-quota 3408 * /nat/instances/instance/policy/fragments-limit 3410 * /nat/instances/instance/mapping-limits 3412 * /nat/instances/instance/connection-limits 3414 o Set a low notification threshold to cause useless notifications to 3415 be generated: 3417 * /nat/instances/instance/policy/notify-pool-usage/high-threshold 3418 * /nat/instances/instance/notification-limits/notify-addresses- 3419 usage 3421 * /nat/instances/instance/notification-limits/notify-ports-usage 3423 * /nat/instances/instance/notification-limits/notify-subscribers- 3424 limit 3426 o Set an arbitrarily high threshold, which may lead to the 3427 deactivation of notifications: 3429 * /nat/instances/instance/policy/notify-pool-usage/high-threshold 3431 * /nat/instances/instance/notification-limits/notify-addresses- 3432 usage 3434 * /nat/instances/instance/notification-limits/notify-ports-usage 3436 * /nat/instances/instance/notification-limits/notify-subscribers- 3437 limit 3439 o Set a low notification interval and a low notification threshold 3440 to induce useless notifications to be generated: 3442 * /nat/instances/instance/policy/notify-pool-usage/notify- 3443 interval 3445 * /nat/instances/instance/notification-limits/notify-interval 3447 o Access to privacy data maintained in the mapping table. Such data 3448 can be misused to track the activity of a host: 3450 * /nat/instances/instance/mapping-table 3452 5. IANA Considerations 3454 This document requests IANA to register the following URI in the 3455 "IETF XML Registry" [RFC3688]: 3457 URI: urn:ietf:params:xml:ns:yang:ietf-nat 3458 Registrant Contact: The IESG. 3459 XML: N/A; the requested URI is an XML namespace. 3461 This document requests IANA to register the following YANG module in 3462 the "YANG Module Names" registry [RFC7950]. 
3464 name: ietf-nat 3465 namespace: urn:ietf:params:xml:ns:yang:ietf-nat 3466 prefix: nat 3467 reference: RFC XXXX 3469 6. Acknowledgements 3471 Many thanks to Dan Wing and Tianran Zhou for the review. 3473 Thanks to Juergen Schoenwaelder for the comments on the YANG 3474 structure and the suggestion to use NMDA. Mahesh Jethanandani 3475 provided useful comments. 3477 Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred 3478 Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and 3479 Kristian Poscic for the CGN review. 3481 Special thanks to Maros Marsalek and Marek Gradzki for sharing their 3482 comments based on the FD.io implementation of an earlier version of 3483 this module. 3485 Rajiv Asati suggested to clarify how the module applies for both 3486 stateless and stateful NAT64. 3488 Juergen Schoenwaelder provided an early yandgoctors review. Many 3489 thanks to him. 3491 Thanks to Roni Even and Mach Chen for the directorates review. Igor 3492 Ryzhov identified a nit in one example. 3494 7. References 3496 7.1. Normative References 3498 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 3499 DOI 10.17487/RFC3688, January 2004, 3500 . 3502 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 3503 Translation (NAT) Behavioral Requirements for Unicast 3504 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 3505 2007, . 3507 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 3508 (TLS) Protocol Version 1.2", RFC 5246, 3509 DOI 10.17487/RFC5246, August 2008, 3510 . 3512 [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. 3513 Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, 3514 RFC 5382, DOI 10.17487/RFC5382, October 2008, 3515 . 3517 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 3518 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 3519 DOI 10.17487/RFC5508, April 2009, 3520 . 
   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

7.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-04 (work in progress),
              December 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
              Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf-
              softwire-dslite-yang-14 (work in progress), January 2018.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

Appendix A.  Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such a case together with a mapping entry is depicted below:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, NAT_Subscriber_A, ...., 1, 192.0.2.1, ....,
       ...., 192.0.2.1, ....]

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.  In this example, the UDP
   packet received with source IPv4 address 192.0.2.1 and source port
   number 1568 is translated into a UDP packet having source IPv4
   address 198.51.100.1 and source port 15000.  The remaining lifetime
   of this mapping is 300 seconds.

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 15, dynamic-explicit, 17, 192.0.2.1, 1568,
       198.51.100.1, 15000, 300]

A.2.  Carrier Grade NAT (CGN)

   The following XML snippet shows an example of the capabilities
   supported by a CGN as retrieved using NETCONF.
      [XML snippet; element tags not preserved in this copy.  Element
       values in order: napt44, false, true, true, true, true, false,
       true, true, true, false, false, true, false, false]

   The following XML snippet shows an example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (192.0.2.0/24).  Further, the CGN is instructed to limit the number
   of allocated ports per subscriber to 1024.  Ports can be allocated by
   the CGN by assigning ranges of 256 ports (that is, a subscriber can
   be allocated up to four port ranges of 256 ports each).

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, myCGN, ...., 1, 192.0.2.0/24, 1024, all,
       port-range-allocation, 256, ....]

   An administrator may decide to allocate one single port range per
   subscriber (a port range of 1024 ports) as shown below:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, myotherCGN, ...., 1, 192.0.2.0/24, 1024, all,
       port-range-allocation, 1024, ...., ....]

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

         X1:x1              X1':x1'               X2:x2
        +---+from X1:x1    +---+from X1:x1       +---+
        | C | to X2:x2     |   | to X2:x2        | S |
        | l |>>>>>>>>>>>>>>| C |>>>>>>>>>>>>>>>>>| e |
        | i |              | G |                 | r |
        | e |<<<<<<<<<<<<<<| N |<<<<<<<<<<<<<<<<<| v |
        | n |from X2:x2    |   |from X2:x2       | e |
        | t | to X1:x1     |   | to X1:x1        | r |
        +---+              +---+                 +---+

                      Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.25), the following configuration parameter must be
   set:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: ..., 192.0.2.25, ...]

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such a case is
   depicted below:

      [XML snippet; element tags not preserved in this copy.  Element
       value: 2001:db8:122:300::/56]

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such a case is shown below:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 2001:db8:122::/48, 198.51.100.0/24]

A.5.  Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].  Similar to the NAT64 case, the XML snippet to configure
   the NAT64 prefix in such a case is depicted below:

      [XML snippet; element tags not preserved in this copy.  Element
       value: 2001:db8:100::/40]

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts the embedded IPv4 addresses
   following RFC6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.

   Also, a NAT64 can be instructed to behave in stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 2001:db8:122:300::/56, true]

A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
      SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Figure 2.

         +----------------+----------------------+
         |  IPv4 Prefix   |     IPv6 Prefix      |
         +----------------+----------------------+
         | 192.0.2.1      | 2001:db8:aaaa::      |
         | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
         | 192.0.2.16/28  | 2001:db8:cccc::/124  |
         | 192.0.2.128/26 | 2001:db8:dddd::/64   |
         | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
         | 192.0.2.224/31 | 64:ff9b::/127        |
         +----------------+----------------------+

                  Figure 2: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 192.0.2.1, 2001:db8:aaaa::, 192.0.2.2/32,
       2001:db8:bbbb::b/128, 192.0.2.16/28, 2001:db8:cccc::/124,
       192.0.2.128/26, 2001:db8:dddd::/64, 192.0.2.192/29,
       2001:db8:eeee:8::/62, 192.0.2.224/31, 64:ff9b::/127]

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: nat64, true, true, true, true, false, true,
       true, true, false, false, true, false, false]

A.7.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, static, 6, 192.0.2.1, 100, 500,
       198.51.100.1, 1100, 1500, ...]

A.8.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.1/24 to 198.51.100.1/24.

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, static, 6, 192.0.2.1/24, 198.51.100.1/24,
       ...]

A.9.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, 192.0.2.1, 198.51.100.1]

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping to be configured on the NAT:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, static, 6, 192.0.2.1, 80, 198.51.100.1,
       8080]

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings to be configured on the NAT:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, static, 6, 192.0.2.1, 80, 198.51.100.1, ...,
       2, static, 6, 192.0.2.1, 22, 198.51.100.2, ...]

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, 198.51.100.0/24]

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10.  Customer-side Translator (CLAT)

   The following XML snippet shows an example of a CLAT that is
   configured with 2001:db8:1234::/96 as the PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as the CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 2001:db8:aaaa::/96, 192.0.0.1/32,
       2001:db8:1234::/96]

A.11.  IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of an NPTv6 translator that should rewrite
   packets with the source prefix (fd01:203:405:/48) with the external
   prefix (2001:db8:1:/48).  The internal interface is "eth0" while the
   external interface is "eth1".

           External Network:  Prefix = 2001:db8:1:/48
          --------------------------------------
                          |
                          |eth1
                    +-------------+
               eth4 |    NPTv6    | eth2
           ...------|             |------...
                    +-------------+
                          |eth0
                          |
          --------------------------------------
           Internal Network:  Prefix = fd01:203:405:/48

                   Example of NPTv6 (RFC6296)

   The XML snippet to configure NPTv6 prefixes in such a case is
   depicted below:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: fd01:203:405:/48, 2001:db8:1:/48, ..., eth1]

   Figure 3 shows an example of an NPTv6 that interconnects two internal
   networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
   translated using a dedicated prefix (2001:db8:1:/48 and
   2001:db8:6666:/48, respectively).

              Internal Prefix = fd01:4444:5555:/48
            --------------------------------------
           V                  |  External Prefix
           V                  |eth1  2001:db8:1:/48
           V            +---------+          ^
           V            |  NPTv6  |          ^
           V            |         |          ^
           V            +---------+          ^
      External Prefix         |eth0          ^
      2001:db8:6666:/48       |              ^
            --------------------------------------
              Internal Prefix = fd01:203:405:/48

          Figure 3: Connecting two Peer Networks (RFC6296)

   To that aim, the following configuration is provided to the NPTv6:

      [XML snippet; element tags not preserved in this copy.  Element
       values in order: 1, fd01:203:405:/48, 2001:db8:1:/48, eth1, 2,
       fd01:4444:5555:/48, 2001:db8:6666:/48, eth0]

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Email: sureshk@juniper.net

   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com