Network Working Group                                  M. Boucadair, Ed.
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: December 29, 2018                                 Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                           June 27, 2018


  A YANG Module for Network Address Translation (NAT) and Network Prefix
                            Translation (NPT)
                     draft-ietf-opsawg-nat-yang-15

Abstract

   This document defines a YANG module for the Network Address
   Translation (NAT) function.

   Network Address Translation from IPv4 to IPv4 (NAT44), Network
   Address and Protocol Translation from IPv6 Clients to IPv4 Servers
   (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
   Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
   Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and
   Destination NAT are covered in this document.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC
   number to be assigned to this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
   Network Prefix Translation (NPT)"

   "reference: RFC XXXX"

   Please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 29, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various Translation Flavors
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface
     2.11. Relationship to NATV2-MIB
     2.12. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  Carrier Grade NAT (CGN)
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Stateless IP/ICMP Translation (SIIT)
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT)
     A.7.  Static Mappings with Port Ranges
     A.8.  Static Mappings with IP Prefixes
     A.9.  Destination NAT
     A.10. Customer-side Translator (CLAT)
     A.11. IPv6 Network Prefix Translation (NPTv6)
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.
   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], IPv6 Network Prefix Translation (NPTv6) [RFC6296], and
   Destination NAT.  The full set of translation schemes that are in
   scope is included in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic Network Address Translation from IPv4 to IPv4 (NAT44):
      translation is limited to IP addresses alone (Section 2.1 of
      [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: an IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: a non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: a host that may need to use a translation
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: the IP address/prefix of an internal
      host.
   o  External Address: the IP address/prefix assigned by a translator
      to an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the translator that is necessary for
      network address and/or port translation.

   o  Dynamic implicit mapping: created implicitly as a side effect of
      processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   In this document, the term NAT refers to any translation flavor
   (NAT44, NAT64, etc.) without distinction.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.  As a reminder, REQ-9 of [RFC6888] requires that a CGN must
   implement a protocol giving subscribers explicit control over NAT
   mappings; that protocol should be the Port Control Protocol
   [RFC6887].
   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance.  Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module does not provide any method to instruct a NAT
   function to enable the logging feature or to specify the information
   to be logged for administrative or regulatory reasons (Section 2.3 of
   [RFC6908] and REQ-12 of [RFC6888]).  Those considerations are out of
   the scope of this document.

2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44
   o  NAPT
   o  Destination NAT
   o  Port-restricted NAT
   o  Stateful NAT64 (including with destination-based Pref64::/n
      [RFC7050])
   o  SIIT
   o  CLAT
   o  EAM
   o  NPTv6
   o  Combination of Basic NAT/NAPT and Destination NAT
   o  Combination of port-restricted and Destination NAT
   o  Combination of NAT64 and EAM
   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists the defined features:

         +---------------------------------+--------------+
         | Translation Mode                | YANG Feature |
         +---------------------------------+--------------+
         | Basic NAT44                     | basic-nat44  |
         | NAPT                            | napt44       |
         | Destination NAT                 | dst-nat      |
         | Stateful NAT64                  | nat64        |
         | Stateless IPv4/IPv6 translation | siit         |
         | CLAT                            | clat         |
         | EAM                             | eam          |
         | NPTv6                           | nptv6        |
         +---------------------------------+--------------+

                      Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).
   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.
   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).
   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.
   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes if,
      in addition to appropriately setting the parameter (nat64-
      prefixes/stateless-enable), an external IPv4 address pool is
      configured.
   The NAT YANG module provides a method to retrieve the capabilities of
   a NAT instance (including the list of supported translation modes,
   the list of supported protocols, port restriction support status,
   supported NAT mapping types, supported NAT filtering types, port
   range allocation support status, port parity preservation support
   status, port preservation support status, and the behavior for
   handling fragments (all, out-of-order, in-order)).

2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions may be needed to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

   Also, the module allows the operator to enable translation for these
   protocols when required (/nat/instances/instance/policy/transport-
   protocols).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.
   In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for external-
   ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis), but this port allocation
   scheme may not be optimal for logging purposes (Section 12 of
   [RFC6269]).  A NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both allocation schemes are supported in the NAT YANG
   module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs restrict the source port numbers (e.g., Lightweight 4over6
   [RFC7596], MAP-E [RFC7597]).  Two schemes of port set assignments
   (port-set-restrict) are supported in this document:

   o  Simple port range: defined by two port values, the start and the
      end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.
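   The two port-set-restrict schemes of Section 2.7 worked through in
   Python.  This is an added example, not code from this draft or from
   any implementation of ietf-nat: the names PortRange, PortSetAlgo,
   port_set, port_allowed, psid_of_port and port_sets_overlap are this
   example's own.  It assumes the RFC 7597 port layout for the
   algorithmic case (a 16-bit port split into A, PSID and M bit fields,
   with A = 0 excluded whenever psid-offset > 0) and maps the module's
   leaves start-port-number/end-port-number and psid-offset/psid-len/psid
   onto the two dataclasses.  It also checks the two rules of Section 1.1
   that matter operationally: a translated source port must fall inside
   the assigned set, and two subscribers sharing a port-restricted
   address must not have overlapping sets.

```python
from dataclasses import dataclass
from typing import FrozenSet, Union


@dataclass(frozen=True)
class PortRange:
    """port-set-restrict / port-range: [start-port-number, end-port-number]."""
    start_port_number: int
    end_port_number: int


@dataclass(frozen=True)
class PortSetAlgo:
    """port-set-restrict / port-set-algo (RFC 7597 Section 5.1).  A 16-bit
    port is laid out as  A (psid-offset bits) | PSID (psid-len bits) | M."""
    psid_offset: int
    psid_len: int
    psid: int


Restrict = Union[PortRange, PortSetAlgo]


def port_set(restrict: Restrict) -> FrozenSet[int]:
    """Return the external source ports a port-set-restrict configuration
    allows.  Raises ValueError for an inconsistent configuration."""
    if isinstance(restrict, PortRange):
        if not 0 <= restrict.start_port_number <= restrict.end_port_number <= 65535:
            raise ValueError("invalid port range")
        return frozenset(range(restrict.start_port_number,
                               restrict.end_port_number + 1))
    a, k = restrict.psid_offset, restrict.psid_len
    if a + k > 16 or restrict.psid >= (1 << k):
        raise ValueError("need psid-offset + psid-len <= 16 and psid < 2^psid-len")
    m = 16 - a - k                     # contiguous-port bits below the PSID
    # RFC 7597: when psid-offset > 0, A = 0 is excluded, which keeps the
    # lowest 2^(16-a) ports (the system ports for a = 6) out of every set.
    a_values = range(1, 1 << a) if a > 0 else range(1)
    ports = set()
    for A in a_values:
        base = (A << (16 - a)) | (restrict.psid << m)
        ports.update(range(base, base + (1 << m)))
    return frozenset(ports)


def psid_of_port(port: int, psid_offset: int, psid_len: int) -> int:
    """Recover the PSID carried in a port: which subscriber's set it belongs to."""
    return (port >> (16 - psid_offset - psid_len)) & ((1 << psid_len) - 1)


def port_allowed(restrict: Restrict, port: int) -> bool:
    """Section 1.1: source ports of translated packets must belong to the
    assigned port set.  A translator choosing a port outside it is a bug."""
    return port in port_set(restrict)


def port_sets_overlap(r1: Restrict, r2: Restrict) -> bool:
    """Section 1.1: hosts sharing one port-restricted IPv4 address must not
    be given overlapping port sets."""
    return not port_set(r1).isdisjoint(port_set(r2))
```

   With psid-offset 6 and psid-len 4 each subscriber receives 63 chunks
   of 64 ports (4032 ports), none of them below 1024, and the PSID is
   readable directly from any port in the set, which is what lets a
   MAP-E border relay route returning packets without per-flow state.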
2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port) (internal-dst-address,
      internal-dst-port) <=> (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
      identifier) <=> (external-src-address, external-dst-address,
      external ICMP/ICMPv6 identifier)

   As a reminder, all the ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as used
      by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix as
      used by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.
   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors, the NAT mapping
   structure allows for the inclusion of an IPv4 or an IPv6 address as
   an internal IP address.  The remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2.  This example
   assumes EDM (Endpoint-Dependent Mapping).

   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                 Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is depicted in Table 3.  This
   example assumes EIM (Endpoint-Independent Mapping).
   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

              Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

              Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].
   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limits and connection-limits).  According to
   [RFC6888], the module is designed to allow for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings or be translated because they match existing
   mappings are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mappings and limit-   |
   |                   | port-mappings).  Also, limits specific to     |
   |                   | protocols (e.g., TCP, UDP, ICMP) can be       |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified.  Rate-limiting can be       |
   |                   | enforced per subscriber (limit-subscriber),   |
   |                   | per NAT instance (limit-per-instance), and/or |
   |                   | be specified for each supported protocol      |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+

                           Table 5: NAT Limits

   Table 6 describes limits that, once exceeded, will trigger
   notifications to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a nat- |
   |                          | instance-event will be generated.      |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a nat-       |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                    Table 6: Notification Thresholds

   In order to prevent a NAT implementation from generating frequent
   notifications, the NAT YANG module supports the following limits
   (Table 7) used to control how frequently notifications can be
   generated.  That is, notifications are subject to rate-limiting
   imposed by these intervals.
   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   +-------------------------------------+-----------------------------+
   | notify-pool-usage/notify-interval   | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a given address pool.   |
   +-------------------------------------+-----------------------------+
   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                    Table 7: Notification Intervals

2.10.  Binding the NAT Function to an External Interface

   The module is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm [RFC8343], but the
   module is extensible so that other choices can be indicated in the
   future (e.g., a Virtual Routing and Forwarding (VRF) instance).

   Distinct external realms can be provided as a function of the NAT
   policy (see, for example, Section 4 of [RFC7289]).

   If no external realm is provided, this assumes that the system is
   able to determine the external interface (VRF instance, etc.) on
   which the NAT will be applied.  Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE.

2.11.  Relationship to NATV2-MIB

   Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that
   the following information is configured on the NAT by some means not
   specified in [RFC7659]:

   o  The set of address realms to which the device connects.
   o  For the CGN case, per-subscriber information including subscriber
      index, address realm, assigned prefix or address, and (possibly)
      policies regarding address pool selection in the various possible
      address realms to which the subscriber may connect.

   o  The set of NAT instances running on the device, identified by NAT
      instance index and name.

   o  The port mapping, filtering, pooling, and fragment behaviors for
      each NAT instance.

   o  The set of protocols supported by each NAT instance.

   o  Address pools for each NAT instance, including for each pool the
      pool index, address realm, and minimum and maximum port number.

   o  Static address and port mapping entries.

   All the above parameters can be configured by means of the NAT YANG
   module.

   Unlike the NATV2-MIB, the NAT YANG module allows configuring
   multiple policies per NAT instance.

2.12.  Tree Structure

   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id                          uint32
              +--rw name?                       string
              +--rw enable?                     boolean
              +--ro capabilities
              |  +--ro nat-flavor*
              |  |       identityref
              |  +--ro per-interface-binding*
              |  |       enumeration
              |  +--ro transport-protocols* [protocol-id]
              |  |  +--ro protocol-id      uint8
              |  |  +--ro protocol-name?   string
              |  +--ro restricted-port-support?
              |  |       boolean
              |  +--ro static-mapping-support?
              |  |       boolean
              |  +--ro port-randomization-support?
              |  |       boolean
              |  +--ro port-range-allocation-support?
              |  |       boolean
              |  +--ro port-preservation-suport?
              |  |       boolean
              |  +--ro port-parity-preservation-support?
              |  |       boolean
              |  +--ro address-roundrobin-support?
              |  |       boolean
              |  +--ro paired-address-pooling-support?
              |  |       boolean
              |  +--ro endpoint-independent-mapping-support?
              |  |       boolean
              |  +--ro address-dependent-mapping-support?
              |  |       boolean
              |  +--ro address-and-port-dependent-mapping-support?
              |  |       boolean
              |  +--ro endpoint-independent-filtering-support?
              |  |       boolean
              |  +--ro address-dependent-filtering?
              |  |       boolean
              |  +--ro address-and-port-dependent-filtering?
              |  |       boolean
              |  +--ro fragment-behavior?
              |          enumeration
              +--rw type?                       identityref
              +--rw per-interface-binding?      enumeration
              +--rw nat-pass-through* [id]
              |       {basic-nat44 or napt44 or dst-nat}?
              |  +--rw id        uint32
              |  +--rw prefix    inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                          uint32
              |  +--rw clat-parameters {clat}?
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
              |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix] {eam}?
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |       {siit or nat64 or clat}?
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?          boolean
              |  +--rw external-ip-address-pool* [pool-id]
              |  |       {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool    inet:ipv4-prefix
              |  +--rw port-set-restrict {napt44 or nat64}?
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?   uint8
              |  |        +--rw psid-len       uint8
              |  |        +--rw psid           uint16
              |  +--rw dst-nat-enable?             boolean
              |  |       {basic-nat44 or napt44}?
              |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool    inet:ip-prefix
              |  +--rw transport-protocols* [protocol-id]
              |  |       {napt44 or nat64 or dst-nat}?
              |  |  +--rw protocol-id      uint8
              |  |  +--rw protocol-name?   string
              |  +--rw subscriber-mask-v6?         uint8
              |  +--rw subscriber-match* [match-id]
              |  |       {basic-nat44 or napt44 or dst-nat}?
              |  |  +--rw match-id    uint32
              |  |  +--rw subnet      inet:ip-prefix
              |  +--rw address-allocation-type?    enumeration
              |  +--rw port-allocation-type?       enumeration
              |  |       {napt44 or nat64}?
              |  +--rw mapping-type?               enumeration
              |  |       {napt44 or nat64}?
              |  +--rw filtering-type?             enumeration
              |  |       {napt44 or nat64}?
              |  +--rw fragment-behavior?          enumeration
              |  |       {napt44 or nat64}?
              |  +--rw port-quota* [quota-type] {napt44 or nat64}?
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-set {napt44 or nat64}?
              |  |  +--rw port-set-size       uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers {napt44 or nat64}?
              |  |  +--rw udp-timeout?               uint32
              |  |  +--rw tcp-idle-timeout?          uint32
              |  |  +--rw tcp-trans-open-timeout?    uint32
              |  |  +--rw tcp-trans-close-timeout?   uint32
              |  |  +--rw tcp-in-syn-timeout?        uint32
              |  |  +--rw fragment-min-timeout?      uint32
              |  |  +--rw icmp-timeout?              uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw timeout        uint32
              |  |  +--rw hold-down-timeout?         uint32
              |  |  +--rw hold-down-max?             uint32
              |  +--rw fragments-limit?            uint32
              |  +--rw algs* [name]
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw dst-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw src-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?            boolean
              |  +--rw notify-pool-usage
              |  |       {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id?           uint32
              |  |  +--rw high-threshold?    percent
              |  |  +--rw low-threshold?     percent
              |  |  +--rw notify-interval?   uint32
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |           +--rw external-interface?   if:interface-ref
              +--rw mapping-limits {napt44 or nat64}?
              |  +--rw limit-subscribers?        uint32
              |  +--rw limit-address-mappings?   uint32
              |  +--rw limit-port-mappings?      uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |          {napt44 or nat64 or dst-nat}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw connection-limits
              |       {basic-nat44 or napt44 or nat64}?
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-instance?     uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |          {napt44 or nat64}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw notification-limits
              |  +--rw notify-interval?            uint32
              |  |       {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-addresses-usage?     percent
              |  |       {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-ports-usage?         percent
              |  |       {napt44 or nat64}?
              |  +--rw notify-subscribers-limit?   uint32
              |          {basic-nat44 or napt44 or nat64}?
              +--rw mapping-table
              |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro discontinuity-time    yang:date-and-time
                 +--ro traffic-statistics
                 |  +--ro sent-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro sent-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro rcvd-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro rcvd-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-packets?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-bytes?
                 |  |       yang:zero-based-counter64
                 |  +--ro dropped-fragments?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-address-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-limit-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-port-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-limit-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-port-bytes?
                 |  |       yang:zero-based-counter64
                 |  |       {napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-packets?
                 |  |       yang:zero-based-counter64
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-bytes?
                 |          yang:zero-based-counter64
                 |          {basic-nat44 or napt44 or nat64}?
                 +--ro mappings-statistics
                 |  +--ro total-active-subscribers?   yang:gauge32
                 |  |       {basic-nat44 or napt44 or nat64}?
                 |  +--ro total-address-mappings?     yang:gauge32
                 |  |       {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                 |  +--ro total-port-mappings?        yang:gauge32
                 |  |       {napt44 or nat64}?
                 |  +--ro total-per-protocol* [protocol-id]
                 |          {napt44 or nat64}?
                 |     +--ro protocol-id    uint8
                 |     +--ro total?         yang:gauge32
                 +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro ports-stats {napt44 or nat64}?
                    |  +--ro ports-allocated?   yang:gauge32
                    |  +--ro ports-free?        yang:gauge32
                    +--ro per-pool-stats* [pool-id]
                            {basic-nat44 or napt44 or nat64}?
                       +--ro pool-id               uint32
                       +--ro discontinuity-time    yang:date-and-time
                       +--ro pool-stats
                       |  +--ro addresses-allocated?   yang:gauge32
                       |  +--ro addresses-free?        yang:gauge32
                       +--ro port-stats {napt44 or nat64}?
                          +--ro ports-allocated?   yang:gauge32
                          +--ro ports-free?        yang:gauge32

   notifications:
     +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
     |  +--ro id                       -> /nat/instances/instance/id
     |  +--ro policy-id?
     |  |       -> /nat/instances/instance/policy/id
     |  +--ro pool-id                  leafref
     |  +--ro notify-pool-threshold    percent
     +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
        +--ro id
        |       -> /nat/instances/instance/id
        +--ro notify-subscribers-threshold?   uint32
        +--ro notify-addresses-threshold?     percent
        +--ro notify-ports-threshold?         percent

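   The port-set-algo case of port-set-restrict in the tree above
   (psid-offset, psid-len, psid) does not list ports; it names a set of
   ports algorithmically, using the port layout of Section 5.1 of
   RFC 7597.  The following Python is an added example, not code from
   this draft or from the ietf-nat module: it expands those three
   leaves into the concrete port ranges a NAPT44 or NAT64 policy may
   allocate, and maps an observed external port back to its PSID.  The
   function names are this example's own; the sample parameters
   (a = 6, k = 8, PSID = 0x34) are the ones RFC 7597 uses.

```python
"""Added example (not part of the draft or the ietf-nat module): expand the
port-set-algo parameters (psid-offset = 'a' bits, psid-len = 'k' bits,
psid) into the transport ports one subscriber may use, following the
port layout of RFC 7597, Section 5.1:

    16-bit port = | A (a bits) | PSID (k bits) | M (m bits) |,  m = 16 - a - k

When a > 0, the value A = 0 is excluded, so ports 0 .. 2^(16-a) - 1
(the system ports, for a = 6) are never handed to a subscriber.
"""


def psid_port_ranges(psid_offset, psid_len, psid):
    """Return the contiguous (start, end) port ranges, inclusive, owned by
    one PSID.  Raises ValueError for parameters outside the YANG ranges
    (0..15) or that do not fit the 16-bit port space."""
    a, k = psid_offset, psid_len
    if not (0 <= a <= 15 and 0 <= k <= 15 and a + k <= 16):
        raise ValueError("psid-offset/psid-len do not fit in a 16-bit port")
    if not 0 <= psid < (1 << k):
        raise ValueError("psid must be smaller than 2^psid-len")
    m = 16 - a - k
    first_a = 1 if a > 0 else 0          # A = 0 is excluded when a > 0
    ranges = []
    for block in range(first_a, 1 << a):
        start = (block << (16 - a)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def port_count(psid_offset, psid_len, psid):
    """Number of ports the subscriber holding this PSID can use at once."""
    return sum(e - s + 1 for s, e in psid_port_ranges(psid_offset, psid_len, psid))


def psid_of_port(port, psid_offset, psid_len):
    """Inverse mapping: which PSID (hence which subscriber) owns an external
    port.  Returns None for ports in the excluded A = 0 block, which no
    subscriber could legitimately have used."""
    a, k = psid_offset, psid_len
    if a > 0 and port < (1 << (16 - a)):
        return None
    m = 16 - a - k
    return (port >> m) & ((1 << k) - 1)


if __name__ == "__main__":
    # Parameters from RFC 7597, Section 5.1: a = 6, k = 8, PSID = 0x34.
    for s, e in psid_port_ranges(6, 8, 0x34)[:3]:
        print(f"{s}-{e}")
    print("ports:", port_count(6, 8, 0x34),
          "owner of 2257:", hex(psid_of_port(2257, 6, 8)))
```

   Two PSIDs under the same (a, k) always yield disjoint port sets, which
   is what makes psid_of_port() a reliable way to attribute an abuse
   report carrying an external address and port to a subscriber; a
   controller that pushes port-set-restrict entries should still check
   that the psid it assigns is below 2^psid-len, which the YANG module
   does not enforce by itself.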
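   The nat64-prefixes list, with its nat64-prefix and
   destination-ipv4-prefix entries, relies on the IPv4-embedded IPv6
   address format of RFC 6052 (the draft's own example, 192.0.2.0/24
   mapped under 2001:db8:122:300::/56, follows it).  The following
   Python is an added example, not code from this draft or from the
   ietf-nat module: it builds and parses such addresses for every
   prefix length RFC 6052 allows, keeping the reserved octet at bits
   64..71 zero.  Function names are the example's own, and
   translatable() encodes a policy choice of this example rather than a
   rule stated in the draft.

```python
"""Added example (not part of the draft or the ietf-nat module): build and
parse IPv4-embedded IPv6 addresses for a nat64-prefix, following the
address format of RFC 6052, Section 2.2."""
import ipaddress

# Prefix lengths RFC 6052 allows for a Well-Known or Network-Specific Prefix.
_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _nat64_network(nat64_prefix):
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen not in _PREFIX_LENGTHS:
        raise ValueError("nat64-prefix length must be one of %s" % (_PREFIX_LENGTHS,))
    if net.network_address.packed[8] != 0:
        raise ValueError("bits 64..71 of a nat64-prefix must be zero")
    return net


def embed_ipv4(nat64_prefix, ipv4):
    """Return the IPv6 address that encodes ipv4 under nat64_prefix.  The
    IPv4 octets are written directly after the prefix, skipping the
    reserved 'u' octet (byte 8); the remaining suffix stays zero."""
    net = _nat64_network(nat64_prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # never overwrite the 'u' octet
            pos = 9
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(nat64_prefix, ipv6):
    """Inverse of embed_ipv4: recover the IPv4 address from a translated
    packet, refusing addresses outside the prefix or with a non-zero
    'u' octet (a malformed address the translator should drop)."""
    net = _nat64_network(nat64_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("address is not inside the nat64-prefix")
    raw = addr.packed
    if raw[8] != 0:
        raise ValueError("bits 64..71 must be zero in an IPv4-embedded address")
    pos = net.prefixlen // 8
    octets = bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos = 9
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


# Assumption of this example: RFC 1918 space is never a valid embedded target.
_RFC1918 = tuple(ipaddress.IPv4Network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def translatable(ipv4):
    """Policy check to run before creating a NAT64 mapping (this example's
    choice, not a rule in the draft): refuse embedded addresses that point
    at loopback, link-local, multicast, unspecified or RFC 1918 space,
    which an IPv6-only client could otherwise reach through the NAT64."""
    a = ipaddress.IPv4Address(ipv4)
    if a.is_loopback or a.is_link_local or a.is_multicast or a.is_unspecified:
        return False
    return not any(a in n for n in _RFC1918)


if __name__ == "__main__":
    v6 = embed_ipv4("2001:db8:122:300::/56", "192.0.2.33")
    print(v6, "->", extract_ipv4("2001:db8:122:300::/56", v6),
          "translatable:", translatable("192.0.2.33"))
```

   Note that for a /64 prefix Python prints the result as
   2001:db8:122:344:c0:2:2100:0 rather than with a trailing "::", since
   RFC 5952 forbids compressing a single zero field; the address is the
   same.  A destination-ipv4-prefix entry restricts which embedded
   addresses the policy translates at all; translatable() is the extra
   filter a practitioner would keep even when that list is empty.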
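   Each nptv6-prefixes entry pairs an internal-ipv6-prefix with an
   external-ipv6-prefix; RFC 6296 makes that rewrite checksum-neutral
   by adjusting one 16-bit word of the address instead of touching
   transport checksums, which is why the nptv6 feature is described as
   stateless and transport-agnostic.  The following Python is an added
   example, not code from this draft or from the ietf-nat module, of
   that rewrite for prefixes of /48 or shorter, using the prefixes and
   address of the worked example in RFC 6296; the function names are
   this example's own.

```python
"""Added example (not part of the draft or the ietf-nat module): the
checksum-neutral prefix rewrite behind one (internal-ipv6-prefix,
external-ipv6-prefix) pair, per RFC 6296, Section 3, for prefixes of
/48 or shorter.  The same function serves both directions; the caller
swaps the prefixes for return traffic."""
import ipaddress


def _ones_complement_sum(words):
    """One's complement sum of 16-bit words with end-around carry, the
    arithmetic of the IPv6 pseudo-header checksum."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr):
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def nptv6_adjustment(from_prefix, to_prefix):
    """16-bit value that, added to the subnet field (bits 48..63), leaves
    the one's complement sum of the address, and so every transport
    checksum covering it, unchanged after the prefix swap."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("this example handles equal-length prefixes of /48 or shorter")
    sum_from = _ones_complement_sum(_words(src.network_address)[:3])
    sum_to = _ones_complement_sum(_words(dst.network_address)[:3])
    # from - to, in one's complement arithmetic
    return _ones_complement_sum([sum_from, (~sum_to) & 0xFFFF])


def nptv6_translate(address, from_prefix, to_prefix):
    """Rewrite one address from from_prefix to to_prefix."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        raise ValueError("address is not inside the from-prefix")
    adj = nptv6_adjustment(from_prefix, to_prefix)
    host_bits = int(addr) & int(src.hostmask)
    rewritten = ipaddress.IPv6Address(host_bits | int(dst.network_address))
    words = _words(rewritten)
    words[3] = _ones_complement_sum([words[3], adj])
    if words[3] == 0xFFFF:   # one's complement "negative zero": written as 0x0000 (RFC 6296)
        words[3] = 0
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute identically to a transport checksum."""
    return _ones_complement_sum(_words(addr_a)) == _ones_complement_sum(_words(addr_b))


if __name__ == "__main__":
    # RFC 6296 worked example: fd01:203:405::/48 (internal) <-> 2001:db8:1::/48 (external)
    ext = nptv6_translate("fd01:203:405:1::1234", "fd01:203:405::/48", "2001:db8:1::/48")
    back = nptv6_translate(ext, "2001:db8:1::/48", "fd01:203:405::/48")
    print(ext, back, checksum_neutral("fd01:203:405:1::1234", ext))
```

   Because the adjustment lands in the subnet field, internal subnet
   0xFFFF is not usable behind such a translator, and a prefix pair
   whose word sums are equal leaves the subnet field untouched.  The
   rewrite is purely algorithmic: unlike a NAPT44 policy, an NPTv6
   entry keeps no per-session state and therefore provides none of the
   filtering that mapping-type and filtering-type describe; any
   access control has to be configured separately.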
3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2018-06-28.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     prefix "nat";

     import ietf-inet-types {
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }

     organization
       "IETF OPSAWG (Operations and Management Area Working Group)";

     contact
       "WG Web:
        WG List:

        Editor: Mohamed Boucadair

        Editor: Senthil Sivakumar

        Editor: Christian Jacquenet

        Editor: Suresh Vinapamula

        Editor: Qin Wu
        ";

     description
       "This module is a YANG module for NAT implementations.

        NAT44, Network Address and Protocol Translation from IPv6
        Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
        Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
        for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network
        Prefix Translation (NPTv6), and Destination NAT are covered.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
1058 This version of this YANG module is part of RFC XXXX; see 1059 the RFC itself for full legal notices."; 1061 revision 2018-06-28 { 1062 description 1063 "Initial revision."; 1064 reference 1065 "RFC XXXX: A YANG Module for Network Address Translation 1066 (NAT) and Network Prefix Translation (NPT)"; 1067 } 1069 /* 1070 * Definitions 1071 */ 1073 typedef percent { 1074 type uint8 { 1075 range "0 .. 100"; 1076 } 1077 description 1078 "Percentage"; 1079 } 1081 /* 1082 * Features 1083 */ 1085 feature basic-nat44{ 1086 description 1087 "Basic NAT44 translation is limited to IP addresses alone."; 1088 reference 1089 "RFC 3022: Traditional IP Network Address Translator 1090 (Traditional NAT)"; 1091 } 1093 feature napt44 { 1094 description 1095 "Network Address/Port Translator (NAPT): translation is 1096 extended to include IP addresses and transport identifiers 1097 (such as a TCP/UDP port or ICMP query ID). 1099 If the internal IP address is not sufficient to uniquely 1100 disambiguate NAPT44 mappings, an additional attribute is 1101 required. For example, that additional attribute may 1102 be an IPv6 address (a.k.a., DS-Lite) or 1103 a Layer 2 identifier (a.k.a., Per-Interface NAT)"; 1104 reference 1105 "RFC 3022: Traditional IP Network Address Translator 1106 (Traditional NAT)"; 1107 } 1109 feature dst-nat { 1110 description 1111 "Destination NAT is a translation that acts on the destination 1112 IP address and/or destination port number. This flavor is 1113 usually deployed in load balancers or at devices 1114 in front of public servers."; 1115 } 1117 feature nat64 { 1118 description 1119 "NAT64 translation allows IPv6-only clients to contact IPv4 1120 servers using unicast UDP, TCP, or ICMP. 
One or more 1121 public IPv4 addresses assigned to a NAT64 translator are 1122 shared among several IPv6-only clients."; 1123 reference 1124 "RFC 6146: Stateful NAT64: Network Address and Protocol 1125 Translation from IPv6 Clients to IPv4 Servers"; 1126 } 1128 feature siit { 1129 description 1130 "The Stateless IP/ICMP Translation Algorithm (SIIT), which 1131 translates between IPv4 and IPv6 packet headers (including 1132 ICMP headers). 1134 In the stateless mode, an IP/ICMP translator converts IPv4 1135 addresses to IPv6 and vice versa solely based on the 1136 configuration of the stateless IP/ICMP translator and 1137 information contained within the packet being translated. 1139 The translator must support the stateless address mapping 1140 algorithm defined in RFC6052, which is the default behavior."; 1141 reference 1142 "RFC 7915: IP/ICMP Translation Algorithm"; 1143 } 1145 feature clat { 1146 description 1147 "CLAT is customer-side translator that algorithmically 1148 translates 1:1 private IPv4 addresses to global IPv6 addresses, 1149 and vice versa. 
1151 When a dedicated /64 prefix is not available for translation 1152 from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN 1153 packets so that all the LAN-originated IPv4 packets appear 1154 from a single IPv4 address and are then statelessly translated 1155 to one interface IPv6 address that is claimed by the CLAT via 1156 the Neighbor Discovery Protocol (NDP) and defended with 1157 Duplicate Address Detection."; 1158 reference 1159 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1160 Translation"; 1162 } 1164 feature eam { 1165 description 1166 "Explicit Address Mapping (EAM) is a bidirectional coupling 1167 between an IPv4 Prefix and an IPv6 Prefix."; 1168 reference 1169 "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP 1170 Translation"; 1171 } 1173 feature nptv6 { 1174 description 1175 "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 1176 prefix translation."; 1177 reference 1178 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1179 } 1181 /* 1182 * Identities 1183 */ 1185 identity nat-type { 1186 description 1187 "Base identity for nat type."; 1188 } 1190 identity basic-nat44 { 1191 base nat:nat-type; 1192 description 1193 "Identity for Basic NAT support."; 1194 reference 1195 "RFC 3022: Traditional IP Network Address Translator 1196 (Traditional NAT)"; 1197 } 1199 identity napt44 { 1200 base nat:nat-type; 1201 description 1202 "Identity for NAPT support."; 1203 reference 1204 "RFC 3022: Traditional IP Network Address Translator 1205 (Traditional NAT)"; 1206 } 1208 identity dst-nat { 1209 base nat:nat-type; 1210 description 1211 "Identity for Destination NAT support."; 1212 } 1214 identity nat64 { 1215 base nat:nat-type; 1216 description 1217 "Identity for NAT64 support."; 1218 reference 1219 "RFC 6146: Stateful NAT64: Network Address and Protocol 1220 Translation from IPv6 Clients to IPv4 Servers"; 1221 } 1223 identity siit { 1224 base nat:nat-type; 1225 description 1226 "Identity for SIIT support."; 1227 reference 1228 
"RFC 7915: IP/ICMP Translation Algorithm"; 1229 } 1231 identity clat { 1232 base nat:nat-type; 1233 description 1234 "Identity for CLAT support."; 1235 reference 1236 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1237 Translation"; 1238 } 1240 identity eam { 1241 base nat:nat-type; 1242 description 1243 "Identity for EAM support."; 1244 reference 1245 "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP 1246 Translation"; 1247 } 1249 identity nptv6 { 1250 base nat:nat-type; 1251 description 1252 "Identity for NPTv6 support."; 1253 reference 1254 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1255 } 1257 /* 1258 * Grouping 1259 */ 1261 grouping port-number { 1262 description 1263 "Individual port or a range of ports. 1264 When only start-port-number is present, 1265 it represents a single port number."; 1267 leaf start-port-number { 1268 type inet:port-number; 1269 description 1270 "Beginning of the port range."; 1271 reference 1272 "Section 3.2.9 of RFC 8045."; 1273 } 1275 leaf end-port-number { 1276 type inet:port-number; 1278 must ". >= ../start-port-number" 1279 { 1280 error-message 1281 "The end-port-number must be greater than or 1282 equal to start-port-number."; 1283 } 1284 description 1285 "End of the port range."; 1286 reference 1287 "Section 3.2.10 of RFC 8045."; 1288 } 1289 } 1291 grouping port-set { 1292 description 1293 "Indicates a set of ports. 1295 It may be a simple port range, or use the Port Set ID (PSID) 1296 algorithm to represent a range of transport layer 1297 ports which will be used by a NAPT."; 1299 choice port-type { 1300 default port-range; 1301 description 1302 "Port type: port-range or port-set-algo."; 1303 case port-range { 1304 uses port-number; 1305 } 1307 case port-set-algo { 1308 leaf psid-offset { 1309 type uint8 { 1310 range 0..15; 1311 } 1313 description 1314 "The number of offset bits (a.k.a., 'a' bits). 1316 Specifies the numeric value for the excluded port 1317 range/offset bits. 
                Allowed values are between 0 and 15.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;
             description
               "The length of the PSID, representing the sharing
                ratio for an IPv4 address (also known as 'k').

                The address-sharing ratio would be 2^k.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
             reference
               "Section 5.1 of RFC 7597";
           }
         }
         reference
           "RFC 7597: Mapping of Address and Port with
            Encapsulation (MAP-E)";
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.

          If an attribute is not stored in the mapping/session table,
          this means the corresponding fields of a packet that
          matches this entry are not rewritten by the NAT or this
          information is not required for NAT filtering purposes.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.  This identifier can
            be automatically assigned by the NAT instance or be
            explicitly configured.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is explicitly configured
                (e.g., via command-line interface).";
           }

           enum "dynamic-implicit" {
             description
               "This mapping is created implicitly as a side effect
                of processing a packet that requires a new mapping.";
           }

           enum "dynamic-explicit" {
             description
               "This mapping is created as a result of an explicit
                request, e.g., a PCP message.";
           }
         }
         description
           "Indicates the type of a mapping entry.
E.g., 1400 a mapping can be: static, implicit dynamic 1401 or explicit dynamic."; 1402 } 1403 leaf transport-protocol { 1404 type uint8; 1405 description 1406 "Upper-layer protocol associated with this mapping. 1407 Values are taken from the IANA protocol registry. 1408 For example, this field contains 6 (TCP) for a TCP 1409 mapping or 17 (UDP) for a UDP mapping. 1411 If this leaf is not instantiated, then the mapping 1412 applies to any protocol."; 1413 } 1415 leaf internal-src-address { 1416 type inet:ip-prefix; 1417 description 1418 "Corresponds to the source IPv4/IPv6 address/prefix 1419 of the packet received on an internal 1420 interface."; 1421 } 1423 container internal-src-port { 1424 description 1425 "Corresponds to the source port of the packet received 1426 on an internal interface. 1428 It is used also to indicate the internal source ICMP 1429 identifier. 1431 As a reminder, all the ICMP Query messages contain 1432 an 'Identifier' field, which is referred to in this 1433 document as the 'ICMP Identifier'."; 1435 uses port-number; 1436 } 1438 leaf external-src-address { 1439 type inet:ip-prefix; 1440 description 1441 "Source IP address/prefix of the packet sent on an 1442 external interface of the NAT."; 1443 } 1445 container external-src-port { 1446 description 1447 "Source port of the packet sent on an external 1448 interface of the NAT. 1450 It is used also to indicate the external source ICMP 1451 identifier."; 1453 uses port-number; 1454 } 1456 leaf internal-dst-address { 1457 type inet:ip-prefix; 1458 description 1459 "Corresponds to the destination IP address/prefix 1460 of the packet received on an internal interface 1461 of the NAT. 
1463 For example, some NAT implementations support 1464 the translation of both source and destination 1465 addresses and ports, sometimes referred to 1466 as 'Twice NAT'."; 1467 } 1469 container internal-dst-port { 1470 description 1471 "Corresponds to the destination port of the 1472 IP packet received on the internal interface. 1474 It is used also to include the internal 1475 destination ICMP identifier."; 1477 uses port-number; 1478 } 1480 leaf external-dst-address { 1481 type inet:ip-prefix; 1482 description 1483 "Corresponds to the destination IP address/prefix 1484 of the packet sent on an external interface 1485 of the NAT."; 1486 } 1488 container external-dst-port { 1489 description 1490 "Corresponds to the destination port number of 1491 the packet sent on the external interface 1492 of the NAT. 1494 It is used also to include the external 1495 destination ICMP identifier."; 1497 uses port-number; 1498 } 1499 leaf lifetime { 1500 type uint32; 1501 units "seconds"; 1502 description 1503 "When specified, it is used to track the connection that is 1504 fully-formed (e.g., once the three-way handshake 1505 TCP is completed) or the duration for maintaining 1506 an explicit mapping alive. The mapping entry will be 1507 removed by the NAT instance once this lifetime is expired. 1509 When reported in a get operation, the lifetime indicates 1510 the remaining validity lifetime. 1512 Static mappings may not be associated with a 1513 lifetime. If no lifetime is associated with a 1514 static mapping, an explicit action is required to 1515 remove that mapping."; 1516 } 1517 } 1519 /* 1520 * NAT Module 1521 */ 1523 container nat { 1524 description 1525 "NAT module"; 1527 container instances { 1528 description 1529 "NAT instances"; 1531 list instance { 1532 key "id"; 1534 description 1535 "A NAT instance. This identifier can be automatically assigned 1536 or explicitly configured."; 1538 leaf id { 1539 type uint32; 1540 must ". 
>= 1"; 1541 description 1542 "NAT instance identifier. 1544 The identifier must be greater than zero."; 1545 reference 1546 "RFC 7659: Definitions of Managed Objects for Network 1547 Address Translators (NATs)"; 1548 } 1550 leaf name { 1551 type string; 1552 description 1553 "A name associated with the NAT instance."; 1554 reference 1555 "RFC 7659: Definitions of Managed Objects for Network 1556 Address Translators (NATs)"; 1557 } 1559 leaf enable { 1560 type boolean; 1561 description 1562 "Status of the NAT instance."; 1563 } 1565 container capabilities { 1566 config false; 1568 description 1569 "NAT capabilities"; 1571 leaf-list nat-flavor { 1572 type identityref { 1573 base nat-type; 1574 } 1575 description 1576 "Supported translation type(s)."; 1577 } 1579 leaf-list per-interface-binding { 1580 type enumeration { 1581 enum "unsupported" { 1582 description 1583 "No capability to associate a NAT binding with 1584 an extra identifier."; 1585 } 1587 enum "layer-2" { 1588 description 1589 "The NAT instance is able to associate a mapping with 1590 a layer-2 identifier."; 1591 } 1593 enum "dslite" { 1594 description 1595 "The NAT instance is able to associate a mapping with 1596 an IPv6 address (a.k.a., DS-Lite)."; 1597 } 1598 } 1599 description 1600 "Indicates the capability of a NAT to associate a particular 1601 NAT session not only with the five tuples used for the 1602 transport connection on both sides of the NAT but also with 1603 the internal interface on which the user device is 1604 connected to the NAT."; 1605 reference 1606 "Section 4 of RFC 6619"; 1607 } 1609 list transport-protocols { 1610 key protocol-id; 1612 description 1613 "List of supported protocols."; 1615 leaf protocol-id { 1616 type uint8; 1617 mandatory true; 1618 description 1619 "Upper-layer protocol associated with this mapping. 
1621 Values are taken from the IANA protocol registry: 1622 https://www.iana.org/assignments/protocol-numbers/ 1623 protocol-numbers.xhtml 1625 For example, this field contains 6 (TCP) for a TCP 1626 mapping or 17 (UDP) for a UDP mapping."; 1627 } 1629 leaf protocol-name { 1630 type string; 1631 description 1632 "The name of the Upper-layer protocol associated 1633 with this mapping. 1635 Values are taken from the IANA protocol registry: 1636 https://www.iana.org/assignments/protocol-numbers/ 1637 protocol-numbers.xhtml 1639 For example, TCP, UDP, DCCP, and SCTP."; 1640 } 1641 } 1642 leaf restricted-port-support { 1643 type boolean; 1644 description 1645 "Indicates source port NAT restriction support."; 1646 reference 1647 "RFC 7596: Lightweight 4over6: An Extension to 1648 the Dual-Stack Lite Architecture."; 1649 } 1651 leaf static-mapping-support { 1652 type boolean; 1653 description 1654 "Indicates whether static mappings are supported."; 1655 } 1657 leaf port-randomization-support { 1658 type boolean; 1659 description 1660 "Indicates whether port randomization is supported."; 1661 reference 1662 "Section 4.2.1 of RFC 4787."; 1663 } 1665 leaf port-range-allocation-support { 1666 type boolean; 1667 description 1668 "Indicates whether port range allocation is supported."; 1669 reference 1670 "Section 1.1 of RFC 7753."; 1671 } 1673 leaf port-preservation-suport { 1674 type boolean; 1675 description 1676 "Indicates whether port preservation is supported."; 1677 reference 1678 "Section 4.2.1 of RFC 4787."; 1679 } 1681 leaf port-parity-preservation-support { 1682 type boolean; 1683 description 1684 "Indicates whether port parity preservation is 1685 supported."; 1686 reference 1687 "Section 8 of RFC 7857."; 1688 } 1689 leaf address-roundrobin-support { 1690 type boolean; 1691 description 1692 "Indicates whether address allocation round robin is 1693 supported."; 1694 } 1696 leaf paired-address-pooling-support { 1697 type boolean; 1698 description 1699 "Indicates 
                  whether paired-address-pooling is
                  supported.";
               reference
                 "REQ-2 of RFC 4787.";
             }

             leaf endpoint-independent-mapping-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-mapping
                  is supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-and-port-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf endpoint-independent-filtering-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-dependent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-and-port-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-filtering
                  is supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf fragment-behavior {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to translate incoming fragments.
                      All received fragments are dropped.";
                 }

                 enum "in-order" {
                   description
                     "The NAT instance is able to translate fragments only
                      if they are received in order; in particular, the
                      transport header must be in the first fragment.
                      Fragments received out of order are dropped.";
                 }

                 enum "out-of-order" {
                   description
                     "The NAT instance is able to translate a fragment even
                      if it is received out of order.
                  This behavior is recommended.";
                reference
                  "REQ-14 of RFC 4787";
              }
            }
            description
              "The fragment behavior is the NAT instance's capability to
               translate fragments received on the external interface of
               the NAT.";
          }
        }

        leaf type {
          type identityref {
            base nat-type;
          }
          description
            "Specify the translation type. Particularly useful when
             multiple translation flavors are supported.

             If one type is supported by a NAT, this parameter is by
             default set to that type.";
        }

        leaf per-interface-binding {
          type enumeration {
            enum "disabled" {
              description
                "Disable the capability to associate an extra identifier
                 with NAT mappings.";
            }

            enum "layer-2" {
              description
                "The NAT instance is able to associate a mapping with
                 a layer-2 identifier.";
            }

            enum "dslite" {
              description
                "The NAT instance is able to associate a mapping with
                 an IPv6 address (a.k.a., DS-Lite).";
            }
          }
          description
            "A NAT that associates a particular NAT session not only with
             the five tuples used for the transport connection on both
             sides of the NAT but also with the internal interface on
             which the user device is connected to the NAT.

             If supported, this mode of operation should be configurable,
             and it should be disabled by default in general-purpose NAT
             devices.

             If one single per-interface binding behavior is supported by
             a NAT, this parameter is by default set to that behavior.";
          reference
            "Section 4 of RFC 6619";
        }

        list nat-pass-through {
          if-feature "basic-nat44 or napt44 or dst-nat";
          key id;

          description
            "IP prefix NAT pass through.";

          leaf id {
            type uint32;
            description
              "An identifier of the IP prefix pass through.";
          }

          leaf prefix {
            type inet:ip-prefix;
            mandatory true;
            description
              "The IP addresses that match should not be translated.

               It must be possible to administratively turn
               off translation for specific destination addresses
               and/or ports.";
            reference
              "REQ#6 of RFC 6888.";
          }

          leaf port {
            type inet:port-number;
            description
              "It must be possible to administratively turn off
               translation for specific destination addresses
               and/or ports.

               If no prefix is defined, the NAT pass through bound
               to a given port applies for any destination address.";
            reference
              "REQ#6 of RFC 6888.";
          }
        }

        list policy {
          key id;
          description
            "NAT parameters for a given instance.";

          leaf id {
            type uint32;
            description
              "An identifier of the NAT policy. It must be unique
               within the NAT instance.";
          }

          container clat-parameters {
            if-feature clat;
            description
              "CLAT parameters.";

            list clat-ipv6-prefixes {
              key ipv6-prefix;
              description
                "464XLAT double translation treatment is stateless when a
                 dedicated /64 is available for translation on the CLAT.
                 Otherwise, the CLAT will have both stateful and stateless
                 since it requires NAT44 from the LAN to a single IPv4
                 address and then stateless translation to a single
                 IPv6 address.";
              reference
                "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                 Translation";

              leaf ipv6-prefix {
                type inet:ipv6-prefix;
                description
                  "An IPv6 prefix used for CLAT.";
              }
            }

            list ipv4-prefixes {
              key ipv4-prefix;
              description
                "Pool of IPv4 addresses used for CLAT.
                 192.0.0.0/29 is the IPv4 service continuity prefix.";
              reference
                "RFC 7335: IPv4 Service Continuity Prefix";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "464XLAT double translation treatment is
                   stateless when a dedicated /64 is available
                   for translation on the CLAT. Otherwise, the
                   CLAT will have both stateful and stateless
                   since it requires NAT44 from the LAN to
                   a single IPv4 address and then stateless
                   translation to a single IPv6 address.
                   The CLAT performs NAT44 for all IPv4 LAN
                   packets so that all the LAN-originated IPv4
                   packets appear from a single IPv4 address
                   and are then statelessly translated to one
                   interface IPv6 address that is claimed by
                   the CLAT.

                   An IPv4 address from this pool is also
                   provided to an application that makes
                   use of literals.";
                reference
                  "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                   Translation";
              }
            }
          }

          list nptv6-prefixes {
            if-feature nptv6;
            key internal-ipv6-prefix;
            description
              "Provides one or a list of (internal IPv6 prefix,
               external IPv6 prefix) pairs required for NPTv6.

               In its simplest form, NPTv6 interconnects two network
               links, one of which is an 'internal' network link
               attached to a leaf network within a single
               administrative domain and the other of which is an
               'external' network with connectivity to the global
               Internet.";
            reference
              "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";

            leaf internal-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by an internal interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }
            leaf external-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by the external interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }
          }

          list eam {
            if-feature eam;
            key ipv4-prefix;
            description
              "The Explicit Address Mapping Table, a conceptual
               table in which each row represents an EAM.

               Each EAM describes a mapping between IPv4 and IPv6
               prefixes/addresses.";
            reference
              "Section 3.1 of RFC 7757.";

            leaf ipv4-prefix {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "The IPv4 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }

            leaf ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "The IPv6 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }
          }

          list nat64-prefixes {
            if-feature "siit or nat64 or clat";
            key nat64-prefix;
            description
              "Provides one or a list of NAT64 prefixes
               with or without a list of destination IPv4 prefixes.
               It allows mapping IPv4 address ranges to IPv6 prefixes.

               For example:
               192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
               198.51.100.0/24 is mapped to 2001:db8:122::/48.";
            reference
              "Section 5.1 of RFC 7050.";

            leaf nat64-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "A NAT64 prefix. Can be a Network-Specific Prefix (NSP) or
                 the Well-Known Prefix (WKP).

                 Organizations deploying stateless IPv4/IPv6 translation
                 should assign a Network-Specific Prefix to their
                 IPv4/IPv6 translation service.

                 For stateless NAT64, IPv4-translatable IPv6 addresses
                 must use the selected Network-Specific Prefix.

                 Both IPv4-translatable IPv6 addresses and IPv4-converted
                 IPv6 addresses should use the same prefix.";
              reference
                "Sections 3.3 and 3.4 of RFC 6052.";
            }

            list destination-ipv4-prefix {
              key ipv4-prefix;
              description
                "An IPv4 prefix/address.";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 address/prefix.";
              }
            }

            leaf stateless-enable {
              type boolean;
              default false;
              description
                "Enable explicitly stateless NAT64.";
            }
          }

          list external-ip-address-pool {
            if-feature "basic-nat44 or napt44 or nat64";
            key pool-id;

            description
              "Pool of external IP addresses used to service internal
               hosts.

               A pool is a set of IP prefixes.";

            leaf pool-id {
              type uint32;
              must ". >= 1";
              description
                "An identifier that uniquely identifies the address pool
                 within a NAT instance.

                 The identifier must be greater than zero.";
              reference
                "RFC 7659: Definitions of Managed Objects for
                 Network Address Translators (NATs)";
            }

            leaf external-ip-pool {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "An IPv4 prefix used for NAT purposes.";
            }
          }

          container port-set-restrict {
            if-feature "napt44 or nat64";
            description
              "Configures contiguous and non-contiguous port ranges.

               The port set is used to restrict the external source
               port numbers used by the translator.";

            uses port-set;
          }

          leaf dst-nat-enable {
            if-feature "basic-nat44 or napt44";
            type boolean;
            default false;
            description
              "Enable/Disable destination NAT.

               A NAT44 may be configured to enable Destination
               NAT, too.";
          }

          list dst-ip-address-pool {
            if-feature dst-nat;
            key pool-id;
            description
              "Pool of IP addresses used for destination NAT.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf dst-in-ip-pool {
              type inet:ip-prefix;
              description
                "Identifies an internal destination
                 IP prefix/address to be translated.";
            }

            leaf dst-out-ip-pool {
              type inet:ip-prefix;
              mandatory true;
              description
                "IP address/prefix used for destination NAT.";
            }
          }

          list transport-protocols {
            if-feature "napt44 or nat64 or dst-nat";
            key protocol-id;

            description
              "Configure the transport protocols to be handled by
               the translator.

               TCP and UDP are supported by default.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.

                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, this field contains 6 (TCP) for a TCP
                 mapping or 17 (UDP) for a UDP mapping.";
            }

            leaf protocol-name {
              type string;
              description
                "The name of the upper-layer protocol associated
                 with this mapping.

                 Values are taken from the IANA protocol registry:
                 https://www.iana.org/assignments/protocol-numbers/
                 protocol-numbers.xhtml

                 For example, TCP, UDP, DCCP, and SCTP.";
            }
          }

          leaf subscriber-mask-v6 {
            type uint8 {
              range "0 .. 128";
            }

            description
              "The subscriber mask is an integer that indicates
               the length of significant bits to be applied on
               the source IPv6 address (internal side) to
               unambiguously identify a user device (e.g., CPE).

               Subscriber mask is a system-wide configuration
               parameter that is used to enforce generic
               per-subscriber policies (e.g., port-quota).

               The enforcement of these generic policies does not
               require the configuration of every subscriber's
               prefix.

               Example: suppose the 2001:db8:100:100::/56 prefix
               is assigned to a NAT64 serviced CPE. Suppose also
               that 2001:db8:100:100::1 is the IPv6 address used
               by the client that resides in that CPE. When the
               NAT64 receives a packet from this client,
               it applies the subscriber-mask-v6 (e.g., 56) on
               the source IPv6 address to compute the associated
               prefix for this client (2001:db8:100:100::/56).
               Then, the NAT64 enforces policies based on that
               prefix (2001:db8:100:100::/56), not on the exact
               source IPv6 address.";
          }

          list subscriber-match {
            if-feature "basic-nat44 or napt44 or dst-nat";
            key match-id;

            description
              "IP prefix match.
               A subscriber is identified by a subnet.";

            leaf match-id {
              type uint32;
              description
                "An identifier of the subscriber match.";
            }

            leaf subnet {
              type inet:ip-prefix;
              mandatory true;
              description
                "The IP address subnets that match
                 should be translated.
                 E.g., all addresses
                 that belong to the 192.0.2.0/24 prefix must
                 be processed by the NAT.";
            }
          }

          leaf address-allocation-type {
            type enumeration {
              enum "arbitrary" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Arbitrary pooling behavior means that the NAT
                   instance may create the new port mapping using any
                   address in the pool that has a free port for the
                   protocol concerned.";
              }

              enum "roundrobin" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Round robin allocation.";
              }

              enum "paired" {
                if-feature "napt44 or nat64";
                description
                  "Paired address pooling informs the NAT
                   that all the flows from an internal IP
                   address must be assigned the same external
                   address. This is the recommended behavior for
                   NAPT/NAT64.";
                reference
                  "RFC 4787: Network Address Translation (NAT)
                   Behavioral Requirements for Unicast UDP";
              }
            }
            description
              "Specifies how external IP addresses are allocated.";
          }

          leaf port-allocation-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "random" {
                description
                  "Port randomization is enabled. A NAT port allocation
                   scheme should make it hard for attackers to guess
                   port numbers.";
                reference
                  "REQ-15 of RFC 6888";
              }

              enum "port-preservation" {
                description
                  "Indicates whether the NAT should preserve the internal
                   port number.";
              }

              enum "port-parity-preservation" {
                description
                  "Indicates whether the NAT should preserve the port
                   parity of the internal port number.";
              }

              enum "port-range-allocation" {
                description
                  "Indicates whether the NAT assigns a range of ports
                   to an internal host. This scheme makes it possible
                   to minimize log volume.";
                reference
                  "REQ-14 of RFC 6888";
              }
            }
            description
              "Indicates the type of port allocation.";
          }

          leaf mapping-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eim" {
                description
                  "endpoint-independent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "adm" {
                description
                  "address-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "edm" {
                description
                  "address-and-port-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT mapping.";
          }

          leaf filtering-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eif" {
                description
                  "endpoint-independent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "adf" {
                description
                  "address-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
              enum "edf" {
                description
                  "address-and-port-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT filtering.";
          }

          leaf fragment-behavior {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "drop-all" {
                description
                  "All received fragments are dropped.";
              }

              enum "in-order" {
                description
                  "Translate fragments only if they are received
                   in order.";
              }

              enum "out-of-order" {
                description
                  "Translate a fragment even if it is received out
                   of order.

                   This behavior is recommended.";
                reference
                  "REQ-14 of RFC 4787";
              }
            }
            description
              "The fragment behavior instructs the NAT about the
               behavior to follow to translate fragments received
               on the external interface of the NAT.";
          }

          list port-quota {
            if-feature "napt44 or nat64";
            key quota-type;
            description
              "Configures a port quota to be assigned per subscriber.
               It corresponds to the maximum number of ports to be
               used by a subscriber.";

            leaf port-limit {
              type uint16;
              description
                "Configures a port quota to be assigned per subscriber.
                 It corresponds to the maximum number of ports to be
                 used by a subscriber.";
              reference
                "REQ-4 of RFC 6888.";
            }

            leaf quota-type {
              type uint8;
              description
                "Indicates whether the port quota applies to
                 all protocols (0) or to a specific protocol.";
            }
          }

          container port-set {
            when "../port-allocation-type = 'port-range-allocation'";

            if-feature "napt44 or nat64";
            description
              "Manages port-set assignments.";

            leaf port-set-size {
              type uint16;
              mandatory true;
              description
                "Indicates the size of assigned port sets.";
            }

            leaf port-set-timeout {
              type uint32;
              units "seconds";
              description
                "Inactivity timeout for port sets.";
            }
          }

          container timers {
            if-feature "napt44 or nat64";
            description
              "Configure values of various timeouts.";

            leaf udp-timeout {
              type uint32;
              units "seconds";
              default 300;
              description
                "UDP inactivity timeout. That is the time a mapping
                 will stay active without packets traversing the NAT.";
              reference
                "RFC 4787: Network Address Translation (NAT)
                 Behavioral Requirements for Unicast UDP";
            }

            leaf tcp-idle-timeout {
              type uint32;
              units "seconds";
              default 7440;
              description
                "TCP idle timeout should be 2 hours and 4 minutes.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf tcp-trans-open-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory open connection
                 idle-timeout.

                 A NAT should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.

                 To accommodate deployments that consider
                 a partially open timeout of 4 minutes as being
                 excessive from a security standpoint, a NAT may
                 allow the configured timeout to be less than
                 4 minutes.

                 However, a minimum default transitory connection
                 idle-timeout of 4 minutes is recommended.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-trans-close-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory close connection
                 idle-timeout.

                 A NAT should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-in-syn-timeout {
              type uint32;
              units "seconds";
              default 6;
              description
                "A NAT must not respond to an unsolicited
                 inbound SYN packet for at least 6 seconds
                 after the packet is received.
                 If during
                 this interval the NAT receives and translates
                 an outbound SYN for the connection, the NAT
                 must silently drop the original unsolicited
                 inbound SYN packet.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf fragment-min-timeout {
              when "../../fragment-behavior='out-of-order'";
              type uint32;
              units "seconds";
              default 2;
              description
                "As long as the NAT has available resources,
                 the NAT allows the fragments to arrive
                 over the fragment-min-timeout interval.
                 The default value is inspired by RFC 6146.";
            }

            leaf icmp-timeout {
              type uint32;
              units "seconds";
              default 60;
              description
                "An ICMP Query session timer must not expire
                 in less than 60 seconds. It is recommended
                 that the ICMP Query session timer be made
                 configurable.";
              reference
                "RFC 5508: NAT Behavioral Requirements for ICMP";
            }

            list per-port-timeout {
              key port-number;
              description
                "Some NATs are configurable with short timeouts
                 for some ports, e.g., 10 seconds on
                 ports 53 (DNS) and 123 (NTP), and longer timeouts
                 on other ports.";

              leaf port-number {
                type inet:port-number;
                description
                  "A port number.";
              }

              leaf timeout {
                type uint32;
                units "seconds";
                mandatory true;
                description
                  "Timeout for this port number.";
              }
            }

            leaf hold-down-timeout {
              type uint32;
              units "seconds";
              default 120;
              description
                "Hold down timer.

                 Ports in the hold down pool are not reassigned until
                 hold-down-timeout expires.

                 The length of time and the maximum number of ports in
                 this state must be configurable by the administrator.

                 This is necessary in order to prevent collisions
                 between old and new mappings and sessions. It ensures
                 that all established sessions are broken instead of
                 redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }
            leaf hold-down-max {
              type uint32;
              description
                "Maximum ports in the hold down timer pool.

                 Ports in the hold down pool are not reassigned
                 until hold-down-timeout expires.

                 The length of time and the maximum
                 number of ports in this state must be
                 configurable by the administrator.
                 This is necessary in order
                 to prevent collisions between old
                 and new mappings and sessions. It ensures
                 that all established sessions are broken
                 instead of redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }
          }

          leaf fragments-limit {
            when "../fragment-behavior='out-of-order'";
            type uint32;
            description
              "Limits the number of out-of-order fragments that can
               be handled.";
            reference
              "Section 11 of RFC 4787.";
          }

          list algs {
            key name;
            description
              "ALG-related features.";

            leaf name {
              type string;
              description
                "The name of the ALG.";
            }

            leaf transport-protocol {
              type uint32;
              description
                "The transport protocol used by the ALG
                 (e.g., TCP, UDP).";
            }
            container dst-transport-port {
              uses port-number;
              description
                "The destination port number(s) used by the ALG.
                 For example,
                 - 21 for the FTP ALG
                 - 53 for the DNS ALG.";
            }

            container src-transport-port {
              uses port-number;
              description
                "The source port number(s) used by the ALG.";
            }

            leaf status {
              type boolean;
              description
                "Enable/disable the ALG.";
            }
          }

          leaf all-algs-enable {
            type boolean;
            description
              "Enable/disable all ALGs.

               When specified, this parameter overrides the one
               that may be indicated, eventually, by the 'status'
               of an individual ALG.";
          }

          container notify-pool-usage {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Notification of pool usage when certain criteria
               are met.";

            leaf pool-id {
              type uint32;
              description
                "Pool-ID for which the notification criteria
                 are defined.";
            }

            leaf high-threshold {
              type percent;
              description
                "Notification must be generated when the defined high
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization reaches 90%, this configuration
                 parameter must be set to 90.

                 0% indicates that no high threshold is enabled.";
            }

            leaf low-threshold {
              type percent;
              must ". <= ../high-threshold" {
                error-message
                  "The low threshold must be lower than or equal to
                   the high threshold.";
              }
              description
                "Notification must be generated when the defined low
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization reaches below 10%, this
                 configuration parameter must be set to 10.";
            }

            leaf notify-interval {
              type uint32 {
                range "1 ..
3600"; 2729 } 2730 units "seconds"; 2731 default '20'; 2732 description 2733 "Minimum number of seconds between successive 2734 notifications for this pool."; 2736 reference 2737 "RFC 7659: Definitions of Managed Objects for 2738 Network Address Translators (NATs)"; 2739 } 2740 } 2742 container external-realm { 2743 description 2744 "Identifies the external realm of the NAT instance."; 2746 choice realm-type { 2747 description 2748 "Can be an interface, VRF instance, etc."; 2750 case interface { 2751 description 2752 "External interface."; 2754 leaf external-interface { 2755 type if:interface-ref; 2756 description 2757 "Name of the external interface."; 2758 } 2759 } 2760 } 2761 } 2762 } 2764 container mapping-limits { 2765 if-feature "napt44 or nat64"; 2766 description 2767 "Information about the configuration parameters that 2768 limits the mappings based upon various criteria."; 2770 leaf limit-subscribers { 2771 type uint32; 2772 description 2773 "Maximum number of subscribers that can be serviced 2774 by a NAT instance. 2776 A subscriber is identified by a given prefix."; 2777 reference 2778 "RFC 7659: Definitions of Managed Objects for 2779 Network Address Translators (NATs)"; 2780 } 2782 leaf limit-address-mappings { 2783 type uint32; 2784 description 2785 "Maximum number of address mappings that can be 2786 handled by a NAT instance. 2788 When this limit is reached, packets that would 2789 normally trigger translation, will be dropped."; 2790 reference 2791 "RFC 7659: Definitions of Managed Objects 2792 for Network Address Translators 2793 (NATs)"; 2794 } 2795 leaf limit-port-mappings { 2796 type uint32; 2797 description 2798 "Maximum number of port mappings that can be handled 2799 by a NAT instance. 
2801 When this limit is reached, packets that would 2802 normally trigger translation, will be dropped."; 2803 reference 2804 "RFC 7659: Definitions of Managed Objects for 2805 Network Address Translators (NATs)"; 2806 } 2808 list limit-per-protocol { 2809 if-feature "napt44 or nat64 or dst-nat"; 2810 key protocol-id; 2812 description 2813 "Configure limits per transport protocol"; 2815 leaf protocol-id { 2816 type uint8; 2817 mandatory true; 2818 description 2819 "Upper-layer protocol associated with this mapping. 2821 Values are taken from the IANA protocol registry: 2822 https://www.iana.org/assignments/protocol-numbers/ 2823 protocol-numbers.xhtml 2825 For example, this field contains 6 (TCP) for a TCP 2826 mapping or 17 (UDP) for a UDP mapping."; 2827 } 2829 leaf limit { 2830 type uint32; 2831 description 2832 "Maximum number of protocol-specific NAT mappings 2833 per instance."; 2834 } 2835 } 2836 } 2838 container connection-limits { 2839 if-feature "basic-nat44 or napt44 or nat64"; 2840 description 2841 "Information about the configuration parameters that 2842 rate limit the translation based upon various criteria."; 2844 leaf limit-per-subscriber { 2845 type uint32; 2846 units "bits/second"; 2847 description 2848 "Rate-limit the number of new mappings and sessions 2849 per subscriber."; 2850 } 2852 leaf limit-per-instance { 2853 type uint32; 2854 units "bits/second"; 2855 description 2856 "Rate-limit the number of new mappings and sessions 2857 per instance."; 2858 } 2860 list limit-per-protocol { 2861 if-feature "napt44 or nat64"; 2862 key protocol-id; 2863 description 2864 "Configure limits per transport protocol"; 2866 leaf protocol-id { 2867 type uint8; 2868 mandatory true; 2869 description 2870 "Upper-layer protocol associated with this mapping. 
2872 Values are taken from the IANA protocol registry: 2873 https://www.iana.org/assignments/protocol-numbers/ 2874 protocol-numbers.xhtml 2876 For example, this field contains 6 (TCP) for a TCP 2877 mapping or 17 (UDP) for a UDP mapping."; 2878 } 2880 leaf limit { 2881 type uint32; 2882 description 2883 "Rate-limit the number of protocol-specific mappings 2884 and sessions per instance."; 2885 } 2886 } 2887 } 2889 container notification-limits { 2890 description "Sets notification limits."; 2892 leaf notify-interval { 2893 if-feature "basic-nat44 or napt44 or nat64"; 2894 type uint32 { 2895 range "1 .. 3600"; 2896 } 2897 units "seconds"; 2898 default '10'; 2899 description 2900 "Minimum number of seconds between successive 2901 notifications for this NAT instance."; 2902 reference 2903 "RFC 7659: Definitions of Managed Objects 2904 for Network Address Translators (NATs)"; 2905 } 2907 leaf notify-addresses-usage { 2908 if-feature "basic-nat44 or napt44 or nat64"; 2909 type percent; 2910 description 2911 "Notification of address mappings usage over 2912 the whole NAT instance. 2914 Notification must be generated when the defined 2915 threshold is reached. 2917 For example, if a notification is required when 2918 the address mappings utilization reaches 90%, 2919 this configuration parameter must be set 2920 to 90."; 2921 } 2923 leaf notify-ports-usage { 2924 if-feature "napt44 or nat64"; 2925 type percent; 2926 description 2927 "Notification of port mappings usage over the 2928 whole NAT instance. 2930 Notification must be generated when the defined 2931 threshold is reached. 2933 For example, if a notification is required when 2934 the port mappings utilization reaches 90%, this 2935 configuration parameter must be set to 90."; 2936 } 2938 leaf notify-subscribers-limit { 2939 if-feature "basic-nat44 or napt44 or nat64"; 2940 type uint32; 2941 description 2942 "Notification of active subscribers per NAT 2943 instance. 
2945 Notification must be generated when the defined 2946 threshold is reached."; 2947 } 2948 } 2950 container mapping-table { 2951 if-feature "basic-nat44 or napt44 " + 2952 "or nat64 or clat or dst-nat"; 2953 description 2954 "NAT mapping table. Applicable for functions which maintain 2955 static and/or dynamic mappings, such as NAT44, Destination 2956 NAT, NAT64, or CLAT."; 2958 list mapping-entry { 2959 key "index"; 2960 description "NAT mapping entry."; 2961 uses mapping-entry; 2962 } 2963 } 2965 container statistics { 2966 config false; 2968 description 2969 "Statistics related to the NAT instance."; 2971 leaf discontinuity-time { 2972 type yang:date-and-time; 2973 mandatory true; 2974 description 2975 "The time on the most recent occasion at which the NAT 2976 instance suffered a discontinuity. This must be 2977 initialized when the NAT instance is configured 2978 or rebooted."; 2979 } 2981 container traffic-statistics { 2982 description 2983 "Generic traffic statistics."; 2985 leaf sent-packets { 2986 type yang:zero-based-counter64; 2987 description 2988 "Number of packets sent."; 2989 } 2991 leaf sent-bytes { 2992 type yang:zero-based-counter64; 2993 units 'bytes'; 2994 description 2995 "Counter for sent traffic in bytes."; 2996 } 2998 leaf rcvd-packets { 2999 type yang:zero-based-counter64; 3000 description 3001 "Number of received packets."; 3002 } 3004 leaf rcvd-bytes { 3005 type yang:zero-based-counter64; 3006 units 'bytes'; 3007 description 3008 "Counter for received traffic in bytes."; 3009 } 3011 leaf dropped-packets { 3012 type yang:zero-based-counter64; 3013 description 3014 "Number of dropped packets."; 3015 } 3017 leaf dropped-bytes { 3018 type yang:zero-based-counter64; 3019 units 'bytes'; 3020 description 3021 "Counter for dropped traffic in bytes."; 3022 } 3024 leaf dropped-fragments { 3025 if-feature "napt44 or nat64"; 3026 type yang:zero-based-counter64; 3027 description 3028 "Number of dropped fragments on the external realm."; 3029 } 3031 
            leaf dropped-address-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because an address limit
                 is reached.";
            }

            leaf dropped-address-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because an address limit
                 is reached, in bytes.";
            }

            leaf dropped-address-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no address is
                 available for allocation.";
            }

            leaf dropped-address-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no address is
                 available for allocation, in bytes.";
            }

            leaf dropped-port-limit-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because a port limit
                 is reached.";
            }

            leaf dropped-port-limit-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because a port limit
                 is reached, in bytes.";
            }

            leaf dropped-port-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no port is
                 available for allocation.";
            }

            leaf dropped-port-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no port is
                 available for allocation, in bytes.";
            }

            leaf dropped-subscriber-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because the subscriber
                 limit per instance is reached.";
            }

            leaf dropped-subscriber-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because the subscriber
                 limit per instance is reached, in bytes.";
            }
          }

          container mappings-statistics {
            description
              "Mappings statistics.";

            leaf total-active-subscribers {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of active subscribers (that is,
                 subscribers for which the NAT maintains active
                 mappings).

                 A subscriber is identified by a subnet,
                 subscriber-mask, etc.";
            }
            leaf total-address-mappings {
              if-feature "basic-nat44 or napt44 " +
                         "or nat64 or clat or dst-nat";
              type yang:gauge32;
              description
                "Total number of address mappings present at a given
                 time. It includes both static and dynamic mappings.";
              reference
                "Section 3.3.8 of RFC 7659";
            }

            leaf total-port-mappings {
              if-feature "napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of NAT port mappings present at
                 a given time. It includes both static and dynamic
                 mappings.";
              reference
                "Section 3.3.9 of RFC 7659";
            }

            list total-per-protocol {
              if-feature "napt44 or nat64";
              key protocol-id;
              description
                "Total mappings for each enabled/supported protocol.";

              leaf protocol-id {
                type uint8;
                mandatory true;
                description
                  "Upper-layer protocol associated with this mapping.
                   For example, this field contains 6 (TCP) for a TCP
                   mapping or 17 (UDP) for a UDP mapping.";
              }

              leaf total {
                type yang:gauge32;
                description
                  "Total number of protocol-specific mappings present
                   at a given time. The protocol is identified by
                   protocol-id.";
              }
            }
          }

          container pools-stats {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Statistics related to address/prefix pools
               usage.";

            leaf addresses-allocated {
              type yang:gauge32;
              description
                "Number of all allocated addresses.";
            }

            leaf addresses-free {
              type yang:gauge32;
              description
                "Number of unallocated addresses of all pools at
                 a given time. The sum of unallocated and allocated
                 addresses is the total number of addresses of
                 the pools.";
            }

            container ports-stats {
              if-feature "napt44 or nat64";

              description
                "Statistics related to port numbers usage.";

              leaf ports-allocated {
                type yang:gauge32;
                description
                  "Number of allocated ports from all pools.";
              }

              leaf ports-free {
                type yang:gauge32;
                description
                  "Number of unallocated ports from all pools.";
              }
            }

            list per-pool-stats {
              if-feature "basic-nat44 or napt44 or nat64";
              key "pool-id";
              description
                "Statistics related to address/prefix pool usage.";

              leaf pool-id {
                type uint32;
                description
                  "Unique identifier that represents a pool of
                   addresses/prefixes.";
              }

              leaf discontinuity-time {
                type yang:date-and-time;
                mandatory true;
                description
                  "The time on the most recent occasion at which this
                   pool's counters suffered a discontinuity. This must
                   be initialized when the address pool is
                   configured.";
              }

              container pool-stats {
                description
                  "Statistics related to address/prefix pool usage.";

                leaf addresses-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated addresses from this pool.";
                }

                leaf addresses-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated addresses in this pool.";
                }
              }

              container port-stats {
                if-feature "napt44 or nat64";
                description
                  "Statistics related to port numbers usage.";

                leaf ports-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated ports from this pool.";
                }

                leaf ports-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated ports from this pool.";
                }
              }

            }
          }
        }
      }
    }
  }

  /*
   * Notifications
   */

  notification nat-pool-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when the defined high/low
       threshold is reached.
Related configuration parameters 3293 must be provided to trigger the notifications."; 3295 leaf id { 3296 type leafref { 3297 path "/nat/instances/instance/id"; 3298 } 3299 mandatory true; 3300 description 3301 "NAT instance Identifier."; 3302 } 3304 leaf policy-id { 3305 type leafref { 3306 path "/nat/instances/instance/policy/id"; 3307 } 3309 description 3310 "Policy Identifier."; 3311 } 3313 leaf pool-id { 3314 type leafref { 3315 path "/nat/instances/instance/policy/" + 3316 "external-ip-address-pool/pool-id"; 3317 } 3318 mandatory true; 3319 description 3320 "Pool Identifier."; 3321 } 3323 leaf notify-pool-threshold { 3324 type percent; 3325 mandatory true; 3326 description 3327 "A threshold (high-threshold or low-threshold) has 3328 been fired."; 3329 } 3330 } 3332 notification nat-instance-event { 3333 if-feature "basic-nat44 or napt44 or nat64"; 3334 description 3335 "Notifications must be generated when notify-addresses-usage 3336 and/or notify-ports-usage threshold are reached."; 3338 leaf id { 3339 type leafref { 3340 path "/nat/instances/instance/id"; 3341 } 3342 mandatory true; 3343 description 3344 "NAT instance Identifier."; 3345 } 3347 leaf notify-subscribers-threshold { 3348 type uint32; 3349 description 3350 "The notify-subscribers-limit threshold has been fired."; 3351 } 3353 leaf notify-addresses-threshold { 3354 type percent; 3355 description 3356 "The notify-addresses-usage threshold has been fired."; 3357 } 3359 leaf notify-ports-threshold { 3360 type percent; 3361 description 3362 "The notify-ports-usage threshold has been fired."; 3363 } 3364 } 3365 } 3366 3368 4. Security Considerations 3370 Security considerations related to address and prefix translation are 3371 discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and 3372 [RFC7757]. 3374 The YANG module defined in this document is designed to be accessed 3375 via network management protocols such as NETCONF [RFC6241] or 3376 RESTCONF [RFC8040]. 
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  The NAT YANG module provides a method to set
   parameters to prevent a user from aggressively using NAT resources
   (port-quota), to rate-limit connections as a guard against
   Denial-of-Service, or to enable notifications so that appropriate
   measures are enforced to anticipate traffic drops.
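
   The attack list that follows names the data nodes an attacker with
   write access would tune.  The following added example (not part of
   the draft) audits one NAT instance configuration for exactly those
   value extremes; it models the configuration as nested dicts keyed by
   the draft's data-node names, and the numeric bounds as well as the
   leaf names under mapping-limits and connection-limits are
   assumptions.

```python
"""Audit one NAT instance configuration for the value extremes the draft's
Security Considerations list: resource limits at either end, notification
thresholds that either flood the collector or never fire, and short
notification intervals paired with low thresholds.

Added example, not code from the draft.  The configuration is a nested
dict keyed by the draft's data-node names; the numeric bounds below and the
leaf names under mapping-limits / connection-limits are assumptions.
"""

# Assumed sanity bounds (illustrative; the draft does not specify them).
PORT_QUOTA_MIN, PORT_QUOTA_MAX = 64, 16384   # ports per subscriber
PERCENT_LOW, PERCENT_HIGH = 10, 95           # usage thresholds, percent
INTERVAL_MIN = 60                            # notify-interval, assumed seconds

BASE = "/nat/instances/instance"

# Percent thresholds named in the draft, grouped under the container that
# also carries the notify-interval governing them.
PERCENT_THRESHOLDS = {
    ("policy", "notify-pool-usage"): ("high-threshold",),
    ("notification-limits",): ("notify-addresses-usage", "notify-ports-usage"),
}
# Resource limits the draft lists as DoS levers (a leaf or a container of leaves).
LIMIT_NODES = ("policy/fragments-limit", "mapping-limits", "connection-limits")


def _get(node, *keys):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_instance(instance: dict) -> list[tuple[str, str]]:
    """Return (data-node path, finding) pairs; an empty list means clean."""
    findings: list[tuple[str, str]] = []

    def add(path: str, msg: str) -> None:
        findings.append((f"{BASE}/{path}", msg))

    # 1. Resource limits: both a tiny and a huge port-quota are abusable.
    quota = _get(instance, "policy", "port-quota")
    if isinstance(quota, int):
        if quota < PORT_QUOTA_MIN:
            add("policy/port-quota", f"{quota} starves each subscriber of ports")
        elif quota > PORT_QUOTA_MAX:
            add("policy/port-quota", f"{quota} lets one subscriber drain a pool")
    for path in LIMIT_NODES:
        node = _get(instance, *path.split("/"))
        leaves = node.items() if isinstance(node, dict) else [("", node)]
        for leaf, value in leaves:
            if isinstance(value, int) and value == 0:
                add(f"{path}/{leaf}".rstrip("/"), "a limit of 0 denies all it governs")

    # 2. Percent thresholds: too low fires on normal load, too high never fires.
    for container, leaves in PERCENT_THRESHOLDS.items():
        low = []
        for leaf in leaves:
            value = _get(instance, *container, leaf)
            if not isinstance(value, int):
                continue
            path = "/".join(container + (leaf,))
            if value > PERCENT_HIGH:
                add(path, f"{value}% effectively deactivates the notification")
            elif value < PERCENT_LOW:
                add(path, f"{value}% fires on normal load")
                low.append(leaf)
        # 3. A short interval only matters together with a low threshold.
        interval = _get(instance, *container, "notify-interval")
        if isinstance(interval, int) and interval < INTERVAL_MIN and low:
            add("/".join(container + ("notify-interval",)),
                f"{interval}s with low threshold(s) {low} floods the collector")

    # notify-subscribers-limit is an absolute count, not a percentage.
    subs = _get(instance, "notification-limits", "notify-subscribers-limit")
    if isinstance(subs, int) and subs == 0:
        add("notification-limits/notify-subscribers-limit", "0 fires on the first subscriber")
    return findings


# Constructed sample, loosely modelled on the draft's CGN example; the leaf
# names under mapping-limits and connection-limits are placeholders.
SAMPLE_INSTANCE = {
    "id": 1,
    "name": "myCGN",
    "policy": {
        "id": 1,
        "port-quota": 1024,
        "fragments-limit": 0,
        "notify-pool-usage": {"high-threshold": 100, "notify-interval": 1},
    },
    "mapping-limits": {"limit-subscribers": 0},
    "connection-limits": {"limit-per-instance": 100000},
    "notification-limits": {
        "notify-addresses-usage": 90,
        "notify-ports-usage": 2,
        "notify-interval": 5,
    },
}

if __name__ == "__main__":
    for path, msg in audit_instance(SAMPLE_INSTANCE):
        print(f"{path}: {msg}")
```

   Run against the sample, the audit flags the zero limits, the 100%
   pool threshold (never fires) and the 5-second interval paired with
   the 2% port threshold, while the 1-second interval on its own passes
   because no low pool threshold accompanies it.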
   Nevertheless, an attacker who is able to access the NAT can undertake
   various attacks, such as:

   o  Set a high or low resource limit to cause a DoS attack:

      *  /nat/instances/instance/policy/port-quota

      *  /nat/instances/instance/policy/fragments-limit

      *  /nat/instances/instance/mapping-limits

      *  /nat/instances/instance/connection-limits

   o  Set a low notification threshold to cause useless notifications to
      be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-limit

   o  Set an arbitrarily high threshold, which may lead to the
      deactivation of notifications:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-limit

   o  Set a low notification interval and a low notification threshold
      to induce useless notifications to be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/notify-interval

      *  /nat/instances/instance/notification-limits/notify-interval

   o  Access privacy data maintained in the mapping table.  Such data
      can be misused to track the activity of a host:

      *  /nat/instances/instance/mapping-table

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].
      name:         ietf-nat
      namespace:    urn:ietf:params:xml:ns:yang:ietf-nat
      prefix:       nat
      reference:    RFC XXXX

6.  Acknowledgements

   Many thanks to Dan Wing, Tianran Zhou, Tom Petch, and Warren Kumari
   for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.  Mahesh Jethanandani
   provided useful comments.

   Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
   Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review,
   and Kristian Poscic for the CGN review.

   Special thanks to Maros Marsalek and Marek Gradzki for sharing their
   comments based on the FD.io implementation of this module
   (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).

   Rajiv Asati suggested clarifying how the module applies to both
   stateless and stateful NAT64.

   Juergen Schoenwaelder provided an early YANG Doctors review.  Many
   thanks to him.

   Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrell for
   the directorate reviews.  Igor Ryzhov identified a nit in one
   example.

7.  References

7.1.  Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.

   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

7.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
              Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf-
              softwire-dslite-yang-17 (work in progress), May 2018.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
              July 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A.  Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such a case together with a mapping entry is depicted below:

      1
      NAT_Subscriber_A
      ....
      1
      198.51.100.1/32
      ....
      ....
      198.51.100.1/32
      ....

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.
   In reference to this example, the UDP packet received with a source
   IPv4 address (192.0.2.1) and source port number (1568) is translated
   into a UDP packet having a source IPv4 address (198.51.100.1) and
   source port (15000).  The remaining lifetime of this mapping is 300
   seconds.

      15
      dynamic-explicit
      17
      192.0.2.1/32
      1568
      198.51.100.1/32
      15000
      300

A.2.  Carrier Grade NAT (CGN)

   The following XML snippet shows an example of the capabilities
   supported by a CGN as retrieved using NETCONF.

      napt44
      1
      6
      17
      false
      true
      true
      true
      true
      false
      true
      true
      true
      true
      true
      true
      true
      true

   The following XML snippet shows an example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (198.51.100.0/24).  Further, the CGN is instructed to limit the
   number of allocated ports per subscriber to 1024.  Ports can be
   allocated by the CGN by assigning ranges of 256 ports (that is, a
   subscriber can be allocated up to four port ranges of 256 ports
   each).

      1
      myCGN
      ....
      1
      198.51.100.0/24
      1024
      all
      port-range-allocation
      256
      ....

   An administrator may decide to allocate one single port range per
   subscriber (e.g., a port range of 1024 ports) as shown below:

      1
      myCGN
      ....
      1
      198.51.100.0/24
      1024
      all
      port-range-allocation
      1024
      ....

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

          X1:x1           X1':x1'             X2:x2
         +---+from X1:x1  +---+from X1:x1    +---+
         | C | to X2:x2   |   | to X2:x2     | S |
         | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
         | i |            | G |              | r |
         | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
         | n |from X2:x2  |   |from X2:x2    | e |
         | t | to X1:x1   |   | to X1:x1     | r |
         +---+            +---+              +---+

                       Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.1), the following configuration parameter must be
   set:

      ...
      192.0.2.1/32
      ...

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such a case is
   depicted below:

      2001:db8:122:300::/56

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such a case is shown below:

      2001:db8:122::/48
      198.51.100.0/24

A.5.  Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].  Similar to the NAT64 case, the XML snippet to configure
   the NAT64 prefix in such a case is depicted below:

      2001:db8:100::/40

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts the embedded IPv4 addresses
   following the RFC 6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.

   Also, a NAT64 can be instructed to behave in the stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

      2001:db8:122:300::/56
      true

A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
      SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Table 8.
              +----------------+----------------------+
              | IPv4 Prefix    | IPv6 Prefix          |
              +----------------+----------------------+
              | 192.0.2.1      | 2001:db8:aaaa::      |
              | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
              | 192.0.2.16/28  | 2001:db8:cccc::/124  |
              | 192.0.2.128/26 | 2001:db8:dddd::/64   |
              | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
              | 192.0.2.224/31 | 64:ff9b::/127        |
              +----------------+----------------------+

                    Table 8: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

      192.0.2.1/32
      2001:db8:aaaa::/128

      192.0.2.2/32
      2001:db8:bbbb::b/128

      192.0.2.16/28
      2001:db8:cccc::/124

      192.0.2.128/26
      2001:db8:dddd::/64

      192.0.2.192/29
      2001:db8:eeee:8::/62

      192.0.2.224/31
      64:ff9b::/127

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

      nat64
      true
      true
      true
      true
      true
      true
      true
      true

A.7.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

      1
      static
      6
      192.0.2.1/32
      100
      500
      198.51.100.1/32
      1100
      1500
      ...

A.8.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.

      1
      static
      6
      192.0.2.0/24
      198.51.100.0/24
      ...

A.9.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

      1
      192.0.2.1/32
      198.51.100.1/32

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping configured on the NAT:

      1568
      static
      6
      192.0.2.1/32
      80
      198.51.100.1/32
      8080

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (HTTP traffic) to 198.51.100.1 and '192.0.2.1:22' (SSH
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings configured on the NAT:

      123
      static
      6
      192.0.2.1/32
      80
      198.51.100.1/32
      ...

      1236
      static
      6
      192.0.2.1/32
      22
      198.51.100.2/32
      ...

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

      1
      198.51.100.0/24

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10.  Customer-side Translator (CLAT)

   The following XML snippet shows an example of a CLAT that is
   configured with 2001:db8:1234::/96 as the PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as the CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

      2001:db8:aaaa::/96
      192.0.0.1/32
      2001:db8:1234::/96

A.11.  IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of an NPTv6 translator that should rewrite
   packets with the source prefix (fd03:c03a:ecab::/48) with the
   external prefix (2001:db8:1::/48).  The internal interface is "eth0"
   while the external interface is "eth1" (Figure 2).

           External Network:  Prefix = 2001:db8:1::/48
          --------------------------------------
                            |
                            |eth1
                      +-------------+
                 eth4 |    NPTv6    | eth2
            ...-------|             |-------...
                      +-------------+
                            |eth0
                            |
          --------------------------------------
           Internal Network:  Prefix = fd03:c03a:ecab::/48

                        Figure 2: Example of NPTv6

   The XML snippet to configure NPTv6 prefixes in such a case is
   depicted below:

      fd03:c03a:ecab::/48
      2001:db8:1::/48
      ...
      eth1

   Figure 3 shows an example of an NPTv6 translator that interconnects
   two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48);
   each is translated using a dedicated prefix (2001:db8:1::/48 and
   2001:db8:6666::/48, respectively).

               Internal Prefix = fda8:d5cb:14f3::/48
            --------------------------------------
            V                |        External Prefix
            V                |eth1    2001:db8:1::/48
            V           +---------+          ^
            V           |  NPTv6  |          ^
            V           |         |          ^
            V           +---------+          ^
     External Prefix         |eth0           ^
     2001:db8:6666::/48      |               ^
            --------------------------------------
               Internal Prefix = fd03:c03a:ecab::/48

                  Figure 3: Connecting two Peer Networks

   To that aim, the following configuration is provided to the NPTv6
   translator:

      1
      fd03:c03a:ecab::/48
      2001:db8:1::/48
      eth1

      2
      fda8:d5cb:14f3::/48
      2001:db8:6666::/48
      eth0

Authors' Addresses

   Mohamed Boucadair (editor)
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com


   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com


   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Email: sureshk@juniper.net


   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com