idnits 2.17.1 draft-ietf-opsawg-nat-yang-16.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
== There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses
   in the document.  If these are example addresses, they should be changed.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
   match the current year
== Line 758 has weird spacing: '... prefix ine...'
== Line 764 has weird spacing: '...-prefix ine...'
== Line 766 has weird spacing: '...-prefix ine...'
== Line 768 has weird spacing: '...-prefix ine...'
== Line 769 has weird spacing: '...-prefix ine...'
== (14 more instances...)
-- The document date (September 24, 2018) is 2034 days in the past.  Is this
   intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to
lower-maturity documents in RFCs)
** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)
** Downref: Normative reference to an Experimental RFC: RFC 6296
** Downref: Normative reference to an Informational RFC: RFC 6877
== Outdated reference: A later version (-23) exists of
   draft-ietf-tsvwg-natsupp-12
-- Obsolete informational reference (is this intentional?): RFC 6087
   (Obsoleted by RFC 8407)

Summary: 3 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--).

Run idnits with the --verbose option for more detailed information about the
items above.
--------------------------------------------------------------------------------

Network Working Group                                  M. Boucadair, Ed.
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: March 28, 2019                                    Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                      September 24, 2018

  A YANG Module for Network Address Translation (NAT) and Network Prefix
                            Translation (NPT)
                     draft-ietf-opsawg-nat-yang-16

Abstract

   This document defines a YANG module for the Network Address
   Translation (NAT) function.

   Network Address Translation from IPv4 to IPv4 (NAT44), Network
   Address and Protocol Translation from IPv6 Clients to IPv4 Servers
   (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
   Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
   Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and
   Destination NAT are covered in this document.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC
   number to be assigned to this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
   Network Prefix Translation (NPT)"

   "reference: RFC XXXX"

   Please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 28, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various Translation Flavors
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface
     2.11. Relationship to NATV2-MIB
     2.12. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  Carrier Grade NAT (CGN)
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Stateless IP/ICMP Translation (SIIT)
     A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation
           (EAM SIIT)
     A.7.  Static Mappings with Port Ranges
     A.8.  Static Mappings with IP Prefixes
     A.9.  Destination NAT
     A.10. Customer-side Translator (CLAT)
     A.11. IPv6 Network Prefix Translation (NPTv6)
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].
   Unlike traditional NAT, the CGN is used to optimize the usage of
   global IP address space at the scale of a domain: a CGN is not
   managed by end users, but by service providers instead.  This
   document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], IPv6 Network Prefix Translation (NPTv6) [RFC6296], and
   Destination NAT.  The full set of translation schemes that are in
   scope is listed in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic Network Address Translation from IPv4 to IPv4 (NAT44):
      translation is limited to IP addresses alone (Section 2.1 of
      [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to
      the transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: an IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: a non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal host: a host that may need to use a translation
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal address/prefix: the IP address/prefix of an internal
      host.

   o  External address: the IP address/prefix assigned by a translator
      to an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the translator that is necessary for
      network address and/or port translation.

   o  Dynamic implicit mapping: created implicitly as a side effect of
      processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The term NAT in this document refers to any translation flavor
   (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to
   instruct dynamic explicit mappings is defined in separate documents
   such as [I-D.boucadair-pcp-yang].  Considerations about instructing
   explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are
   out of scope.
   As a reminder, REQ-9 of [RFC6888] requires that a CGN must implement
   a protocol giving subscribers explicit control over NAT mappings;
   that protocol should be the Port Control Protocol [RFC6887].

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be
   responsible for serving a group of hosts).  This document does not
   make any assumption about how internal hosts or flows are associated
   with a given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The
   document does not make any assumption about how flows are associated
   with a given NAT policy of a given NAT instance.  Classification
   filters are out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and
   deployment-specific.

   This YANG module does not provide any method to instruct a NAT
   function to enable the logging feature or to specify the information
   to be logged for administrative or regulatory reasons (Section 2.3 of
   [RFC6908] and REQ-12 of [RFC6888]).  Those considerations are out of
   the scope of this document.

2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44
   o  NAPT
   o  Destination NAT
   o  Port-restricted NAT
   o  Stateful NAT64 (including with destination-based Pref64::/n
      [RFC7050])
   o  SIIT
   o  CLAT
   o  EAM
   o  NPTv6
   o  Combination of Basic NAT/NAPT and Destination NAT
   o  Combination of port-restricted and Destination NAT
   o  Combination of NAT64 and EAM
   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists the defined features:

          +---------------------------------+--------------+
          | Translation Mode                | YANG Feature |
          +---------------------------------+--------------+
          | Basic NAT44                     | basic-nat44  |
          | NAPT                            | napt44       |
          | Destination NAT                 | dst-nat      |
          | Stateful NAT64                  | nat64        |
          | Stateless IPv4/IPv6 translation | siit         |
          | CLAT                            | clat         |
          | EAM                             | eam          |
          | NPTv6                           | nptv6        |
          +---------------------------------+--------------+

                     Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).

   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.

   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).

   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.
   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes
      if, in addition to appropriately setting the parameter
      (nat64-prefixes/stateless-enable), an external IPv4 address pool
      is configured.

   The NAT YANG module provides a method to retrieve the capabilities
   of a NAT instance, including the list of supported translation
   modes, the list of supported protocols, port restriction support
   status, supported NAT mapping types, supported NAT filtering types,
   port range allocation support status, port parity preservation
   support status, port preservation support status, and the behavior
   for handling fragments (all, out-of-order, in-order).

2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes that the NAT behavioral recommendations for
   UDP [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by
   default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  Concretely, the module allows the operator to enable
   translation for other transport protocols when required
   (/nat/instances/instance/policy/transport-protocols).  Moreover, the
   mapping table is designed so that it can indicate any transport
   protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions may be needed to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

   This document only specifies transport-protocol-specific timers for
   UDP, TCP, and ICMP.  While some timers could potentially be
   generalized for other connection-oriented protocols, this document
   does not follow such an approach because there is no standard
   document specifying such generic behavior.  Future documents may be
   edited to clarify how to reuse TCP-specific timers when needed.

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for
   external-ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a
   single port is assigned on a per-session basis), but this port
   allocation scheme may not be optimal for logging purposes
   (Section 12 of [RFC6269]).  A NAT function should be able to assign
   port sets (e.g., [RFC7753]) to optimize the volume of the logging
   data (REQ-14 of [RFC6888]).  Both allocation schemes are supported
   in the NAT YANG module.
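   As an added example (not code from the draft or from the ietf-nat
   module), the Python below computes the port set a subscriber may use
   under the two port-set-restrict choices described in Section 2.7,
   the simple port-range and the RFC 7597 algorithm, and applies the rule
   that a translated packet's source port must belong to the assigned
   set.  Function parameters mirror the module's leaf names; the
   subscriber values (psid-offset 6, psid-len 8, PSID 0x34) are
   constructed to match the worked example of RFC 7597.

```python
"""Port-restricted NAT: the external source ports a subscriber may use.

The ietf-nat module offers two port-set-restrict choices:
  port-range     -> start-port-number / end-port-number  (RFC 8045 style)
  port-set-algo  -> psid-offset / psid-len / psid         (RFC 7597 Appendix B)
Parameter names below mirror those YANG leaves.
"""
from typing import List, Tuple


def port_range_set(start_port_number: int, end_port_number: int) -> List[int]:
    """port-type = port-range: one contiguous range, both ends inclusive."""
    if not 0 <= start_port_number <= end_port_number <= 65535:
        raise ValueError("invalid port range")
    return list(range(start_port_number, end_port_number + 1))


def port_set_algo(psid_offset: int, psid_len: int, psid: int) -> List[int]:
    """port-type = port-set-algo: the RFC 7597 generalized port set.

    A 16-bit port is laid out as  A | PSID | M :
      A    - psid_offset bits; A = 0 is skipped whenever an offset is used,
             so the system ports (0-1023 for offset 6) are never assigned
      PSID - psid_len bits, the subscriber's Port Set Identifier
      M    - the remaining bits: contiguous ports inside each block
    With psid-offset 6 and psid-len 8 each subscriber gets 63 blocks of
    4 ports spread over the whole 1024-65535 range.
    """
    if psid_offset < 0 or psid_len < 0 or psid_offset + psid_len > 16:
        raise ValueError("psid-offset + psid-len must not exceed 16")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid-len bits")
    m_bits = 16 - psid_offset - psid_len
    a_values = range(1, 1 << psid_offset) if psid_offset > 0 else [0]
    ports: List[int] = []
    for a in a_values:
        block_start = (a << (16 - psid_offset)) | (psid << m_bits)
        ports.extend(block_start + m for m in range(1 << m_bits))
    return ports


def contiguous_ranges(ports: List[int]) -> List[Tuple[int, int]]:
    """Collapse a port set into (first, last) blocks, e.g. for a log or ACL."""
    ranges: List[Tuple[int, int]] = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def source_port_allowed(port: int, assigned_set: List[int]) -> bool:
    """The check a port-restricted NAT applies before translating a packet:
    the external source port it picks must belong to the assigned set."""
    return port in set(assigned_set)


if __name__ == "__main__":
    # Constructed subscriber using the RFC 7597 example parameters.
    subscriber_ports = port_set_algo(psid_offset=6, psid_len=8, psid=0x34)
    blocks = contiguous_ranges(subscriber_ports)
    print(len(subscriber_ports), "ports in", len(blocks), "blocks")  # 252 ports in 63 blocks
    print("first block:", blocks[0])                                  # (1232, 1235)
    print("port 1233 allowed:", source_port_allowed(1233, subscriber_ports))
    print("port 1236 allowed:", source_port_allowed(1236, subscriber_ports))
```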
   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs restrict the source port numbers (e.g., Lightweight 4over6
   [RFC7596], MAP-E [RFC7597]).  Two schemes of port set assignment
   (port-set-restrict) are supported in this document:

   o  Simple port range: defined by two port values, the start and the
      end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

      (internal-src-address, internal-src-port)
      (internal-dst-address, internal-dst-port)
        <=>
      (external-src-address, external-src-port)
      (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

      (internal-src-address, internal-dst-address,
       internal ICMP/ICMPv6 identifier)
        <=>
      (external-src-address, external-dst-address,
       external ICMP/ICMPv6 identifier)

   As a reminder, all ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as
      used by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix
      as used by an internal host when sending a packet to a remote
      host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors, the NAT mapping
   structure allows for the inclusion of an IPv4 or an IPv6 address as
   an internal IP address.  The remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon
   receipt of a TCP SYN from source address 2001:db8:aaaa::1 and source
   port number 25636 to destination IP address
   2001:db8:1234::198.51.100.1 and destination port number 8080 is
   shown in Table 2.  This example assumes EDM (Endpoint-Dependent
   Mapping).
   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                  Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1)
   to destination IP address 198.51.100.11 is depicted in Table 3.
   This example assumes EIM (Endpoint-Independent Mapping).

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

               Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

               Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping
   and per subscriber (mapping-limits and connection-limits).
   According to [RFC6888], the module is designed to allow for the
   following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per
      transport protocol.
   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings or be translated because they match existing
   mappings are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mappings and limit-   |
   |                   | port-mappings).  Limits specific to           |
   |                   | protocols (e.g., TCP, UDP, ICMP) can also be  |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure         |
   |                   | fairness of usage among subscribers, various  |
   |                   | rate-limits can be specified.  Rate-limiting  |
   |                   | can be enforced per subscriber (limit-        |
   |                   | subscriber), per NAT instance (limit-per-     |
   |                   | instance), and/or be specified for each       |
   |                   | supported protocol (limit-per-protocol).      |
   +-------------------+-----------------------------------------------+

                           Table 5: NAT Limits

   Table 6 describes limits that, once exceeded, trigger notifications
   to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a nat- |
   |                          | instance-event will be generated.      |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a nat-       |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                    Table 6: Notification Thresholds

   In order to prevent a NAT implementation from generating frequent
   notifications, the NAT YANG module supports the following limits
   (Table 7) used to control how frequently notifications can be
   generated.  That is, notifications are subject to the rate-limiting
   imposed by these intervals.

   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   +-------------------------------------+-----------------------------+
   | notify-pool-usage/notify-interval   | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a given address pool.   |
   +-------------------------------------+-----------------------------+
   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                    Table 7: Notification Intervals

2.10.  Binding the NAT Function to an External Interface

   The module is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm [RFC8343], but the
   module is extensible so that other choices can be indicated in the
   future (e.g., a Virtual Routing and Forwarding (VRF) instance).
   Distinct external realms can be provided as a function of the NAT
   policy (see, for example, Section 4 of [RFC7289]).

   If no external realm is provided, this assumes that the system is
   able to determine the external interface (VRF instance, etc.) on
   which the NAT will be applied. Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE.

2.11.  Relationship to NATV2-MIB

   Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that
   the following information is configured on the NAT by some means not
   specified in [RFC7659]:

   o  The set of address realms to which the device connects.

   o  For the CGN case, per-subscriber information including subscriber
      index, address realm, assigned prefix or address, and (possibly)
      policies regarding address pool selection in the various possible
      address realms to which the subscriber may connect.

   o  The set of NAT instances running on the device, identified by NAT
      instance index and name.

   o  The port mapping, filtering, pooling, and fragment behaviors for
      each NAT instance.

   o  The set of protocols supported by each NAT instance.

   o  Address pools for each NAT instance, including for each pool the
      pool index, address realm, and minimum and maximum port number.

   o  Static address and port mapping entries.

   All the above parameters can be configured by means of the NAT YANG
   module.

   Unlike the NATV2-MIB, the NAT YANG module allows multiple policies to
   be configured per NAT instance.

2.12.  Tree Structure

   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id                       uint32
              +--rw name?                    string
              +--rw enable?                  boolean
              +--ro capabilities
              |  +--ro nat-flavor*                                  identityref
              |  +--ro per-interface-binding*                       enumeration
              |  +--ro transport-protocols* [protocol-id]
              |  |  +--ro protocol-id      uint8
              |  |  +--ro protocol-name?   string
              |  +--ro restricted-port-support?                     boolean
              |  +--ro static-mapping-support?                      boolean
              |  +--ro port-randomization-support?                  boolean
              |  +--ro port-range-allocation-support?               boolean
              |  +--ro port-preservation-suport?                    boolean
              |  +--ro port-parity-preservation-support?            boolean
              |  +--ro address-roundrobin-support?                  boolean
              |  +--ro paired-address-pooling-support?              boolean
              |  +--ro endpoint-independent-mapping-support?        boolean
              |  +--ro address-dependent-mapping-support?           boolean
              |  +--ro address-and-port-dependent-mapping-support?  boolean
              |  +--ro endpoint-independent-filtering-support?      boolean
              |  +--ro address-dependent-filtering?                 boolean
              |  +--ro address-and-port-dependent-filtering?        boolean
              |  +--ro fragment-behavior?                           enumeration
              +--rw type?                    identityref
              +--rw per-interface-binding?   enumeration
              +--rw nat-pass-through* [id]
              |        {basic-nat44 or napt44 or dst-nat}?
              |  +--rw id        uint32
              |  +--rw prefix    inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                           uint32
              |  +--rw clat-parameters {clat}?
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
              |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix] {eam}?
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |        {siit or nat64 or clat}?
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?          boolean
              |  +--rw external-ip-address-pool* [pool-id]
              |  |        {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool    inet:ipv4-prefix
              |  +--rw port-set-restrict {napt44 or nat64}?
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?         uint8
              |  |        +--rw psid-len             uint8
              |  |        +--rw psid                 uint16
              |  +--rw dst-nat-enable?              boolean
              |  |        {basic-nat44 or napt44}?
              |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool    inet:ip-prefix
              |  +--rw transport-protocols* [protocol-id]
              |  |        {napt44 or nat64 or dst-nat}?
              |  |  +--rw protocol-id      uint8
              |  |  +--rw protocol-name?   string
              |  +--rw subscriber-mask-v6?          uint8
              |  +--rw subscriber-match* [match-id]
              |  |        {basic-nat44 or napt44 or dst-nat}?
              |  |  +--rw match-id    uint32
              |  |  +--rw subnet      inet:ip-prefix
              |  +--rw address-allocation-type?     enumeration
              |  +--rw port-allocation-type?        enumeration
              |  |        {napt44 or nat64}?
              |  +--rw mapping-type?                enumeration
              |  |        {napt44 or nat64}?
              |  +--rw filtering-type?              enumeration
              |  |        {napt44 or nat64}?
              |  +--rw fragment-behavior?           enumeration
              |  |        {napt44 or nat64}?
              |  +--rw port-quota* [quota-type] {napt44 or nat64}?
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-set {napt44 or nat64}?
              |  |  +--rw port-set-size       uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers {napt44 or nat64}?
              |  |  +--rw udp-timeout?                uint32
              |  |  +--rw tcp-idle-timeout?           uint32
              |  |  +--rw tcp-trans-open-timeout?     uint32
              |  |  +--rw tcp-trans-close-timeout?    uint32
              |  |  +--rw tcp-in-syn-timeout?         uint32
              |  |  +--rw fragment-min-timeout?       uint32
              |  |  +--rw icmp-timeout?               uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw protocol?      uint32
              |  |  |  +--rw timeout        uint32
              |  |  +--rw hold-down-timeout?          uint32
              |  |  +--rw hold-down-max?              uint32
              |  +--rw fragments-limit?             uint32
              |  +--rw algs* [name]
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw dst-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw src-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?             boolean
              |  +--rw notify-pool-usage
              |  |        {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id?            uint32
              |  |  +--rw high-threshold?     percent
              |  |  +--rw low-threshold?      percent
              |  |  +--rw notify-interval?    uint32
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |           +--rw external-interface?   if:interface-ref
              +--rw mapping-limits {napt44 or nat64}?
              |  +--rw limit-subscribers?         uint32
              |  +--rw limit-address-mappings?    uint32
              |  +--rw limit-port-mappings?       uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |           {napt44 or nat64 or dst-nat}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw connection-limits
              |        {basic-nat44 or napt44 or nat64}?
              |  +--rw limit-per-subscriber?    uint32
              |  +--rw limit-per-instance?      uint32
              |  +--rw limit-per-protocol* [protocol-id]
              |           {napt44 or nat64}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw notification-limits
              |  +--rw notify-interval?            uint32
              |  |        {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-addresses-usage?     percent
              |  |        {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-ports-usage?         percent
              |  |        {napt44 or nat64}?
              |  +--rw notify-subscribers-limit?   uint32
              |           {basic-nat44 or napt44 or nat64}?
              +--rw mapping-table
              |        {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro discontinuity-time    yang:date-and-time
                 +--ro traffic-statistics
                 |  +--ro sent-packets?
                 |  |        yang:zero-based-counter64
                 |  +--ro sent-bytes?
                 |  |        yang:zero-based-counter64
                 |  +--ro rcvd-packets?
                 |  |        yang:zero-based-counter64
                 |  +--ro rcvd-bytes?
                 |  |        yang:zero-based-counter64
                 |  +--ro dropped-packets?
                 |  |        yang:zero-based-counter64
                 |  +--ro dropped-bytes?
                 |  |        yang:zero-based-counter64
                 |  +--ro dropped-fragments?
                 |  |        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-address-limit-packets?
                 |  |        yang:zero-based-counter64
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-limit-bytes?
                 |  |        yang:zero-based-counter64
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-packets?
                 |  |        yang:zero-based-counter64
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-bytes?
                 |  |        yang:zero-based-counter64
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-port-limit-packets?
                 |  |        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-limit-bytes?
                 |  |        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-packets?
                 |  |        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-bytes?
                 |  |        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-packets?
                 |  |        yang:zero-based-counter64
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-bytes?
                 |           yang:zero-based-counter64
                 |           {basic-nat44 or napt44 or nat64}?
                 +--ro mappings-statistics
                 |  +--ro total-active-subscribers?   yang:gauge32
                 |  |        {basic-nat44 or napt44 or nat64}?
                 |  +--ro total-address-mappings?     yang:gauge32
                 |  |        {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                 |  +--ro total-port-mappings?        yang:gauge32
                 |  |        {napt44 or nat64}?
                 |  +--ro total-per-protocol* [protocol-id]
                 |           {napt44 or nat64}?
                 |     +--ro protocol-id    uint8
                 |     +--ro total?         yang:gauge32
                 +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro ports-stats {napt44 or nat64}?
                    |  +--ro ports-allocated?   yang:gauge32
                    |  +--ro ports-free?        yang:gauge32
                    +--ro per-pool-stats* [pool-id]
                             {basic-nat44 or napt44 or nat64}?
                       +--ro pool-id               uint32
                       +--ro discontinuity-time    yang:date-and-time
                       +--ro pool-stats
                       |  +--ro addresses-allocated?   yang:gauge32
                       |  +--ro addresses-free?        yang:gauge32
                       +--ro port-stats {napt44 or nat64}?
                          +--ro ports-allocated?   yang:gauge32
                          +--ro ports-free?        yang:gauge32

     notifications:
       +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
       |  +--ro id                       -> /nat/instances/instance/id
       |  +--ro policy-id?
       |  |        -> /nat/instances/instance/policy/id
       |  +--ro pool-id                  leafref
       |  +--ro notify-pool-threshold    percent
       +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
          +--ro id                              -> /nat/instances/instance/id
          +--ro notify-subscribers-threshold?   uint32
          +--ro notify-addresses-threshold?     percent
          +--ro notify-ports-threshold?         percent

3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2018-06-28.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     prefix "nat";

     import ietf-inet-types {
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }

     organization
       "IETF OPSAWG (Operations and Management Area Working Group)";

     contact
       "WG Web:
        WG List:

        Editor:  Mohamed Boucadair

        Author:  Senthil Sivakumar

        Author:  Christian Jacquenet

        Author:  Suresh Vinapamula

        Author:  Qin Wu
       ";

     description
       "This module is a YANG module for NAT implementations.

        NAT44, Network Address and Protocol Translation from IPv6
        Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
        Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
        for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network
        Prefix Translation (NPTv6), and Destination NAT are covered.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code. All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2018-06-28 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Module for Network Address Translation
          (NAT) and Network Prefix Translation (NPT)";
     }

     /*
      * Definitions
      */

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Features
      */

     feature basic-nat44 {
       description
         "Basic NAT44 translation is limited to IP addresses alone.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     feature napt44 {
       description
         "Network Address/Port Translator (NAPT): translation is
          extended to include IP addresses and transport identifiers
          (such as a TCP/UDP port or ICMP query ID).

          If the internal IP address is not sufficient to uniquely
          disambiguate NAPT44 mappings, an additional attribute is
          required. For example, that additional attribute may
          be an IPv6 address (a.k.a., DS-Lite) or
          a Layer 2 identifier (a.k.a., Per-Interface NAT)";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     feature dst-nat {
       description
         "Destination NAT is a translation that acts on the destination
          IP address and/or destination port number.
          This flavor is usually deployed in load balancers or at
          devices in front of public servers.";
     }

     feature nat64 {
       description
         "NAT64 translation allows IPv6-only clients to contact IPv4
          servers using, e.g., UDP, TCP, or ICMP. One or more
          public IPv4 addresses assigned to a NAT64 translator are
          shared among several IPv6-only clients.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
          Translation from IPv6 Clients to IPv4 Servers";
     }

     feature siit {
       description
         "The Stateless IP/ICMP Translation Algorithm (SIIT), which
          translates between IPv4 and IPv6 packet headers (including
          ICMP headers).

          In the stateless mode, an IP/ICMP translator converts IPv4
          addresses to IPv6 and vice versa solely based on the
          configuration of the stateless IP/ICMP translator and
          information contained within the packet being translated.

          The translator must support the stateless address mapping
          algorithm defined in RFC 6052, which is the default behavior.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     feature clat {
       description
         "CLAT is a customer-side translator that algorithmically
          translates 1:1 private IPv4 addresses to global IPv6 addresses,
          and vice versa.
          When a dedicated /64 prefix is not available for translation
          from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
          packets so that all the LAN-originated IPv4 packets appear
          from a single IPv4 address and are then statelessly translated
          to one interface IPv6 address that is claimed by the CLAT via
          the Neighbor Discovery Protocol (NDP) and defended with
          Duplicate Address Detection.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
          Translation";
     }

     feature eam {
       description
         "Explicit Address Mapping (EAM) is a bidirectional coupling
          between an IPv4 Prefix and an IPv6 Prefix.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
          Translation";
     }

     feature nptv6 {
       description
         "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
          prefix translation.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Identities
      */

     identity nat-type {
       description
         "Base identity for nat type.";
     }

     identity basic-nat44 {
       base nat:nat-type;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     identity napt44 {
       base nat:nat-type;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022: Traditional IP Network Address Translator
          (Traditional NAT)";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146: Stateful NAT64: Network Address and Protocol
          Translation from IPv6 Clients to IPv4 Servers";
     }

     identity siit {
       base nat:nat-type;
       description
         "Identity for SIIT support.";
       reference
         "RFC 7915: IP/ICMP Translation Algorithm";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877: 464XLAT: Combination of Stateful and Stateless
          Translation";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
          Translation";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
     }

     /*
      * Grouping
      */

     grouping port-number {
       description
         "Individual port or a range of ports.
          When only start-port-number is present,
          it represents a single port number.";

       leaf start-port-number {
         type inet:port-number;
         description
           "Beginning of the port range.";
         reference
           "Section 3.2.9 of RFC 8045.";
       }

       leaf end-port-number {
         type inet:port-number;
         must ". >= ../start-port-number" {
           error-message
             "The end-port-number must be greater than or
              equal to start-port-number.";
         }
         description
           "End of the port range.";
         reference
           "Section 3.2.10 of RFC 8045.";
       }
     }

     grouping port-set {
       description
         "Indicates a set of ports.

          It may be a simple port range, or use the Port Set ID (PSID)
          algorithm to represent a range of transport layer
          ports which will be used by a NAPT.";

       choice port-type {
         default port-range;
         description
           "Port type: port-range or port-set-algo.";
         case port-range {
           uses port-number;
         }

         case port-set-algo {
           leaf psid-offset {
             type uint8 {
               range 0..15;
             }
             description
               "The number of offset bits (a.k.a., 'a' bits).

                Specifies the numeric value for the excluded port
                range/offset bits.
                Allowed values are between 0 and 15.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;
             description
               "The length of PSID, representing the sharing
                ratio for an IPv4 address (also known as 'k').

                The address-sharing ratio would be 2^k.";
             reference
               "Section 5.1 of RFC 7597";
           }

           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
             reference
               "Section 5.1 of RFC 7597";
           }
         }
         reference
           "RFC 7597: Mapping of Address and Port with
            Encapsulation (MAP-E)";
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.

          If an attribute is not stored in the mapping/session table,
          this means the corresponding fields of a packet that
          matches this entry are not rewritten by the NAT or this
          information is not required for NAT filtering purposes.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry. This identifier can be
            automatically assigned by the NAT instance or be explicitly
            configured.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is explicitly configured
                (e.g., via command-line interface).";
           }

           enum "dynamic-implicit" {
             description
               "This mapping is created implicitly as a side effect
                of processing a packet that requires a new mapping.";
           }

           enum "dynamic-explicit" {
             description
               "This mapping is created as a result of an explicit
                request, e.g., a PCP message.";
           }
         }
         description
           "Indicates the type of a mapping entry.
            E.g., a mapping can be: static, implicit dynamic
            or explicit dynamic.";
       }

       leaf transport-protocol {
         type uint8;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.

            For example, this field contains 6 for TCP,
            17 for UDP, 33 for DCCP, or 132 for SCTP.

            If this leaf is not instantiated, then the mapping
            applies to any protocol.";
       }

       leaf internal-src-address {
         type inet:ip-prefix;
         description
           "Corresponds to the source IPv4/IPv6 address/prefix
            of the packet received on an internal
            interface.";
       }

       container internal-src-port {
         description
           "Corresponds to the source port of the packet received
            on an internal interface.

            It is used also to indicate the internal source ICMP
            identifier.

            As a reminder, all the ICMP Query messages contain
            an 'Identifier' field, which is referred to in this
            document as the 'ICMP Identifier'.";
         uses port-number;
       }

       leaf external-src-address {
         type inet:ip-prefix;
         description
           "Source IP address/prefix of the packet sent on an
            external interface of the NAT.";
       }

       container external-src-port {
         description
           "Source port of the packet sent on an external
            interface of the NAT.

            It is used also to indicate the external source ICMP
            identifier.";
         uses port-number;
       }

       leaf internal-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet received on an internal interface
            of the NAT.
            For example, some NAT implementations support
            the translation of both source and destination
            addresses and ports, sometimes referred to
            as 'Twice NAT'.";
       }

       container internal-dst-port {
         description
           "Corresponds to the destination port of the
            IP packet received on the internal interface.

            It is used also to include the internal
            destination ICMP identifier.";
         uses port-number;
       }

       leaf external-dst-address {
         type inet:ip-prefix;
         description
           "Corresponds to the destination IP address/prefix
            of the packet sent on an external interface
            of the NAT.";
       }

       container external-dst-port {
         description
           "Corresponds to the destination port number of
            the packet sent on the external interface
            of the NAT.

            It is used also to include the external
            destination ICMP identifier.";
         uses port-number;
       }

       leaf lifetime {
         type uint32;
         units "seconds";
         description
           "When specified, it is used to track the connection that is
            fully-formed (e.g., once the TCP three-way handshake
            is completed) or the duration for maintaining
            an explicit mapping alive. The mapping entry will be
            removed by the NAT instance once this lifetime has expired.

            When reported in a get operation, the lifetime indicates
            the remaining validity lifetime.

            Static mappings may not be associated with a
            lifetime. If no lifetime is associated with a
            static mapping, an explicit action is required to
            remove that mapping.";
       }
     }

     /*
      * NAT Module
      */

     container nat {
       description
         "NAT module";

       container instances {
         description
           "NAT instances";

         list instance {
           key "id";
           description
             "A NAT instance. This identifier can be automatically assigned
              or explicitly configured.";

           leaf id {
             type uint32;
             must ". >= 1";
             description
               "NAT instance identifier.

                The identifier must be greater than zero.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                Address Translators (NATs)";
           }

           leaf name {
             type string;
             description
               "A name associated with the NAT instance.";
             reference
               "RFC 7659: Definitions of Managed Objects for Network
                Address Translators (NATs)";
           }

           leaf enable {
             type boolean;
             description
               "Status of the NAT instance.";
           }

           container capabilities {
             config false;
             description
               "NAT capabilities";

             leaf-list nat-flavor {
               type identityref {
                 base nat-type;
               }
               description
                 "Supported translation type(s).";
             }

             leaf-list per-interface-binding {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to associate a NAT binding with
                      an extra identifier.";
                 }

                 enum "layer-2" {
                   description
                     "The NAT instance is able to associate a mapping with
                      a layer-2 identifier.";
                 }

                 enum "dslite" {
                   description
                     "The NAT instance is able to associate a mapping with
                      an IPv6 address (a.k.a., DS-Lite).";
                 }
               }
               description
                 "Indicates the capability of a NAT to associate a particular
                  NAT session not only with the five tuples used for the
                  transport connection on both sides of the NAT but also with
                  the internal interface on which the user device is
                  connected to the NAT.";
               reference
                 "Section 4 of RFC 6619";
             }

             list transport-protocols {
               key protocol-id;
               description
                 "List of supported protocols.";

               leaf protocol-id {
                 type uint8;
                 mandatory true;
                 description
                   "Upper-layer protocol associated with a mapping.
                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, this field contains 6 for TCP,
                    17 for UDP, 33 for DCCP, or 132 for SCTP.";
               }

               leaf protocol-name {
                 type string;
                 description
                   "The name of the Upper-layer protocol associated
                    with this mapping.

                    Values are taken from the IANA protocol registry:
                    https://www.iana.org/assignments/protocol-numbers/
                    protocol-numbers.xhtml

                    For example, TCP, UDP, DCCP, and SCTP.";
               }
             }

             leaf restricted-port-support {
               type boolean;
               description
                 "Indicates source port NAT restriction support.";
               reference
                 "RFC 7596: Lightweight 4over6: An Extension to
                  the Dual-Stack Lite Architecture.";
             }

             leaf static-mapping-support {
               type boolean;
               description
                 "Indicates whether static mappings are supported.";
             }

             leaf port-randomization-support {
               type boolean;
               description
                 "Indicates whether port randomization is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-range-allocation-support {
               type boolean;
               description
                 "Indicates whether port range allocation is supported.";
               reference
                 "Section 1.1 of RFC 7753.";
             }

             leaf port-preservation-suport {
               type boolean;
               description
                 "Indicates whether port preservation is supported.";
               reference
                 "Section 4.2.1 of RFC 4787.";
             }

             leaf port-parity-preservation-support {
               type boolean;
               description
                 "Indicates whether port parity preservation is
                  supported.";
               reference
                 "Section 8 of RFC 7857.";
             }

             leaf address-roundrobin-support {
               type boolean;
               description
                 "Indicates whether address allocation round robin is
                  supported.";
             }

             leaf paired-address-pooling-support {
               type boolean;
               description
                 "Indicates whether
                  paired-address-pooling is
                  supported";
               reference
                 "REQ-2 of RFC 4787.";
             }

             leaf endpoint-independent-mapping-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-
                  mapping is supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf address-and-port-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-mapping is
                  supported.";
               reference
                 "Section 4 of RFC 4787.";
             }

             leaf endpoint-independent-filtering-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-dependent-filtering is
                  supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf address-and-port-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-filtering
                  is supported.";
               reference
                 "Section 5 of RFC 4787.";
             }

             leaf fragment-behavior {
               type enumeration {
                 enum "unsupported" {
                   description
                     "No capability to translate incoming fragments.
                      All received fragments are dropped.";
                 }

                 enum "in-order" {
                   description
                     "The NAT instance is able to translate fragments only if
                      they are received in order. That is, in particular the
                      header is in the first packet. Fragments received
                      out of order are dropped.";
                 }

                 enum "out-of-order" {
                   description
                     "The NAT instance is able to translate a fragment even
                      if it is received out of order.
                      This behavior is recommended.";
                   reference
                     "REQ-14 of RFC 4787";
                 }
               }
               description
                 "The fragment behavior is the NAT instance's capability to
                  translate fragments received on the external interface of
                  the NAT.";
             }
           }

           leaf type {
             type identityref {
               base nat-type;
             }
             description
               "Specifies the translation type. Particularly useful when
                multiple translation flavors are supported.

                If one type is supported by a NAT, this parameter is by
                default set to that type.";
           }

           leaf per-interface-binding {
             type enumeration {
               enum "disabled" {
                 description
                   "Disable the capability to associate an extra identifier
                    with NAT mappings.";
               }

               enum "layer-2" {
                 description
                   "The NAT instance is able to associate a mapping with
                    a layer-2 identifier.";
               }

               enum "dslite" {
                 description
                   "The NAT instance is able to associate a mapping with
                    an IPv6 address (a.k.a., DS-Lite).";
               }
             }
             description
               "A NAT that associates a particular NAT session not only with
                the five tuples used for the transport connection on both
                sides of the NAT but also with the internal interface on
                which the user device is connected to the NAT.

                If supported, this mode of operation should be configurable,
                and it should be disabled by default in general-purpose NAT
                devices.
                If one single per-interface binding behavior is supported by
                a NAT, this parameter is by default set to that behavior.";
             reference
               "Section 4 of RFC 6619";
           }

           list nat-pass-through {
             if-feature "basic-nat44 or napt44 or dst-nat";
             key id;
             description
               "IP prefix NAT pass through.";

             leaf id {
               type uint32;
               description
                 "An identifier of the IP prefix pass through.";
             }

             leaf prefix {
               type inet:ip-prefix;
               mandatory true;
               description
                 "The IP addresses that match should not be translated.

                  It must be possible to administratively turn
                  off translation for specific destination addresses
                  and/or ports.";
               reference
                 "REQ#6 of RFC 6888.";
             }

             leaf port {
               type inet:port-number;
               description
                 "It must be possible to administratively turn off
                  translation for specific destination addresses
                  and/or ports.

                  If no prefix is defined, the NAT pass through bound
                  to a given port applies for any destination address.";
               reference
                 "REQ#6 of RFC 6888.";
             }
           }

           list policy {
             key id;
             description
               "NAT parameters for a given instance";

             leaf id {
               type uint32;
               description
                 "An identifier of the NAT policy. It must be unique
                  within the NAT instance.";
             }

             container clat-parameters {
               if-feature clat;
               description
                 "CLAT parameters.";

               list clat-ipv6-prefixes {
                 key ipv6-prefix;
                 description
                   "464XLAT double translation treatment is stateless when a
                    dedicated /64 is available for translation on the CLAT.
1916 Otherwise, the CLAT will have both stateful and stateless 1917 since it requires NAT44 from the LAN to a single IPv4 1918 address and then stateless translation to a single 1919 IPv6 address."; 1920 reference 1921 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1922 Translation"; 1924 leaf ipv6-prefix { 1925 type inet:ipv6-prefix; 1926 description 1927 "An IPv6 prefix used for CLAT."; 1928 } 1929 } 1931 list ipv4-prefixes { 1932 key ipv4-prefix; 1933 description 1934 "Pool of IPv4 addresses used for CLAT. 1935 192.0.0.0/29 is the IPv4 service continuity prefix."; 1936 reference 1937 "RFC 7335: IPv4 Service Continuity Prefix"; 1939 leaf ipv4-prefix { 1940 type inet:ipv4-prefix; 1941 description 1942 "464XLAT double translation treatment is 1943 stateless when a dedicated /64 is available 1944 for translation on the CLAT. Otherwise, the 1945 CLAT will have both stateful and stateless 1946 since it requires NAT44 from the LAN to 1947 a single IPv4 address and then stateless 1948 translation to a single IPv6 address. 1949 The CLAT performs NAT44 for all IPv4 LAN 1950 packets so that all the LAN-originated IPv4 1951 packets appear from a single IPv4 address 1952 and are then statelessly translated to one 1953 interface IPv6 address that is claimed by 1954 the CLAT. 1956 An IPv4 address from this pool is also 1957 provided to an application that makes 1958 use of literals."; 1960 reference 1961 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1962 Translation"; 1963 } 1964 } 1965 } 1967 list nptv6-prefixes { 1968 if-feature nptv6; 1969 key internal-ipv6-prefix ; 1970 description 1971 "Provides one or a list of (internal IPv6 prefix, 1972 external IPv6 prefix) required for NPTv6. 
1974 In its simplest form, NPTv6 interconnects two network 1975 links, one of which is an 'internal' network link 1976 attached to a leaf network within a single 1977 administrative domain and the other of which is an 1978 'external' network with connectivity to the global 1979 Internet."; 1980 reference 1981 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1983 leaf internal-ipv6-prefix { 1984 type inet:ipv6-prefix; 1985 mandatory true; 1986 description 1987 "An IPv6 prefix used by an internal interface of NPTv6."; 1988 reference 1989 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1991 } 1993 leaf external-ipv6-prefix { 1994 type inet:ipv6-prefix; 1995 mandatory true; 1996 description 1997 "An IPv6 prefix used by the external interface of NPTv6."; 1998 reference 1999 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 2000 } 2001 } 2003 list eam { 2004 if-feature eam; 2005 key ipv4-prefix; 2006 description 2007 "The Explicit Address Mapping Table, a conceptual 2008 table in which each row represents an EAM. 2010 Each EAM describes a mapping between IPv4 and IPv6 2011 prefixes/addresses."; 2012 reference 2013 "Section 3.1 of RFC 7757."; 2015 leaf ipv4-prefix { 2016 type inet:ipv4-prefix; 2017 mandatory true; 2018 description 2019 "The IPv4 prefix of an EAM."; 2020 reference 2021 "Section 3.2 of RFC 7757."; 2022 } 2024 leaf ipv6-prefix { 2025 type inet:ipv6-prefix; 2026 mandatory true; 2027 description 2028 "The IPv6 prefix of an EAM."; 2029 reference 2030 "Section 3.2 of RFC 7757."; 2031 } 2032 } 2034 list nat64-prefixes { 2035 if-feature "siit or nat64 or clat"; 2036 key nat64-prefix; 2037 description 2038 "Provides one or a list of NAT64 prefixes 2039 with or without a list of destination IPv4 prefixes. 2040 It allows mapping IPv4 address ranges to IPv6 prefixes. 2042 For example: 2043 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 
2044 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 2045 reference 2046 "Section 5.1 of RFC 7050."; 2048 leaf nat64-prefix { 2049 type inet:ipv6-prefix; 2050 mandatory true; 2051 description 2052 "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or 2053 Well-Known Prefix (WKP). 2055 Organizations deploying stateless IPv4/IPv6 translation 2056 should assign a Network-Specific Prefix to their 2057 IPv4/IPv6 translation service. 2059 For stateless NAT64, IPv4-translatable IPv6 addresses 2060 must use the selected Network-Specific Prefix. 2062 Both IPv4-translatable IPv6 addresses and IPv4-converted 2063 IPv6 addresses should use the same prefix."; 2064 reference 2065 "Sections 3.3 and 3.4 of RFC 6052."; 2066 } 2068 list destination-ipv4-prefix { 2069 key ipv4-prefix; 2070 description 2071 "An IPv4 prefix/address."; 2073 leaf ipv4-prefix { 2074 type inet:ipv4-prefix; 2075 description 2076 "An IPv4 address/prefix."; 2077 } 2078 } 2080 leaf stateless-enable { 2081 type boolean; 2082 default false; 2083 description 2084 "Enable explicitly stateless NAT64."; 2085 } 2086 } 2087 list external-ip-address-pool { 2088 if-feature "basic-nat44 or napt44 or nat64"; 2089 key pool-id; 2091 description 2092 "Pool of external IP addresses used to service internal 2093 hosts. 2095 A pool is a set of IP prefixes."; 2097 leaf pool-id { 2098 type uint32; 2099 must ". >= 1"; 2100 description 2101 "An identifier that uniquely identifies the address pool 2102 within a NAT instance. 2104 The identifier must be greater than zero."; 2105 reference 2106 "RFC 7659: Definitions of Managed Objects for 2107 Network Address Translators (NATs)"; 2108 } 2110 leaf external-ip-pool { 2111 type inet:ipv4-prefix; 2112 mandatory true; 2113 description 2114 "An IPv4 prefix used for NAT purposes."; 2115 } 2116 } 2118 container port-set-restrict { 2119 if-feature "napt44 or nat64"; 2120 description 2121 "Configures contiguous and non-contiguous port ranges. 
2123 The port set is used to restrict the external source 2124 port numbers used by the translator."; 2126 uses port-set; 2127 } 2129 leaf dst-nat-enable { 2130 if-feature "basic-nat44 or napt44"; 2131 type boolean; 2132 default false; 2133 description 2134 "Enable/Disable destination NAT. 2136 A NAT44 may be configured to enable Destination 2137 NAT, too."; 2138 } 2140 list dst-ip-address-pool { 2141 if-feature dst-nat; 2142 key pool-id; 2143 description 2144 "Pool of IP addresses used for destination NAT."; 2146 leaf pool-id { 2147 type uint32; 2148 description 2149 "An identifier of the address pool."; 2150 } 2152 leaf dst-in-ip-pool { 2153 type inet:ip-prefix; 2154 description 2155 "Is used to identify an internal destination 2156 IP prefix/address to be translated."; 2157 } 2159 leaf dst-out-ip-pool { 2160 type inet:ip-prefix; 2161 mandatory true; 2162 description 2163 "IP address/prefix used for destination NAT."; 2164 } 2165 } 2167 list transport-protocols { 2168 if-feature "napt44 or nat64 or dst-nat"; 2169 key protocol-id; 2171 description 2172 "Configure the transport protocols to be handled by 2173 the translator. 2175 TCP and UDP are supported by default."; 2177 leaf protocol-id { 2178 type uint8; 2179 mandatory true; 2180 description 2181 "Upper-layer protocol associated with this mapping. 2183 Values are taken from the IANA protocol registry: 2185 https://www.iana.org/assignments/protocol-numbers/ 2186 protocol-numbers.xhtml 2188 For example, this field contains 6 for TCP, 2189 17 for UDP, 33 for DCCP, or 132 for SCTP."; 2190 } 2192 leaf protocol-name { 2193 type string; 2194 description 2195 "The name of the Upper-layer protocol associated 2196 with this mapping. 2198 Values are taken from the IANA protocol registry: 2199 https://www.iana.org/assignments/protocol-numbers/ 2200 protocol-numbers.xhtml 2202 For example, TCP, UDP, DCCP, and SCTP."; 2203 } 2204 } 2206 leaf subscriber-mask-v6 { 2207 type uint8 { 2208 range "0 .. 
128"; 2209 } 2211 description 2212 "The subscriber mask is an integer that indicates 2213 the length of significant bits to be applied on 2214 the source IPv6 address (internal side) to 2215 unambiguously identify a user device (e.g., CPE). 2217 Subscriber mask is a system-wide configuration 2218 parameter that is used to enforce generic 2219 per-subscriber policies (e.g., port-quota). 2221 The enforcement of these generic policies does not 2222 require the configuration of every subscriber's 2223 prefix. 2225 Example: suppose the 2001:db8:100:100::/56 prefix 2226 is assigned to a NAT64 serviced CPE. Suppose also 2227 that 2001:db8:100:100::1 is the IPv6 address used 2228 by the client that resides in that CPE. When the 2229 NAT64 receives a packet from this client, 2230 it applies the subscriber-mask-v6 (e.g., 56) on 2231 the source IPv6 address to compute the associated 2232 prefix for this client (2001:db8:100:100::/56). 2234 Then, the NAT64 enforces policies based on that 2235 prefix (2001:db8:100:100::/56), not on the exact 2236 source IPv6 address."; 2237 } 2239 list subscriber-match { 2240 if-feature "basic-nat44 or napt44 or dst-nat"; 2241 key match-id; 2243 description 2244 "IP prefix match. 2245 A subscriber is identified by a subnet."; 2247 leaf match-id { 2248 type uint32; 2249 description 2250 "An identifier of the subscriber match."; 2251 } 2253 leaf subnet { 2254 type inet:ip-prefix; 2255 mandatory true; 2256 description 2257 "The IP address subnets that match 2258 should be translated. 
E.g., all addresses 2259 that belong to the 192.0.2.0/24 prefix must 2260 be processed by the NAT."; 2261 } 2262 } 2264 leaf address-allocation-type { 2265 type enumeration { 2266 enum "arbitrary" { 2267 if-feature "basic-nat44 or napt44 or nat64"; 2268 description 2269 "Arbitrary pooling behavior means that the NAT 2270 instance may create the new port mapping using any 2271 address in the pool that has a free port for the 2272 protocol concerned."; 2273 } 2275 enum "roundrobin" { 2276 if-feature "basic-nat44 or napt44 or nat64"; 2277 description 2278 "Round robin allocation."; 2279 } 2281 enum "paired" { 2282 if-feature "napt44 or nat64"; 2283 description 2284 "Paired address pooling informs the NAT 2285 that all the flows from an internal IP 2286 address must be assigned the same external 2287 address. This is the recommended behavior for 2288 NAPT/NAT64."; 2289 reference 2290 "RFC 4787: Network Address Translation (NAT) 2291 Behavioral Requirements for Unicast UDP"; 2292 } 2293 } 2294 description 2295 "Specifies how external IP addresses are allocated."; 2296 } 2298 leaf port-allocation-type { 2299 if-feature "napt44 or nat64"; 2300 type enumeration { 2301 enum "random" { 2302 description 2303 "Port randomization is enabled. A NAT port allocation 2304 scheme should make it hard for attackers to guess 2305 port numbers"; 2306 reference 2307 "REQ-15 of RFC 6888"; 2308 } 2310 enum "port-preservation" { 2311 description 2312 "Indicates whether the NAT should preserve the internal 2313 port number."; 2314 } 2316 enum "port-parity-preservation" { 2317 description 2318 "Indicates whether the NAT should preserve the port 2319 parity of the internal port number."; 2320 } 2322 enum "port-range-allocation" { 2323 description 2324 "Indicates whether the NAT assigns a range of ports 2325 for an internal host. 
This scheme allows to minimize 2326 log volume."; 2327 reference 2328 "REQ-14 of RFC 6888"; 2329 } 2331 } 2332 description 2333 "Indicates the type of port allocation."; 2334 } 2336 leaf mapping-type { 2337 if-feature "napt44 or nat64"; 2338 type enumeration { 2339 enum "eim" { 2340 description 2341 "endpoint-independent-mapping."; 2342 reference 2343 "Section 4 of RFC 4787."; 2344 } 2346 enum "adm" { 2347 description 2348 "address-dependent-mapping."; 2349 reference 2350 "Section 4 of RFC 4787."; 2351 } 2353 enum "edm" { 2354 description 2355 "address-and-port-dependent-mapping."; 2356 reference 2357 "Section 4 of RFC 4787."; 2358 } 2359 } 2360 description 2361 "Indicates the type of a NAT mapping."; 2362 } 2364 leaf filtering-type { 2365 if-feature "napt44 or nat64"; 2366 type enumeration { 2367 enum "eif" { 2368 description 2369 "endpoint-independent-filtering."; 2370 reference 2371 "Section 5 of RFC 4787."; 2372 } 2374 enum "adf" { 2375 description 2376 "address-dependent-filtering."; 2377 reference 2378 "Section 5 of RFC 4787."; 2380 } 2382 enum "edf" { 2383 description 2384 "address-and-port-dependent-filtering"; 2385 reference 2386 "Section 5 of RFC 4787."; 2387 } 2388 } 2389 description 2390 "Indicates the type of a NAT filtering."; 2391 } 2393 leaf fragment-behavior { 2394 if-feature "napt44 or nat64"; 2395 type enumeration { 2396 enum "drop-all" { 2397 description 2398 "All received fragments are dropped."; 2399 } 2401 enum "in-order" { 2402 description 2403 "Translate fragments only if they are received 2404 in order."; 2405 } 2407 enum "out-of-order" { 2408 description 2409 "Translate a fragment even if it is received out 2410 of order. 
2412 This behavior is recommended."; 2413 reference 2414 "REQ-14 of RFC 4787"; 2415 } 2416 } 2417 description 2418 "The fragment behavior instructs the NAT about the 2419 behavior to follow to translate fragments received 2420 on the external interface of the NAT."; 2421 } 2423 list port-quota { 2424 if-feature "napt44 or nat64"; 2425 key quota-type; 2426 description 2427 "Configures a port quota to be assigned per subscriber. 2429 It corresponds to the maximum number of ports to be 2430 used by a subscriber."; 2432 leaf port-limit { 2433 type uint16; 2434 description 2435 "Configures a port quota to be assigned per subscriber. 2436 It corresponds to the maximum number of ports to be 2437 used by a subscriber."; 2438 reference 2439 "REQ-4 of RFC 6888."; 2440 } 2442 leaf quota-type { 2443 type uint8; 2444 description 2445 "Indicates whether the port quota applies to 2446 all protocols (0) or to a specific protocol."; 2447 } 2448 } 2450 container port-set { 2452 when "../port-allocation-type = 'port-range-allocation'"; 2454 if-feature "napt44 or nat64"; 2455 description 2456 "Manages port-set assignments."; 2458 leaf port-set-size { 2459 type uint16; 2460 mandatory true; 2461 description 2462 "Indicates the size of assigned port sets."; 2463 } 2465 leaf port-set-timeout { 2466 type uint32; 2467 units "seconds"; 2468 description 2469 "inactivity timeout for port sets."; 2470 } 2471 } 2473 container timers { 2474 if-feature "napt44 or nat64"; 2475 description 2476 "Configure values of various timeouts."; 2477 leaf udp-timeout { 2478 type uint32; 2479 units "seconds"; 2480 default 300; 2481 description 2482 "UDP inactivity timeout. 
That is the time a mapping 2483 will stay active without packets traversing the NAT."; 2484 reference 2485 "RFC 4787: Network Address Translation (NAT) 2486 Behavioral Requirements for Unicast UDP"; 2487 } 2489 leaf tcp-idle-timeout { 2490 type uint32; 2491 units "seconds"; 2492 default 7440; 2493 description 2494 "TCP Idle timeout should be 2 hours and 4 minutes."; 2495 reference 2496 "RFC 5382: NAT Behavioral Requirements for TCP"; 2497 } 2499 leaf tcp-trans-open-timeout { 2500 type uint32; 2501 units "seconds"; 2502 default 240; 2503 description 2504 "The value of the transitory open connection 2505 idle-timeout. 2507 A NAT should provide different configurable 2508 parameters for configuring the open and 2509 closing idle timeouts. 2511 To accommodate deployments that consider 2512 a partially open timeout of 4 minutes as being 2513 excessive from a security standpoint, a NAT may 2514 allow the configured timeout to be less than 2515 4 minutes. 2517 However, a minimum default transitory connection 2518 idle-timeout of 4 minutes is recommended."; 2519 reference 2520 "Section 2.1 of RFC 7857."; 2521 } 2523 leaf tcp-trans-close-timeout { 2524 type uint32; 2525 units "seconds"; 2526 default 240; 2527 description 2528 "The value of the transitory close connection 2529 idle-timeout. 2531 A NAT should provide different configurable 2532 parameters for configuring the open and 2533 closing idle timeouts."; 2534 reference 2535 "Section 2.1 of RFC 7857."; 2536 } 2538 leaf tcp-in-syn-timeout { 2539 type uint32; 2540 units "seconds"; 2541 default 6; 2542 description 2543 "A NAT must not respond to an unsolicited 2544 inbound SYN packet for at least 6 seconds 2545 after the packet is received. 
If during 2546 this interval the NAT receives and translates 2547 an outbound SYN for the connection the NAT 2548 must silently drop the original unsolicited 2549 inbound SYN packet."; 2550 reference 2551 "RFC 5382 NAT Behavioral Requirements for TCP"; 2552 } 2554 leaf fragment-min-timeout { 2555 when "../../fragment-behavior='out-of-order'"; 2556 type uint32; 2557 units "seconds"; 2558 default 2; 2559 description 2560 "As long as the NAT has available resources, 2561 the NAT allows the fragments to arrive 2562 over fragment-min-timeout interval. 2563 The default value is inspired from RFC6146."; 2564 } 2566 leaf icmp-timeout { 2567 type uint32; 2568 units "seconds"; 2569 default 60; 2570 description 2571 "An ICMP Query session timer must not expire 2572 in less than 60 seconds. It is recommended 2573 that the ICMP Query session timer be made 2574 configurable"; 2575 reference 2576 "RFC 5508: NAT Behavioral Requirements for ICMP"; 2577 } 2579 list per-port-timeout { 2580 key port-number; 2581 description 2582 "Some NATs are configurable with short timeouts 2583 for some ports, e.g., as 10 seconds on 2584 port 53 (DNS) and 123 (NTP) and longer timeouts 2585 on other ports."; 2587 leaf port-number { 2588 type inet:port-number; 2589 description 2590 "A port number."; 2591 } 2593 leaf protocol { 2594 type uint8; 2595 description 2596 "Upper-layer protocol associated with this port. 2598 Values are taken from the IANA protocol registry: 2599 https://www.iana.org/assignments/protocol-numbers/ 2600 protocol-numbers.xhtml. 2602 If no protocol is indicated, this means 'any 2603 protocol'."; 2604 } 2606 leaf timeout { 2607 type uint32; 2608 units "seconds"; 2609 mandatory true; 2610 description 2611 "Timeout for this port number"; 2612 } 2613 } 2615 leaf hold-down-timeout { 2616 type uint32; 2617 units "seconds"; 2618 default 120; 2619 description 2620 "Hold down timer. 2622 Ports in the hold down pool are not reassigned until 2623 hold-down-timeout expires. 
2625 The length of time and the maximum number of ports in 2626 this state must be configurable by the administrator. 2628 This is necessary in order to prevent collisions 2629 between old and new mappings and sessions. It ensures 2630 that all established sessions are broken instead of 2631 redirected to a different peer."; 2632 reference 2633 "REQ#8 of RFC 6888."; 2634 } 2636 leaf hold-down-max { 2637 type uint32; 2638 description 2639 "Maximum ports in the Hold down timer pool. 2641 Ports in the hold down pool are not reassigned 2642 until hold-down-timeout expires. 2644 The length of time and the maximum 2645 number of ports in this state must be 2646 configurable by the administrator. 2647 This is necessary in order 2648 to prevent collisions between old 2649 and new mappings and sessions. It ensures 2650 that all established sessions are broken 2651 instead of redirected to a different peer."; 2652 reference 2653 "REQ#8 of RFC 6888."; 2654 } 2655 } 2657 leaf fragments-limit{ 2658 when "../fragment-behavior='out-of-order'"; 2659 type uint32; 2660 description 2661 "Limits the number of out of order fragments that can 2662 be handled."; 2663 reference 2664 "Section 11 of RFC 4787."; 2665 } 2667 list algs { 2668 key name; 2669 description 2670 "ALG-related features."; 2672 leaf name { 2673 type string; 2674 description 2675 "The name of the ALG."; 2676 } 2678 leaf transport-protocol { 2679 type uint32; 2680 description 2681 "The transport protocol used by the ALG 2682 (e.g., TCP, UDP)."; 2683 } 2685 container dst-transport-port { 2686 uses port-number; 2687 description 2688 "The destination port number(s) used by the ALG. 
2689 For example, 2690 - 21 for the FTP ALG 2691 - 53 for the DNS ALG."; 2692 } 2694 container src-transport-port { 2695 uses port-number; 2696 description 2697 "The source port number(s) used by the ALG."; 2698 } 2700 leaf status { 2701 type boolean; 2702 description 2703 "Enable/disable the ALG."; 2704 } 2705 } 2707 leaf all-algs-enable { 2708 type boolean; 2709 description 2710 "Enable/disable all ALGs. 2712 When specified, this parameter overrides the one 2713 that may be indicated, eventually, by the 'status' 2714 of an individual ALG."; 2715 } 2717 container notify-pool-usage { 2718 if-feature "basic-nat44 or napt44 or nat64"; 2719 description 2720 "Notification of pool usage when certain criteria 2721 are met."; 2723 leaf pool-id { 2724 type uint32; 2725 description 2726 "Pool-ID for which the notification criteria 2727 is defined"; 2728 } 2730 leaf high-threshold { 2731 type percent; 2732 description 2733 "Notification must be generated when the defined high 2734 threshold is reached. 2736 For example, if a notification is required when the 2737 pool utilization reaches 90%, this configuration 2738 parameter must be set to 90. 2740 0% indicates that no high threshold is enabled."; 2741 } 2743 leaf low-threshold { 2744 type percent; 2745 must ". >= ../high-threshold" { 2746 error-message 2747 "The upper port number must be greater than or 2748 equal to lower port number."; 2749 } 2750 description 2751 "Notification must be generated when the defined low 2752 threshold is reached. 2754 For example, if a notification is required when the 2755 pool utilization reaches below 10%, this 2756 configuration parameter must be set to 10"; 2757 } 2759 leaf notify-interval { 2760 type uint32 { 2761 range "1 .. 
3600"; 2762 } 2763 units "seconds"; 2764 default '20'; 2765 description 2766 "Minimum number of seconds between successive 2767 notifications for this pool."; 2769 reference 2770 "RFC 7659: Definitions of Managed Objects for 2771 Network Address Translators (NATs)"; 2772 } 2773 } 2775 container external-realm { 2776 description 2777 "Identifies the external realm of the NAT instance."; 2779 choice realm-type { 2780 description 2781 "Can be an interface, VRF instance, etc."; 2783 case interface { 2784 description 2785 "External interface."; 2787 leaf external-interface { 2788 type if:interface-ref; 2789 description 2790 "Name of the external interface."; 2791 } 2792 } 2793 } 2794 } 2795 } 2797 container mapping-limits { 2798 if-feature "napt44 or nat64"; 2799 description 2800 "Information about the configuration parameters that 2801 limits the mappings based upon various criteria."; 2803 leaf limit-subscribers { 2804 type uint32; 2805 description 2806 "Maximum number of subscribers that can be serviced 2807 by a NAT instance. 2809 A subscriber is identified by a given prefix."; 2810 reference 2811 "RFC 7659: Definitions of Managed Objects for 2812 Network Address Translators (NATs)"; 2813 } 2814 leaf limit-address-mappings { 2815 type uint32; 2816 description 2817 "Maximum number of address mappings that can be 2818 handled by a NAT instance. 2820 When this limit is reached, packets that would 2821 normally trigger translation, will be dropped."; 2822 reference 2823 "RFC 7659: Definitions of Managed Objects 2824 for Network Address Translators 2825 (NATs)"; 2826 } 2828 leaf limit-port-mappings { 2829 type uint32; 2830 description 2831 "Maximum number of port mappings that can be handled 2832 by a NAT instance. 
2834 When this limit is reached, packets that would 2835 normally trigger translation, will be dropped."; 2836 reference 2837 "RFC 7659: Definitions of Managed Objects for 2838 Network Address Translators (NATs)"; 2839 } 2841 list limit-per-protocol { 2842 if-feature "napt44 or nat64 or dst-nat"; 2843 key protocol-id; 2845 description 2846 "Configure limits per transport protocol"; 2848 leaf protocol-id { 2849 type uint8; 2850 mandatory true; 2851 description 2852 "Upper-layer protocol. 2854 Values are taken from the IANA protocol registry: 2855 https://www.iana.org/assignments/protocol-numbers/ 2856 protocol-numbers.xhtml 2858 For example, this field contains 6 for TCP, 2859 17 for UDP, 33 for DCCP, or 132 for SCTP."; 2860 } 2861 leaf limit { 2862 type uint32; 2863 description 2864 "Maximum number of protocol-specific NAT mappings 2865 per instance."; 2866 } 2867 } 2868 } 2870 container connection-limits { 2871 if-feature "basic-nat44 or napt44 or nat64"; 2872 description 2873 "Information about the configuration parameters that 2874 rate limit the translation based upon various criteria."; 2876 leaf limit-per-subscriber { 2877 type uint32; 2878 units "bits/second"; 2879 description 2880 "Rate-limit the number of new mappings and sessions 2881 per subscriber."; 2882 } 2884 leaf limit-per-instance { 2885 type uint32; 2886 units "bits/second"; 2887 description 2888 "Rate-limit the number of new mappings and sessions 2889 per instance."; 2890 } 2892 list limit-per-protocol { 2893 if-feature "napt44 or nat64"; 2894 key protocol-id; 2895 description 2896 "Configure limits per transport protocol"; 2898 leaf protocol-id { 2899 type uint8; 2900 mandatory true; 2901 description 2902 "Upper-layer protocol. 
2904 Values are taken from the IANA protocol registry: 2905 https://www.iana.org/assignments/protocol-numbers/ 2906 protocol-numbers.xhtml 2908 For example, this field contains 6 for TCP, 2909 17 for UDP, 33 for DCCP, or 132 for SCTP."; 2910 } 2912 leaf limit { 2913 type uint32; 2914 description 2915 "Rate-limit the number of protocol-specific mappings 2916 and sessions per instance."; 2917 } 2918 } 2919 } 2921 container notification-limits { 2922 description "Sets notification limits."; 2924 leaf notify-interval { 2925 if-feature "basic-nat44 or napt44 or nat64"; 2926 type uint32 { 2927 range "1 .. 3600"; 2928 } 2929 units "seconds"; 2930 default '10'; 2931 description 2932 "Minimum number of seconds between successive 2933 notifications for this NAT instance."; 2934 reference 2935 "RFC 7659: Definitions of Managed Objects 2936 for Network Address Translators (NATs)"; 2937 } 2939 leaf notify-addresses-usage { 2940 if-feature "basic-nat44 or napt44 or nat64"; 2941 type percent; 2942 description 2943 "Notification of address mappings usage over 2944 the whole NAT instance. 2946 Notification must be generated when the defined 2947 threshold is reached. 2949 For example, if a notification is required when 2950 the address mappings utilization reaches 90%, 2951 this configuration parameter must be set 2952 to 90."; 2953 } 2955 leaf notify-ports-usage { 2956 if-feature "napt44 or nat64"; 2957 type percent; 2958 description 2959 "Notification of port mappings usage over the 2960 whole NAT instance. 2962 Notification must be generated when the defined 2963 threshold is reached. 2965 For example, if a notification is required when 2966 the port mappings utilization reaches 90%, this 2967 configuration parameter must be set to 90."; 2968 } 2970 leaf notify-subscribers-limit { 2971 if-feature "basic-nat44 or napt44 or nat64"; 2972 type uint32; 2973 description 2974 "Notification of active subscribers per NAT 2975 instance. 
2977 Notification must be generated when the defined 2978 threshold is reached."; 2979 } 2980 } 2982 container mapping-table { 2983 if-feature "basic-nat44 or napt44 " + 2984 "or nat64 or clat or dst-nat"; 2985 description 2986 "NAT mapping table. Applicable for functions which maintain 2987 static and/or dynamic mappings, such as NAT44, Destination 2988 NAT, NAT64, or CLAT."; 2990 list mapping-entry { 2991 key "index"; 2992 description "NAT mapping entry."; 2993 uses mapping-entry; 2994 } 2995 } 2997 container statistics { 2998 config false; 3000 description 3001 "Statistics related to the NAT instance."; 3003 leaf discontinuity-time { 3004 type yang:date-and-time; 3005 mandatory true; 3006 description 3007 "The time on the most recent occasion at which the NAT 3008 instance suffered a discontinuity. This must be 3009 initialized when the NAT instance is configured 3010 or rebooted."; 3011 } 3013 container traffic-statistics { 3014 description 3015 "Generic traffic statistics."; 3017 leaf sent-packets { 3018 type yang:zero-based-counter64; 3019 description 3020 "Number of packets sent."; 3021 } 3023 leaf sent-bytes { 3024 type yang:zero-based-counter64; 3025 units 'bytes'; 3026 description 3027 "Counter for sent traffic in bytes."; 3028 } 3030 leaf rcvd-packets { 3031 type yang:zero-based-counter64; 3032 description 3033 "Number of received packets."; 3034 } 3036 leaf rcvd-bytes { 3037 type yang:zero-based-counter64; 3038 units 'bytes'; 3039 description 3040 "Counter for received traffic in bytes."; 3041 } 3043 leaf dropped-packets { 3044 type yang:zero-based-counter64; 3045 description 3046 "Number of dropped packets."; 3047 } 3049 leaf dropped-bytes { 3050 type yang:zero-based-counter64; 3051 units 'bytes'; 3052 description 3053 "Counter for dropped traffic in bytes."; 3054 } 3056 leaf dropped-fragments { 3057 if-feature "napt44 or nat64"; 3058 type yang:zero-based-counter64; 3059 description 3060 "Number of dropped fragments on the external realm."; 3061 } 3063 
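            /* Added example, not part of this YANG module or of the
               draft: a Python implementation of the RFC 6052 address
               format that a translator applies with the 'nat64-prefix'
               configured in the 'nat64-prefixes' list above (the list's
               own example maps 192.0.2.0/24 under 2001:db8:122:300::/56).
               It goes beyond the /56 case in that text and covers every
               prefix length RFC 6052 allows, for both synthesis and
               extraction. The function names and the sample hosts are
               this example's own.

```python
"""RFC 6052 IPv4-embedded IPv6 address synthesis and extraction.

Added example; it is not part of the ietf-nat YANG module or the draft.
A translator configured with a 'nat64-prefix' (an NSP or the WKP)
builds IPv4-converted IPv6 addresses with the layout of RFC 6052
Section 2.2, which this code implements for every prefix length the
RFC allows.  Function names (synthesize, extract, embedded_ipv4) are
this example's own.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

# Prefix lengths permitted by RFC 6052 Section 2.2.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# The IANA Well-Known Prefix (RFC 6052 Section 2.1).
WKP = IPv6Network("64:ff9b::/96")


def synthesize(prefix: IPv6Network, ipv4: IPv4Address) -> IPv6Address:
    """Embed ipv4 after prefix, skipping the 'u' octet (bits 64..71).

    For prefixes shorter than /64 the 32 IPv4 bits are split: the part
    that fits before bit 64 goes there, the rest resumes at bit 72.
    """
    pl = prefix.prefixlen
    if pl not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{pl} is not allowed by RFC 6052")
    v6 = int(prefix.network_address)
    v4 = int(ipv4)
    if pl == 96:
        return IPv6Address(v6 | v4)      # IPv4 fills bits 96..127
    high_bits = 64 - pl                  # IPv4 bits placed before bit 64
    low_bits = 32 - high_bits            # IPv4 bits placed from bit 72 on
    high = v4 >> low_bits
    low = v4 & ((1 << low_bits) - 1)
    # 'high' ends at bit 63, i.e. 64 bits above the LSB; 'low' ends at
    # bit 72 + low_bits - 1, i.e. (56 - low_bits) bits above the LSB.
    return IPv6Address(v6 | (high << 64) | (low << (56 - low_bits)))


def extract(prefix: IPv6Network, addr: IPv6Address) -> IPv4Address:
    """Inverse of synthesize(); rejects addresses RFC 6052 forbids."""
    pl = prefix.prefixlen
    if pl not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{pl} is not allowed by RFC 6052")
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    v6 = int(addr)
    if pl == 96:
        return IPv4Address(v6 & 0xFFFFFFFF)
    if (v6 >> 56) & 0xFF:
        raise ValueError("bits 64..71 (the 'u' octet) must be zero")
    high_bits = 64 - pl
    low_bits = 32 - high_bits
    high = (v6 >> 64) & ((1 << high_bits) - 1)
    low = (v6 >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return IPv4Address((high << low_bits) | low)


def embedded_ipv4(prefix: IPv6Network, addr: IPv6Address) -> Optional[IPv4Address]:
    """extract() that answers None instead of raising; handy in filters."""
    try:
        return extract(prefix, addr)
    except ValueError:
        return None


if __name__ == "__main__":
    # The list's example: 192.0.2.0/24 mapped under 2001:db8:122:300::/56.
    nsp = IPv6Network("2001:db8:122:300::/56")
    for host in ("192.0.2.1", "192.0.2.33"):
        v6 = synthesize(nsp, IPv4Address(host))
        print(f"{host:>12} -> {v6}  (back: {extract(nsp, v6)})")
```

               Running it embeds 192.0.2.1 and 192.0.2.33 under the
               /56 prefix and recovers them again. extract() refuses an
               address whose 'u' octet is non-zero or that lies outside
               the configured prefix, which is the check a translator
               applies before trusting an IPv4-embedded address seen on
               its external side. */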
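            /* Added example, not part of this YANG module or of the
               draft: how a translator combines 'subscriber-mask-v6'
               with the 'port-quota' list above, so that 'port-limit' is
               charged to the subscriber prefix the mask yields rather
               than to each address behind the CPE, and how a refusal
               shows up as the 'dropped-port-limit-packets' counter. The
               class name, the quota semantics for a non-zero
               'quota-type' and the sample addresses are this example's
               own; the /56 scenario is the one used in the
               'subscriber-mask-v6' description.

```python
"""Per-subscriber port quota keyed by subscriber-mask-v6.

Added example; not part of the ietf-nat YANG module or the draft.  It
models the interplay the module describes between 'subscriber-mask-v6'
and 'port-quota': the mask reduces a source IPv6 address to a
subscriber prefix, and 'port-limit' is charged to that prefix rather
than to each address behind the CPE.  Class and function names are this
example's own.
"""
from collections import defaultdict
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Set, Tuple


def subscriber_prefix(src: str, subscriber_mask_v6: int) -> IPv6Network:
    """Apply subscriber-mask-v6 (range 0..128) to a source address."""
    if not 0 <= subscriber_mask_v6 <= 128:
        raise ValueError("subscriber-mask-v6 must be within 0..128")
    return IPv6Network((IPv6Address(src), subscriber_mask_v6), strict=False)


class PortQuotaEnforcer:
    """Charges external port allocations against a per-subscriber quota.

    quota_type follows the module's 'quota-type' leaf: 0 means the limit
    covers all protocols; any other value is taken as an IANA protocol
    number and limits only that protocol (an assumption of this example).
    """

    def __init__(self, subscriber_mask_v6: int, port_limit: int,
                 quota_type: int = 0) -> None:
        self.mask = subscriber_mask_v6
        self.port_limit = port_limit
        self.quota_type = quota_type
        # subscriber prefix -> {(protocol, external port)}
        self.allocated: Dict[IPv6Network, Set[Tuple[int, int]]] = defaultdict(set)
        # mirrors 'dropped-port-limit-packets' in the statistics container
        self.dropped_port_limit_packets = 0

    def ports_in_use(self, prefix: IPv6Network, proto: int) -> int:
        """Ports already counted against the quota for this prefix."""
        if self.quota_type == 0:
            return len(self.allocated[prefix])
        return sum(1 for p, _ in self.allocated[prefix] if p == proto)

    def allocate(self, src: str, proto: int, ext_port: int) -> bool:
        """Return True if the mapping is (or already was) admitted."""
        prefix = subscriber_prefix(src, self.mask)
        if (proto, ext_port) in self.allocated[prefix]:
            return True                       # existing mapping reused
        if (self.quota_type in (0, proto)
                and self.ports_in_use(prefix, proto) >= self.port_limit):
            self.dropped_port_limit_packets += 1
            return False
        self.allocated[prefix].add((proto, ext_port))
        return True


if __name__ == "__main__":
    # Constructed scenario: 2001:db8:100:100::/56 is one CPE (as in the
    # subscriber-mask-v6 description); port-limit of 2 keeps the demo short.
    nat = PortQuotaEnforcer(subscriber_mask_v6=56, port_limit=2)
    for src, proto, port in [("2001:db8:100:100::1", 17, 40001),
                             ("2001:db8:100:100:ffff::2", 17, 40002),
                             ("2001:db8:100:100::3", 6, 40003),
                             ("2001:db8:100:200::1", 6, 40004)]:
        verdict = "admitted" if nat.allocate(src, proto, port) else "dropped"
        print(f"{src:<28} {verdict}")
    print("dropped-port-limit-packets:", nat.dropped_port_limit_packets)
```

               The third address shares the /56 with the first two and is
               therefore refused once the quota is exhausted, even though
               it never allocated a port itself; the fourth address falls
               into a different /56 and gets its own quota. */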
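            /* Added example, not part of this YANG module or of the
               draft: evaluating the 'notify-pool-usage' parameters
               (high-threshold, low-threshold, notify-interval) against
               the addresses-allocated/addresses-free counters that
               'per-pool-stats' below reports, to decide when a
               nat-pool-event is due. It also checks the constraint
               between the two thresholds and honours the rule that a
               high threshold of 0% disables it. The class names, the
               event dictionary layout and the counter samples are this
               example's own.

```python
"""Pool-usage notifications: thresholds plus notify-interval rate limit.

Added example; not part of the ietf-nat YANG module or the draft.  It
evaluates the 'notify-pool-usage' parameters against per-pool
allocated/free counters and decides whether a nat-pool-event is due,
applying the constraint between the two thresholds and the rule that a
high threshold of 0 disables it.  Names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class NotifyPoolUsage:
    """Mirror of the notify-pool-usage container, validated on creation."""
    pool_id: int
    high_threshold: int = 0       # percent; 0 disables the high threshold
    low_threshold: int = 0        # percent; 0 disables the low threshold
    notify_interval: int = 20     # seconds; module range is 1..3600

    def __post_init__(self) -> None:
        for name in ("high_threshold", "low_threshold"):
            if not 0 <= getattr(self, name) <= 100:
                raise ValueError(f"{name} must be a percentage 0..100")
        if not 1 <= self.notify_interval <= 3600:
            raise ValueError("notify-interval must be within 1..3600")
        if self.high_threshold and self.low_threshold > self.high_threshold:
            raise ValueError("low-threshold must not exceed high-threshold")


def valid_notify_pool_usage(**params) -> bool:
    """True when the parameters satisfy the container's constraints."""
    try:
        NotifyPoolUsage(**params)
        return True
    except ValueError:
        return False


def utilization_percent(addresses_allocated: int, addresses_free: int) -> int:
    """Pool utilization as the module's 'percent' type (integer 0..100)."""
    total = addresses_allocated + addresses_free
    if total <= 0:
        raise ValueError("pool has no addresses")
    return addresses_allocated * 100 // total


class PoolMonitor:
    """Decides, per counter sample, whether a nat-pool-event is due."""

    def __init__(self, cfg: NotifyPoolUsage) -> None:
        self.cfg = cfg
        self.last_notified: Optional[float] = None

    def classify(self, pct: int) -> str:
        """'high', 'low' or 'normal' for a utilization percentage."""
        if self.cfg.high_threshold and pct >= self.cfg.high_threshold:
            return "high"
        if self.cfg.low_threshold and pct <= self.cfg.low_threshold:
            return "low"
        return "normal"

    def observe(self, addresses_allocated: int, addresses_free: int,
                now: float) -> Optional[dict]:
        """Return an event dict, or None when nothing should be sent."""
        pct = utilization_percent(addresses_allocated, addresses_free)
        state = self.classify(pct)
        if state == "normal":
            return None
        if (self.last_notified is not None
                and now - self.last_notified < self.cfg.notify_interval):
            return None                       # suppressed by notify-interval
        self.last_notified = now
        return {"pool-id": self.cfg.pool_id, "threshold": state,
                "utilization-percent": pct}


if __name__ == "__main__":
    cfg = NotifyPoolUsage(pool_id=1, high_threshold=90, low_threshold=10,
                          notify_interval=20)
    mon = PoolMonitor(cfg)
    # Constructed counter samples: (allocated, free, seconds since start).
    for allocated, free, t in [(95, 5, 0), (96, 4, 10), (97, 3, 20),
                               (50, 50, 45), (5, 95, 50)]:
        print(f"t={t:>3}s utilization={utilization_percent(allocated, free):>3}%",
              mon.observe(allocated, free, t))
```

               With the sample run, the second sample at t=10 is above
               the high threshold but is suppressed because fewer than
               notify-interval seconds have passed since the event at
               t=0; the low-threshold event at t=50 is sent because the
               interval is measured from the last notification, whatever
               its direction. */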

            leaf dropped-address-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because an address limit
                 is reached.";
            }

            leaf dropped-address-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because an address limit
                 is reached, in bytes.";
            }

            leaf dropped-address-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no address is
                 available for allocation.";
            }

            leaf dropped-address-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no address is
                 available for allocation, in bytes.";
            }

            leaf dropped-port-limit-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because a port limit
                 is reached.";
            }

            leaf dropped-port-limit-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because a port limit
                 is reached, in bytes.";
            }

            leaf dropped-port-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no port is
                 available for allocation.";
            }

            leaf dropped-port-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no port is
                 available for allocation, in bytes.";
            }

            leaf dropped-subscriber-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because the subscriber
                 limit per instance is reached.";
            }

            leaf dropped-subscriber-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because the subscriber
                 limit per instance is reached, in bytes.";
            }
          }

          container mappings-statistics {
            description
              "Mappings statistics.";

            leaf total-active-subscribers {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of active subscribers (that is,
                 subscribers for which the NAT maintains active
                 mappings).

                 A subscriber is identified by a subnet,
                 subscriber-mask, etc.";
            }

            leaf total-address-mappings {
              if-feature "basic-nat44 or napt44 " +
                         "or nat64 or clat or dst-nat";
              type yang:gauge32;
              description
                "Total number of address mappings present at a given
                 time. It includes both static and dynamic mappings.";
              reference
                "Section 3.3.8 of RFC 7659";
            }

            leaf total-port-mappings {
              if-feature "napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of NAT port mappings present at
                 a given time. It includes both static and dynamic
                 mappings.";
              reference
                "Section 3.3.9 of RFC 7659";
            }

            list total-per-protocol {
              if-feature "napt44 or nat64";
              key protocol-id;
              description
                "Total mappings for each enabled/supported protocol.";

              leaf protocol-id {
                type uint8;
                mandatory true;
                description
                  "Upper-layer protocol.
                   For example, this field contains 6 for TCP,
                   17 for UDP, 33 for DCCP, or 132 for SCTP.";
              }

              leaf total {
                type yang:gauge32;
                description
                  "Total number of protocol-specific mappings present
                   at a given time. The protocol is identified by
                   protocol-id.";
              }
            }
          }

          container pools-stats {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Statistics related to address/prefix pool
               usage.";

            leaf addresses-allocated {
              type yang:gauge32;
              description
                "Number of all allocated addresses.";
            }

            leaf addresses-free {
              type yang:gauge32;
              description
                "Number of unallocated addresses of all pools at
                 a given time. The sum of unallocated and allocated
                 addresses is the total number of addresses of
                 the pools.";
            }

            container ports-stats {
              if-feature "napt44 or nat64";

              description
                "Statistics related to port numbers usage.";

              leaf ports-allocated {
                type yang:gauge32;
                description
                  "Number of allocated ports from all pools.";
              }

              leaf ports-free {
                type yang:gauge32;
                description
                  "Number of unallocated ports from all pools.";
              }
            }

            list per-pool-stats {
              if-feature "basic-nat44 or napt44 or nat64";
              key "pool-id";
              description
                "Statistics related to address/prefix pool usage.";

              leaf pool-id {
                type uint32;
                description
                  "Unique Identifier that represents a pool of
                   addresses/prefixes.";
              }

              leaf discontinuity-time {
                type yang:date-and-time;
                mandatory true;
                description
                  "The time on the most recent occasion at which this
                   pool's counters suffered a discontinuity. This must
                   be initialized when the address pool is
                   configured.";
              }

              container pool-stats {
                description
                  "Statistics related to address/prefix pool usage.";

                leaf addresses-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated addresses from this pool.";
                }

                leaf addresses-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated addresses in this pool.";
                }
              }

              container port-stats {
                if-feature "napt44 or nat64";
                description
                  "Statistics related to port numbers usage.";

                leaf ports-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated ports from this pool.";
                }

                leaf ports-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated ports from this pool.";
                }
              }
            }
          }
        }
      }
    }
  }

  /*
   * Notifications
   */

  notification nat-pool-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when the defined high/low
       threshold is reached.
Related configuration parameters 3323 must be provided to trigger the notifications."; 3325 leaf id { 3326 type leafref { 3327 path "/nat/instances/instance/id"; 3328 } 3329 mandatory true; 3330 description 3331 "NAT instance Identifier."; 3332 } 3334 leaf policy-id { 3335 type leafref { 3336 path "/nat/instances/instance/policy/id"; 3337 } 3338 description 3339 "Policy Identifier."; 3340 } 3342 leaf pool-id { 3343 type leafref { 3344 path "/nat/instances/instance/policy/" + 3345 "external-ip-address-pool/pool-id"; 3346 } 3347 mandatory true; 3348 description 3349 "Pool Identifier."; 3350 } 3352 leaf notify-pool-threshold { 3353 type percent; 3354 mandatory true; 3355 description 3356 "A threshold (high-threshold or low-threshold) has 3357 been fired."; 3358 } 3359 } 3361 notification nat-instance-event { 3362 if-feature "basic-nat44 or napt44 or nat64"; 3363 description 3364 "Notifications must be generated when notify-addresses-usage 3365 and/or notify-ports-usage threshold are reached."; 3367 leaf id { 3368 type leafref { 3369 path "/nat/instances/instance/id"; 3370 } 3371 mandatory true; 3372 description 3373 "NAT instance Identifier."; 3374 } 3376 leaf notify-subscribers-threshold { 3377 type uint32; 3378 description 3379 "The notify-subscribers-limit threshold has been fired."; 3380 } 3382 leaf notify-addresses-threshold { 3383 type percent; 3384 description 3385 "The notify-addresses-usage threshold has been fired."; 3387 } 3389 leaf notify-ports-threshold { 3390 type percent; 3391 description 3392 "The notify-ports-usage threshold has been fired."; 3393 } 3394 } 3395 } 3396 3398 4. Security Considerations 3400 Security considerations related to address and prefix translation are 3401 discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and 3402 [RFC7757]. 3404 The YANG module defined in this document is designed to be accessed 3405 via network management protocols such as NETCONF [RFC6241] or 3406 RESTCONF [RFC8040]. 
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  The NAT YANG module provides a method to set
   parameters to prevent a user from aggressively using NAT resources
   (port-quota), rate-limit connections as a guard against Denial-of-
   Service, or to enable notifications so that appropriate measures are
   enforced to anticipate traffic drops.
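
   An operator who retrieves this configuration over NETCONF or RESTCONF
   can audit the sensitive data nodes named in this section before and
   after every change.  The following script is an added example that is
   not part of this document or of the ietf-nat module: it takes a flat
   map of data-node path to value (the path notation used in this
   section, as an operator would build it from a <get-config> reply; the
   exact XML/JSON encoding of each node is not reproduced), applies
   sanity rules to the limits, percentage thresholds and notification
   intervals, and returns the findings.  The numeric bounds in POLICY,
   NOISY_BELOW and MIN_INTERVAL are constructed operator policy, not
   values defined by the module; SAMPLE_CONFIG is constructed input.

```python
"""Audit of the NAT data nodes that the Security Considerations mark as
sensitive.  Added example; not part of the draft or of any NAT product.
Input: {data-node path: value}.  Output: list of (severity, path, message).
"""

# Resource limits: (floor, ceiling).  Below the floor legitimate subscribers
# are starved (a self-inflicted DoS); above the ceiling one subscriber can
# exhaust the shared pool.  Bounds are constructed for this example.
POLICY = {
    "/nat/instances/instance/policy/port-quota": (64, 16384),
    "/nat/instances/instance/policy/fragments-limit": (16, 4096),
    "/nat/instances/instance/mapping-limits": (1000, 10_000_000),
    "/nat/instances/instance/connection-limits": (100, 1_000_000),
    "/nat/instances/instance/notification-limits/notify-subscribers-limit":
        (10, 1_000_000),
}

# Percentage thresholds: 'percent' type, so 0..100 in the module.
THRESHOLDS = (
    "/nat/instances/instance/policy/notify-pool-usage/high-threshold",
    "/nat/instances/instance/notification-limits/notify-addresses-usage",
    "/nat/instances/instance/notification-limits/notify-ports-usage",
)
NOISY_BELOW = 20   # constructed: a threshold this low fires under normal load

# Minimum spacing between notifications, in seconds (constructed floor).
INTERVALS = (
    "/nat/instances/instance/policy/notify-pool-usage/notify-interval",
    "/nat/instances/instance/notification-limits/notify-interval",
)
MIN_INTERVAL = 30


def audit_nat_config(config):
    """Return findings for one NAT instance's configuration map."""
    findings = []
    for path, (floor, ceiling) in POLICY.items():
        value = config.get(path)
        if value is None:
            findings.append(("info", path, "no limit configured"))
        elif value < floor:
            findings.append(("high", path,
                             f"limit {value} is below {floor}: starves subscribers"))
        elif value > ceiling:
            findings.append(("medium", path,
                             f"limit {value} is above {ceiling}: weak protection"))

    for path in THRESHOLDS:
        value = config.get(path)
        if value is None:
            findings.append(("info", path, "threshold not set: no notification"))
        elif not 0 <= value <= 100:
            findings.append(("high", path, f"{value} is not a valid percent"))
        elif value == 100:
            # Fires only once the resource is already exhausted: too late.
            findings.append(("high", path, "100% effectively deactivates the notification"))
        elif value < NOISY_BELOW:
            findings.append(("medium", path, f"{value}% fires on normal load: useless notifications"))

    for path in INTERVALS:
        value = config.get(path)
        if value is not None and value < MIN_INTERVAL:
            findings.append(("medium", path,
                             f"interval {value}s is below {MIN_INTERVAL}s: notification flood"))
    return findings


# Constructed sample, loosely modelled on the CGN example in Appendix A.2
# (port-quota 1024), with several deliberately poor settings.
SAMPLE_CONFIG = {
    "/nat/instances/instance/policy/port-quota": 1024,
    "/nat/instances/instance/policy/fragments-limit": 4,
    "/nat/instances/instance/mapping-limits": 5_000_000,
    "/nat/instances/instance/notification-limits/notify-subscribers-limit": 50_000,
    "/nat/instances/instance/policy/notify-pool-usage/high-threshold": 100,
    "/nat/instances/instance/notification-limits/notify-addresses-usage": 5,
    "/nat/instances/instance/notification-limits/notify-ports-usage": 90,
    "/nat/instances/instance/policy/notify-pool-usage/notify-interval": 1,
    "/nat/instances/instance/notification-limits/notify-interval": 60,
}

if __name__ == "__main__":
    for severity, path, message in audit_nat_config(SAMPLE_CONFIG):
        print(f"[{severity}] {path}: {message}")
```

   Running the block prints five findings for SAMPLE_CONFIG: the
   fragments-limit below the floor, the missing connection-limits, the
   100% pool high-threshold, the 5% address-usage threshold and the
   one-second pool notification interval.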
   Nevertheless, an attacker who is able to access the NAT can undertake
   various attacks, such as:

   o  Set a high or low resource limit to cause a DoS attack:

      *  /nat/instances/instance/policy/port-quota

      *  /nat/instances/instance/policy/fragments-limit

      *  /nat/instances/instance/mapping-limits

      *  /nat/instances/instance/connection-limits

   o  Set a low notification threshold to cause useless notifications to
      be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set an arbitrarily high threshold, which may lead to the
      deactivation of notifications:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set a low notification interval and a low notification threshold
      to induce useless notifications to be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/notify-
         interval

      *  /nat/instances/instance/notification-limits/notify-interval

   o  Access to privacy data maintained in the mapping table.  Such data
      can be misused to track the activity of a host:

      *  /nat/instances/instance/mapping-table

5. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].
      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6. Acknowledgements

   Many thanks to Dan Wing, Tianran Zhou, Tom Petch, and Warren Kumari
   for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.  Mahesh Jethanandani
   provided useful comments.

   Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
   Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
   Kristian Poscic for the CGN review.

   Special thanks to Maros Marsalek and Marek Gradzki for sharing their
   comments based on the FD.io implementation of this module
   (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).

   Rajiv Asati suggested to clarify how the module applies for both
   stateless and stateful NAT64.

   Juergen Schoenwaelder provided an early YANG Doctors review.  Many
   thanks to him.

   Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrel for the
   directorates review.  Igor Ryzhov identified a nit in one example.

   Mirja Kuehlewind made a comment about the reuse of some TCP timers
   for any connection-oriented protocol.

7. References

7.1. Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.
   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.
   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

7.2. Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
              Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf-
              softwire-dslite-yang-17 (work in progress), May 2018.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-12 (work in progress),
              July 2018.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A. Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1. Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such case together with a mapping entry is depicted below:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, NAT_Subscriber_A, ...., 1, 198.51.100.1/32,
   ...., ...., 198.51.100.1/32, ....]

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.
   In reference to this example, the UDP packet received with a source
   IPv4 address (192.0.2.1) and source port number (1568) is translated
   into a UDP packet having a source IPv4 address (198.51.100.1) and
   source port (15000).  The remaining lifetime of this mapping is 300
   seconds.

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 15, dynamic-explicit, 17, 192.0.2.1/32, 1568,
   198.51.100.1/32, 15000, 300]

A.2. Carrier Grade NAT (CGN)

   The following XML snippet shows the example of the capabilities
   supported by a CGN as retrieved using NETCONF.

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: napt44, 1, 6, 17, false, true, true, true, true,
   false, true, true, true, true, true, true, true, true]

   The following XML snippet shows the example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (198.51.100.0/24).  Further, the CGN is instructed to limit the
   number of allocated ports per subscriber to 1024.  Ports can be
   allocated by the CGN by assigning ranges of 256 ports (that is, a
   subscriber can be allocated up to four port ranges of 256 ports
   each).

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, myCGN, ...., 1, 198.51.100.0/24, 1024, all,
   port-range-allocation, 256, ....]

   An administrator may decide to allocate one single port range per
   subscriber (e.g., port range of 1024 ports) as shown below:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, myCGN, ...., 1, 198.51.100.0/24, 1024, all,
   port-range-allocation, 1024, ....]

A.3. CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

          X1:x1            X1':x1'            X2:x2
          +---+from X1:x1  +---+from X1:x1    +---+
          | C | to X2:x2   |   | to X2:x2     | S |
          | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
          | i |            | G |              | r |
          | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
          | n |from X2:x2  |   |from X2:x2    | e |
          | t | to X1:x1   |   | to X1:x1     | r |
          +---+            +---+              +---+

                     Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.1), the following configuration parameter must be
   set:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: ..., 192.0.2.1/32, ...]

A.4. NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such case is
   depicted below:

   [XML snippet; element names were lost in extraction.  Surviving
   value: 2001:db8:122:300::/56]

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such case is shown below:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 2001:db8:122::/48, 198.51.100.0/24]

A.5. Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].
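
   The address synthesis and extraction that such a translator performs
   is fully specified by [RFC6052], Section 2.2, and can be checked
   offline.  The following script is an added example, not part of this
   document or of any translator implementation: it implements the
   IPv4-embedded IPv6 address format for every prefix length that
   [RFC6052] permits (/32, /40, /48, /56, /64 and /96), which goes beyond
   the single /40 case shown in this section, and it rejects addresses
   outside the prefix or with a non-zero "u" octet (bits 64-71), which a
   translator must not accept.  The sample addresses are the ones from
   this section; the 64:ff9b::/96 round-trip is a constructed extra.

```python
"""RFC 6052 IPv4-embedded IPv6 address synthesis and extraction.
Added example; not part of the draft or of any NAT64/SIIT product.
"""
import ipaddress

# Prefix lengths allowed by RFC 6052, Section 2.2.  For lengths below /96
# the 32 IPv4 bits are split around the "u" octet at bits 64-71, which must
# be zero: (64 - prefix_len) IPv4 bits precede u, the rest follow it, and
# the remaining suffix bits are zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _network(prefix):
    """Parse the NAT64/SIIT prefix and enforce the RFC 6052 length rule."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"{prefix}: prefix length not allowed by RFC 6052")
    return net


def synthesize_ipv6(ipv4, prefix):
    """Return the IPv4-converted/IPv4-translatable IPv6 address for ipv4."""
    net = _network(prefix)
    plen = net.prefixlen
    v4 = int(ipaddress.IPv4Address(ipv4))
    p = int(net.network_address)            # prefix bits, host bits zero
    if plen == 96:
        return ipaddress.IPv6Address(p | v4)
    n_before = 64 - plen                    # IPv4 bits placed before u
    n_after = 32 - n_before                 # IPv4 bits placed after u
    head = v4 >> n_after                    # high n_before bits
    tail = v4 & ((1 << n_after) - 1)        # low n_after bits
    # head ends at bit 63 (just before u); tail starts at bit 72.
    v6 = p | (head << 64) | (tail << (128 - 72 - n_after))
    return ipaddress.IPv6Address(v6)


def extract_ipv4(ipv6, prefix):
    """Recover the IPv4 address embedded in ipv6 (the reverse operation)."""
    net = _network(prefix)
    plen = net.prefixlen
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not covered by {prefix}")
    v6 = int(addr)
    if plen == 96:
        return ipaddress.IPv4Address(v6 & 0xFFFF_FFFF)
    if (v6 >> 56) & 0xFF:                   # bits 64-71 seen from the right
        raise ValueError(f"{ipv6}: u octet (bits 64-71) is not zero")
    n_before = 64 - plen
    n_after = 32 - n_before
    head = (v6 >> 64) & ((1 << n_before) - 1)
    tail = (v6 >> (128 - 72 - n_after)) & ((1 << n_after) - 1)
    return ipaddress.IPv4Address((head << n_after) | tail)


def translate_ipv6_to_ipv4_addresses(src6, dst6, prefix):
    """Address part of a stateless IPv6-to-IPv4 header translation: both
    addresses are extracted under the same prefix, as in the stateless
    mode where one prefix serves both address kinds."""
    return str(extract_ipv4(src6, prefix)), str(extract_ipv4(dst6, prefix))


if __name__ == "__main__":
    nsp = "2001:db8:100::/40"
    print(translate_ipv6_to_ipv4_addresses("2001:db8:1c0:2:21::",
                                           "2001:db8:1c6:3364:2::", nsp))
    print(synthesize_ipv6("192.0.2.33", nsp))
```

   With the /40 NSP, 2001:db8:1c0:2:21:: yields 192.0.2.33 and
   2001:db8:1c6:3364:2:: yields 198.51.100.2, matching the walk-through
   in this section; synthesis of 192.0.2.33 gives 2001:db8:1c0:2:21::
   back.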
   Similar to the NAT64 case, the XML snippet to configure the NAT64
   prefix in such case is depicted below:

   [XML snippet; element names were lost in extraction.  Surviving
   value: 2001:db8:100::/40]

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
   following RFC6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.

   Also, a NAT64 can be instructed to behave in the stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 2001:db8:122:300::/56, true]

A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
     SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Table 8.

             +----------------+----------------------+
             |  IPv4 Prefix   |     IPv6 Prefix      |
             +----------------+----------------------+
             |   192.0.2.1    |   2001:db8:aaaa::    |
             |  192.0.2.2/32  | 2001:db8:bbbb::b/128 |
             | 192.0.2.16/28  | 2001:db8:cccc::/124  |
             | 192.0.2.128/26 |  2001:db8:dddd::/64  |
             | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
             | 192.0.2.224/31 |    64:ff9b::/127     |
             +----------------+----------------------+

                   Table 8: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order (one IPv4 prefix followed by its IPv6 prefix per
   EAM): 192.0.2.1/32, 2001:db8:aaaa::/128; 192.0.2.2/32,
   2001:db8:bbbb::b/128; 192.0.2.16/28, 2001:db8:cccc::/124;
   192.0.2.128/26, 2001:db8:dddd::/64; 192.0.2.192/29,
   2001:db8:eeee:8::/62; 192.0.2.224/31, 64:ff9b::/127]

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: nat64, true, true, true, true, true, true, true,
   true]

A.7. Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, static, 6, 192.0.2.1/32, 100, 500,
   198.51.100.1/32, 1100, 1500, ...]

A.8. Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.
   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, static, 6, 192.0.2.0/24, 198.51.100.0/24, ...]

A.9. Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, 192.0.2.1/32, 198.51.100.1/32]

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping configured on the NAT:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1568, static, 6, 192.0.2.1/32, 80,
   198.51.100.1/32, 8080]

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings configured on the NAT:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 123, static, 6, 192.0.2.1/32, 80, 198.51.100.1/32,
   ...; 1236, static, 6, 192.0.2.1/32, 22, 198.51.100.2/32, ...]

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, 198.51.100.0/24]

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10. Customer-side Translator (CLAT)

   The following XML snippet shows the example of a CLAT that is
   configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 2001:db8:aaaa::/96, 192.0.0.1/32,
   2001:db8:1234::/96]

A.11. IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of an NPTv6 translator that should rewrite
   packets with the source prefix (fd03:c03a:ecab::/48) with the
   external prefix (2001:db8:1::/48).  The internal interface is "eth0"
   while the external interface is "eth1" (Figure 2).

         External Network: Prefix = 2001:db8:1::/48
         --------------------------------------
                         |
                         |eth1
                  +-------------+
              eth4|    NPTv6    |eth2
           ...----|             |----...
                  +-------------+
                         |eth0
                         |
         --------------------------------------
         Internal Network: Prefix = fd03:c03a:ecab::/48

                     Figure 2: Example of NPTv6

   The XML snippet to configure NPTv6 prefixes in such case is depicted
   below:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: fd03:c03a:ecab::/48, 2001:db8:1::/48, ..., eth1]

   Figure 3 shows an example of an NPTv6 translator that interconnects
   two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48);
   each is translated using a dedicated prefix (2001:db8:1::/48 and
   2001:db8:6666::/48, respectively).

              Internal Prefix = fda8:d5cb:14f3::/48
              --------------------------------------
          V                  |        External Prefix
          V                  |eth1    2001:db8:1::/48
          V              +---------+                ^
          V              |  NPTv6  |                ^
          V              |         |                ^
          V              +---------+                ^
    External Prefix          |eth0                  ^
    2001:db8:6666::/48       |                      ^
              --------------------------------------
              Internal Prefix = fd03:c03a:ecab::/48

                 Figure 3: Connecting two Peer Networks

   To that aim, the following configuration is provided to the NPTv6
   translator:

   [XML snippet; element names were lost in extraction.  Surviving
   values, in order: 1, fd03:c03a:ecab::/48, 2001:db8:1::/48, eth1; 2,
   fda8:d5cb:14f3::/48, 2001:db8:6666::/48, eth0]

Authors' Addresses

   Mohamed Boucadair (editor)
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com


   Christian Jacquenet
   Orange
   Rennes 35000
   France

   Email: christian.jacquenet@orange.com


   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA

   Email: sureshk@juniper.net


   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu 210012
   China

   Email: bill.wu@huawei.com