Network Working Group                                   M. Boucadair, Ed.
Internet-Draft                                                     Orange
Intended status: Standards Track                             S. Sivakumar
Expires: March 31, 2019                                     Cisco Systems
                                                             C. Jacquenet
                                                                   Orange
                                                            S. Vinapamula
                                                         Juniper Networks
                                                                    Q. Wu
                                                                   Huawei
                                                       September 27, 2018

   A YANG Module for Network Address Translation (NAT) and Network Prefix
                             Translation (NPT)
                      draft-ietf-opsawg-nat-yang-17

Abstract

   This document defines a YANG module for the Network Address
   Translation (NAT) function.

   Network Address Translation from IPv4 to IPv4 (NAT44), Network
   Address and Protocol Translation from IPv6 Clients to IPv4 Servers
   (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
   Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
   Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and
   Destination NAT are covered in this document.

Editorial Note (To be removed by RFC Editor)

   Please update these statements within the document with the RFC
   number to be assigned to this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
   Network Prefix Translation (NPT)"

   "reference: RFC XXXX"

   Please update the "revision" date of the YANG module.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 31, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various Translation Flavors
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface
     2.11. Relationship to NATV2-MIB
     2.12. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  Carrier Grade NAT (CGN)
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Stateless IP/ICMP Translation (SIIT)
     A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation
           (EAM SIIT)
     A.7.  Static Mappings with Port Ranges
     A.8.  Static Mappings with IP Prefixes
     A.9.  Destination NAT
     A.10. Customer-side Translator (CLAT)
     A.11. IPv6 Network Prefix Translation (NPTv6)
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].
   Unlike traditional NAT, the CGN is used to optimize the usage of
   global IP address space at the scale of a domain: a CGN is not
   managed by end users, but by service providers instead.  This
   document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], IPv6 Network Prefix Translation (NPTv6) [RFC6296], and
   Destination NAT.  The full set of translation schemes that are in
   scope is included in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic Network Address Translation from IPv4 to IPv4 (NAT44):
      translation is limited to IP addresses alone (Section 2.1 of
      [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: is a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].
   o  Internal Host: A host that may need to use a translation
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a translator
      to an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the translator that is necessary for
      network address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The usage of the term NAT in this document refers to any translation
   flavor (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and
   [RFC6146] for NAT64.

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).  The meaning of the symbols in tree
   diagrams is defined in [RFC8340].

2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing by
   explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are
   out of scope.
   As a reminder, REQ-9 of [RFC6888] requires that a CGN must implement
   a protocol giving subscribers explicit control over NAT mappings;
   that protocol should be the Port Control Protocol [RFC6887].

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance.  Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module does not provide any method to instruct a NAT
   function to enable the logging feature or to specify the information
   to be logged for administrative or regulatory reasons (Section 2.3 of
   [RFC6908] and REQ-12 of [RFC6888]).  Those considerations are out of
   the scope of this document.

2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44
   o  NAPT
   o  Destination NAT
   o  Port-restricted NAT
   o  Stateful NAT64 (including with destination-based Pref64::/n
      [RFC7050])
   o  SIIT
   o  CLAT
   o  EAM
   o  NPTv6
   o  Combination of Basic NAT/NAPT and Destination NAT
   o  Combination of port-restricted and Destination NAT
   o  Combination of NAT64 and EAM
   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists defined features:

   +---------------------------------+--------------+
   | Translation Mode                | YANG Feature |
   +---------------------------------+--------------+
   | Basic NAT44                     | basic-nat44  |
   | NAPT                            | napt44       |
   | Destination NAT                 | dst-nat      |
   | Stateful NAT64                  | nat64        |
   | Stateless IPv4/IPv6 translation | siit         |
   | CLAT                            | clat         |
   | EAM                             | eam          |
   | NPTv6                           | nptv6        |
   +---------------------------------+--------------+

                    Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).

   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.

   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).

   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.
   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes if,
      in addition to appropriately setting the parameter (nat64-
      prefixes/stateless-enable), an external IPv4 address pool is
      configured.

   The NAT YANG module provides a method to retrieve the capabilities of
   a NAT instance (including the list of supported translation modes,
   the list of supported protocols, port restriction support status,
   supported NAT mapping types, supported NAT filtering types, port
   range allocation support status, port parity preservation support
   status, port preservation support status, and the behavior for
   handling fragments (all, out-of-order, in-order)).

2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  Concretely, the module allows the operator to enable
   translation for other transport protocols when required
   (/nat/instances/instance/policy/transport-protocols).  Moreover, the
   mapping table is designed so that it can indicate any transport
   protocol.  For example, this module may be used to manage a DCCP-
   capable NAT that adheres to [RFC5597].

   Future extensions may be needed to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].
   Typically, the mapping entry can be extended to record two optional
   SCTP-specific parameters: Internal Verification Tag (Int-VTag) and
   External Verification Tag (Ext-VTag).

   This document only specifies transport protocol specific timers for
   UDP, TCP, and ICMP.  While some timers could potentially be
   generalized for other connection-oriented protocols, this document
   does not follow such an approach because there is no standard
   document specifying such generic behavior.  Future documents may be
   edited to clarify how to reuse TCP-specific timers when needed.

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of IP external addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888] which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for external-
   ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per session basis), but this port allocation
   scheme may not be optimal for logging purposes (Section 12 of
   [RFC6269]).  A NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both allocation schemes are supported in the NAT YANG
   module.
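   Port-set assignment in working code, as an added example that is not
   part of the draft: it computes the restricted port set for both
   port-set-restrict schemes of Section 2.7 (a simple start/end range,
   and the RFC 7597 PSID algorithm behind the psid-offset, psid-len and
   psid nodes of the module tree) and then carves that set into blocks of
   port-set-size ports, the unit a port-range-allocation NAT hands out
   and logs.  The rule that a block never straddles a gap in the
   restricted set is an assumption of this example, not a statement of
   the module.

```python
"""Port sets for ietf-nat: port-set-restrict (Section 2.7) and port-set-size
(Section 2.6).  Added example, not code from draft-ietf-opsawg-nat-yang."""
from typing import List, Optional, Tuple


def range_port_set(start_port_number: int, end_port_number: int) -> List[int]:
    """'port-range' case: every port from start-port-number to end-port-number."""
    if not 0 <= start_port_number <= end_port_number <= 65535:
        raise ValueError("invalid port range")
    return list(range(start_port_number, end_port_number + 1))


def psid_port_set(psid_offset: int, psid_len: int, psid: int) -> List[int]:
    """'port-set-algo' case, per the port mapping algorithm of RFC 7597.

    A 16-bit port is laid out as  A (psid_offset bits) | PSID (psid_len bits) | M,
    and one subscriber owns every port whose PSID bits equal `psid`.  When
    psid_offset > 0, A == 0 is excluded so that the system ports
    0 .. 2^(16-psid_offset)-1 are never handed to a subscriber.
    """
    m_bits = 16 - psid_offset - psid_len
    if psid_offset < 0 or psid_len < 0 or m_bits < 0 or psid >= (1 << psid_len):
        raise ValueError("inconsistent psid-offset / psid-len / psid")
    first_a = 1 if psid_offset > 0 else 0
    ports: List[int] = []
    for a in range(first_a, 1 << psid_offset):
        base = (a << (16 - psid_offset)) | (psid << m_bits)
        ports.extend(range(base, base + (1 << m_bits)))  # one run of 2^M ports
    return ports


def port_in_psid_set(port: int, psid_offset: int, psid_len: int, psid: int) -> bool:
    """Membership test without enumeration: the check a translator applies to
    an external source port before using it for a port-restricted subscriber."""
    m_bits = 16 - psid_offset - psid_len
    if psid_offset > 0 and (port >> (16 - psid_offset)) == 0:
        return False  # A == 0: system ports are excluded
    return (port >> m_bits) & ((1 << psid_len) - 1) == psid


def carve_port_sets(allowed_ports: List[int], port_set_size: int) -> List[Tuple[int, int]]:
    """Split a sorted list of allowed ports into contiguous blocks of exactly
    port_set_size ports.  Blocks never straddle a gap in the restricted set, so
    a port-set-size larger than the contiguous runs of the PSID layout (2^M)
    yields no usable block at all; that is the edge case an operator must check."""
    sets: List[Tuple[int, int]] = []
    run_start: Optional[int] = None
    run_len = 0
    prev: Optional[int] = None
    for p in allowed_ports:
        if run_len == 0 or p != prev + 1:
            run_start, run_len = p, 1  # start a new candidate block
        else:
            run_len += 1
        if run_len == port_set_size:
            sets.append((run_start, p))
            run_len = 0  # block complete; the next port opens a new one
        prev = p
    return sets


if __name__ == "__main__":
    # Constructed parameters: 6 offset bits, 4 PSID bits, subscriber PSID 5.
    restricted = psid_port_set(6, 4, 5)
    print(len(restricted), "ports, first", restricted[0], "last", restricted[-1])
    print(len(carve_port_sets(restricted, 64)), "blocks of 64,",
          len(carve_port_sets(restricted, 100)), "blocks of 100")
```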
   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs restrict the source port numbers (e.g., Lightweight 4over6
   [RFC7596], MAP-E [RFC7597]).  Two schemes of port set assignments
   (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.

2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   following information:

   (internal-src-address, internal-src-port) (internal-dst-address,
   internal-dst-port) <=> (external-src-address, external-src-port)
   (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

   (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
   identifier) <=> (external-src-address, external-dst-address,
   external ICMP/ICMPv6 identifier)

   As a reminder, all the ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as used
      by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.
   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix as
      used by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors, the NAT mapping
   structure allows for the inclusion of an IPv4 or an IPv6 address as
   an internal IP address.  Remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2.  This example
   assumes EDM (Endpoint-Dependent Mapping).
   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                 Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is depicted in Table 3.  This
   example assumes EIM (Endpoint-Independent Mapping).

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

               Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.
   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

               Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  Particularly:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].

2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limits and connection-limits).  According to
   [RFC6888], the module is designed to allow for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.
   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings or be translated because they match existing
   mappings, are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mappings and limit-   |
   |                   | port-mappings).  Also, limits specific to     |
   |                   | protocols (e.g., TCP, UDP, ICMP) can be       |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified.  Rate-limiting can be       |
   |                   | enforced per subscriber (limit-subscriber),   |
   |                   | per NAT instance (limit-per-instance), and/or |
   |                   | be specified for each supported protocol      |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+

                          Table 5: NAT Limits

   Table 6 describes limits that, once exceeded, will trigger
   notifications to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a nat- |
   |                          | instance-event will be generated.      |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a nat-       |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                    Table 6: Notification Thresholds

   In order to prevent a NAT implementation from generating frequent
   notifications, the NAT YANG module supports the following limits
   (Table 7) used to control how frequently notifications can be
   generated.  That is, notifications are subject to rate-limiting
   imposed by these intervals.

   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   +-------------------------------------+-----------------------------+
   | notify-pool-usage/notify-interval   | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a given address pool.   |
   +-------------------------------------+-----------------------------+
   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                    Table 7: Notification Intervals

2.10.  Binding the NAT Function to an External Interface

   The module is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm [RFC8343], but the
   module is extensible so that other choices can be indicated in the
   future (e.g., Virtual Routing and Forwarding (VRF) instance).
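   The mapping-entry structure of Section 2.8 together with the
   port-quota limit of Section 2.9, as an added example that is neither
   the draft's code nor any NAT product's: it rebuilds the entries of
   Tables 2 to 4 from the packets that trigger them (EDM keeps the
   destination attributes, EIM omits them) and drops the packet whose
   new mapping would exceed the subscriber's quota.  The one-address
   external pool, the sequential port allocator, treating the internal
   source address as the subscriber, and the /96 nat64-prefix layout
   used to recover the IPv4 destination are assumptions of this example.

```python
"""Mapping entries (Section 2.8) with port-quota enforcement (Section 2.9).
Added example, not code from draft-ietf-opsawg-nat-yang."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ICMP, TCP, ICMPV6 = 1, 6, 58  # transport-protocol values as used in Tables 2 to 4


@dataclass(frozen=True)
class MappingEntry:
    """One mapping-table row carrying the attributes Section 2.8 lists."""
    type: str
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int                       # port number, or ICMP identifier
    external_src_address: str
    external_src_port: int                       # port number, or ICMP identifier
    internal_dst_address: Optional[str] = None   # destination attributes are
    internal_dst_port: Optional[int] = None      # recorded for EDM (Table 2);
    external_dst_address: Optional[str] = None   # the EIM entries of Tables 3
    external_dst_port: Optional[int] = None      # and 4 leave them out


class StatefulNat:
    """Minimal NAT44/NAT64 mapping table, constructed for this example."""

    def __init__(self, external_address: str, port_quota: int,
                 mapping_type: str = "eim", nat64_prefix: Optional[str] = None):
        self.external_address = external_address  # assumption: one-address pool
        self.port_quota = port_quota              # external ports per subscriber
        self.mapping_type = mapping_type          # "eim" or "edm"
        self.nat64_prefix = ipaddress.ip_network(nat64_prefix) if nat64_prefix else None
        self.table: Dict[Tuple, MappingEntry] = {}
        self._next_port = 1024                    # assumption: sequential allocator
        self.dropped = 0

    def translate_dst(self, addr: str) -> str:
        """NAT64: recover the IPv4 address embedded in the low 32 bits of an
        IPv6 destination under nat64-prefix (assumed /96 layout); an IPv4
        destination (NAT44) is returned unchanged."""
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and self.nat64_prefix is not None and ip in self.nat64_prefix:
            return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
        return str(ip)

    def _key(self, proto, src, sport, dst, dport) -> Tuple:
        # EIM: one external port serves every destination of (src, sport).
        # EDM: the mapping is bound to the remote endpoint as well.
        if self.mapping_type == "edm":
            return (proto, src, sport, dst, dport)
        return (proto, src, sport)

    def ports_used(self, internal_src: str) -> int:
        """Distinct external ports/identifiers held by one subscriber; the
        subscriber is identified by its internal address (a simplification
        of the module's subscriber-match)."""
        return len({e.external_src_port for e in self.table.values()
                    if e.internal_src_address == internal_src})

    def process_packet(self, proto: int, src: str, sport: int,
                       dst: str, dport: Optional[int]) -> Optional[MappingEntry]:
        """Return the entry the packet matches or creates; None means the packet
        was dropped because a new mapping would exceed the port-quota."""
        key = self._key(proto, src, sport, dst, dport)
        if key in self.table:
            return self.table[key]
        if self.ports_used(src) >= self.port_quota:
            self.dropped += 1
            return None
        ext_port = self._next_port
        self._next_port += 1
        entry = MappingEntry(type="dynamic implicit mapping", transport_protocol=proto,
                             internal_src_address=src, internal_src_port=sport,
                             external_src_address=self.external_address,
                             external_src_port=ext_port)
        if self.mapping_type == "edm":
            entry = replace(entry, internal_dst_address=dst, internal_dst_port=dport,
                            external_dst_address=self.translate_dst(dst),
                            external_dst_port=dport)
        self.table[key] = entry
        return entry


if __name__ == "__main__":
    # The Table 2 scenario: TCP SYN through an EDM NAT64 (external address constructed).
    nat64 = StatefulNat("192.0.2.1", port_quota=2, mapping_type="edm",
                        nat64_prefix="2001:db8:1234::/96")
    print(nat64.process_packet(TCP, "2001:db8:aaaa::1", 25636,
                               "2001:db8:1234::198.51.100.1", 8080))
```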
664 Distinct external realms can be provided as a function of the NAT 665 policy (see for example, Section 4 of [RFC7289]). 667 If no external realm is provided, this assumes that the system is 668 able to determine the external interface (VRF instance, etc.) on 669 which the NAT will be applied. Typically, the WAN and LAN interfaces 670 of a CPE are determined by the CPE. 672 2.11. Relationship to NATV2-MIB 674 Section of 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that 675 the following information is configured on the NAT by some means, not 676 specified in [RFC7659]: 678 o The set of address realms to which the device connect. 680 o For the CGN case, per-subscriber information including subscriber 681 index, address realm, assigned prefix or address, and (possibly) 682 policies regarding address pool selection in the various possible 683 address realms to which the subscriber may connect. 685 o The set of NAT instances running on the device, identified by NAT 686 instance index and name. 688 o The port mapping, filtering, pooling, and fragment behaviors for 689 each NAT instance. 691 o The set of protocols supported by each NAT instance. 693 o Address pools for each NAT instance, including for each pool the 694 pool index, address realm, and minimum and maximum port number. 696 o Static address and port mapping entries. 698 All the above parameters can be configured by means of the NAT YANG 699 module. 701 Unlike the NATV2-MIB, the NAT YANG module allows to configure 702 multiple policies per NAT instance. 704 2.12. Tree Structure 706 The tree structure of the NAT YANG module is provided below: 708 module: ietf-nat 709 +--rw nat 710 +--rw instances 711 +--rw instance* [id] 712 +--rw id uint32 713 +--rw name? string 714 +--rw enable? 
boolean 715 +--ro capabilities 716 | +--ro nat-flavor* 717 | | identityref 718 | +--ro per-interface-binding* 719 | | enumeration 720 | +--ro transport-protocols* [protocol-id] 721 | | +--ro protocol-id uint8 722 | | +--ro protocol-name? string 723 | +--ro restricted-port-support? 724 | | boolean 725 | +--ro static-mapping-support? 726 | | boolean 727 | +--ro port-randomization-support? 728 | | boolean 729 | +--ro port-range-allocation-support? 730 | | boolean 731 | +--ro port-preservation-suport? 732 | | boolean 733 | +--ro port-parity-preservation-support? 734 | | boolean 735 | +--ro address-roundrobin-support? 736 | | boolean 737 | +--ro paired-address-pooling-support? 738 | | boolean 739 | +--ro endpoint-independent-mapping-support? 740 | | boolean 741 | +--ro address-dependent-mapping-support? 742 | | boolean 743 | +--ro address-and-port-dependent-mapping-support? 744 | | boolean 745 | +--ro endpoint-independent-filtering-support? 746 | | boolean 747 | +--ro address-dependent-filtering? 748 | | boolean 749 | +--ro address-and-port-dependent-filtering? 750 | | boolean 751 | +--ro fragment-behavior? 752 | enumeration 753 +--rw type? identityref 754 +--rw per-interface-binding? enumeration 755 +--rw nat-pass-through* [id] 756 | {basic-nat44 or napt44 or dst-nat}? 757 | +--rw id uint32 758 | +--rw prefix inet:ip-prefix 759 | +--rw port? inet:port-number 760 +--rw policy* [id] 761 | +--rw id uint32 762 | +--rw clat-parameters {clat}? 763 | | +--rw clat-ipv6-prefixes* [ipv6-prefix] 764 | | | +--rw ipv6-prefix inet:ipv6-prefix 765 | | +--rw ipv4-prefixes* [ipv4-prefix] 766 | | +--rw ipv4-prefix inet:ipv4-prefix 767 | +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}? 768 | | +--rw internal-ipv6-prefix inet:ipv6-prefix 769 | | +--rw external-ipv6-prefix inet:ipv6-prefix 770 | +--rw eam* [ipv4-prefix] {eam}? 
771 | | +--rw ipv4-prefix inet:ipv4-prefix 772 | | +--rw ipv6-prefix inet:ipv6-prefix 773 | +--rw nat64-prefixes* [nat64-prefix] 774 | | {siit or nat64 or clat}? 775 | | +--rw nat64-prefix inet:ipv6-prefix 776 | | +--rw destination-ipv4-prefix* [ipv4-prefix] 777 | | | +--rw ipv4-prefix inet:ipv4-prefix 778 | | +--rw stateless-enable? boolean 779 | +--rw external-ip-address-pool* [pool-id] 780 | | {basic-nat44 or napt44 or nat64}? 781 | | +--rw pool-id uint32 782 | | +--rw external-ip-pool inet:ipv4-prefix 783 | +--rw port-set-restrict {napt44 or nat64}? 784 | | +--rw (port-type)? 785 | | +--:(port-range) 786 | | | +--rw start-port-number? inet:port-number 787 | | | +--rw end-port-number? inet:port-number 788 | | +--:(port-set-algo) 789 | | +--rw psid-offset? uint8 790 | | +--rw psid-len uint8 791 | | +--rw psid uint16 792 | +--rw dst-nat-enable? boolean 793 | | {basic-nat44 or napt44}? 794 | +--rw dst-ip-address-pool* [pool-id] {dst-nat}? 795 | | +--rw pool-id uint32 796 | | +--rw dst-in-ip-pool? inet:ip-prefix 797 | | +--rw dst-out-ip-pool inet:ip-prefix 798 | +--rw transport-protocols* [protocol-id] 799 | | {napt44 or nat64 or dst-nat}? 800 | | +--rw protocol-id uint8 801 | | +--rw protocol-name? string 802 | +--rw subscriber-mask-v6? uint8 803 | +--rw subscriber-match* [match-id] 804 | | {basic-nat44 or napt44 or dst-nat}? 805 | | +--rw match-id uint32 806 | | +--rw subnet inet:ip-prefix 807 | +--rw address-allocation-type? enumeration 808 | +--rw port-allocation-type? enumeration 809 | | {napt44 or nat64}? 810 | +--rw mapping-type? enumeration 811 | | {napt44 or nat64}? 812 | +--rw filtering-type? enumeration 813 | | {napt44 or nat64}? 814 | +--rw fragment-behavior? enumeration 815 | | {napt44 or nat64}? 816 | +--rw port-quota* [quota-type] {napt44 or nat64}? 817 | | +--rw port-limit? uint16 818 | | +--rw quota-type uint8 819 | +--rw port-set {napt44 or nat64}? 820 | | +--rw port-set-size uint16 821 | | +--rw port-set-timeout? 
uint32 822 | +--rw timers {napt44 or nat64}? 823 | | +--rw udp-timeout? uint32 824 | | +--rw tcp-idle-timeout? uint32 825 | | +--rw tcp-trans-open-timeout? uint32 826 | | +--rw tcp-trans-close-timeout? uint32 827 | | +--rw tcp-in-syn-timeout? uint32 828 | | +--rw fragment-min-timeout? uint32 829 | | +--rw icmp-timeout? uint32 830 | | +--rw per-port-timeout* [port-number] 831 | | | +--rw port-number inet:port-number 832 | | | +--rw protocol? uint32 833 | | | +--rw timeout uint32 834 | | +--rw hold-down-timeout? uint32 835 | | +--rw hold-down-max? uint32 836 | +--rw fragments-limit? uint32 837 | +--rw algs* [name] 838 | | +--rw name string 839 | | +--rw transport-protocol? uint32 840 | | +--rw dst-transport-port 841 | | | +--rw start-port-number? inet:port-number 842 | | | +--rw end-port-number? inet:port-number 843 | | +--rw src-transport-port 844 | | | +--rw start-port-number? inet:port-number 845 | | | +--rw end-port-number? inet:port-number 846 | | +--rw status? boolean 847 | +--rw all-algs-enable? boolean 848 | +--rw notify-pool-usage 849 | | {basic-nat44 or napt44 or nat64}? 850 | | +--rw pool-id? uint32 851 | | +--rw low-threshold? percent 852 | | +--rw high-threshold? percent 853 | | +--rw notify-interval? uint32 854 | +--rw external-realm 855 | +--rw (realm-type)? 856 | +--:(interface) 857 | +--rw external-interface? if:interface-ref 858 +--rw mapping-limits {napt44 or nat64}? 859 | +--rw limit-subscribers? uint32 860 | +--rw limit-address-mappings? uint32 861 | +--rw limit-port-mappings? uint32 862 | +--rw limit-per-protocol* [protocol-id] 863 | {napt44 or nat64 or dst-nat}? 864 | +--rw protocol-id uint8 865 | +--rw limit? uint32 866 +--rw connection-limits 867 | {basic-nat44 or napt44 or nat64}? 868 | +--rw limit-per-subscriber? uint32 869 | +--rw limit-per-instance? uint32 870 | +--rw limit-per-protocol* [protocol-id] 871 | {napt44 or nat64}? 872 | +--rw protocol-id uint8 873 | +--rw limit? uint32 874 +--rw notification-limits 875 | +--rw notify-interval? 
uint32 876 | | {basic-nat44 or napt44 or nat64}? 877 | +--rw notify-addresses-usage? percent 878 | | {basic-nat44 or napt44 or nat64}? 879 | +--rw notify-ports-usage? percent 880 | | {napt44 or nat64}? 881 | +--rw notify-subscribers-limit? uint32 882 | {basic-nat44 or napt44 or nat64}? 883 +--rw mapping-table 884 | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? 885 | +--rw mapping-entry* [index] 886 | +--rw index uint32 887 | +--rw type? enumeration 888 | +--rw transport-protocol? uint8 889 | +--rw internal-src-address? inet:ip-prefix 890 | +--rw internal-src-port 891 | | +--rw start-port-number? inet:port-number 892 | | +--rw end-port-number? inet:port-number 893 | +--rw external-src-address? inet:ip-prefix 894 | +--rw external-src-port 895 | | +--rw start-port-number? inet:port-number 896 | | +--rw end-port-number? inet:port-number 897 | +--rw internal-dst-address? inet:ip-prefix 898 | +--rw internal-dst-port 899 | | +--rw start-port-number? inet:port-number 900 | | +--rw end-port-number? inet:port-number 901 | +--rw external-dst-address? inet:ip-prefix 902 | +--rw external-dst-port 903 | | +--rw start-port-number? inet:port-number 904 | | +--rw end-port-number? inet:port-number 905 | +--rw lifetime? uint32 906 +--ro statistics 907 +--ro discontinuity-time yang:date-and-time 908 +--ro traffic-statistics 909 | +--ro sent-packets? 910 | | yang:zero-based-counter64 911 | +--ro sent-bytes? 912 | | yang:zero-based-counter64 913 | +--ro rcvd-packets? 914 | | yang:zero-based-counter64 915 | +--ro rcvd-bytes? 916 | | yang:zero-based-counter64 917 | +--ro dropped-packets? 918 | | yang:zero-based-counter64 919 | +--ro dropped-bytes? 920 | | yang:zero-based-counter64 921 | +--ro dropped-fragments? 922 | | yang:zero-based-counter64 923 | | {napt44 or nat64}? 924 | +--ro dropped-address-limit-packets? 925 | | yang:zero-based-counter64 926 | | {basic-nat44 or napt44 or nat64}? 927 | +--ro dropped-address-limit-bytes? 
928 | | yang:zero-based-counter64 929 | | {basic-nat44 or napt44 or nat64}? 930 | +--ro dropped-address-packets? 931 | | yang:zero-based-counter64 932 | | {basic-nat44 or napt44 or nat64}? 933 | +--ro dropped-address-bytes? 934 | | yang:zero-based-counter64 935 | | {basic-nat44 or napt44 or nat64}? 936 | +--ro dropped-port-limit-packets? 937 | | yang:zero-based-counter64 938 | | {napt44 or nat64}? 939 | +--ro dropped-port-limit-bytes? 940 | | yang:zero-based-counter64 941 | | {napt44 or nat64}? 942 | +--ro dropped-port-packets? 943 | | yang:zero-based-counter64 944 | | {napt44 or nat64}? 945 | +--ro dropped-port-bytes? 946 | | yang:zero-based-counter64 947 | | {napt44 or nat64}? 948 | +--ro dropped-subscriber-limit-packets? 949 | | yang:zero-based-counter64 950 | | {basic-nat44 or napt44 or nat64}? 951 | +--ro dropped-subscriber-limit-bytes? 952 | yang:zero-based-counter64 953 | {basic-nat44 or napt44 or nat64}? 954 +--ro mappings-statistics 955 | +--ro total-active-subscribers? yang:gauge32 956 | | {basic-nat44 or napt44 or nat64}? 957 | +--ro total-address-mappings? yang:gauge32 958 | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? 959 | +--ro total-port-mappings? yang:gauge32 960 | | {napt44 or nat64}? 961 | +--ro total-per-protocol* [protocol-id] 962 | {napt44 or nat64}? 963 | +--ro protocol-id uint8 964 | +--ro total? yang:gauge32 965 +--ro pools-stats {basic-nat44 or napt44 or nat64}? 966 +--ro addresses-allocated? yang:gauge32 967 +--ro addresses-free? yang:gauge32 968 +--ro ports-stats {napt44 or nat64}? 969 | +--ro ports-allocated? yang:gauge32 970 | +--ro ports-free? yang:gauge32 971 +--ro per-pool-stats* [pool-id] 972 | {basic-nat44 or napt44 or nat64}? 973 +--ro pool-id uint32 974 +--ro discontinuity-time yang:date-and-time 975 +--ro pool-stats 976 | +--ro addresses-allocated? yang:gauge32 977 | +--ro addresses-free? yang:gauge32 978 +--ro port-stats {napt44 or nat64}? 979 +--ro ports-allocated? yang:gauge32 980 +--ro ports-free? 
                            yang:gauge32

   notifications:
     +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
     |  +--ro id                      -> /nat/instances/instance/id
     |  +--ro policy-id?
     |  |       -> /nat/instances/instance/policy/id
     |  +--ro pool-id
     |  |       -> /nat/instances/instance/policy/
     |  |            external-ip-address-pool/pool-id
     |  +--ro notify-pool-threshold   percent
     +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
        +--ro id
        |       -> /nat/instances/instance/id
        +--ro notify-subscribers-threshold?   uint32
        +--ro notify-addresses-threshold?     percent
        +--ro notify-ports-threshold?         percent

3.  NAT YANG Module

   <CODE BEGINS> file "ietf-nat@2018-09-27.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     prefix "nat";

     import ietf-inet-types {
       prefix inet;
       reference
         "Section 4 of RFC 6991";
     }

     import ietf-yang-types {
       prefix yang;
       reference
         "Section 3 of RFC 6991";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }

     organization
       "IETF OPSAWG (Operations and Management Area Working Group)";

     contact
       "WG Web:
        WG List:

        Editor: Mohamed Boucadair

        Author: Senthil Sivakumar

        Author: Christian Jacquenet

        Author: Suresh Vinapamula

        Author: Qin Wu
        ";

     description
       "This module is a YANG module for NAT implementations.

        NAT44, Network Address and Protocol Translation from IPv6
        Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
        Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
        for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network
        Prefix Translation (NPTv6), and Destination NAT are covered.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
1061 Redistribution and use in source and binary forms, with or 1062 without modification, is permitted pursuant to, and subject 1063 to the license terms contained in, the Simplified BSD License 1064 set forth in Section 4.c of the IETF Trust's Legal Provisions 1065 Relating to IETF Documents 1066 (http://trustee.ietf.org/license-info). 1068 This version of this YANG module is part of RFC XXXX; see 1069 the RFC itself for full legal notices."; 1071 revision 2018-09-27 { 1072 description 1073 "Initial revision."; 1074 reference 1075 "RFC XXXX: A YANG Module for Network Address Translation 1076 (NAT) and Network Prefix Translation (NPT)"; 1077 } 1079 /* 1080 * Definitions 1081 */ 1083 typedef percent { 1084 type uint8 { 1085 range "0 .. 100"; 1086 } 1087 description 1088 "Percentage"; 1089 } 1091 /* 1092 * Features 1093 */ 1095 feature basic-nat44{ 1096 description 1097 "Basic NAT44 translation is limited to IP addresses alone."; 1098 reference 1099 "RFC 3022: Traditional IP Network Address Translator 1100 (Traditional NAT)"; 1101 } 1103 feature napt44 { 1104 description 1105 "Network Address/Port Translator (NAPT): translation is 1106 extended to include IP addresses and transport identifiers 1107 (such as a TCP/UDP port or ICMP query ID). 1109 If the internal IP address is not sufficient to uniquely 1110 disambiguate NAPT44 mappings, an additional attribute is 1111 required. For example, that additional attribute may 1112 be an IPv6 address (a.k.a., DS-Lite) or 1113 a Layer 2 identifier (a.k.a., Per-Interface NAT)"; 1114 reference 1115 "RFC 3022: Traditional IP Network Address Translator 1116 (Traditional NAT)"; 1117 } 1119 feature dst-nat { 1120 description 1121 "Destination NAT is a translation that acts on the destination 1122 IP address and/or destination port number. 
This flavor is 1123 usually deployed in load balancers or at devices 1124 in front of public servers."; 1125 } 1127 feature nat64 { 1128 description 1129 "NAT64 translation allows IPv6-only clients to contact IPv4 1130 servers using, e.g., UDP, TCP, or ICMP. One or more 1131 public IPv4 addresses assigned to a NAT64 translator are 1132 shared among several IPv6-only clients."; 1133 reference 1134 "RFC 6146: Stateful NAT64: Network Address and Protocol 1135 Translation from IPv6 Clients to IPv4 Servers"; 1136 } 1138 feature siit { 1139 description 1140 "The Stateless IP/ICMP Translation Algorithm (SIIT), which 1141 translates between IPv4 and IPv6 packet headers (including 1142 ICMP headers). 1144 In the stateless mode, an IP/ICMP translator converts IPv4 1145 addresses to IPv6 and vice versa solely based on the 1146 configuration of the stateless IP/ICMP translator and 1147 information contained within the packet being translated. 1149 The translator must support the stateless address mapping 1150 algorithm defined in RFC6052, which is the default behavior."; 1151 reference 1152 "RFC 7915: IP/ICMP Translation Algorithm"; 1153 } 1155 feature clat { 1156 description 1157 "CLAT is customer-side translator that algorithmically 1158 translates 1:1 private IPv4 addresses to global IPv6 addresses, 1159 and vice versa. 
1161 When a dedicated /64 prefix is not available for translation 1162 from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN 1163 packets so that all the LAN-originated IPv4 packets appear 1164 from a single IPv4 address and are then statelessly translated 1165 to one interface IPv6 address that is claimed by the CLAT via 1166 the Neighbor Discovery Protocol (NDP) and defended with 1167 Duplicate Address Detection."; 1169 reference 1170 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1171 Translation"; 1172 } 1174 feature eam { 1175 description 1176 "Explicit Address Mapping (EAM) is a bidirectional coupling 1177 between an IPv4 Prefix and an IPv6 Prefix."; 1178 reference 1179 "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP 1180 Translation"; 1181 } 1183 feature nptv6 { 1184 description 1185 "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 1186 prefix translation."; 1187 reference 1188 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1189 } 1191 /* 1192 * Identities 1193 */ 1195 identity nat-type { 1196 description 1197 "Base identity for nat type."; 1198 } 1200 identity basic-nat44 { 1201 base nat:nat-type; 1202 description 1203 "Identity for Basic NAT support."; 1204 reference 1205 "RFC 3022: Traditional IP Network Address Translator 1206 (Traditional NAT)"; 1207 } 1209 identity napt44 { 1210 base nat:nat-type; 1211 description 1212 "Identity for NAPT support."; 1213 reference 1214 "RFC 3022: Traditional IP Network Address Translator 1215 (Traditional NAT)"; 1216 } 1217 identity dst-nat { 1218 base nat:nat-type; 1219 description 1220 "Identity for Destination NAT support."; 1221 } 1223 identity nat64 { 1224 base nat:nat-type; 1225 description 1226 "Identity for NAT64 support."; 1227 reference 1228 "RFC 6146: Stateful NAT64: Network Address and Protocol 1229 Translation from IPv6 Clients to IPv4 Servers"; 1230 } 1232 identity siit { 1233 base nat:nat-type; 1234 description 1235 "Identity for SIIT support."; 1236 reference 1237 
"RFC 7915: IP/ICMP Translation Algorithm"; 1238 } 1240 identity clat { 1241 base nat:nat-type; 1242 description 1243 "Identity for CLAT support."; 1244 reference 1245 "RFC 6877: 464XLAT: Combination of Stateful and Stateless 1246 Translation"; 1247 } 1249 identity eam { 1250 base nat:nat-type; 1251 description 1252 "Identity for EAM support."; 1253 reference 1254 "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP 1255 Translation"; 1256 } 1258 identity nptv6 { 1259 base nat:nat-type; 1260 description 1261 "Identity for NPTv6 support."; 1262 reference 1263 "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; 1264 } 1266 /* 1267 * Grouping 1268 */ 1270 grouping port-number { 1271 description 1272 "An individual port number or a range of ports. 1273 When only start-port-number is present, 1274 it represents a single port number."; 1276 leaf start-port-number { 1277 type inet:port-number; 1278 description 1279 "Beginning of the port range."; 1280 reference 1281 "Section 3.2.9 of RFC 8045."; 1282 } 1284 leaf end-port-number { 1285 type inet:port-number; 1287 must ". >= ../start-port-number" 1288 { 1289 error-message 1290 "The end-port-number must be greater than or 1291 equal to start-port-number."; 1292 } 1293 description 1294 "End of the port range."; 1295 reference 1296 "Section 3.2.10 of RFC 8045."; 1297 } 1298 } 1300 grouping port-set { 1301 description 1302 "Indicates a set of port numbers. 1304 It may be a simple port range, or use the Port Set ID (PSID) 1305 algorithm to represent a range of transport layer 1306 port numbers which will be used by a NAPT."; 1308 choice port-type { 1309 default port-range; 1310 description 1311 "Port type: port-range or port-set-algo."; 1312 case port-range { 1313 uses port-number; 1315 } 1317 case port-set-algo { 1318 leaf psid-offset { 1319 type uint8 { 1320 range 0..15; 1321 } 1323 description 1324 "The number of offset bits (a.k.a., 'a' bits). 
              Specifies the numeric value for the excluded port
              range/offset bits.

              Allowed values are between 0 and 15.";
           reference
             "Section 5.1 of RFC 7597";
         }

         leaf psid-len {
           type uint8 {
             range 0..15;
           }
           mandatory true;
           description
             "The length of PSID, representing the sharing
              ratio for an IPv4 address.

              (also known as 'k').

              The address-sharing ratio would be 2^k.";
           reference
             "Section 5.1 of RFC 7597";
         }

         leaf psid {
           type uint16;
           mandatory true;
           description
             "Port Set Identifier (PSID) value, which
              identifies a set of ports algorithmically.";
           reference
             "Section 5.1 of RFC 7597";
         }
       }
       reference
         "RFC 7597: Mapping of Address and Port with
          Encapsulation (MAP-E)";
     }
   }

   grouping mapping-entry {
     description
       "NAT mapping entry.

        If an attribute is not stored in the mapping/session table,
        this means the corresponding field of a packet that
        matches this entry is not rewritten by the NAT or this
        information is not required for NAT filtering purposes.";

     leaf index {
       type uint32;
       description
         "A unique identifier of a mapping entry.  This identifier can be
          automatically assigned by the NAT instance or be explicitly
          configured.";
     }

     leaf type {
       type enumeration {
         enum "static" {
           description
             "The mapping entry is explicitly configured
              (e.g., via command-line interface).";
         }

         enum "dynamic-implicit" {
           description
             "This mapping is created implicitly as a side effect
              of processing a packet that requires a new mapping.";
         }

         enum "dynamic-explicit" {
           description
             "This mapping is created as a result of an explicit
              request, e.g., a PCP message.";
         }
       }
       description
         "Indicates the type of a mapping entry.
E.g., 1409 a mapping can be: static, implicit dynamic, 1410 or explicit dynamic."; 1412 } 1414 leaf transport-protocol { 1415 type uint8; 1416 description 1417 "Upper-layer protocol associated with this mapping. 1418 Values are taken from the IANA protocol registry:: 1419 https://www.iana.org/assignments/protocol-numbers/ 1420 protocol-numbers.xhtml 1422 For example, this field contains 6 for TCP, 1423 17 for UDP, 33 for DCCP, or 132 for SCTP. 1425 If this leaf is not instantiated, then the mapping 1426 applies to any protocol."; 1427 } 1429 leaf internal-src-address { 1430 type inet:ip-prefix; 1431 description 1432 "Corresponds to the source IPv4/IPv6 address/prefix 1433 of the packet received on an internal interface."; 1434 } 1436 container internal-src-port { 1437 description 1438 "Corresponds to the source port of the packet received 1439 on an internal interface. 1441 It is used also to indicate the internal source ICMP 1442 identifier. 1444 As a reminder, all the ICMP Query messages contain 1445 an 'Identifier' field, which is referred to in this 1446 document as the 'ICMP Identifier'."; 1448 uses port-number; 1449 } 1451 leaf external-src-address { 1452 type inet:ip-prefix; 1453 description 1454 "Source IP address/prefix of the packet sent on an 1455 external interface of the NAT."; 1456 } 1458 container external-src-port { 1459 description 1460 "Source port of the packet sent on an external 1461 interface of the NAT. 1463 It is used also to indicate the external source ICMP 1464 identifier."; 1466 uses port-number; 1467 } 1469 leaf internal-dst-address { 1470 type inet:ip-prefix; 1471 description 1472 "Corresponds to the destination IP address/prefix 1473 of the packet received on an internal interface 1474 of the NAT. 
1476 For example, some NAT implementations support 1477 the translation of both source and destination 1478 addresses and port numbers, sometimes referred to 1479 as 'Twice NAT'."; 1480 } 1482 container internal-dst-port { 1483 description 1484 "Corresponds to the destination port of the 1485 IP packet received on the internal interface. 1487 It is used also to include the internal 1488 destination ICMP identifier."; 1490 uses port-number; 1491 } 1493 leaf external-dst-address { 1494 type inet:ip-prefix; 1495 description 1496 "Corresponds to the destination IP address/prefix 1497 of the packet sent on an external interface 1498 of the NAT."; 1499 } 1501 container external-dst-port { 1502 description 1503 "Corresponds to the destination port number of 1504 the packet sent on the external interface 1505 of the NAT. 1507 It is used also to include the external 1508 destination ICMP identifier."; 1510 uses port-number; 1511 } 1513 leaf lifetime { 1514 type uint32; 1515 units "seconds"; 1516 description 1517 "When specified, it is used to track the connection that is 1518 fully-formed (e.g., once the three-way handshake 1519 TCP is completed) or the duration for maintaining 1520 an explicit mapping alive. The mapping entry will be 1521 removed by the NAT instance once this lifetime is expired. 1523 When reported in a get operation, the lifetime indicates 1524 the remaining validity lifetime. 1526 Static mappings may not be associated with a 1527 lifetime. If no lifetime is associated with a 1528 static mapping, an explicit action is required to 1529 remove that mapping."; 1530 } 1531 } 1533 /* 1534 * NAT Module 1535 */ 1537 container nat { 1538 description 1539 "NAT module"; 1541 container instances { 1542 description 1543 "NAT instances"; 1545 list instance { 1546 key "id"; 1548 description 1549 "A NAT instance. This identifier can be automatically assigned 1550 or explicitly configured."; 1552 leaf id { 1553 type uint32; 1554 must ". 
>= 1"; 1555 description 1556 "NAT instance identifier. 1558 The identifier must be greater than zero."; 1559 reference 1560 "RFC 7659: Definitions of Managed Objects for Network 1561 Address Translators (NATs)"; 1562 } 1564 leaf name { 1565 type string; 1566 description 1567 "A name associated with the NAT instance."; 1568 reference 1569 "RFC 7659: Definitions of Managed Objects for Network 1570 Address Translators (NATs)"; 1571 } 1573 leaf enable { 1574 type boolean; 1575 description 1576 "Status of the NAT instance."; 1577 } 1579 container capabilities { 1580 config false; 1582 description 1583 "NAT capabilities"; 1585 leaf-list nat-flavor { 1586 type identityref { 1587 base nat-type; 1588 } 1589 description 1590 "Supported translation type(s)."; 1591 } 1593 leaf-list per-interface-binding { 1594 type enumeration { 1595 enum "unsupported" { 1596 description 1597 "No capability to associate a NAT binding with 1598 an extra identifier."; 1599 } 1601 enum "layer-2" { 1602 description 1603 "The NAT instance is able to associate a mapping with 1604 a layer-2 identifier."; 1605 } 1607 enum "dslite" { 1608 description 1609 "The NAT instance is able to associate a mapping with 1610 an IPv6 address (a.k.a., DS-Lite)."; 1611 } 1612 } 1613 description 1614 "Indicates the capability of a NAT to associate a particular 1615 NAT session not only with the five tuples used for the 1616 transport connection on both sides of the NAT but also with 1617 the internal interface on which the user device is 1618 connected to the NAT."; 1619 reference 1620 "Section 4 of RFC 6619"; 1621 } 1623 list transport-protocols { 1624 key protocol-id; 1626 description 1627 "List of supported protocols."; 1629 leaf protocol-id { 1630 type uint8; 1631 mandatory true; 1632 description 1633 "Upper-layer protocol associated with a mapping. 1635 Values are taken from the IANA protocol registry. 
1637 For example, this field contains 6 for TCP, 1638 17 for UDP, 33 for DCCP, or 132 for SCTP."; 1639 } 1641 leaf protocol-name { 1642 type string; 1643 description 1644 "The name of the Upper-layer protocol associated 1645 with this mapping. 1647 For example, TCP, UDP, DCCP, and SCTP."; 1648 } 1649 } 1651 leaf restricted-port-support { 1652 type boolean; 1653 description 1654 "Indicates source port NAT restriction support."; 1655 reference 1656 "RFC 7596: Lightweight 4over6: An Extension to 1657 the Dual-Stack Lite Architecture."; 1658 } 1660 leaf static-mapping-support { 1661 type boolean; 1662 description 1663 "Indicates whether static mappings are supported."; 1664 } 1666 leaf port-randomization-support { 1667 type boolean; 1668 description 1669 "Indicates whether port randomization is supported."; 1670 reference 1671 "Section 4.2.1 of RFC 4787."; 1672 } 1674 leaf port-range-allocation-support { 1675 type boolean; 1676 description 1677 "Indicates whether port range allocation is supported."; 1678 reference 1679 "Section 1.1 of RFC 7753."; 1680 } 1682 leaf port-preservation-suport { 1683 type boolean; 1684 description 1685 "Indicates whether port preservation is supported."; 1686 reference 1687 "Section 4.2.1 of RFC 4787."; 1688 } 1690 leaf port-parity-preservation-support { 1691 type boolean; 1692 description 1693 "Indicates whether port parity preservation is 1694 supported."; 1695 reference 1696 "Section 8 of RFC 7857."; 1697 } 1699 leaf address-roundrobin-support { 1700 type boolean; 1701 description 1702 "Indicates whether address allocation round robin is 1703 supported."; 1704 } 1706 leaf paired-address-pooling-support { 1707 type boolean; 1708 description 1709 "Indicates whether paired-address-pooling is 1710 supported"; 1711 reference 1712 "REQ-2 of RFC 4787."; 1713 } 1715 leaf endpoint-independent-mapping-support { 1716 type boolean; 1717 description 1718 "Indicates whether endpoint-independent- 1719 mapping is supported."; 1720 reference 1721 
"Section 4 of RFC 4787."; 1722 } 1724 leaf address-dependent-mapping-support { 1725 type boolean; 1726 description 1727 "Indicates whether address-dependent-mapping is 1728 supported."; 1729 reference 1730 "Section 4 of RFC 4787."; 1731 } 1733 leaf address-and-port-dependent-mapping-support { 1734 type boolean; 1735 description 1736 "Indicates whether address-and-port-dependent-mapping is 1737 supported."; 1738 reference 1739 "Section 4 of RFC 4787."; 1740 } 1742 leaf endpoint-independent-filtering-support { 1743 type boolean; 1744 description 1745 "Indicates whether endpoint-independent-filtering is 1746 supported."; 1747 reference 1748 "Section 5 of RFC 4787."; 1749 } 1751 leaf address-dependent-filtering { 1752 type boolean; 1753 description 1754 "Indicates whether address-dependent-filtering is 1755 supported."; 1756 reference 1757 "Section 5 of RFC 4787."; 1758 } 1760 leaf address-and-port-dependent-filtering { 1761 type boolean; 1762 description 1763 "Indicates whether address-and-port-dependent is 1764 supported."; 1765 reference 1766 "Section 5 of RFC 4787."; 1767 } 1769 leaf fragment-behavior { 1770 type enumeration { 1771 enum "unsupported" { 1772 description 1773 "No capability to translate incoming fragments. 1774 All received fragments are dropped."; 1775 } 1777 enum "in-order" { 1778 description 1779 "The NAT instance is able to translate fragments only if 1780 they are received in order. That is, in particular the 1781 header is in the first packet. Fragments received 1782 out of order are dropped. "; 1783 } 1785 enum "out-of-order" { 1786 description 1787 "The NAT instance is able to translate a fragment even 1788 if it is received out of order. 
                   This behavior is recommended.";
                reference
                  "REQ-14 of RFC 4787";
              }
            }
            description
              "The fragment behavior is the NAT instance's capability to
               translate fragments received on the external interface of
               the NAT.";
          }
        }

        leaf type {
          type identityref {
            base nat-type;
          }
          description
            "Specify the translation type. Particularly useful when
             multiple translation flavors are supported.

             If one type is supported by a NAT, this parameter is by
             default set to that type.";
        }

        leaf per-interface-binding {
          type enumeration {
            enum "disabled" {
              description
                "Disable the capability to associate an extra identifier
                 with NAT mappings.";
            }

            enum "layer-2" {
              description
                "The NAT instance is able to associate a mapping with
                 a layer-2 identifier.";
            }

            enum "dslite" {
              description
                "The NAT instance is able to associate a mapping with
                 an IPv6 address (a.k.a., DS-Lite).";
            }
          }
          description
            "A NAT that associates a particular NAT session not only with
             the five tuples used for the transport connection on both
             sides of the NAT but also with the internal interface on
             which the user device is connected to the NAT.

             If supported, this mode of operation should be configurable,
             and it should be disabled by default in general-purpose NAT
             devices.

             If one single per-interface binding behavior is supported by
             a NAT, this parameter is by default set to that behavior.";
          reference
            "Section 4 of RFC 6619";
        }

        list nat-pass-through {
          if-feature "basic-nat44 or napt44 or dst-nat";
          key id;

          description
            "IP prefix NAT pass through.";

          leaf id {
            type uint32;
            description
              "An identifier of the IP prefix pass through.";
          }

          leaf prefix {
            type inet:ip-prefix;
            mandatory true;
            description
              "The IP addresses that match should not be translated.

               It must be possible to administratively turn
               off translation for specific destination addresses
               and/or ports.";
            reference
              "REQ#6 of RFC 6888.";
          }

          leaf port {
            type inet:port-number;
            description
              "It must be possible to administratively turn off
               translation for specific destination addresses
               and/or ports.

               If no prefix is defined, the NAT pass through bound
               to a given port applies for any destination address.";
            reference
              "REQ#6 of RFC 6888.";
          }
        }

        list policy {
          key id;
          description
            "NAT parameters for a given instance.";

          leaf id {
            type uint32;
            description
              "An identifier of the NAT policy. It must be unique
               within the NAT instance.";
          }

          container clat-parameters {
            if-feature clat;
            description
              "CLAT parameters.";

            list clat-ipv6-prefixes {
              key ipv6-prefix;
              description
                "464XLAT double translation treatment is stateless when a
                 dedicated /64 is available for translation on the CLAT.
                 Otherwise, the CLAT will have both stateful and stateless
                 since it requires NAT44 from the LAN to a single IPv4
                 address and then stateless translation to a single
                 IPv6 address.";
              reference
                "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                 Translation";

              leaf ipv6-prefix {
                type inet:ipv6-prefix;
                description
                  "An IPv6 prefix used for CLAT.";
              }
            }

            list ipv4-prefixes {
              key ipv4-prefix;
              description
                "Pool of IPv4 addresses used for CLAT.
                 192.0.0.0/29 is the IPv4 service continuity prefix.";
              reference
                "RFC 7335: IPv4 Service Continuity Prefix";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "464XLAT double translation treatment is
                   stateless when a dedicated /64 is available
                   for translation on the CLAT. Otherwise, the
                   CLAT will have both stateful and stateless
                   since it requires NAT44 from the LAN to
                   a single IPv4 address and then stateless
                   translation to a single IPv6 address.
                   The CLAT performs NAT44 for all IPv4 LAN
                   packets so that all the LAN-originated IPv4
                   packets appear from a single IPv4 address
                   and are then statelessly translated to one
                   interface IPv6 address that is claimed by
                   the CLAT.

                   An IPv4 address from this pool is also
                   provided to an application that makes
                   use of literals.";

                reference
                  "RFC 6877: 464XLAT: Combination of Stateful and Stateless
                   Translation";
              }
            }
          }

          list nptv6-prefixes {
            if-feature nptv6;
            key internal-ipv6-prefix;
            description
              "Provides one or a list of (internal IPv6 prefix,
               external IPv6 prefix) required for NPTv6.

               In its simplest form, NPTv6 interconnects two network
               links, one of which is an 'internal' network link
               attached to a leaf network within a single
               administrative domain and the other of which is an
               'external' network with connectivity to the global
               Internet.";
            reference
              "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";

            leaf internal-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by an internal interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }
            leaf external-ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "An IPv6 prefix used by the external interface of NPTv6.";
              reference
                "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
            }
          }

          list eam {
            if-feature eam;
            key ipv4-prefix;
            description
              "The Explicit Address Mapping Table, a conceptual
               table in which each row represents an EAM.

               Each EAM describes a mapping between IPv4 and IPv6
               prefixes/addresses.";
            reference
              "Section 3.1 of RFC 7757.";

            leaf ipv4-prefix {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "The IPv4 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }

            leaf ipv6-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "The IPv6 prefix of an EAM.";
              reference
                "Section 3.2 of RFC 7757.";
            }
          }

          list nat64-prefixes {
            if-feature "siit or nat64 or clat";
            key nat64-prefix;
            description
              "Provides one or a list of NAT64 prefixes
               with or without a list of destination IPv4 prefixes.
               It allows mapping IPv4 address ranges to IPv6 prefixes.

               For example:
               192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
               198.51.100.0/24 is mapped to 2001:db8:122::/48.";
            reference
              "Section 5.1 of RFC 7050.";

            leaf nat64-prefix {
              type inet:ipv6-prefix;
              mandatory true;
              description
                "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
                 Well-Known Prefix (WKP).

                 Organizations deploying stateless IPv4/IPv6 translation
                 should assign a Network-Specific Prefix to their
                 IPv4/IPv6 translation service.

                 For stateless NAT64, IPv4-translatable IPv6 addresses
                 must use the selected Network-Specific Prefix.

                 Both IPv4-translatable IPv6 addresses and IPv4-converted
                 IPv6 addresses should use the same prefix.";
              reference
                "Sections 3.3 and 3.4 of RFC 6052.";
            }

            list destination-ipv4-prefix {
              key ipv4-prefix;
              description
                "An IPv4 prefix/address.";

              leaf ipv4-prefix {
                type inet:ipv4-prefix;
                description
                  "An IPv4 address/prefix.";
              }
            }

            leaf stateless-enable {
              type boolean;
              default false;
              description
                "Enable explicitly stateless NAT64.";
            }
          }

          list external-ip-address-pool {
            if-feature "basic-nat44 or napt44 or nat64";
            key pool-id;

            description
              "Pool of external IP addresses used to service internal
               hosts.

               A pool is a set of IP prefixes.";

            leaf pool-id {
              type uint32;
              must ". >= 1";
              description
                "An identifier that uniquely identifies the address pool
                 within a NAT instance.

                 The identifier must be greater than zero.";
              reference
                "RFC 7659: Definitions of Managed Objects for
                 Network Address Translators (NATs)";
            }

            leaf external-ip-pool {
              type inet:ipv4-prefix;
              mandatory true;
              description
                "An IPv4 prefix used for NAT purposes.";
            }
          }

          container port-set-restrict {
            if-feature "napt44 or nat64";
            description
              "Configures contiguous and non-contiguous port ranges.

               The port set is used to restrict the external source
               port numbers used by the translator.";

            uses port-set;
          }

          leaf dst-nat-enable {
            if-feature "basic-nat44 or napt44";
            type boolean;
            default false;
            description
              "Enable/Disable destination NAT.

               A NAT44 may be configured to enable Destination
               NAT, too.";
          }

          list dst-ip-address-pool {
            if-feature dst-nat;
            key pool-id;
            description
              "Pool of IP addresses used for destination NAT.";

            leaf pool-id {
              type uint32;
              description
                "An identifier of the address pool.";
            }

            leaf dst-in-ip-pool {
              type inet:ip-prefix;
              description
                "Is used to identify an internal destination
                 IP prefix/address to be translated.";
            }

            leaf dst-out-ip-pool {
              type inet:ip-prefix;
              mandatory true;
              description
                "IP address/prefix used for destination NAT.";
            }
          }

          list transport-protocols {
            if-feature "napt44 or nat64 or dst-nat";
            key protocol-id;

            description
              "Configure the transport protocols to be handled by
               the translator.

               TCP and UDP are supported by default.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol associated with this mapping.

                 Values are taken from the IANA protocol registry.

                 For example, this field contains 6 for TCP,
                 17 for UDP, 33 for DCCP, or 132 for SCTP.";
            }

            leaf protocol-name {
              type string;
              description
                "The name of the Upper-layer protocol associated
                 with this mapping.

                 For example, TCP, UDP, DCCP, and SCTP.";
            }
          }

          leaf subscriber-mask-v6 {
            type uint8 {
              range "0 .. 128";
            }

            description
              "The subscriber mask is an integer that indicates
               the length of significant bits to be applied on
               the source IPv6 address (internal side) to
               unambiguously identify a user device (e.g., CPE).

               Subscriber mask is a system-wide configuration
               parameter that is used to enforce generic
               per-subscriber policies (e.g., port-quota).

               The enforcement of these generic policies does not
               require the configuration of every subscriber's
               prefix.

               Example: suppose the 2001:db8:100:100::/56 prefix
               is assigned to a NAT64 serviced CPE. Suppose also
               that 2001:db8:100:100::1 is the IPv6 address used
               by the client that resides in that CPE. When the
               NAT64 receives a packet from this client,
               it applies the subscriber-mask-v6 (e.g., 56) on
               the source IPv6 address to compute the associated
               prefix for this client (2001:db8:100:100::/56).
               Then, the NAT64 enforces policies based on that
               prefix (2001:db8:100:100::/56), not on the exact
               source IPv6 address.";
          }

          list subscriber-match {
            if-feature "basic-nat44 or napt44 or dst-nat";
            key match-id;

            description
              "IP prefix match.
               A subscriber is identified by a subnet.";

            leaf match-id {
              type uint32;
              description
                "An identifier of the subscriber match.";
            }

            leaf subnet {
              type inet:ip-prefix;
              mandatory true;
              description
                "The IP address subnets that match
                 should be translated. E.g., all addresses
                 that belong to the 192.0.2.0/24 prefix must
                 be processed by the NAT.";
            }
          }

          leaf address-allocation-type {
            type enumeration {
              enum "arbitrary" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Arbitrary pooling behavior means that the NAT
                   instance may create the new port mapping using any
                   address in the pool that has a free port for the
                   protocol concerned.";
              }

              enum "roundrobin" {
                if-feature "basic-nat44 or napt44 or nat64";
                description
                  "Round robin allocation.";
              }

              enum "paired" {
                if-feature "napt44 or nat64";
                description
                  "Paired address pooling informs the NAT
                   that all the flows from an internal IP
                   address must be assigned the same external
                   address. This is the recommended behavior for
                   NAPT/NAT64.";

                reference
                  "RFC 4787: Network Address Translation (NAT)
                   Behavioral Requirements for Unicast UDP";
              }
            }
            description
              "Specifies how external IP addresses are allocated.";
          }

          leaf port-allocation-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "random" {
                description
                  "Port randomization is enabled. A NAT port allocation
                   scheme should make it hard for attackers to guess
                   port numbers.";
                reference
                  "REQ-15 of RFC 6888";
              }

              enum "port-preservation" {
                description
                  "Indicates whether the NAT should preserve the internal
                   port number.";
              }

              enum "port-parity-preservation" {
                description
                  "Indicates whether the NAT should preserve the port
                   parity of the internal port number.";
              }

              enum "port-range-allocation" {
                description
                  "Indicates whether the NAT assigns a range of ports
                   for an internal host. This scheme makes it possible
                   to minimize log volume.";
                reference
                  "REQ-14 of RFC 6888";
              }
            }
            description
              "Indicates the type of port allocation.";
          }

          leaf mapping-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eim" {
                description
                  "endpoint-independent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "adm" {
                description
                  "address-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }

              enum "edm" {
                description
                  "address-and-port-dependent-mapping.";
                reference
                  "Section 4 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT mapping.";
          }

          leaf filtering-type {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "eif" {
                description
                  "endpoint-independent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "adf" {
                description
                  "address-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }

              enum "edf" {
                description
                  "address-and-port-dependent-filtering.";
                reference
                  "Section 5 of RFC 4787.";
              }
            }
            description
              "Indicates the type of a NAT filtering.";
          }

          leaf fragment-behavior {
            if-feature "napt44 or nat64";
            type enumeration {
              enum "drop-all" {
                description
                  "All received fragments are dropped.";
              }

              enum "in-order" {
                description
                  "Translate fragments only if they are received
                   in order.";
              }

              enum "out-of-order" {
                description
                  "Translate a fragment even if it is received out
                   of order.

                   This behavior is recommended.";
                reference
                  "REQ-14 of RFC 4787";
              }
            }
            description
              "The fragment behavior instructs the NAT about the
               behavior to follow to translate fragments received
               on the external interface of the NAT.";
          }

          list port-quota {
            if-feature "napt44 or nat64";
            key quota-type;
            description
              "Configures a port quota to be assigned per subscriber.
               It corresponds to the maximum number of ports to be
               used by a subscriber.";

            leaf port-limit {
              type uint16;
              description
                "Configures a port quota to be assigned per subscriber.

                 It corresponds to the maximum number of ports to be
                 used by a subscriber.";
              reference
                "REQ-4 of RFC 6888.";
            }

            leaf quota-type {
              type uint8;
              description
                "Indicates whether the port quota applies to
                 all protocols (0) or to a specific protocol.";
            }
          }

          container port-set {
            when "../port-allocation-type = 'port-range-allocation'";
            if-feature "napt44 or nat64";
            description
              "Manages port-set assignments.";

            leaf port-set-size {
              type uint16;
              mandatory true;
              description
                "Indicates the size of assigned port sets.";
            }

            leaf port-set-timeout {
              type uint32;
              units "seconds";
              description
                "Inactivity timeout for port sets.";
            }
          }

          container timers {
            if-feature "napt44 or nat64";
            description
              "Configure values of various timeouts.";

            leaf udp-timeout {
              type uint32;
              units "seconds";
              default 300;
              description
                "UDP inactivity timeout. That is the time a mapping
                 will stay active without packets traversing the NAT.";
              reference
                "RFC 4787: Network Address Translation (NAT)
                 Behavioral Requirements for Unicast UDP";
            }

            leaf tcp-idle-timeout {
              type uint32;
              units "seconds";
              default 7440;
              description
                "TCP Idle timeout should be 2 hours and 4 minutes.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf tcp-trans-open-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory open connection
                 idle-timeout.

                 A NAT should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.

                 To accommodate deployments that consider
                 a partially open timeout of 4 minutes as being
                 excessive from a security standpoint, a NAT may
                 allow the configured timeout to be less than
                 4 minutes.

                 However, a minimum default transitory connection
                 idle-timeout of 4 minutes is recommended.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-trans-close-timeout {
              type uint32;
              units "seconds";
              default 240;
              description
                "The value of the transitory close connection
                 idle-timeout.

                 A NAT should provide different configurable
                 parameters for configuring the open and
                 closing idle timeouts.";
              reference
                "Section 2.1 of RFC 7857.";
            }

            leaf tcp-in-syn-timeout {
              type uint32;
              units "seconds";
              default 6;
              description
                "A NAT must not respond to an unsolicited
                 inbound SYN packet for at least 6 seconds
                 after the packet is received. If during
                 this interval the NAT receives and translates
                 an outbound SYN for the connection, the NAT
                 must silently drop the original unsolicited
                 inbound SYN packet.";
              reference
                "RFC 5382: NAT Behavioral Requirements for TCP";
            }

            leaf fragment-min-timeout {
              when "../../fragment-behavior='out-of-order'";
              type uint32;
              units "seconds";
              default 2;
              description
                "As long as the NAT has available resources,
                 the NAT allows the fragments to arrive
                 over the fragment-min-timeout interval.
                 The default value is inspired by RFC 6146.";
            }

            leaf icmp-timeout {
              type uint32;
              units "seconds";
              default 60;
              description
                "An ICMP Query session timer must not expire
                 in less than 60 seconds. It is recommended
                 that the ICMP Query session timer be made
                 configurable.";
              reference
                "RFC 5508: NAT Behavioral Requirements for ICMP";
            }
            list per-port-timeout {
              key port-number;
              description
                "Some NATs are configurable with short timeouts
                 for some ports, e.g., 10 seconds on
                 port 53 (DNS) and 123 (NTP), and longer timeouts
                 on other ports.";

              leaf port-number {
                type inet:port-number;
                description
                  "A port number.";
              }

              leaf protocol {
                type uint8;
                description
                  "Upper-layer protocol associated with this port.

                   Values are taken from the IANA protocol registry.

                   If no protocol is indicated, this means 'any
                   protocol'.";
              }

              leaf timeout {
                type uint32;
                units "seconds";
                mandatory true;
                description
                  "Timeout for this port number.";
              }
            }

            leaf hold-down-timeout {
              type uint32;
              units "seconds";
              default 120;
              description
                "Hold down timer.

                 Ports in the hold down pool are not reassigned until
                 hold-down-timeout expires.

                 The length of time and the maximum number of ports in
                 this state must be configurable by the administrator.

                 This is necessary in order to prevent collisions
                 between old and new mappings and sessions. It ensures
                 that all established sessions are broken instead of
                 redirected to a different peer.";
              reference
                "REQ#8 of RFC 6888.";
            }

            leaf hold-down-max {
              type uint32;
              description
                "Maximum ports in the hold down port pool.";
              reference
                "REQ#8 of RFC 6888.";
            }
          }

          leaf fragments-limit {
            when "../fragment-behavior='out-of-order'";
            type uint32;
            description
              "Limits the number of out of order fragments that can
               be handled.";
            reference
              "Section 11 of RFC 4787.";
          }

          list algs {
            key name;
            description
              "ALG-related features.";

            leaf name {
              type string;
              description
                "The name of the ALG.";
            }

            leaf transport-protocol {
              type uint32;
              description
                "The transport protocol used by the ALG
                 (e.g., TCP, UDP).";
            }

            container dst-transport-port {
              uses port-number;
              description
                "The destination port number(s) used by the ALG.

                 For example,
                 - 21 for the FTP ALG
                 - 53 for the DNS ALG.";
            }

            container src-transport-port {
              uses port-number;
              description
                "The source port number(s) used by the ALG.";
            }

            leaf status {
              type boolean;
              description
                "Enable/disable the ALG.";
            }
          }

          leaf all-algs-enable {
            type boolean;
            description
              "Disable/enable all ALGs.

               When specified, this parameter overrides the one
               that may be indicated by the 'status'
               of an individual ALG.";
          }

          container notify-pool-usage {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Notification of pool usage when certain criteria
               are met.";

            leaf pool-id {
              type uint32;
              description
                "Pool-ID for which the notification criteria
                 are defined.";
            }

            leaf low-threshold {
              type percent;
              description
                "Notification must be generated when the defined low
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization drops below 10%, this
                 configuration parameter must be set to 10.

                 0% indicates that low-threshold notification is
                 disabled.";
            }

            leaf high-threshold {
              type percent;
              must ". >= ../low-threshold" {
                error-message
                  "The high threshold must be greater than or equal
                   to the low threshold.";
              }
              description
                "Notification must be generated when the defined high
                 threshold is reached.

                 For example, if a notification is required when the
                 pool utilization reaches 90%, this configuration
                 parameter must be set to 90.

                 Setting the same value as low-threshold is equivalent
                 to disabling high-threshold notification.";
            }

            leaf notify-interval {
              type uint32 {
                range "1 .. 3600";
              }
              units "seconds";
              default '20';
              description
                "Minimum number of seconds between successive
                 notifications for this pool.";

              reference
                "RFC 7659: Definitions of Managed Objects for
                 Network Address Translators (NATs)";
            }
          }

          container external-realm {
            description
              "Identifies the external realm of the NAT instance.";

            choice realm-type {
              description
                "Can be an interface, VRF instance, etc.";

              case interface {
                description
                  "External interface.";

                leaf external-interface {
                  type if:interface-ref;
                  description
                    "Name of the external interface.";
                }
              }
            }
          }
        }

        container mapping-limits {
          if-feature "napt44 or nat64";
          description
            "Information about the configuration parameters that
             limit the mappings based upon various criteria.";

          leaf limit-subscribers {
            type uint32;
            description
              "Maximum number of subscribers that can be serviced
               by a NAT instance.

               A subscriber is identified by a given prefix.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }

          leaf limit-address-mappings {
            type uint32;
            description
              "Maximum number of address mappings that can be
               handled by a NAT instance.

               When this limit is reached, packets that would
               normally trigger translation will be dropped.";
            reference
              "RFC 7659: Definitions of Managed Objects
               for Network Address Translators
               (NATs)";
          }
          leaf limit-port-mappings {
            type uint32;
            description
              "Maximum number of port mappings that can be handled
               by a NAT instance.

               When this limit is reached, packets that would
               normally trigger translation will be dropped.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }

          list limit-per-protocol {
            if-feature "napt44 or nat64 or dst-nat";
            key protocol-id;

            description
              "Configure limits per transport protocol.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol.

                 Values are taken from the IANA protocol registry.

                 For example, this field contains 6 for TCP,
                 17 for UDP, 33 for DCCP, or 132 for SCTP.";
            }

            leaf limit {
              type uint32;
              description
                "Maximum number of protocol-specific NAT mappings
                 per instance.";
            }
          }
        }

        container connection-limits {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Information about the configuration parameters that
             rate limit the translation based upon various criteria.";

          leaf limit-per-subscriber {
            type uint32;
            units "bits/second";
            description
              "Rate-limit the number of new mappings and sessions
               per subscriber.";
          }

          leaf limit-per-instance {
            type uint32;
            units "bits/second";
            description
              "Rate-limit the number of new mappings and sessions
               per instance.";
          }

          list limit-per-protocol {
            if-feature "napt44 or nat64";
            key protocol-id;
            description
              "Configure limits per transport protocol.";

            leaf protocol-id {
              type uint8;
              mandatory true;
              description
                "Upper-layer protocol.

                 Values are taken from the IANA protocol registry.

                 For example, this field contains 6 for TCP,
                 17 for UDP, 33 for DCCP, or 132 for SCTP.";
            }

            leaf limit {
              type uint32;
              description
                "Limit the number of protocol-specific mappings
                 and sessions per instance.";
            }
          }
        }

        container notification-limits {
          description "Sets notification limits.";

          leaf notify-interval {
            if-feature "basic-nat44 or napt44 or nat64";
            type uint32 {
              range "1 .. 3600";
            }
            units "seconds";
            default '10';
            description
              "Minimum number of seconds between successive
               notifications for this NAT instance.";
            reference
              "RFC 7659: Definitions of Managed Objects
               for Network Address Translators (NATs)";
          }

          leaf notify-addresses-usage {
            if-feature "basic-nat44 or napt44 or nat64";
            type percent;
            description
              "Notification of address mappings usage over
               the whole NAT instance.

               Notification must be generated when the defined
               threshold is reached.

               For example, if a notification is required when
               the address mappings utilization reaches 90%,
               this configuration parameter must be set
               to 90.";
          }

          leaf notify-ports-usage {
            if-feature "napt44 or nat64";
            type percent;
            description
              "Notification of port mappings usage over the
               whole NAT instance.

               Notification must be generated when the defined
               threshold is reached.

               For example, if a notification is required when
               the port mappings utilization reaches 90%, this
               configuration parameter must be set to 90.";
          }

          leaf notify-subscribers-limit {
            if-feature "basic-nat44 or napt44 or nat64";
            type uint32;
            description
              "Notification of active subscribers per NAT
               instance.

               Notification must be generated when the defined
               threshold is reached.";
          }
        }

        container mapping-table {
          if-feature "basic-nat44 or napt44 " +
                     "or nat64 or clat or dst-nat";
          description
            "NAT mapping table. Applicable for functions which maintain
             static and/or dynamic mappings, such as NAT44, Destination
             NAT, NAT64, or CLAT.";

          list mapping-entry {
            key "index";
            description "NAT mapping entry.";
            uses mapping-entry;
          }
        }

        container statistics {
          config false;

          description
            "Statistics related to the NAT instance.";

          leaf discontinuity-time {
            type yang:date-and-time;
            mandatory true;
            description
              "The time on the most recent occasion at which the NAT
               instance suffered a discontinuity. This must be
               initialized when the NAT instance is configured
               or rebooted.";
          }

          container traffic-statistics {
            description
              "Generic traffic statistics.";

            leaf sent-packets {
              type yang:zero-based-counter64;
              description
                "Number of packets sent.";
            }
            leaf sent-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for sent traffic in bytes.";
            }

            leaf rcvd-packets {
              type yang:zero-based-counter64;
              description
                "Number of received packets.";
            }

            leaf rcvd-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for received traffic in bytes.";
            }

            leaf dropped-packets {
              type yang:zero-based-counter64;
              description
                "Number of dropped packets.";
            }

            leaf dropped-bytes {
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter for dropped traffic in bytes.";
            }

            leaf dropped-fragments {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped fragments on the external realm.";
            }

            leaf dropped-address-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because an address limit
                 is reached.";
            }
            leaf dropped-address-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because an address limit
                 is reached, in bytes.";
            }

            leaf dropped-address-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no address is
                 available for allocation.";
            }

            leaf dropped-address-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no address is
                 available for allocation, in bytes.";
            }

            leaf dropped-port-limit-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because a port limit
                 is reached.";
            }

            leaf dropped-port-limit-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because a port limit
                 is reached, in bytes.";
            }

            leaf dropped-port-packets {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because no port is
                 available for allocation.";
            }

            leaf dropped-port-bytes {
              if-feature "napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because no port is
                 available for allocation, in bytes.";
            }

            leaf dropped-subscriber-limit-packets {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              description
                "Number of dropped packets because the subscriber
                 limit per instance is reached.";
            }

            leaf dropped-subscriber-limit-bytes {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:zero-based-counter64;
              units 'bytes';
              description
                "Counter of dropped packets because the subscriber
                 limit per instance is reached, in bytes.";
            }
          }

          container mappings-statistics {
            description
              "Mappings statistics.";

            leaf total-active-subscribers {
              if-feature "basic-nat44 or napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of active subscribers (that is,
                 subscribers for which the NAT maintains active
                 mappings).

                 A subscriber is identified by a subnet,
                 subscriber-mask, etc.";
            }

            leaf total-address-mappings {
              if-feature "basic-nat44 or napt44 " +
                         "or nat64 or clat or dst-nat";
              type yang:gauge32;
              description
                "Total number of address mappings present at a given
                 time. It includes both static and dynamic mappings.";
              reference
                "Section 3.3.8 of RFC 7659";
            }

            leaf total-port-mappings {
              if-feature "napt44 or nat64";
              type yang:gauge32;
              description
                "Total number of NAT port mappings present at
                 a given time. It includes both static and dynamic
                 mappings.";
              reference
                "Section 3.3.9 of RFC 7659";
            }

            list total-per-protocol {
              if-feature "napt44 or nat64";
              key protocol-id;
              description
                "Total mappings for each enabled/supported protocol.";

              leaf protocol-id {
                type uint8;
                mandatory true;
                description
                  "Upper-layer protocol.
                   For example, this field contains 6 for TCP,
                   17 for UDP, 33 for DCCP, or 132 for SCTP.";
              }

              leaf total {
                type yang:gauge32;
                description
                  "Total number of protocol-specific mappings present
                   at a given time. The protocol is identified by
                   protocol-id.";
              }
            }
          }

          container pools-stats {
            if-feature "basic-nat44 or napt44 or nat64";
            description
              "Statistics related to address/prefix pools
               usage.";

            leaf addresses-allocated {
              type yang:gauge32;
              description
                "Number of all allocated addresses.";
            }

            leaf addresses-free {
              type yang:gauge32;
              description
                "Number of unallocated addresses of all pools at
                 a given time. The sum of unallocated and allocated
                 addresses is the total number of addresses of
                 the pools.";
            }

            container ports-stats {
              if-feature "napt44 or nat64";

              description
                "Statistics related to port numbers usage.";

              leaf ports-allocated {
                type yang:gauge32;
                description
                  "Number of allocated ports from all pools.";
              }

              leaf ports-free {
                type yang:gauge32;
                description
                  "Number of unallocated ports from all pools.";
              }
            }

            list per-pool-stats {
              if-feature "basic-nat44 or napt44 or nat64";
              key "pool-id";
              description
                "Statistics related to address/prefix pool usage.";

              leaf pool-id {
                type uint32;
                description
                  "Unique identifier that represents a pool of
                   addresses/prefixes.";
              }

              leaf discontinuity-time {
                type yang:date-and-time;
                mandatory true;
                description
                  "The time on the most recent occasion at which this
                   pool's counters suffered a discontinuity. This must
                   be initialized when the address pool is
                   configured.";
              }

              container pool-stats {
                description
                  "Statistics related to address/prefix pool usage.";

                leaf addresses-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated addresses from this pool.";
                }

                leaf addresses-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated addresses in this pool.";
                }
              }

              container port-stats {
                if-feature "napt44 or nat64";
                description
                  "Statistics related to port numbers usage.";

                leaf ports-allocated {
                  type yang:gauge32;
                  description
                    "Number of allocated ports from this pool.";
                }

                leaf ports-free {
                  type yang:gauge32;
                  description
                    "Number of unallocated ports from this pool.";
                }
              }
            }
          }
        }
      }
    }
  }

  /*
   * Notifications
   */

  notification nat-pool-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when the defined high/low
       threshold is reached. Related configuration parameters
       must be provided to trigger the notifications.";

    leaf id {
      type leafref {
        path "/nat/instances/instance/id";
      }
      mandatory true;
      description
        "NAT instance Identifier.";
    }

    leaf policy-id {
      type leafref {
        path "/nat/instances/instance/policy/id";
      }
      description
        "Policy Identifier.";
    }

    leaf pool-id {
      type leafref {
        path "/nat/instances/instance/policy/" +
             "external-ip-address-pool/pool-id";
      }
      mandatory true;
      description
        "Pool Identifier.";
    }

    leaf notify-pool-threshold {
      type percent;
      mandatory true;
      description
        "A threshold (high-threshold or low-threshold) has
         been fired.";
    }
  }

  notification nat-instance-event {
    if-feature "basic-nat44 or napt44 or nat64";
    description
      "Notifications must be generated when the notify-addresses-usage
       and/or notify-ports-usage thresholds are reached.";

    leaf id {
      type leafref {
        path "/nat/instances/instance/id";
      }
      mandatory true;
      description
        "NAT instance Identifier.";
    }

    leaf notify-subscribers-threshold {
      type uint32;
      description
        "The notify-subscribers-limit threshold has been fired.";
    }

    leaf notify-addresses-threshold {
      type percent;
      description
        "The notify-addresses-usage threshold has been fired.";
    }

    leaf notify-ports-threshold {
      type percent;
      description
        "The notify-ports-usage threshold has been fired.";
    }
  }
}

4. Security Considerations

Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and
[RFC7757].

The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040].
   The lowest NETCONF layer is the secure transport layer, and the
   mandatory-to-implement secure transport is Secure Shell (SSH)
   [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC8341] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  The NAT YANG module provides parameters that
   prevent a user from aggressively consuming NAT resources
   (port-quota), rate-limit connections as a guard against Denial-of-
   Service, and enable notifications so that appropriate measures can
   be taken before traffic is dropped.  Nevertheless, an attacker who
   is able to access the NAT can undertake various attacks, such as:

   o  Set a high or low resource limit to cause a DoS attack:

      *  /nat/instances/instance/policy/port-quota

      *  /nat/instances/instance/policy/fragments-limit

      *  /nat/instances/instance/mapping-limits

      *  /nat/instances/instance/connection-limits

   o  Set a low notification threshold to cause useless notifications to
      be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set an arbitrarily high threshold, which may lead to the
      deactivation of notifications:

      *  /nat/instances/instance/policy/notify-pool-usage/high-threshold

      *  /nat/instances/instance/notification-limits/notify-addresses-
         usage

      *  /nat/instances/instance/notification-limits/notify-ports-usage

      *  /nat/instances/instance/notification-limits/notify-subscribers-
         limit

   o  Set a low notification interval and a low notification threshold
      to induce useless notifications to be generated:

      *  /nat/instances/instance/policy/notify-pool-usage/notify-
         interval

      *  /nat/instances/instance/notification-limits/notify-interval

   o  Access privacy-sensitive data maintained in the mapping table.
      Such data can be misused to track the activity of a host:

      *  /nat/instances/instance/mapping-table

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].
      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6.  Acknowledgements

   Many thanks to Dan Wing, Tianran Zhou, Tom Petch, Warren Kumari, and
   Benjamin Kaduk for the review.

   Thanks to Juergen Schoenwaelder for the comments on the YANG
   structure and the suggestion to use NMDA.  Mahesh Jethanandani
   provided useful comments.

   Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
   Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review,
   and Kristian Poscic for the CGN review.

   Special thanks to Maros Marsalek and Marek Gradzki for sharing their
   comments based on the FD.io implementation of this module
   (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).

   Rajiv Asati suggested clarifying how the module applies to both
   stateless and stateful NAT64.

   Juergen Schoenwaelder provided an early YANG doctors review.  Many
   thanks to him.

   Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrell for
   the directorate reviews.  Igor Ryzhov identified a nit in one
   example.

   Mirja Kuehlewind made a comment about the reuse of some TCP timers
   for any connection-oriented protocol.

7.  References

7.1.  Normative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6619]  Arkko, J., Eggert, L., and M. Townsley, "Scalable
              Operation of Address Translators with Per-Interface
              Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012.

   [RFC6877]  Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
              Combination of Stateful and Stateless Translation",
              RFC 6877, DOI 10.17487/RFC6877, April 2013.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7596]  Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
              Farrer, "Lightweight 4over6: An Extension to the Dual-
              Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
              July 2015.
   [RFC7597]  Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
              Murakami, T., and T. Taylor, Ed., "Mapping of Address and
              Port with Encapsulation (MAP-E)", RFC 7597,
              DOI 10.17487/RFC7597, July 2015.

   [RFC7757]  Anderson, T. and A. Leiva Popper, "Explicit Address
              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

   [RFC7915]  Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
              "IP/ICMP Translation Algorithm", RFC 7915,
              DOI 10.17487/RFC7915, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

7.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-softwire-dslite-yang]
              Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
              Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf-
              softwire-dslite-yang-17 (work in progress), May 2018.

   [I-D.ietf-tsvwg-natsupp]
              Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
              Transmission Protocol (SCTP) Network Address Translation
              Support", draft-ietf-tsvwg-natsupp-12 (work in progress),
              July 2018.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC5597]  Denis-Courmont, R., "Network Address Translation (NAT)
              Behavioral Requirements for the Datagram Congestion
              Control Protocol", BCP 150, RFC 5597,
              DOI 10.17487/RFC5597, September 2009.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011.

   [RFC6736]  Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
              "Diameter Network Address and Port Translation Control
              Application", RFC 6736, DOI 10.17487/RFC6736, October
              2012.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013.

   [RFC7289]  Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
              (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
              DOI 10.17487/RFC7289, June 2014.

   [RFC7335]  Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
              DOI 10.17487/RFC7335, August 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

   [RFC8045]  Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
              "RADIUS Extensions for IP Port Configuration and
              Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

Appendix A.  Sample Examples

   This section provides a non-exhaustive set of examples to illustrate
   the use of the NAT YANG module.

A.1.  Traditional NAT44

   Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
   same IPv4 address among hosts that are owned by the same subscriber.
   This is typically the NAT that is embedded in CPE devices.

   This NAT is usually provided with one single external IPv4 address;
   disambiguating connections is achieved by rewriting the source port
   number.  The XML snippet to configure the external IPv4 address in
   such a case, together with a mapping entry, is depicted below:

         1
         NAT_Subscriber_A
         ....
         1
         198.51.100.1/32
         ....
         ....
         198.51.100.1/32
         ....

   The following shows the XML excerpt depicting a dynamic UDP mapping
   entry maintained by a traditional NAPT44.
   In reference to this
   example, the UDP packet received with a source IPv4 address
   (192.0.2.1) and source port number (1568) is translated into a UDP
   packet having a source IPv4 address (198.51.100.1) and source port
   (15000).  The remaining lifetime of this mapping is 300 seconds.

         15
         dynamic-explicit
         17
         192.0.2.1/32
         1568
         198.51.100.1/32
         15000
         300

A.2.  Carrier Grade NAT (CGN)

   The following XML snippet shows an example of the capabilities
   supported by a CGN as retrieved using NETCONF.

         napt44
         1
         6
         17
         false
         true
         true
         true
         true
         false
         true
         true
         true
         true
         true
         true
         true
         true

   The following XML snippet shows an example of a CGN that is
   provisioned with one contiguous pool of external IPv4 addresses
   (198.51.100.0/24).  Further, the CGN is instructed to limit the
   number of allocated ports per subscriber to 1024.  Ports can be
   allocated by the CGN by assigning ranges of 256 ports (that is, a
   subscriber can be allocated up to four port ranges of 256 ports
   each).

         1
         myCGN
         ....
         1
         198.51.100.0/24
         1024
         all
         port-range-allocation
         256
         ....

   An administrator may decide to allocate one single port range per
   subscriber (e.g., a port range of 1024 ports) as shown below:

         1
         myCGN
         ....
         1
         198.51.100.0/24
         1024
         all
         port-range-allocation
         1024
         ....

A.3.  CGN Pass-Through

   Figure 1 illustrates an example of the CGN pass-through feature.

      X1:x1                 X1':x1'                   X2:x2
      +---+from X1:x1       +---+from X1:x1           +---+
      | C | to X2:x2        |   | to X2:x2            | S |
      | l |>>>>>>>>>>>>     | C |>>>>>>>>>>>>>>       | e |
      | i |                 | G |                     | r |
      | e |<<<<<<<<<<<<     | N |<<<<<<<<<<<<<<       | v |
      | n |from X2:x2       |   |from X2:x2           | e |
      | t | to X1:x1        |   | to X1:x1            | r |
      +---+                 +---+                     +---+

                        Figure 1: CGN Pass-Through

   For example, in order to disable NAT for communications issued by the
   client (192.0.2.1), the following configuration parameter must be
   set:

         ...
         192.0.2.1/32
         ...

A.4.  NAT64

   Let's consider the example of a NAT64 that should use
   2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
   The XML snippet to configure the NAT64 prefix in such a case is
   depicted below:

         2001:db8:122:300::/56

   Let's now consider the example of a NAT64 that should use
   2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
   the destination address matches 198.51.100.0/24.  The XML snippet to
   configure the NAT64 prefix in such a case is shown below:

         2001:db8:122::/48
         198.51.100.0/24

A.5.  Stateless IP/ICMP Translation (SIIT)

   Let's consider the example of a stateless translator that is
   configured with 2001:db8:100::/40 to perform IPv6 address synthesis
   [RFC6052].
   Similar to the NAT64 case, the XML snippet to configure
   the NAT64 prefix in such a case is depicted below:

         2001:db8:100::/40

   When the translator receives an IPv6 packet, for example, with a
   source address (2001:db8:1c0:2:21::) and destination address
   (2001:db8:1c6:3364:2::), it extracts the embedded IPv4 addresses
   following the RFC 6052 rules with 2001:db8:100::/40 as the NSP:

   o  192.0.2.33 is extracted from 2001:db8:1c0:2:21::

   o  198.51.100.2 is extracted from 2001:db8:1c6:3364:2::

   The translator transforms the IPv6 header into an IPv4 header using
   the IP/ICMP Translation Algorithm [RFC7915].  The IPv4 packets will
   include 192.0.2.33 as the source address and 198.51.100.2 as the
   destination address.

   Also, a NAT64 can be instructed to behave in the stateless mode by
   providing the following configuration.  The same NAT64 prefix is used
   for constructing both IPv4-translatable IPv6 addresses and
   IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).

         2001:db8:122:300::/56
         true

A.6.  Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
      SIIT)

   As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
   IPv6 prefix.  Let's consider the set of EAM examples in Table 8.

             +----------------+----------------------+
             | IPv4 Prefix    | IPv6 Prefix          |
             +----------------+----------------------+
             | 192.0.2.1      | 2001:db8:aaaa::      |
             | 192.0.2.2/32   | 2001:db8:bbbb::b/128 |
             | 192.0.2.16/28  | 2001:db8:cccc::/124  |
             | 192.0.2.128/26 | 2001:db8:dddd::/64   |
             | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
             | 192.0.2.224/31 | 64:ff9b::/127        |
             +----------------+----------------------+

                    Table 8: EAM Examples (RFC7757)

   The following XML excerpt illustrates how these EAMs can be
   configured using the YANG NAT module:

         192.0.2.1/32
         2001:db8:aaaa::/128

         192.0.2.2/32
         2001:db8:bbbb::b/128

         192.0.2.16/28
         2001:db8:cccc::/124

         192.0.2.128/26
         2001:db8:dddd::/64

         192.0.2.192/29
         2001:db8:eeee:8::/62

         192.0.2.224/31
         64:ff9b::/127

   EAMs may be enabled jointly with stateful NAT64.  This example shows
   a NAT64 function that supports static mappings:

         nat64
         true
         true
         true
         true
         true
         true
         true
         true

A.7.  Static Mappings with Port Ranges

   The following example shows a static mapping that instructs a NAT to
   translate packets issued from 192.0.2.1 and with source ports in the
   100-500 range to 198.51.100.1:1100-1500.

         1
         static
         6
         192.0.2.1/32
         100
         500
         198.51.100.1/32
         1100
         1500
         ...

A.8.  Static Mappings with IP Prefixes

   The following example shows a static mapping that instructs a NAT to
   translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.
         1
         static
         6
         192.0.2.0/24
         198.51.100.0/24
         ...

A.9.  Destination NAT

   The following XML snippet shows an example of a destination NAT that
   is instructed to translate all packets having 192.0.2.1 as a
   destination IP address to 198.51.100.1.

         1
         192.0.2.1/32
         198.51.100.1/32

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
   shows the static mapping configured on the NAT:

         1568
         static
         6
         192.0.2.1/32
         80
         198.51.100.1/32
         8080

   In order to instruct a NAT to translate TCP packets destined to
   '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
   traffic) to 198.51.100.2, the following XML snippet shows the static
   mappings configured on the NAT:

         123
         static
         6
         192.0.2.1/32
         80
         198.51.100.1/32
         ...

         1236
         static
         6
         192.0.2.1/32
         22
         198.51.100.2/32
         ...

   The NAT may also be instructed to proceed with both source and
   destination NAT.  To do so, in addition to the above sample to
   configure destination NAT, the NAT may be provided, for example, with
   a pool of external IP addresses (198.51.100.0/24) to use for source
   address translation.  An example of the corresponding XML snippet is
   provided hereafter:

         1
         198.51.100.0/24

   Instead of providing an external IP address to share, the NAT may be
   configured with static mapping entries that modify the internal IP
   address and/or port number.

A.10.  Customer-side Translator (CLAT)

   The following XML snippet shows an example of a CLAT that is
   configured with 2001:db8:1234::/96 as the PLAT-side IPv6 prefix and
   2001:db8:aaaa::/96 as the CLAT-side IPv6 prefix.  The CLAT is also
   provided with 192.0.0.1/32 (which is selected from the IPv4 service
   continuity prefix defined in [RFC7335]).

         2001:db8:aaaa::/96
         192.0.0.1/32
         2001:db8:1234::/96

A.11.  IPv6 Network Prefix Translation (NPTv6)

   Let's consider the example of an NPTv6 translator that should rewrite
   the source prefix (fd03:c03a:ecab::/48) of packets to the external
   prefix (2001:db8:1::/48).  The internal interface is "eth0" while the
   external interface is "eth1" (Figure 2).

              External Network: Prefix = 2001:db8:1::/48
            --------------------------------------
                               |
                               |eth1
                        +-------------+
                   eth4 |    NPTv6    | eth2
               ...------|             |------...
                        +-------------+
                               |eth0
                               |
            --------------------------------------
              Internal Network: Prefix = fd03:c03a:ecab::/48

                       Figure 2: Example of NPTv6

   The XML snippet to configure NPTv6 prefixes in such a case is
   depicted below:

         fd03:c03a:ecab::/48
         2001:db8:1::/48
         ...
         eth1

   Figure 3 shows an example of an NPTv6 translator that interconnects
   two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48);
   each is translated using a dedicated prefix (2001:db8:1::/48 and
   2001:db8:6666::/48, respectively).

                  Internal Prefix = fda8:d5cb:14f3::/48
            --------------------------------------
            V                  |        External Prefix
            V                  |eth1    2001:db8:1::/48
            V              +---------+           ^
            V              |  NPTv6  |           ^
            V              |         |           ^
            V              +---------+           ^
        External Prefix        |eth0             ^
        2001:db8:6666::/48     |                 ^
            --------------------------------------
                  Internal Prefix = fd03:c03a:ecab::/48

                  Figure 3: Connecting two Peer Networks

   To that aim, the following configuration is provided to the NPTv6
   translator:

         1
         fd03:c03a:ecab::/48
         2001:db8:1::/48
         eth1

         2
         fda8:d5cb:14f3::/48
         2001:db8:6666::/48
         eth0

Authors' Addresses

   Mohamed Boucadair (editor)
   Orange
   Rennes  35000
   France

   Email: mohamed.boucadair@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com


   Christian Jacquenet
   Orange
   Rennes  35000
   France

   Email: christian.jacquenet@orange.com


   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale  94089
   USA

   Email: sureshk@juniper.net


   Qin Wu
   Huawei
   101 Software Avenue, Yuhua District
   Nanjing, Jiangsu  210012
   China

   Email: bill.wu@huawei.com
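The address mapping that a stateless translator performs with the configuration of Appendix A.5 and A.6, worked through in Python as an added example (it is not code from the draft nor from any implementation of the module): RFC 6052 extraction and embedding for every standard prefix length, using the NSP 2001:db8:100::/40 of A.5, and longest-prefix lookup in an EAM table built from Table 8, which an EAM-enabled SIIT consults before falling back to the NSP. Function names and the "IPv6 suffix bits beyond the IPv4 suffix are ignored" handling are this example's own choices.

```python
"""EAM (RFC 7757) and RFC 6052 address mapping for a stateless translator.
Added example built from Appendix A.5/A.6 of the draft; not the draft's code."""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
EAM = Tuple[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Values taken from the draft: the NSP of A.5 and the EAM rows of Table 8 (A.6).
NSP = "2001:db8:100::/40"
TABLE_8_ROWS = [
    ("192.0.2.1", "2001:db8:aaaa::"),  # bare addresses mean /32 and /128
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]


def _v4_bit_positions(plen: int) -> List[int]:
    """MSB-indexed positions (0..127) of the 32 embedded IPv4 bits: they follow
    the prefix, skipping bits 64..71 (the reserved 'u' octet, RFC 6052 2.2)."""
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 prefix length must be 32, 40, 48, 56, 64 or 96")
    positions, pos = [], plen
    while len(positions) < 32:
        if pos == 64:
            pos = 72
        positions.append(pos)
        pos += 1
    return positions


def rfc6052_extract(addr, nsp) -> Optional[IPv4]:
    """IPv4-converted IPv6 address -> embedded IPv4 address; None if not under nsp."""
    addr, nsp = IPv6(addr), ipaddress.IPv6Network(nsp)
    if addr not in nsp:
        return None
    bits, v4 = int(addr), 0
    for pos in _v4_bit_positions(nsp.prefixlen):
        v4 = (v4 << 1) | ((bits >> (127 - pos)) & 1)
    return IPv4(v4)


def rfc6052_embed(v4, nsp) -> IPv6:
    """IPv4 address -> IPv4-converted IPv6 address under nsp (suffix bits zero)."""
    v4, nsp = IPv4(v4), ipaddress.IPv6Network(nsp)
    bits = int(nsp.network_address)
    for i, pos in enumerate(_v4_bit_positions(nsp.prefixlen)):
        bits |= ((int(v4) >> (31 - i)) & 1) << (127 - pos)
    return IPv6(bits)


def parse_eamt(rows) -> List[EAM]:
    """Build an EAM table; reject rows whose IPv6 suffix cannot hold the IPv4 suffix."""
    table = []
    for v4, v6 in rows:
        v4n, v6n = ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6)
        if 128 - v6n.prefixlen < 32 - v4n.prefixlen:
            raise ValueError("EAM %s <-> %s cannot map every IPv4 host" % (v4n, v6n))
        table.append((v4n, v6n))
    return table


def eam_v6_to_v4(addr, eamt: List[EAM]) -> Optional[IPv4]:
    """Longest-prefix EAM lookup, IPv6 -> IPv4; None if no entry matches."""
    addr = IPv6(addr)
    hits = [e for e in eamt if addr in e[1]]
    if not hits:
        return None
    v4n, v6n = max(hits, key=lambda e: e[1].prefixlen)
    suffix_len = 32 - v4n.prefixlen
    # The IPv4 suffix sits right after the IPv6 prefix; further IPv6 suffix
    # bits are ignored in this example.
    suffix = (int(addr) >> (128 - v6n.prefixlen - suffix_len)) & ((1 << suffix_len) - 1)
    return IPv4(int(v4n.network_address) | suffix)


def eam_v4_to_v6(v4, eamt: List[EAM]) -> Optional[IPv6]:
    """Longest-prefix EAM lookup, IPv4 -> IPv6; None if no entry matches."""
    v4 = IPv4(v4)
    hits = [e for e in eamt if v4 in e[0]]
    if not hits:
        return None
    v4n, v6n = max(hits, key=lambda e: e[0].prefixlen)
    suffix_len = 32 - v4n.prefixlen
    suffix = int(v4) & ((1 << suffix_len) - 1)
    # IPv4 suffix bits go right after the IPv6 prefix; the rest stay zero.
    return IPv6(int(v6n.network_address) | (suffix << (128 - v6n.prefixlen - suffix_len)))


def translate_v6_to_v4(addr, eamt: List[EAM], nsp) -> Optional[IPv4]:
    """What an EAM-enabled SIIT does: the EAM table wins, the NSP is the fallback."""
    v4 = eam_v6_to_v4(addr, eamt)
    return v4 if v4 is not None else rfc6052_extract(addr, nsp)


TABLE_8 = parse_eamt(TABLE_8_ROWS)
```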
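The /48 prefix rewriting that Appendix A.11 configures (fd03:c03a:ecab::/48 on eth0, 2001:db8:1::/48 on eth1, and the second pair of Figure 3), worked through in Python as an added example rather than code from the draft: the RFC 6296 checksum-neutral adjustment is derived from the two prefixes and applied to the subnet word in both directions, and a check confirms that the translated address leaves transport checksums untouched. The block deliberately covers only equal-length /48 prefixes, the case the appendix shows; class and function names are this example's own.

```python
"""NPTv6 (RFC 6296) checksum-neutral /48 prefix translation for the
Appendix A.11 set-up.  Added example, not code from the draft."""
import ipaddress
from typing import List, Optional

IPv6 = ipaddress.IPv6Address


def to_words(addr: IPv6) -> List[int]:
    """Eight 16-bit words of the address, most significant first."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def from_words(words: List[int]) -> IPv6:
    n = 0
    for w in words:
        n = (n << 16) | (w & 0xFFFF)
    return IPv6(n)


def oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words) -> int:
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


class NPTv6:
    """Stateless /48 <-> /48 translator between an internal and an external prefix."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example handles /48 prefixes only")
        # RFC 6296 Section 3.4: the adjustment is the one's complement
        # difference between the sums of the internal and external prefix
        # words.  Adding it to the subnet word (word 3) keeps the one's
        # complement sum of the whole address unchanged, so TCP, UDP and
        # ICMPv6 checksums over the pseudo-header stay valid without a rewrite.
        s_int = oc_sum(to_words(self.internal.network_address)[:3])
        s_ext = oc_sum(to_words(self.external.network_address)[:3])
        self.adjustment = oc_add(s_int, (~s_ext) & 0xFFFF)

    @staticmethod
    def _rewrite(addr, prefix, delta: int) -> IPv6:
        words = to_words(addr)
        words[:3] = to_words(prefix.network_address)[:3]
        subnet = oc_add(words[3], delta)
        # One's complement has two zeros (0x0000 and 0xFFFF); 0x0000 is written,
        # which is what makes subnet 0 round-trip (RFC 6296 Section 3.4).
        words[3] = 0 if subnet == 0xFFFF else subnet
        return from_words(words)

    def outbound(self, addr) -> Optional[IPv6]:
        """Internal source address (eth0 side) -> external address (eth1 side)."""
        addr = IPv6(addr)
        if addr not in self.internal:
            return None
        return self._rewrite(addr, self.external, self.adjustment)

    def inbound(self, addr) -> Optional[IPv6]:
        """External destination address -> internal address (adjustment subtracted)."""
        addr = IPv6(addr)
        if addr not in self.external:
            return None
        return self._rewrite(addr, self.internal, (~self.adjustment) & 0xFFFF)


def checksum_neutral(a, b) -> bool:
    """True when both addresses contribute the same one's complement sum to a
    pseudo-header, i.e. the translation did not disturb transport checksums."""
    return oc_sum(to_words(IPv6(a))) == oc_sum(to_words(IPv6(b)))


if __name__ == "__main__":
    npt = NPTv6("fd03:c03a:ecab::/48", "2001:db8:1::/48")
    ext = npt.outbound("fd03:c03a:ecab:1234::1")
    print(hex(npt.adjustment), ext, npt.inbound(ext))
```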