Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: May 16, 2018                                       S. Sivakumar
                                                           Cisco Systems
                                                       November 12, 2017


            YANG Data Modules for Dual-Stack Lite (DS-Lite)
                   draft-ietf-softwire-dslite-yang-08

Abstract

   This document defines YANG modules for the DS-Lite Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements.

Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   o  "This version of this YANG module is part of RFC XXXX;"

   o  "RFC XXXX: YANG Data Modules for Dual-Stack Lite (DS-Lite)";

   o  "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 16, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  DS-Lite YANG Modules: An Overview
   3.  DS-Lite AFTR YANG Module
   4.  DS-Lite B4 YANG Module
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative references
     8.2.  Informative references
   Appendix A.  B4 Example
   Appendix B.  AFTR Examples
   Authors' Addresses

1.  Introduction

   This document defines data models for DS-Lite [RFC6333], using the
   YANG data modeling language [RFC7950].  Both the Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements
   are covered by this specification.

   As a reminder, Figure 1 illustrates an overview of the DS-Lite
   architecture that involves AFTR and B4 elements.
                            +-----------+
                            |   Host    |
                            +-----+-----+
                                  |192.0.2.1
                                  |
                                  |
                                  |192.0.2.2
                        +---------|---------+
                        |         |         |
                        |    Home router    |
                        |+--------+--------+|
                        ||       B4        ||
                        |+--------+--------+|
                        +--------|||--------+
                                 |||2001:db8:0:1::1
                                 |||
                                 |||<-IPv4-in-IPv6 softwire
                                 |||
                          -------|||-------
                         /       |||       \
                        |  ISP core network |
                         \       |||       /
                          -------|||-------
                                 |||
                                 |||2001:db8:0:2::1
                        +--------|||--------+
                        |       AFTR        |
                        |+--------+--------+|
                        ||  Concentrator   ||
                        |+--------+--------+|
                        |       |NAT|       |
                        |       +-+-+       |
                        +---------|---------+
                                  |198.51.100.1
                                  |
                          --------|--------
                         /        |        \
                        |      Internet     |
                         \        |        /
                          --------|--------
                                  |
                                  |203.0.113.1
                            +-----+-----+
                            | IPv4 Host |
                            +-----------+

                  Figure 1: DS-Lite Base Architecture

   DS-Lite deployment considerations are discussed in [RFC6908].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).

1.1.  Terminology

   This document makes use of the terms defined in Section 3 of
   [RFC6333].

   The terminology for describing YANG data modules is defined in
   [RFC7950].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  DS-Lite YANG Modules: An Overview

   As shown in Figure 1:

   o  The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a
      NAPT function (Section 2.2 of [RFC3022]).

   o  The B4 element is an IPv4-in-IPv6 tunnel.

   Therefore, the AFTR YANG module is designed to augment both the
   Interfaces YANG module [RFC7223] and the NAT YANG module
   [I-D.ietf-opsawg-nat-yang] with DS-Lite specific features.  The B4
   YANG module augments the Interfaces YANG module.

   Concretely, the AFTR YANG module (Figure 2) augments the Interfaces
   YANG module with the following:

   o  An IPv6 address used by the AFTR for sending and receiving IPv4-
      in-IPv6 packets (aftr-ipv6-address).

   o  An IPv4 address that is used by the AFTR for troubleshooting
      purposes (aftr-ipv4-address).

   o  The tunnel MTU, used to avoid fragmentation (tunnel-mtu).

   o  A policy to limit the number of DS-Lite softwires per subscriber
      (max-softwire-per-subscriber).

   o  A policy to instruct the AFTR whether it must preserve DSCP
      marking when encapsulating/decapsulating packets (v6-v4-dscp-
      preservation).

   In addition, the AFTR YANG module augments the NAT YANG module
   (policy, in particular) with the following:

   o  A policy to instruct the AFTR whether a state can be automatically
      migrated (state-migrate).

   o  A rate limit on changes of the B4's source IPv6 address
      (b4-address-change-limit), used to prevent a denial-of-service
      caused by frequently changing that address.

   o  An instruction to rewrite the TCP Maximum Segment Size (MSS)
      option (mss-clamping) to avoid TCP fragmentation.

   Given that the NAPT table of the AFTR element is extended to include
   the source IPv6 address of incoming packets, the AFTR YANG module
   augments the NAPT44 mapping-entry with the following:

   o  b4-ipv6-address, which is used to record the source IPv6 address
      of a packet received from a B4 element.  This IPv6 address is
      required to disambiguate between the overlapping IPv4 address
      space of subscribers.

   o  The value of the Traffic Class field in the IPv6 header as
      received from a B4 element (v6-dscp): This information is used to
      preserve DSCP marking when encapsulating/decapsulating at the
      AFTR.

   o  The IPv4 DSCP marking of the IPv4 packet received from a B4
      element (internal-v4-dscp): This information can be used by the
      AFTR for setting the DSCP of packets relayed to a B4 element.

   o  The IPv4 DSCP marking as set by the AFTR in its external interface
      (external-v4-dscp): An AFTR can be instructed to preserve the same
      marking or to set it to another value when forwarding an IPv4
      packet upstream.

   Access Control List (ACL) and Quality of Service (QoS) policies
   discussed in Section 2.5 of [RFC6908] are out of scope.  A YANG
   module for ACLs is documented in [I-D.ietf-netmod-acl-model].

   Likewise, PCP-related considerations discussed in Section 8.5 of
   [RFC6333] are out of scope.  A YANG module for PCP is documented in
   [I-D.boucadair-pcp-yang].

   module: ietf-dslite-aftr
     augment /if:interfaces/if:interface:
       +--rw aftr-ipv6-address?             inet:ipv6-address
       +--rw aftr-ipv4-address?             inet:ipv4-address
       +--rw tunnel-mtu?                    uint16
       +--rw max-softwire-per-subscriber?   uint8
       +--rw v6-v4-dscp-preservation?       boolean
     augment /nat:nat/nat:instances/nat:instance/nat:policy:
       +--rw state-migrate?             boolean
       +--rw b4-address-change-limit?   uint32
       +--rw mss-clamping
          +--rw enable?      boolean
          +--rw mss-value?   uint16
     augment /nat:nat/nat:instances/nat:instance/nat:mapping-table/nat:mapping-entry:
       +--rw b4-ipv6-address?    inet:ipv6-address
       +--rw v6-dscp?            uint8
       +--rw internal-v4-dscp?   uint8
       +--rw external-v4-dscp?   uint8

                  Figure 2: YANG Module for DS-Lite AFTR

   Examples to illustrate the use of this module are provided in
   Appendix B.
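   The following is an added example, not code from the draft or from
   any AFTR implementation: a toy Python model of the AFTR-side
   behaviour that the leaves above configure, showing why
   b4-ipv6-address has to be part of the NAPT44 mapping key (two
   subscribers using the same private 192.0.2.1:1568) and how
   max-softwire-per-subscriber, b4-address-change-limit and
   state-migrate interact when a B4 appears with a new address from the
   same prefix.  It assumes the subscriber-mask (RFC 7785) is supplied
   by the NAT module, that the softwire whose state migrates is the
   least recently seen one, and all class and method names are
   hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network


@dataclass
class AftrPolicy:
    """Leaves the AFTR module augments into nat:policy, plus the
    subscriber-mask (RFC 7785) that the NAT module itself carries."""
    subscriber_mask: int = 56
    max_softwire_per_subscriber: int = 1   # module default
    state_migrate: bool = True             # module default
    b4_address_change_limit: int = 1800    # seconds, module default


@dataclass
class MappingEntry:
    """NAPT44 mapping entry extended with b4-ipv6-address (Figure 2)."""
    b4_ipv6_address: IPv6Address
    internal_src_address: IPv4Address
    internal_src_port: int
    external_src_address: IPv4Address
    external_src_port: int
    transport_protocol: int = 17           # UDP


class Aftr:
    """Toy AFTR (hypothetical): admission policy plus a NAPT44 table."""

    def __init__(self, policy: AftrPolicy, external_ipv4: str):
        self.policy = policy
        self.external = IPv4Address(external_ipv4)
        self.next_port = 15000
        self.table = []          # list of MappingEntry
        self.last_seen = {}      # active B4 IPv6 address -> last packet time
        self.last_change = {}    # subscriber prefix -> last address change

    def prefix(self, b4: IPv6Address) -> IPv6Network:
        """Subscriber identity: the B4 address masked to subscriber-mask."""
        return IPv6Network((b4, self.policy.subscriber_mask), strict=False)

    def admit(self, b4: IPv6Address, now: float) -> str:
        """Apply max-softwire-per-subscriber, b4-address-change-limit and
        state-migrate to a packet from b4; returns what was decided."""
        if b4 in self.last_seen:
            self.last_seen[b4] = now
            return "existing"
        pfx = self.prefix(b4)
        active = [a for a in self.last_seen if a in pfx]
        if len(active) < self.policy.max_softwire_per_subscriber:
            self.last_seen[b4] = now
            self.last_change[pfx] = now
            return "new"
        # Quota reached, so a fresh address from the same prefix is an
        # address change: rate-limit it (RFC 7785), then migrate if allowed.
        since = now - self.last_change.get(pfx, float("-inf"))
        if since < self.policy.b4_address_change_limit:
            return "dropped"
        if not active or not self.policy.state_migrate:
            return "dropped"
        old = min(active, key=self.last_seen.get)   # assumed: least recent
        for e in self.table:
            if e.b4_ipv6_address == old:
                e.b4_ipv6_address = b4   # return traffic now tunnelled to b4
        del self.last_seen[old]
        self.last_seen[b4] = now
        self.last_change[pfx] = now
        return "migrated"

    def translate(self, b4: str, src_ipv4: str, src_port: int, now: float,
                  proto: int = 17):
        """Outbound packet: admit the softwire, then find or create the
        mapping.  b4-ipv6-address is part of the lookup key, which is what
        keeps two subscribers both using 192.0.2.1:1568 apart."""
        b4a, v4 = IPv6Address(b4), IPv4Address(src_ipv4)
        verdict = self.admit(b4a, now)
        if verdict == "dropped":
            return verdict, None
        for e in self.table:
            if (e.b4_ipv6_address, e.internal_src_address, e.internal_src_port,
                    e.transport_protocol) == (b4a, v4, src_port, proto):
                return verdict, e
        e = MappingEntry(b4a, v4, src_port, self.external, self.next_port, proto)
        self.next_port += 1
        self.table.append(e)
        return verdict, e

    def reverse(self, external_port: int, proto: int = 17):
        """Inbound packet: the entry yields both the private IPv4 destination
        and the B4 IPv6 address to encapsulate towards."""
        for e in self.table:
            if (e.external_src_port, e.transport_protocol) == (external_port, proto):
                return e
        return None
```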
   The B4 YANG module (Figure 3) augments the Interfaces YANG module
   with the following:

   o  An IPv6 address used by a B4 element for sending and receiving
      IPv4-in-IPv6 packets (b4-ipv6-address).

   o  The IPv6 address of the AFTR to be used by a B4 element (aftr-
      ipv6-addr).

   o  An IPv4 address that is used by a B4 element for troubleshooting
      purposes (b4-ipv4-address).

   o  The tunnel MTU at the B4 side to avoid fragmentation (tunnel-mtu).

   o  An instruction whether DSCP marking is to be preserved when
      encapsulating an IPv4 packet in an IPv6 packet (v6-v4-dscp-
      preservation).

   module: ietf-dslite-b4
     augment /if:interfaces/if:interface:
       +--rw b4-ipv6-address?           inet:ipv6-address
       +--rw aftr-ipv6-addr?            inet:ipv6-address
       +--rw b4-ipv4-address?           inet:ipv4-address
       +--rw tunnel-mtu?                uint16
       +--rw v6-v4-dscp-preservation?   boolean

                   Figure 3: YANG Module for DS-Lite B4

   An example to illustrate the use of this module is provided in
   Appendix A.

3.  DS-Lite AFTR YANG Module

   <CODE BEGINS> file "ietf-dslite-aftr@2017-11-13.yang"

   module ietf-dslite-aftr {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-aftr";
     prefix dslite-aftr;

     import ietf-inet-types { prefix inet; }
     import ietf-interfaces { prefix if; }
     import iana-if-type { prefix ianaift; }
     import ietf-nat { prefix nat; }

     organization "IETF Softwire Working Group";

     contact

       "WG Web:
        WG List:

        WG Chair: Ian Farrer

        WG Chair: Yong Cui

        Editor: Mohamed Boucadair

        Editor: Christian Jacquenet

        Editor: Senthil Sivakumar
        ";

     description
       "This module is a YANG module for DS-Lite AFTR
        implementations.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-11-13 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: YANG Data Modules for Dual-Stack Lite (DS-Lite)";
     }

     augment "/if:interfaces/if:interface" {
       when "if:type = 'ianaift:tunnel'";
       description
         "Augments Interface module with AFTR parameters.
          IANA interface types are maintained at this registry:
          https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib.

          tunnel (131), -- Encapsulation interface";

       leaf aftr-ipv6-address {
         type inet:ipv6-address;
         description
           "IPv6 address of the DS-Lite AFTR.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf aftr-ipv4-address {
         type inet:ipv4-address;
         default "192.0.0.1";
         description
           "IPv4 address of the DS-Lite AFTR.

            192.0.0.1 is reserved for the AFTR element.

            This address can be used to report ICMP problems and will
            appear in traceroute outputs.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf tunnel-mtu {
         type uint16;
         description
           "Configures a tunnel MTU.
            [RFC6908] specifies that since fragmentation and reassembly
            is not optimal, the operator should do everything possible
            to eliminate the need for it.  If the operator uses simple
            IPv4-in-IPv6 softwire, it is recommended that the MTU size
            of the IPv6 network between the B4 and the AFTR accounts for
            the additional overhead (40 bytes).";
         reference
           "RFC 6908: Deployment Considerations for Dual-Stack Lite";
       }

       leaf max-softwire-per-subscriber {
         type uint8;
         default 1;
         description
           "Configures the maximum softwires per subscriber feature.

            A subscriber is uniquely identified by means
            of subscriber-mask.

            This policy aims to prevent a misbehaving subscriber from
            mounting several DS-Lite softwires that would consume
            additional AFTR resources (e.g., get more external ports
            if the quota were enforced on a per-softwire basis,
            consume extra processing due to a large number of active
            softwires).";
         reference
           "Section 4 of RFC 7785.";
       }

       leaf v6-v4-dscp-preservation {
         type boolean;
         description
           "Copies the DSCP value from the IPv6 header and vice versa.

            According to Section 2.10 of [RFC6908], operators should
            use this model by provisioning the network such that the AFTR
            copies the DSCP value in the IPv4 header to the Traffic Class
            field in the IPv6 header, after the encapsulation for
            the downstream traffic.";
         reference
           "Section 2.10 of RFC 6908.";
       }
     }

     augment "/nat:nat/nat:instances/"+
             "nat:instance/nat:policy" {
       description
         "Augments the NAPT44 module with AFTR parameters.";

       leaf state-migrate {
         type boolean;
         default true;
         description
           "State migration is enabled by default.

            In the event a new IPv6 address is assigned to the B4 element,
            the AFTR should migrate existing state to be bound to the new
            IPv6 address.  This operation ensures that traffic destined to
            the previous B4's IPv6 address will be redirected to the newer
            B4's IPv6 address.  The destination IPv6 address for tunneling
            return traffic from the AFTR should be the last seen as the B4's
            IPv6 source address from the CPE.

            The AFTR uses the subscriber-mask to determine whether two
            IPv6 addresses belong to the same CPE (e.g., if the
            subscriber-mask is set to 56, the AFTR concludes that
            2001:db8:100:100::1 and 2001:db8:100:100::2 belong to the same
            CPE assigned with 2001:db8:100:100::/56).";
         reference
           "RFC 7785: Recommendations for Prefix Binding in the Context
            of Softwire Dual-Stack Lite";
       }

       leaf b4-address-change-limit {
         type uint32;
         units "seconds";
         default '1800';
         description
           "Minimum number of seconds between successive B4's IPv6 address
            change from the same prefix.

            Changing the source B4's IPv6 address may be used as an attack
            vector.  Packets with a new B4's IPv6 address from the same
            prefix should be rate-limited.

            It is recommended to set this rate limit to 30 minutes; other
            values can be set on a per-deployment basis.";
         reference
           "RFC 7785: Recommendations for Prefix Binding in the Context
            of Softwire Dual-Stack Lite";
       }

       container mss-clamping {
         description
           "MSS rewriting configuration to avoid IPv6 fragmentation.";

         leaf enable {
           type boolean;
           description
             "Enable/disable MSS rewriting feature.";
         }

         leaf mss-value {
           type uint16;
           units "octets";
           description
             "Sets the MSS value to be used for MSS rewriting.";
         }
       }
     }

     augment "/nat:nat/nat:instances/nat:instance/"+
             "nat:mapping-table/nat:mapping-entry" {
       description
         "Augments the NAPT44 mapping table with DS-Lite specifics.";

       leaf b4-ipv6-address {
         type inet:ipv6-address;
         description
           "Corresponds to the IPv6 address used by the B4 element.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf v6-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite-aftr:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value used at the softwire level (i.e., IPv6 header).";
       }

       leaf internal-v4-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite-aftr:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value of the encapsulated IPv4 packet.";
       }

       leaf external-v4-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite-aftr:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value of the translated IPv4 packet as marked by
            the AFTR.";
       }
     }
   }

   <CODE ENDS>

4.  DS-Lite B4 YANG Module

   <CODE BEGINS> file "ietf-dslite-b4@2017-11-13.yang"

   module ietf-dslite-b4 {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-dslite-b4";
     prefix dslite-b4;

     import ietf-inet-types { prefix inet; }
     import ietf-interfaces { prefix if; }
     import iana-if-type { prefix ianaift; }

     organization "IETF Softwire Working Group";
     contact

       "WG Web:
        WG List:

        WG Chair: Ian Farrer

        WG Chair: Yong Cui

        Editor: Mohamed Boucadair

        Editor: Christian Jacquenet

        Editor: Senthil Sivakumar
        ";

     description
       "This module is a YANG module for DS-Lite B4 implementations.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-11-13 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: YANG Data Modules for Dual-Stack Lite (DS-Lite)";
     }

     augment "/if:interfaces/if:interface" {
       when "if:type = 'ianaift:tunnel'";
       description
         "Augments Interface module with B4 parameters.
          IANA interface types are maintained at this registry:

          https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib.

          tunnel (131), -- Encapsulation interface";

       leaf b4-ipv6-address {
         type inet:ipv6-address;
         description
           "The IPv6 address used by the B4 element.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf aftr-ipv6-addr {
         type inet:ipv6-address;
         description
           "The AFTR's IPv6 address.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf b4-ipv4-address {
         type inet:ipv4-address;
         default "192.0.0.2";
         description
           "IPv4 address of the DS-Lite B4.

            192.0.0.0/29 is reserved for the B4 element.

            This address can be used to report ICMP problems and will
            appear in traceroute outputs.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf tunnel-mtu {
         type uint16;
         description
           "Configures a tunnel MTU.

            [RFC6908] specifies that since fragmentation and reassembly is
            not optimal, the operator should do everything possible to
            eliminate the need for it.
            If the operator uses simple
            IPv4-in-IPv6 softwire, it is recommended that the MTU size of
            the IPv6 network between the B4 and the AFTR accounts for
            the additional overhead (40 bytes).";
         reference
           "RFC 6908: Deployment Considerations for Dual-Stack Lite";
       }

       leaf v6-v4-dscp-preservation {
         type boolean;
         description
           "Copies the DSCP value from the IPv6 header and vice versa.

            Operators should use this model by provisioning the network such
            that the AFTR copies the DSCP value in the IPv4 header to
            the Traffic Class field in the IPv6 header, after the
            encapsulation for the downstream traffic.";
         reference
           "Section 2.10 of RFC 6908.";
       }
     }
   }

   <CODE ENDS>

5.  Security Considerations

   The YANG modules defined in this document are designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.

   All data nodes defined in the YANG modules which can be created,
   modified and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  An attacker who is able to access the B4/AFTR
   can undertake various attacks, such as:

   o  Set the value of 'aftr-ipv6-addr' on the B4 to point to an
      illegitimate AFTR so that it can intercept all the traffic sent by
      a B4.  Illegitimately intercepting users' traffic is an attack
      with severe implications on privacy.

   o  Set the MTU to a low value which may increase the number of
      fragments (tunnel-mtu for both B4 and AFTR).

   o  Set 'max-softwire-per-subscriber' to an arbitrarily high value,
      which will be exploited by a misbehaving user to grab more
      resources (by mounting as many softwires as required to get more
      external IP addresses/ports) or to perform a Denial-of-Service on
      the AFTR by mounting a massive number of softwires.

   o  Set 'state-migrate' to 'false' on the AFTR.  This action may lead
      to a service degradation for the users.

   o  Set 'b4-address-change-limit' to an arbitrarily low value, which
      can ease DoS attacks based on frequent changes of the B4 IPv6
      address.

   o  Set 'v6-v4-dscp-preservation' to 'false', which may lead to a
      service degradation if some policies are applied on the network
      based on the DSCP value.

   Additional security considerations are discussed in
   [I-D.ietf-opsawg-nat-yang].

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

6.  IANA Considerations

   This document requests IANA to register the following URIs in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-dslite-aftr
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

      URI: urn:ietf:params:xml:ns:yang:ietf-dslite-b4
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG modules in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-dslite-aftr
      namespace: urn:ietf:params:xml:ns:yang:ietf-dslite-aftr
      prefix: dslite-aftr
      reference: RFC XXXX

      name: ietf-dslite-b4
      namespace: urn:ietf:params:xml:ns:yang:ietf-dslite-b4
      prefix: dslite-b4
      reference: RFC XXXX

7.  Acknowledgements

   Thanks to Qin Wu for identifying a compiling error.  Mahesh
   Jethanandani provided an early yangdoctors review; many thanks to
   him.

   Many thanks to Ian Farrer for the review and comments.

8.  References

8.1.  Normative references

   [I-D.ietf-opsawg-nat-yang]
              Boucadair, M., Sivakumar, S., Jacquenet, C., Vinapamula,
              S., and Q. Wu, "A YANG Data Model for Network Address
              Translation (NAT) and Network Prefix Translation (NPT)",
              draft-ietf-opsawg-nat-yang-06 (work in progress), October
              2017.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7223]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 7223, DOI 10.17487/RFC7223, May 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

8.2.  Informative references

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-14 (work in progress), October
              2017.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7785]  Vinapamula, S. and M. Boucadair, "Recommendations for
              Prefix Binding in the Context of Softwire Dual-Stack
              Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016.

Appendix A.  B4 Example

   The following example shows a B4 element (2001:db8:0:1::1) that is
   configured with an AFTR element (2001:db8:0:2::1).  The B4 element is
   also instructed to preserve the DSCP marking.

   <interface>
     <name>myB4</name>
     <type>ianaift:tunnel</type>
     <enabled>true</enabled>
     <b4-ipv6-address>2001:db8:0:1::1</b4-ipv6-address>
     <aftr-ipv6-addr>2001:db8:0:2::1</aftr-ipv6-addr>
     <v6-v4-dscp-preservation>true</v6-v4-dscp-preservation>
   </interface>

Appendix B.  AFTR Examples

   The following example shows an AFTR that is reachable at
   2001:db8:0:2::1.  Also, this XML snippet indicates that the AFTR is
   provided with an IPv4 address (192.0.0.1) to be used for
   troubleshooting purposes such as reporting problems to B4s.
   Moreover, the AFTR is instructed to limit the number of softwires per
   subscriber to '1'.

   Note that a subscriber is identified by a subscriber-mask ([RFC7785])
   that can be configured by means of [I-D.ietf-opsawg-nat-yang].

   <interface>
     <name>myAFTR</name>
     <type>ianaift:tunnel</type>
     <enabled>true</enabled>
     <aftr-ipv6-address>2001:db8:0:2::1</aftr-ipv6-address>
     <aftr-ipv4-address>192.0.0.1</aftr-ipv4-address>
     <max-softwire-per-subscriber>1</max-softwire-per-subscriber>
   </interface>

   The following shows an XML excerpt depicting a dynamic UDP mapping
   entry maintained by a DS-Lite AFTR for a packet received from the B4
   element introduced in Appendix A.  Concretely, this UDP packet
   received with a source IPv6 address (2001:db8:0:1::1), a source IPv4
   address (192.0.2.1), and source port number (1568) is translated into
   a UDP packet having a source IPv4 address (198.51.100.1) and source
   port number (15000).  The remaining lifetime of this mapping is 300
   seconds.

   <mapping-entry>
     <index>15</index>
     <type>dynamic-explicit</type>
     <transport-protocol>17</transport-protocol>
     <b4-ipv6-address>2001:db8:0:1::1</b4-ipv6-address>
     <internal-src-address>192.0.2.1</internal-src-address>
     <internal-src-port>
       <start-port-number>1568</start-port-number>
     </internal-src-port>
     <external-src-address>198.51.100.1</external-src-address>
     <external-src-port>
       <start-port-number>15000</start-port-number>
     </external-src-port>
     <lifetime>300</lifetime>
   </mapping-entry>

Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   EMail: mohamed.boucadair@orange.com


   Christian Jacquenet
   Orange
   Rennes 35000
   France

   EMail: christian.jacquenet@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   EMail: ssenthil@cisco.com
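   The following is an added example, not part of the draft: a Python
   audit that parses B4/AFTR configuration instances shaped like the
   ones in Appendices A and B and reports the risky settings that
   Section 5 enumerates, plus a check of the module's 'when'
   constraints on the per-mapping DSCP leaves.  The XML instances are
   constructed; the AFTR allow-list, the MTU floor and the softwire
   ceiling are assumed deployment thresholds, and the ietf-nat
   namespace is assumed.

```python
import xml.etree.ElementTree as ET

# Instances constructed after Appendix A (B4) and Appendix B (AFTR).  The
# ietf-interfaces and iana-if-type namespaces are the registered ones; the
# ietf-nat namespace is assumed to be the one the NAT YANG draft registers.
IF_NS = ('xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces" '
         'xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type"')
GOOD_B4 = f"""<interface {IF_NS}
    xmlns:b4="urn:ietf:params:xml:ns:yang:ietf-dslite-b4">
  <name>myB4</name><type>ianaift:tunnel</type><enabled>true</enabled>
  <b4:b4-ipv6-address>2001:db8:0:1::1</b4:b4-ipv6-address>
  <b4:aftr-ipv6-addr>2001:db8:0:2::1</b4:aftr-ipv6-addr>
  <b4:v6-v4-dscp-preservation>true</b4:v6-v4-dscp-preservation>
</interface>"""
# The same B4 after an unauthorised edit-config: unknown AFTR, tiny MTU.
TAMPERED_B4 = GOOD_B4.replace("2001:db8:0:2::1", "2001:db8:bad::1").replace(
    "</interface>", "<b4:tunnel-mtu>576</b4:tunnel-mtu></interface>")
WEAK_AFTR = f"""<interface {IF_NS}
    xmlns:aftr="urn:ietf:params:xml:ns:yang:ietf-dslite-aftr">
  <name>myAFTR</name><type>ianaift:tunnel</type><enabled>true</enabled>
  <aftr:aftr-ipv6-address>2001:db8:0:2::1</aftr:aftr-ipv6-address>
  <aftr:max-softwire-per-subscriber>200</aftr:max-softwire-per-subscriber>
  <aftr:v6-v4-dscp-preservation>false</aftr:v6-v4-dscp-preservation>
</interface>"""
WEAK_AFTR_POLICY = """<policy xmlns="urn:ietf:params:xml:ns:yang:ietf-nat"
    xmlns:aftr="urn:ietf:params:xml:ns:yang:ietf-dslite-aftr">
  <aftr:state-migrate>false</aftr:state-migrate>
  <aftr:b4-address-change-limit>5</aftr:b4-address-change-limit>
</policy>"""
MAPPING = """<mapping-entry xmlns="urn:ietf:params:xml:ns:yang:ietf-nat"
    xmlns:aftr="urn:ietf:params:xml:ns:yang:ietf-dslite-aftr">
  <index>15</index><transport-protocol>17</transport-protocol>
  <aftr:b4-ipv6-address>2001:db8:0:1::1</aftr:b4-ipv6-address>
  <aftr:v6-dscp>46</aftr:v6-dscp>
</mapping-entry>"""

# Deployment thresholds (assumed): the draft itself only gives the
# 30-minute recommendation for b4-address-change-limit and a quota of 1.
TRUSTED_AFTRS = {"2001:db8:0:2::1"}
MIN_TUNNEL_MTU = 1280            # IPv6 minimum link MTU used as the floor
MAX_SOFTWIRES = 4
RECOMMENDED_CHANGE_LIMIT = 1800
DSCP_LEAVES = ("v6-dscp", "internal-v4-dscp", "external-v4-dscp")


def leaves(xml_text):
    """Flatten an instance into {local-name: text}, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    return {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}


def audit(xml_text, trusted=TRUSTED_AFTRS):
    """One finding per Section 5 risk that the instance exhibits."""
    cfg, out = leaves(xml_text), []
    aftr = cfg.get("aftr-ipv6-addr")                 # B4 side only
    if aftr and aftr not in trusted:
        out.append(f"aftr-ipv6-addr {aftr} is not a known AFTR (interception)")
    if "tunnel-mtu" in cfg and int(cfg["tunnel-mtu"]) < MIN_TUNNEL_MTU:
        out.append(f"tunnel-mtu {cfg['tunnel-mtu']} below {MIN_TUNNEL_MTU}"
                   " (fragmentation)")
    if int(cfg.get("max-softwire-per-subscriber", 1)) > MAX_SOFTWIRES:
        out.append("max-softwire-per-subscriber above ceiling (AFTR exhaustion)")
    if cfg.get("state-migrate") == "false":
        out.append("state-migrate false (degradation on B4 address change)")
    if int(cfg.get("b4-address-change-limit", 1800)) < RECOMMENDED_CHANGE_LIMIT:
        out.append("b4-address-change-limit below 30 min (address-change DoS)")
    if cfg.get("v6-v4-dscp-preservation") == "false":
        out.append("v6-v4-dscp-preservation false (DSCP policies not applied)")
    return out


def check_mapping_when(interface_xml, mapping_xml):
    """The module's 'when' clauses make the per-mapping DSCP leaves valid
    only if v6-v4-dscp-preservation is true on the interface."""
    preserve = leaves(interface_xml).get("v6-v4-dscp-preservation") == "true"
    present = [k for k in leaves(mapping_xml) if k in DSCP_LEAVES]
    return [] if preserve else [f"{k} set but DSCP preservation is off" for k in present]
```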