idnits 2.17.1 draft-ietf-softwire-dslite-yang-10.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
  ** There are 2 instances of too long lines in the document, the longest
     one being 13 characters in excess of 72.

  == There are 2 instances of lines with non-RFC6890-compliant IPv4
     addresses in the document.  If these are example addresses, they
     should be changed.

Miscellaneous warnings:
----------------------------------------------------------------------------
  == The copyright year in the IETF Trust and authors Copyright Line does
     not match the current year

  -- The document date (November 16, 2017) is 2352 days in the past.  Is
     this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
  (See RFCs 3967 and 4897 for information about using normative references
  to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-17) exists of
     draft-ietf-opsawg-nat-yang-08

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  ** Obsolete normative reference: RFC 6536 (Obsoleted by RFC 8341)

  ** Obsolete normative reference: RFC 7223 (Obsoleted by RFC 8343)

  == Outdated reference: A later version (-21) exists of
     draft-ietf-netmod-acl-model-14

  == Outdated reference: A later version (-06) exists of
     draft-ietf-netmod-yang-tree-diagrams-02

  -- Obsolete informational reference (is this intentional?): RFC 6087
     (Obsoleted by RFC 8407)

  Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.
--------------------------------------------------------------------------------

Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: May 20, 2018                                       S. Sivakumar
                                                           Cisco Systems
                                                       November 16, 2017

            A YANG Data Module for Dual-Stack Lite (DS-Lite)
                   draft-ietf-softwire-dslite-yang-10

Abstract

   This document defines a YANG module for the DS-Lite Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements.

Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   o  "This version of this YANG module is part of RFC XXXX;"

   o  "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)";

   o  "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 20, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  DS-Lite YANG Module: An Overview
   3.  DS-Lite YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative references
     7.2.  Informative references
   Appendix A.  B4 Example
   Appendix B.  AFTR Examples
   Authors' Addresses

1.  Introduction

   This document defines a data model for DS-Lite [RFC6333], using the
   YANG data modeling language [RFC7950].  Both the Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements
   are covered by this specification.

   As a reminder, Figure 1 illustrates an overview of the DS-Lite
   architecture that involves AFTR and B4 elements.

                    +-----------+
                    |   Host    |
                    +-----+-----+
                          |192.0.2.1
                          |
                          |
                          |192.0.2.2
                +---------|---------+
                |         |         |
                |    Home router    |
                |+--------+--------+|
                ||       B4        ||
                |+--------+--------+|
                +--------|||--------+
                         |||2001:db8:0:1::1
                         |||
                         |||<-IPv4-in-IPv6 softwire
                         |||
                  -------|||-------
                /        |||        \
               |    ISP core network |
                \        |||        /
                  -------|||-------
                         |||
                         |||2001:db8:0:2::1
                +--------|||--------+
                |       AFTR        |
                |+--------+--------+|
                ||  Concentrator   ||
                |+--------+--------+|
                |       |NAT|       |
                |       +-+-+       |
                +---------|---------+
                          |198.51.100.1
                          |
                  --------|--------
                /         |         \
               |      Internet       |
                \         |         /
                  --------|--------
                          |
                          |203.0.113.1
                    +-----+-----+
                    | IPv4 Host |
                    +-----------+

                 Figure 1: DS-Lite Base Architecture

   DS-Lite deployment considerations are discussed in [RFC6908].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).

1.1.  Terminology

   This document makes use of the terms defined in Section 3 of
   [RFC6333].

   The terminology for describing YANG data modules is defined in
   [RFC7950].

   The meaning of the symbols in tree diagrams is defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  DS-Lite YANG Module: An Overview

   As shown in Figure 1:

   o  The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a
      NAPT function (Section 2.2 of [RFC3022]).

   o  The B4 element is an IPv4-in-IPv6 tunnel.

   Therefore, the DS-Lite YANG module is designed to augment both the
   Interfaces YANG module [RFC7223] and the NAT YANG module
   [I-D.ietf-opsawg-nat-yang] with DS-Lite-specific features.

   The YANG "feature" statement is used to distinguish which of the DS-
   Lite elements ('aftr' or 'b4') is relevant for a specific data node.

   Concretely, the DS-Lite YANG module (Figure 2) augments the
   Interfaces YANG module with the following:

   o  An IPv6 address used by the tunnel endpoint (AFTR or B4) for
      sending and receiving IPv4-in-IPv6 packets (ipv6-address).

   o  An IPv4 address that is used by the tunnel endpoint (AFTR or B4)
      for troubleshooting purposes (ipv4-address).

   o  An IPv6 address used by a B4 element to reach its AFTR (aftr-
      ipv6-addr).

   o  The tunnel MTU used to avoid fragmentation (tunnel-mtu).

   o  A policy to instruct the tunnel endpoint (AFTR or B4) whether it
      must preserve DSCP marking when encapsulating/decapsulating
      packets (v6-v4-dscp-preservation).

   In addition, the DS-Lite YANG module augments the NAT YANG module
   (policy, in particular) with the following:

   o  A policy to limit the number of DS-Lite softwires per subscriber
      (max-softwires-per-subscriber).

   o  A policy to instruct the AFTR whether a state can be automatically
      migrated (state-migrate).

   o  Further, in order to prevent a denial-of-service caused by frequent
      changes of the source IPv6 address, 'b4-address-change-limit' is
      used to rate-limit such changes.

   o  An instruction to rewrite the TCP Maximum Segment Size (MSS)
      option (mss-clamping) to avoid TCP fragmentation.
   Given that the NAPT table of the AFTR element is extended to include
   the source IPv6 address of incoming packets, the DS-Lite YANG module
   augments the NAPT44 mapping-entry with the following:

   o  b4-ipv6-address, which is used to record the source IPv6 address
      of a packet received from a B4 element.  This IPv6 address is
      required to disambiguate between the overlapping IPv4 address
      spaces of subscribers.

   o  The value of the Traffic Class field in the IPv6 header as
      received from a B4 element (v6-dscp): This information is used to
      preserve DSCP marking when encapsulating/decapsulating at the
      AFTR.

   o  The IPv4 DSCP marking of the IPv4 packet received from a B4
      element (internal-v4-dscp): This information can be used by the
      AFTR for setting the DSCP of packets relayed to a B4 element.

   o  The IPv4 DSCP marking as set by the AFTR on its external interface
      (external-v4-dscp): An AFTR can be instructed to preserve the same
      marking or to set it to another value when forwarding an IPv4
      packet upstream.

   Access Control List (ACL) and Quality of Service (QoS) policies
   discussed in Section 2.5 of [RFC6908] are out of scope.  A YANG
   module for ACLs is documented in [I-D.ietf-netmod-acl-model].

   Likewise, PCP-related considerations discussed in Section 8.5 of
   [RFC6333] are out of scope.  A YANG module for PCP is documented in
   [I-D.boucadair-pcp-yang].

   module: ietf-dslite
     augment /if:interfaces/if:interface:
       +--rw ipv6-address?               inet:ipv6-address {aftr or b4}?
       +--rw ipv4-address?               inet:ipv4-address {aftr or b4}?
       +--rw aftr-ipv6-addr?             inet:ipv6-address {b4}?
       +--rw tunnel-mtu?                 uint16 {aftr or b4}?
       +--rw v6-v4-dscp-preservation?    boolean {aftr or b4}?
     augment /nat:nat/nat:instances/nat:instance/nat:policy:
       +--rw max-softwires-per-subscriber?   uint8 {aftr}?
       +--rw state-migrate?                  boolean {aftr}?
       +--rw b4-address-change-limit?        uint32 {aftr}?
       +--rw mss-clamping {aftr}?
          +--rw enable?      boolean
          +--rw mss-value?   uint16
     augment /nat:nat/nat:instances/nat:instance/nat:mapping-table/nat:mapping-entry:
       +--rw b4-ipv6-address {aftr}?
       |  +--rw address?               inet:ipv6-address
       |  +--rw last-address-change?   yang:date-and-time
       +--rw v6-dscp?            uint8 {aftr}?
       +--rw internal-v4-dscp?   uint8 {aftr}?
       +--rw external-v4-dscp?   uint8 {aftr}?
     augment /nat:nat/nat:instances/nat:instance/nat:statistics/nat:mappings-statistics:
       +--ro active-softwires?   yang:gauge32 {aftr}?

     notifications:
       +---n b4-address-change-limit-policy-violation {aftr}?
          +--ro id           -> /nat:nat/instances/instance/id
          +--ro policy-id    -> /nat:nat/instances/instance/policy/id
          +--ro address      inet:ipv6-address

                    Figure 2: YANG Module for DS-Lite

   Examples to illustrate the use of this module are provided in
   Appendix A and Appendix B.

3.  DS-Lite YANG Module

<CODE BEGINS> file "ietf-dslite@2017-11-15.yang"

module ietf-dslite {
  yang-version 1.1;

  namespace "urn:ietf:params:xml:ns:yang:ietf-dslite";
  prefix dslite;

  import ietf-inet-types { prefix inet; }
  import ietf-interfaces { prefix if; }
  import iana-if-type { prefix ianaift; }
  import ietf-nat { prefix nat; }
  import ietf-yang-types { prefix yang; }

  organization "IETF Softwire Working Group";

  contact
    "WG Web:
     WG List:

     Editor:  Mohamed Boucadair
              <mailto:mohamed.boucadair@orange.com>

     Editor:  Christian Jacquenet
              <mailto:christian.jacquenet@orange.com>

     Editor:  Senthil Sivakumar
              <mailto:ssenthil@cisco.com>";

  description
    "This module is a YANG module for DS-Lite AFTR and B4
     implementations.

     Copyright (c) 2017 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision 2017-11-15 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)";
  }

  /*
   * Features
   */

  feature b4 {
    description
      "The B4 element is a function implemented on a dual-stack-capable
       node, either a directly connected device or a CPE, that creates
       a tunnel to an AFTR.";
    reference
      "Section 5 of RFC 6333.";
  }

  feature aftr {
    description
      "An AFTR element is the combination of an IPv4-in-IPv6 tunnel
       endpoint and an IPv4-IPv4 NAT implemented on the same node.";
    reference
      "Section 6 of RFC 6333.";
  }

  /*
   * Augments
   */

  augment "/if:interfaces/if:interface" {
    when "if:type = 'ianaift:tunnel'";
    description
      "Augments Interface module with AFTR parameters.
       IANA interface types are maintained at this registry:
       https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib.

       tunnel (131), -- Encapsulation interface";

    leaf ipv6-address {
      if-feature "aftr or b4";
      type inet:ipv6-address;
      description
        "IPv6 address of the local DS-Lite endpoint (AFTR or B4).";
      reference
        "RFC 6333: Dual-Stack Lite Broadband Deployments Following
         IPv4 Exhaustion";
    }

    leaf ipv4-address {
      if-feature "aftr or b4";
      type inet:ipv4-address;
      description
        "IPv4 address of the local DS-Lite AFTR or B4.

         192.0.0.1 is reserved for the AFTR element, while
         192.0.0.0/29 is reserved for the B4 element.
         This address can be used to report ICMP problems and will
         appear in traceroute outputs.";
      reference
        "RFC 6333: Dual-Stack Lite Broadband Deployments Following
         IPv4 Exhaustion";
    }

    leaf aftr-ipv6-addr {
      if-feature b4;
      type inet:ipv6-address;
      description
        "Indicates the AFTR's IPv6 address to be used by a B4 element.";
      reference
        "RFC 6333: Dual-Stack Lite Broadband Deployments Following
         IPv4 Exhaustion";
    }

    leaf tunnel-mtu {
      if-feature "aftr or b4";
      type uint16;
      description
        "Configures a tunnel MTU.

         [RFC6908] specifies that since fragmentation and reassembly
         is not optimal, the operator should do everything possible
         to eliminate the need for it.  If the operator uses simple
         IPv4-in-IPv6 softwire, it is recommended that the MTU size
         of the IPv6 network between the B4 and the AFTR accounts for
         the additional overhead (40 bytes).";
      reference
        "RFC 6908: Deployment Considerations for Dual-Stack Lite";
    }

    leaf v6-v4-dscp-preservation {
      if-feature "aftr or b4";
      type boolean;
      description
        "Copies the DSCP value from the IPv6 header and vice versa.

         According to Section 2.10 of [RFC6908], operators should
         use this model by provisioning the network such that the
         AFTR/B4 copies the DSCP value in the IPv4 header to
         the Traffic Class field in the IPv6 header, after the
         encapsulation for the downstream traffic.";
      reference
        "Section 2.10 of RFC 6908.";
    }
  }

  augment "/nat:nat/nat:instances/nat:instance/nat:policy" {
    when "/nat:nat/nat:instances/nat:instance/nat:type='napt44'" +
         " and /nat:nat/nat:instances/nat:instance/" +
         "nat:per-interface-binding='dslite'";
    if-feature aftr;
    description
      "Augments the NAPT44 module with AFTR parameters.";

    leaf max-softwires-per-subscriber {
      type uint8;
      default 1;
      description
        "Configures the maximum softwires per subscriber feature.
         A subscriber is uniquely identified by means
         of a subscriber mask (subscriber-mask-v6).

         This policy aims to prevent a misbehaving subscriber from
         mounting several DS-Lite softwires that would consume
         additional AFTR resources (e.g., get more external ports
         if the quota were enforced on a per-softwire basis,
         consume extra processing due to a large number of active
         softwires).";
      reference
        "Section 4 of RFC 7785.";
    }

    leaf state-migrate {
      type boolean;
      default true;
      description
        "State migration is enabled by default.

         In the event a new IPv6 address is assigned to the B4 element,
         the AFTR should migrate existing state to be bound to the new
         IPv6 address.  This operation ensures that traffic destined to
         the previous B4's IPv6 address will be redirected to the newer
         B4's IPv6 address.  The destination IPv6 address for tunneling
         return traffic from the AFTR should be the last seen as the
         B4's IPv6 source address from the user device (e.g., CPE).

         The AFTR uses the subscriber-mask-v6 to determine whether two
         IPv6 addresses belong to the same CPE (e.g., if the
         subscriber-mask-v6 is set to 56, the AFTR concludes that
         2001:db8:100:100::1 and 2001:db8:100:100::2 belong to the same
         CPE assigned with 2001:db8:100:100::/56).";
      reference
        "RFC 7785: Recommendations for Prefix Binding in the Context
         of Softwire Dual-Stack Lite";
    }

    leaf b4-address-change-limit {
      type uint32;
      units "seconds";
      default '1800';
      description
        "Minimum number of seconds between successive changes of a
         B4's IPv6 address within the same prefix.

         Changing the source B4's IPv6 address may be used as an attack
         vector.  Packets with a new B4's IPv6 address from the same
         prefix should be rate-limited.
         It is recommended to set this rate limit to 30 minutes; other
         values can be set on a per-deployment basis.";
      reference
        "RFC 7785: Recommendations for Prefix Binding in the Context
         of Softwire Dual-Stack Lite";
    }

    container mss-clamping {
      description
        "MSS rewriting configuration to avoid IPv6 fragmentation.";

      leaf enable {
        type boolean;
        description
          "Enable/disable MSS rewriting feature.";
      }

      leaf mss-value {
        type uint16;
        units "octets";
        description
          "Sets the MSS value to be used for MSS rewriting.";
      }
    }
  }

  augment "/nat:nat/nat:instances/nat:instance/" +
          "nat:mapping-table/nat:mapping-entry" {
    when "/nat:nat/nat:instances/nat:instance/nat:type='napt44'" +
         " and /nat:nat/nat:instances/nat:instance/" +
         "nat:per-interface-binding='dslite'";
    if-feature aftr;
    description
      "Augments the NAPT44 mapping table with DS-Lite specifics.";

    container b4-ipv6-address {
      description
        "Records the IPv6 address used by the B4 element and the last
         time that address changed.";

      leaf address {
        type inet:ipv6-address;
        description
          "Corresponds to the IPv6 address used by the B4 element.";
        reference
          "RFC 6333: Dual-Stack Lite Broadband Deployments Following
           IPv4 Exhaustion";
      }

      leaf last-address-change {
        type yang:date-and-time;
        description
          "Records the last time when the address changed.";
      }
    }

    leaf v6-dscp {
      when "/if:interfaces/if:interface/" +
           "dslite:v6-v4-dscp-preservation='true'";
      type uint8;
      description
        "DSCP value used at the softwire level (i.e., IPv6 header).";
    }

    leaf internal-v4-dscp {
      when "/if:interfaces/if:interface/" +
           "dslite:v6-v4-dscp-preservation='true'";
      type uint8;
      description
        "DSCP value of the encapsulated IPv4 packet.";
    }

    leaf external-v4-dscp {
      when "/if:interfaces/if:interface/" +
           "dslite:v6-v4-dscp-preservation='true'";
      type uint8;
      description
        "DSCP value of the translated IPv4 packet as marked by
         the AFTR.";
    }
  }

  augment "/nat:nat/nat:instances/nat:instance/nat:statistics/" +
          "nat:mappings-statistics" {
    if-feature aftr;
    description
      "Indicates the number of active softwires.";

    leaf active-softwires {
      type yang:gauge32;
      description
        "The number of currently active softwires on the AFTR
         instance.";
    }
  }

  /*
   * Notifications
   */

  notification b4-address-change-limit-policy-violation {
    if-feature aftr;
    description
      "Generates notifications when a B4 unsuccessfully attempts
       to change IPv6 address in a time shorter than the value of
       b4-address-change-limit.

       Notifications are rate-limited (notify-interval).";

    leaf id {
      type leafref {
        path "/nat:nat/nat:instances/nat:instance/nat:id";
      }
      mandatory true;
      description
        "NAT instance identifier.";
    }

    leaf policy-id {
      type leafref {
        path "/nat:nat/nat:instances/nat:instance/nat:policy/nat:id";
      }
      mandatory true;
      description
        "Policy Identifier.";
    }

    leaf address {
      type inet:ipv6-address;
      mandatory true;
      description
        "B4's IPv6 address.";
    }
  }
}

<CODE ENDS>

4.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.
   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  An attacker who is able to access the B4/AFTR
   can undertake various attacks, such as:

   o  Set the value of 'aftr-ipv6-addr' on the B4 to point to an
      illegitimate AFTR so that it can intercept all the traffic sent by
      a B4.  Illegitimately intercepting users' traffic is an attack
      with severe implications on privacy.

   o  Set the MTU to a low value, which may increase the number of
      fragments ('tunnel-mtu' for both B4 and AFTR).

   o  Set 'max-softwires-per-subscriber' to an arbitrarily high value,
      which will be exploited by a misbehaving user to grab more
      resources (by mounting as many softwires as required to get more
      external IP addresses/ports) or to perform a Denial-of-Service on
      the AFTR by mounting a massive number of softwires.

   o  Set 'state-migrate' to 'false' on the AFTR.  This action may lead
      to a service degradation for the users.

   o  Set 'b4-address-change-limit' to an arbitrarily low value, which
      can ease DoS attacks based on frequent changes of the B4 IPv6
      address.

   o  Set 'v6-v4-dscp-preservation' to 'false', which may lead to a
      service degradation if some policies are applied on the network
      based on the DSCP value.

   Additional security considerations are discussed in
   [I-D.ietf-opsawg-nat-yang].

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-dslite
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.
   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-dslite
      namespace: urn:ietf:params:xml:ns:yang:ietf-dslite
      prefix: dslite-aftr
      reference: RFC XXXX

6.  Acknowledgements

   Thanks to Qin Wu for identifying a compiling error.  Mahesh
   Jethanandani provided an early yangdoctors review; many thanks to
   him.

   Many thanks to Ian Farrer for the review and comments.

7.  References

7.1.  Normative references

   [I-D.ietf-opsawg-nat-yang]
              Boucadair, M., Sivakumar, S., Jacquenet, C., Vinapamula,
              S., and Q. Wu, "A YANG Data Model for Network Address
              Translation (NAT) and Network Prefix Translation (NPT)",
              draft-ietf-opsawg-nat-yang-08 (work in progress), November
              2017.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.
   [RFC7223]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 7223, DOI 10.17487/RFC7223, May 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

7.2.  Informative references

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-14 (work in progress), October
              2017.

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
              ietf-netmod-yang-tree-diagrams-02 (work in progress),
              October 2017.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7785]  Vinapamula, S. and M. Boucadair, "Recommendations for
              Prefix Binding in the Context of Softwire Dual-Stack
              Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016.

Appendix A.  B4 Example

   The following example shows a B4 element (2001:db8:0:1::1) that is
   configured with an AFTR element (2001:db8:0:2::1).  The B4 element is
   also instructed to preserve the DSCP marking.
   <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
               xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type"
               xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <interface>
       <name>myB4</name>
       <type>ianaift:tunnel</type>
       <enabled>true</enabled>
       <dslite:ipv6-address>2001:db8:0:1::1</dslite:ipv6-address>
       <dslite:aftr-ipv6-addr>2001:db8:0:2::1</dslite:aftr-ipv6-addr>
       <dslite:v6-v4-dscp-preservation>true</dslite:v6-v4-dscp-preservation>
     </interface>
   </interfaces>

Appendix B.  AFTR Examples

   The following example shows an AFTR that is reachable at
   2001:db8:0:2::1.  Also, this XML snippet indicates that the AFTR is
   provided with an IPv4 address (192.0.0.1) to be used for
   troubleshooting purposes such as reporting problems to B4s.

   Note that a subscriber is identified by a subscriber mask ([RFC7785])
   that can be configured by means of [I-D.ietf-opsawg-nat-yang].

   <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
               xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type"
               xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <interface>
       <name>myAFTR</name>
       <type>ianaift:tunnel</type>
       <enabled>true</enabled>
       <dslite:ipv6-address>2001:db8:0:2::1</dslite:ipv6-address>
       <dslite:ipv4-address>192.0.0.1</dslite:ipv4-address>
     </interface>
   </interfaces>

   The following shows an XML excerpt depicting a dynamic UDP mapping
   entry maintained by a DS-Lite AFTR for a packet received from the B4
   element introduced in Appendix A.  Concretely, this UDP packet
   received with a source IPv6 address (2001:db8:0:1::1), a source IPv4
   address (192.0.2.1), and source port number (1568) is translated into
   a UDP packet having a source IPv4 address (198.51.100.1) and source
   port number (15000).  The remaining lifetime of this mapping is 300
   seconds.

   <mapping-entry xmlns="urn:ietf:params:xml:ns:yang:ietf-nat"
                  xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <index>15</index>
     <type>dynamic-explicit</type>
     <transport-protocol>17</transport-protocol>
     <dslite:b4-ipv6-address>
       <dslite:address>2001:db8:0:1::1</dslite:address>
     </dslite:b4-ipv6-address>
     <internal-src-address>192.0.2.1</internal-src-address>
     <internal-src-port>
       <start-port-number>1568</start-port-number>
     </internal-src-port>
     <external-src-address>198.51.100.1</external-src-address>
     <external-src-port>
       <start-port-number>15000</start-port-number>
     </external-src-port>
     <lifetime>300</lifetime>
   </mapping-entry>
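   To make the policy semantics of Section 3 concrete, the following is an added Python illustration (not code from this draft or from the ietf-dslite module) of how an AFTR could apply state-migrate, b4-address-change-limit and max-softwires-per-subscriber to the mapping entry of Appendix B; the Policy, MappingEntry and Aftr structures, process_packet(), the NAT instance and policy ids, and the subscriber-mask-v6 value of 56 are assumptions.

```python
"""AFTR handling of a B4 that shows up with a new IPv6 address, following
the state-migrate, b4-address-change-limit and max-softwires-per-subscriber
semantics of the module.  Added illustration, not code from the draft:
Policy/MappingEntry/Aftr and process_packet() are assumed structures."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Policy:
    # Defaults as given by the module: 1 softwire, migration on, 1800 s.
    max_softwires_per_subscriber: int = 1
    state_migrate: bool = True
    b4_address_change_limit: int = 1800       # seconds
    subscriber_mask_v6: int = 56              # RFC 7785 subscriber mask (assumed)


@dataclass
class MappingEntry:
    index: int
    b4_ipv6_address: str
    last_address_change: float                # seconds on the AFTR clock
    internal_src_address: str
    internal_src_port: int
    external_src_address: str
    external_src_port: int
    lifetime: int


@dataclass
class Aftr:
    policy: Policy
    instance_id: int = 1                      # constructed NAT instance id
    policy_id: int = 1                        # constructed policy id
    entries: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def subscriber_prefix(mask, address):
    # Apply subscriber-mask-v6: 2001:db8:0:1::1 with mask 56 -> 2001:db8::/56.
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def process_packet(aftr, src_v6, internal_v4, internal_port, now):
    """Classify an IPv4-in-IPv6 packet from src_v6 against the mapping table.
    Returns match, new-flow, migrated, rate-limited, softwire-limit or
    new-softwire; allocation of new mappings is not modelled."""
    pol = aftr.policy
    prefix = subscriber_prefix(pol.subscriber_mask_v6, src_v6)
    # All state of this subscriber: entries whose B4 address shares the prefix.
    mine = [e for e in aftr.entries
            if subscriber_prefix(pol.subscriber_mask_v6, e.b4_ipv6_address) == prefix]
    for e in mine:
        if (e.b4_ipv6_address == src_v6 and e.internal_src_address == internal_v4
                and e.internal_src_port == internal_port):
            return "match"                    # existing mapping, same softwire
    softwires = {e.b4_ipv6_address for e in mine}
    if src_v6 in softwires:
        return "new-flow"                     # known softwire, unseen flow
    if mine and pol.state_migrate:
        # The subscriber moved to another address inside its prefix.
        last_change = max(e.last_address_change for e in mine)
        if now - last_change < pol.b4_address_change_limit:
            # Too soon: keep state bound to the old address and emit the
            # b4-address-change-limit-policy-violation notification.
            aftr.notifications.append({"id": aftr.instance_id,
                                       "policy-id": aftr.policy_id,
                                       "address": src_v6})
            return "rate-limited"
        for e in mine:                        # rebind all state to the new address
            e.b4_ipv6_address = src_v6
            e.last_address_change = now
        return "migrated"
    if len(softwires) >= pol.max_softwires_per_subscriber:
        return "softwire-limit"               # per-subscriber quota would be exceeded
    return "new-softwire"


def appendix_b_aftr(policy=None):
    # AFTR whose table holds the Appendix B mapping entry (constructed state).
    aftr = Aftr(policy or Policy())
    aftr.entries.append(MappingEntry(15, "2001:db8:0:1::1", 0.0, "192.0.2.1",
                                     1568, "198.51.100.1", 15000, 300))
    return aftr


def demo():
    # The Appendix B B4 renumbers inside its /56 after 2000 s (migrated),
    # then again 100 s later (rate-limited).  Returns (outcomes, aftr).
    aftr = appendix_b_aftr()
    outcomes = [
        process_packet(aftr, "2001:db8:0:1::1", "192.0.2.1", 1568, now=10.0),
        process_packet(aftr, "2001:db8:0:1::2", "192.0.2.1", 1568, now=2000.0),
        process_packet(aftr, "2001:db8:0:1::3", "192.0.2.1", 1568, now=2100.0),
    ]
    return outcomes, aftr
```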
Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   EMail: mohamed.boucadair@orange.com

   Christian Jacquenet
   Orange
   Rennes 35000
   France

   EMail: christian.jacquenet@orange.com

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   EMail: ssenthil@cisco.com