Network Working Group                                       M. Boucadair
Internet-Draft                                              C. Jacquenet
Intended status: Standards Track                                  Orange
Expires: May 23, 2018                                       S. Sivakumar
                                                           Cisco Systems
                                                       November 19, 2017


           A YANG Data Module for Dual-Stack Lite (DS-Lite)
                    draft-ietf-softwire-dslite-yang-11

Abstract

   This document defines a YANG module for the DS-Lite Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements.

Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   o  "This version of this YANG module is part of RFC XXXX;"

   o  "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)";

   o  "reference: RFC XXXX"

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).
   Note that other groups may also distribute working documents as
   Internet-Drafts.  The list of current Internet-Drafts is at
   https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 23, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
   2.  DS-Lite YANG Module: An Overview
   3.  DS-Lite YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative references
     7.2.  Informative references
   Appendix A.  B4 Example
   Appendix B.  AFTR Examples
   Authors' Addresses

1.  Introduction

   This document defines a data model for DS-Lite [RFC6333], using the
   YANG data modeling language [RFC7950].  Both the Address Family
   Transition Router (AFTR) and Basic Bridging BroadBand (B4) elements
   are covered by this specification.

   As a reminder, Figure 1 illustrates an overview of the DS-Lite
   architecture that involves AFTR and B4 elements.

                          +-----------+
                          |   Host    |
                          +-----+-----+
                                |192.0.2.1
                                |
                                |
                                |192.0.2.2
                      +---------|---------+
                      |         |         |
                      |    Home router    |
                      |+--------+--------+|
                      ||        B4       ||
                      |+--------+--------+|
                      +--------|||--------+
                               |||2001:db8:0:1::1
                               |||
                               |||<-IPv4-in-IPv6 softwire
                               |||
                         -------|||-------
                       /        |||       \
                      |   ISP core network |
                       \        |||       /
                         -------|||-------
                               |||
                               |||2001:db8:0:2::1
                      +--------|||--------+
                      |       AFTR        |
                      |+--------+--------+|
                      ||  Concentrator   ||
                      |+--------+--------+|
                      |       |NAT|       |
                      |       +-+-+       |
                      +---------|---------+
                                |198.51.100.1
                                |
                         --------|--------
                       /         |        \
                      |      Internet      |
                       \         |        /
                         --------|--------
                                 |
                                 |203.0.113.1
                          +-----+-----+
                          | IPv4 Host |
                          +-----------+

                   Figure 1: DS-Lite Base Architecture

   DS-Lite deployment considerations are discussed in [RFC6908].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA).

1.1.  Terminology

   This document makes use of the terms defined in Section 3 of
   [RFC6333].

   The terminology for describing YANG data modules is defined in
   [RFC7950].

   The meaning of the symbols in tree diagrams is defined in
   [I-D.ietf-netmod-yang-tree-diagrams].

2.  DS-Lite YANG Module: An Overview

   As shown in Figure 1:

   o  The AFTR element is a combination of an IPv4-in-IPv6 tunnel and a
      NAPT function (Section 2.2 of [RFC3022]).

   o  The B4 element is an IPv4-in-IPv6 tunnel.

   Therefore, the DS-Lite YANG module is designed to augment both the
   Interfaces YANG module [RFC7223] and the NAT YANG module
   [I-D.ietf-opsawg-nat-yang] with DS-Lite specific features.

   The YANG "feature" statement is used to distinguish which of the
   DS-Lite elements ('aftr' or 'b4') is relevant for a specific data
   node.

   Concretely, the DS-Lite YANG module (Figure 2) augments the
   Interfaces YANG module with the following:

   o  An IPv6 address used by the tunnel endpoint (AFTR or B4) for
      sending and receiving IPv4-in-IPv6 packets (ipv6-address).

   o  An IPv4 address that is used by the tunnel endpoint (AFTR or B4)
      for troubleshooting purposes (ipv4-address).

   o  An IPv6 address used by a B4 element to reach its AFTR
      (aftr-ipv6-addr).

   o  The tunnel MTU used to avoid fragmentation (tunnel-mtu).

   o  A policy to instruct the tunnel endpoint (AFTR or B4) whether it
      must preserve DSCP marking when encapsulating/decapsulating
      packets (v6-v4-dscp-preservation).

   In addition, the DS-Lite YANG module augments the NAT YANG module
   (policy, in particular) with the following:

   o  A policy to limit the number of DS-Lite softwires per subscriber
      (max-softwires-per-subscriber).

   o  A policy to instruct the AFTR whether a state can be automatically
      migrated (state-migrate).

   o  A rate limit on changes of the B4 source IPv6 address
      (b4-address-change-limit), which prevents a denial of service
      mounted by frequently changing that address.

   o  An instruction to rewrite the TCP Maximum Segment Size (MSS)
      option (mss-clamping) to avoid fragmentation of encapsulated TCP
      segments.
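   The prefix-binding behaviour behind the 'state-migrate' and
   'b4-address-change-limit' policies listed above, as an added Python
   model that is not part of the draft or of any AFTR implementation.
   It assumes that mapping state is keyed by the subscriber prefix
   obtained by applying the NAT module's subscriber-mask-v6 to the B4
   source address (the /56 example quoted in the module), that a new B4
   address within a known prefix migrates that state only if it arrives
   at least b4-address-change-limit seconds after the previous change,
   and that a rejected change is recorded with the leaves the
   b4-address-change-limit-policy-violation notification carries
   (instance id, policy id, address).  The Policy, Binding, Violation
   and Aftr names, the return-value vocabulary and the sample addresses
   are mine.

```python
"""Added example, not from the draft: an AFTR-side model of the
'state-migrate' and 'b4-address-change-limit' policies together with the
subscriber-mask-v6 rule (a /56 mask makes 2001:db8:100:100::1 and ::2
the same subscriber).  Names, thresholds and addresses are assumptions."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Policy:
    subscriber_mask_v6: int = 56          # NAT-module policy leaf (assumed value)
    state_migrate: bool = True            # ietf-dslite default
    b4_address_change_limit: int = 1800   # seconds, ietf-dslite default


@dataclass
class Binding:
    """Per-subscriber state the AFTR keeps (reduced to the DS-Lite part)."""
    b4_address: ipaddress.IPv6Address     # where return traffic is tunnelled
    last_address_change: float            # seconds, same clock as on_packet()


@dataclass
class Violation:
    """The three leaves of b4-address-change-limit-policy-violation."""
    instance_id: str
    policy_id: str
    address: str


class Aftr:
    def __init__(self, policy, instance_id="1", policy_id="1"):
        self.policy = policy
        self.instance_id = instance_id
        self.policy_id = policy_id
        self.bindings = {}      # subscriber IPv6Network -> Binding
        self.violations = []    # Violation records, oldest first

    def subscriber_prefix(self, b4_src):
        """Applies subscriber-mask-v6: host bits are cleared, so every
        address a CPE picks from its delegated prefix maps to one key."""
        addr = ipaddress.IPv6Address(b4_src)
        return ipaddress.IPv6Network(
            (int(addr), self.policy.subscriber_mask_v6), strict=False)

    def same_subscriber(self, a, b):
        return self.subscriber_prefix(a) == self.subscriber_prefix(b)

    def on_packet(self, b4_src, now):
        """Handles the outer IPv6 source of one IPv4-in-IPv6 packet.
        Returns 'new', 'known', 'migrated', 'replaced' or 'rejected'."""
        addr = ipaddress.IPv6Address(b4_src)
        prefix = self.subscriber_prefix(addr)
        binding = self.bindings.get(prefix)
        if binding is None:
            self.bindings[prefix] = Binding(addr, now)
            return "new"
        if binding.b4_address == addr:
            return "known"
        # Same subscriber, different B4 address: rate-limit first, so a
        # host flapping its source address cannot churn AFTR state.
        if now - binding.last_address_change < self.policy.b4_address_change_limit:
            self.violations.append(
                Violation(self.instance_id, self.policy_id, str(addr)))
            return "rejected"
        if self.policy.state_migrate:
            # Mappings are kept; only the tunnel endpoint changes, so
            # return traffic follows the last-seen B4 address.
            binding.b4_address = addr
            binding.last_address_change = now
            return "migrated"
        # Migration disabled: old state is dropped, new address starts fresh.
        self.bindings[prefix] = Binding(addr, now)
        return "replaced"


if __name__ == "__main__":
    aftr = Aftr(Policy())
    for src, t in [("2001:db8:100:100::1", 0), ("2001:db8:100:100::2", 100),
                   ("2001:db8:100:100::2", 2000), ("2001:db8:100:200::1", 2000)]:
        print(src, t, aftr.on_packet(src, t))
    print(aftr.violations)
```

   The rejected change at t=100 is what the notification reports; the
   same address is accepted and migrated at t=2000 because the 1800 s
   limit has elapsed, while 2001:db8:100:200::1 lands in a different /56
   and is simply a new subscriber.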
   Given that the NAPT table of the AFTR element is extended to include
   the source IPv6 address of incoming packets, the DS-Lite YANG module
   augments the NAPT44 mapping-entry with the following:

   o  b4-ipv6-address, which is used to record the source IPv6 address
      of a packet received from a B4 element.  This IPv6 address is
      required to disambiguate between the overlapping IPv4 address
      space of subscribers.

   o  The value of the Traffic Class field in the IPv6 header as
      received from a B4 element (v6-dscp): This information is used to
      preserve DSCP marking when encapsulating/decapsulating at the
      AFTR.

   o  The IPv4 DSCP marking of the IPv4 packet received from a B4
      element (internal-v4-dscp): This information can be used by the
      AFTR for setting the DSCP of packets relayed to a B4 element.

   o  The IPv4 DSCP marking as set by the AFTR on its external interface
      (external-v4-dscp): An AFTR can be instructed to preserve the same
      marking or to set it to another value when forwarding an IPv4
      packet upstream.

   Access Control List (ACL) and Quality of Service (QoS) policies
   discussed in Section 2.5 of [RFC6908] are out of scope.  A YANG
   module for ACLs is documented in [I-D.ietf-netmod-acl-model].

   Likewise, PCP-related considerations discussed in Section 8.5 of
   [RFC6333] are out of scope.  A YANG module for PCP is documented in
   [I-D.boucadair-pcp-yang].

   module: ietf-dslite
     augment /if:interfaces/if:interface:
       +--rw ipv6-address?              inet:ipv6-address {aftr or b4}?
       +--rw ipv4-address?              inet:ipv4-address {aftr or b4}?
       +--rw aftr-ipv6-addr?            inet:ipv6-address {b4}?
       +--rw tunnel-mtu?                uint16 {aftr or b4}?
       +--rw v6-v4-dscp-preservation?   boolean {aftr or b4}?
     augment /nat:nat/nat:instances/nat:instance/nat:policy:
       +--rw max-softwires-per-subscriber?   uint8 {aftr}?
       +--rw state-migrate?                  boolean {aftr}?
       +--rw b4-address-change-limit?        uint32 {aftr}?
       +--rw mss-clamping {aftr}?
          +--rw enable?      boolean
          +--rw mss-value?   uint16
     augment /nat:nat/nat:instances/nat:instance/nat:mapping-table
             /nat:mapping-entry:
       +--rw b4-ipv6-address {aftr}?
       |  +--rw address?               inet:ipv6-address
       |  +--rw last-address-change?   yang:date-and-time
       +--rw v6-dscp?            uint8 {aftr}?
       +--rw internal-v4-dscp?   uint8 {aftr}?
       +--rw external-v4-dscp?   uint8 {aftr}?
     augment /nat:nat/nat:instances/nat:instance/nat:statistics
             /nat:mappings-statistics:
       +--ro active-softwires?   yang:gauge32 {aftr}?

     notifications:
       +---n b4-address-change-limit-policy-violation {aftr}?
          +--ro id           -> /nat:nat/instances/instance/id
          +--ro policy-id    -> /nat:nat/instances/instance/policy/id
          +--ro address      inet:ipv6-address

                      Figure 2: YANG Module for DS-Lite

   Examples to illustrate the use of this module are provided in
   Appendix A and Appendix B.

3.  DS-Lite YANG Module

   <CODE BEGINS> file "ietf-dslite@2017-11-20.yang"

   module ietf-dslite {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-dslite";
     prefix dslite;

     import ietf-inet-types { prefix inet; }
     import ietf-interfaces { prefix if; }
     import iana-if-type { prefix ianaift; }
     import ietf-nat { prefix nat; }
     import ietf-yang-types { prefix yang; }

     organization "IETF Softwire Working Group";

     contact
       "WG Web:
        WG List:

        Editor:  Mohamed Boucadair

        Editor:  Christian Jacquenet

        Editor:  Senthil Sivakumar
        ";

     description
       "This module is a YANG module for DS-Lite AFTR and B4
        implementations.

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-11-20 {
       description
         "Initial revision.";
       reference
         "RFC XXXX: A YANG Data Module for Dual-Stack Lite (DS-Lite)";
     }

     /*
      * Features
      */

     feature b4 {
       description
         "The B4 element is a function implemented on a dual-stack-capable
          node, either a directly connected device or a CPE, that creates
          a tunnel to an AFTR.";
       reference
         "Section 5 of RFC 6333.";
     }

     feature aftr {
       description
         "An AFTR element is the combination of an IPv4-in-IPv6 tunnel
          endpoint and an IPv4-IPv4 NAT implemented on the same node.";
       reference
         "Section 6 of RFC 6333.";
     }

     /*
      * Augments
      */

     augment "/if:interfaces/if:interface" {
       when "if:type = 'ianaift:tunnel'";
       description
         "Augments the Interfaces module with DS-Lite (AFTR or B4)
          parameters.  IANA interface types are maintained at this
          registry:
          https://www.iana.org/assignments/ianaiftype-mib/ianaiftype-mib.

          tunnel (131),  -- Encapsulation interface";

       leaf ipv6-address {
         if-feature "aftr or b4";
         type inet:ipv6-address;
         description
           "IPv6 address of the local DS-Lite endpoint (AFTR or B4).";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf ipv4-address {
         if-feature "aftr or b4";
         type inet:ipv4-address;
         description
           "IPv4 address of the local DS-Lite AFTR or B4.

            192.0.0.1 is reserved for the AFTR element, while
            192.0.0.0/29 is reserved for the B4 element.

            This address can be used to report ICMP problems and will
            appear in traceroute outputs.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf aftr-ipv6-addr {
         if-feature b4;
         type inet:ipv6-address;
         description
           "Indicates the AFTR's IPv6 address to be used by a B4 element.";
         reference
           "RFC 6333: Dual-Stack Lite Broadband Deployments Following
            IPv4 Exhaustion";
       }

       leaf tunnel-mtu {
         if-feature "aftr or b4";
         type uint16;
         description
           "Configures a tunnel MTU.

            [RFC6908] specifies that since fragmentation and reassembly
            is not optimal, the operator should do everything possible
            to eliminate the need for it.  If the operator uses simple
            IPv4-in-IPv6 softwire, it is recommended that the MTU size
            of the IPv6 network between the B4 and the AFTR accounts for
            the additional overhead (40 bytes).";
         reference
           "RFC 6908: Deployment Considerations for Dual-Stack Lite";
       }

       leaf v6-v4-dscp-preservation {
         if-feature "aftr or b4";
         type boolean;
         description
           "Copies the DSCP value from the IPv6 header and vice versa.

            According to Section 2.10 of [RFC6908], operators should
            use this model by provisioning the network such that the
            AFTR/B4 copies the DSCP value in the IPv4 header to
            the Traffic Class field in the IPv6 header, after the
            encapsulation for the downstream traffic.";
         reference
           "Section 2.10 of RFC 6908.";
       }
     }

     augment "/nat:nat/nat:instances/nat:instance/nat:policy" {
       when "/nat:nat/nat:instances/nat:instance/nat:type='nat:napt44'" +
            " and /nat:nat/nat:instances/nat:instance/" +
            "nat:per-interface-binding='dslite'";
       if-feature aftr;
       description
         "Augments the NAPT44 module with AFTR parameters.";

       leaf max-softwires-per-subscriber {
         type uint8;
         default 1;
         description
           "Configures the maximum softwires per subscriber feature.

            A subscriber is uniquely identified by means
            of a subscriber mask (subscriber-mask-v6).

            This policy aims to prevent a misbehaving subscriber from
            mounting several DS-Lite softwires that would consume
            additional AFTR resources (e.g., get more external ports
            if the quota were enforced on a per-softwire basis,
            consume extra processing due to a large number of active
            softwires).";
         reference
           "Section 4 of RFC 7785.";
       }

       leaf state-migrate {
         type boolean;
         default true;
         description
           "State migration is enabled by default.

            In the event a new IPv6 address is assigned to the B4 element,
            the AFTR should migrate existing state to be bound to the new
            IPv6 address.  This operation ensures that traffic destined to
            the previous B4's IPv6 address will be redirected to the newer
            B4's IPv6 address.  The destination IPv6 address for tunneling
            return traffic from the AFTR should be the last seen as the
            B4's IPv6 source address from the user device (e.g., CPE).

            The AFTR uses the subscriber-mask-v6 to determine whether two
            IPv6 addresses belong to the same CPE (e.g., if the
            subscriber-mask-v6 is set to 56, the AFTR concludes that
            2001:db8:100:100::1 and 2001:db8:100:100::2 belong to the same
            CPE assigned with 2001:db8:100:100::/56).";
         reference
           "RFC 7785: Recommendations for Prefix Binding in the Context
            of Softwire Dual-Stack Lite";
       }

       leaf b4-address-change-limit {
         type uint32;
         units "seconds";
         default '1800';
         description
           "Minimum number of seconds between successive B4's IPv6 address
            change from the same prefix.

            Changing the source B4's IPv6 address may be used as an attack
            vector.  Packets with a new B4's IPv6 address from the same
            prefix should be rate-limited.

            It is recommended to set this rate limit to 30 minutes; other
            values can be set on a per-deployment basis.";
         reference
           "RFC 7785: Recommendations for Prefix Binding in the Context
            of Softwire Dual-Stack Lite";
       }

       container mss-clamping {
         description
           "MSS rewriting configuration to avoid IPv6 fragmentation.";

         leaf enable {
           type boolean;
           description
             "Enable/disable MSS rewriting feature.";
         }

         leaf mss-value {
           type uint16;
           units "octets";
           description
             "Sets the MSS value to be used for MSS rewriting.";
         }
       }
     }

     augment "/nat:nat/nat:instances/nat:instance/" +
             "nat:mapping-table/nat:mapping-entry" {
       when "/nat:nat/nat:instances/nat:instance/nat:type='nat:napt44'" +
            " and /nat:nat/nat:instances/nat:instance/" +
            "nat:per-interface-binding='dslite'";
       if-feature aftr;
       description
         "Augments the NAPT44 mapping table with DS-Lite specifics.";

       container b4-ipv6-address {
         description
           "Records the IPv6 address used by the B4 element and the last
            time that address changed.";

         leaf address {
           type inet:ipv6-address;
           description
             "Corresponds to the IPv6 address used by the B4 element.";
           reference
             "RFC 6333: Dual-Stack Lite Broadband Deployments Following
              IPv4 Exhaustion";
         }

         leaf last-address-change {
           type yang:date-and-time;
           description
             "Records the last time when the address changed.";
         }
       }

       leaf v6-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value used at the softwire level (i.e., IPv6 header).";
       }

       leaf internal-v4-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value of the encapsulated IPv4 packet.";
       }

       leaf external-v4-dscp {
         when "/if:interfaces/if:interface/" +
              "dslite:v6-v4-dscp-preservation='true'";
         type uint8;
         description
           "DSCP value of the translated IPv4 packet as marked by
            the AFTR.";
       }
     }

     augment "/nat:nat/nat:instances/nat:instance/nat:statistics/" +
             "nat:mappings-statistics" {
       if-feature aftr;
       description
         "Indicates the number of active softwires.";

       leaf active-softwires {
         type yang:gauge32;
         description
           "The number of currently active softwires on the AFTR
            instance.";
       }
     }

     /*
      * Notifications
      */

     notification b4-address-change-limit-policy-violation {
       if-feature aftr;
       description
         "Generates notifications when a B4 unsuccessfully attempts
          to change IPv6 address in a time shorter than the value of
          b4-address-change-limit.

          Notifications are rate-limited (notify-interval).";

       leaf id {
         type leafref {
           path "/nat:nat/nat:instances/nat:instance/nat:id";
         }
         mandatory true;
         description
           "NAT instance identifier.";
       }

       leaf policy-id {
         type leafref {
           path "/nat:nat/nat:instances/nat:instance/nat:policy/nat:id";
         }
         mandatory true;
         description
           "Policy Identifier.";
       }

       leaf address {
         type inet:ipv6-address;
         mandatory true;
         description
           "B4's IPv6 address.";
       }
     }
   }

   <CODE ENDS>

4.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via network management protocols such as NETCONF [RFC6241] or
   RESTCONF [RFC8040].  The lowest NETCONF layer is the secure transport
   layer, and the mandatory-to-implement secure transport is Secure
   Shell (SSH) [RFC6242].  The lowest RESTCONF layer is HTTPS, and the
   mandatory-to-implement secure transport is TLS [RFC5246].

   The NETCONF access control model [RFC6536] provides the means to
   restrict access for particular NETCONF or RESTCONF users to a
   preconfigured subset of all available NETCONF or RESTCONF protocol
   operations and content.
   All data nodes defined in the YANG module which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  An attacker who is able to access the B4/AFTR
   can undertake various attacks, such as:

   o  Set the value of 'aftr-ipv6-addr' on the B4 to point to an
      illegitimate AFTR so that it can intercept all the traffic sent by
      a B4.  Illegitimately intercepting users' traffic is an attack
      with severe implications on privacy.

   o  Set the MTU to a low value which may increase the number of
      fragments ('tunnel-mtu' for both B4 and AFTR).

   o  Set 'max-softwires-per-subscriber' to an arbitrarily high value,
      which can be exploited by a misbehaving user to grab more
      resources (by mounting as many softwires as required to get more
      external IP addresses/ports) or to perform a Denial-of-Service on
      the AFTR by mounting a massive number of softwires.

   o  Set 'state-migrate' to 'false' on the AFTR.  This action may lead
      to a service degradation for the users.

   o  Set 'b4-address-change-limit' to an arbitrarily low value, which
      eases DoS attacks based on frequent changes of the B4 IPv6
      address.

   o  Set 'v6-v4-dscp-preservation' to 'false', which may lead to a
      service degradation if some policies are applied on the network
      based on the DSCP value.

   Additional security considerations are discussed in
   [I-D.ietf-opsawg-nat-yang].

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-dslite
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.
   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950]:

      name: ietf-dslite
      namespace: urn:ietf:params:xml:ns:yang:ietf-dslite
      prefix: dslite
      reference: RFC XXXX

6.  Acknowledgements

   Thanks to Qin Wu, Benoit Claise, and Andy Bierman, who helped
   identify compilation errors.  Mahesh Jethanandani provided an early
   yangdoctors review; many thanks to him.

   Many thanks to Ian Farrer for the review and comments.

7.  References

7.1.  Normative references

   [I-D.ietf-opsawg-nat-yang]
              Boucadair, M., Sivakumar, S., Jacquenet, C., Vinapamula,
              S., and Q. Wu, "A YANG Data Model for Network Address
              Translation (NAT) and Network Prefix Translation (NPT)",
              draft-ietf-opsawg-nat-yang-08 (work in progress),
              November 2017.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.
   [RFC7223]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 7223, DOI 10.17487/RFC7223, May 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

7.2.  Informative references

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Modules for the Port Control Protocol
              (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
              October 2017.

   [I-D.ietf-netmod-acl-model]
              Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
              "Network Access Control List (ACL) YANG Data Model",
              draft-ietf-netmod-acl-model-14 (work in progress),
              October 2017.

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams",
              draft-ietf-netmod-yang-tree-diagrams-02 (work in
              progress), October 2017.

   [RFC3022]  Srisuresh, P. and K. Egevang, "Traditional IP Network
              Address Translator (Traditional NAT)", RFC 3022,
              DOI 10.17487/RFC3022, January 2001.

   [RFC6087]  Bierman, A., "Guidelines for Authors and Reviewers of YANG
              Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
              January 2011.

   [RFC6908]  Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
              Boucadair, "Deployment Considerations for Dual-Stack
              Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013.

   [RFC7785]  Vinapamula, S. and M. Boucadair, "Recommendations for
              Prefix Binding in the Context of Softwire Dual-Stack
              Lite", RFC 7785, DOI 10.17487/RFC7785, February 2016.

Appendix A.  B4 Example

   The following example shows a B4 element (2001:db8:0:1::1) that is
   configured with an AFTR element (2001:db8:0:2::1).  The B4 element is
   also instructed to preserve the DSCP marking.
   <interface xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
              xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <name>myB4</name>
     <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:tunnel</type>
     <enabled>true</enabled>
     <dslite:ipv6-address>2001:db8:0:1::1</dslite:ipv6-address>
     <dslite:aftr-ipv6-addr>2001:db8:0:2::1</dslite:aftr-ipv6-addr>
     <dslite:v6-v4-dscp-preservation>true</dslite:v6-v4-dscp-preservation>
   </interface>

Appendix B.  AFTR Examples

   The following example shows an AFTR that is reachable at
   2001:db8:0:2::1.  Also, this XML snippet indicates that the AFTR is
   provided with an IPv4 address (192.0.0.1) to be used for
   troubleshooting purposes such as reporting problems to B4s.

   Note that a subscriber is identified by a subscriber mask ([RFC7785])
   that can be configured by means of [I-D.ietf-opsawg-nat-yang].

   <interface xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"
              xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <name>myAFTR</name>
     <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:tunnel</type>
     <enabled>true</enabled>
     <dslite:ipv6-address>2001:db8:0:2::1</dslite:ipv6-address>
     <dslite:ipv4-address>192.0.0.1</dslite:ipv4-address>
   </interface>

   The following shows an XML excerpt depicting a dynamic UDP mapping
   entry maintained by a DS-Lite AFTR for a packet received from the B4
   element introduced in Appendix A.  Concretely, this UDP packet
   received with a source IPv6 address (2001:db8:0:1::1), a source IPv4
   address (192.0.2.1), and source port number (1568) is translated into
   a UDP packet having a source IPv4 address (198.51.100.1) and source
   port number (15000).  The remaining lifetime of this mapping is 300
   seconds.

   <mapping-entry xmlns="urn:ietf:params:xml:ns:yang:ietf-nat"
                  xmlns:dslite="urn:ietf:params:xml:ns:yang:ietf-dslite">
     <index>15</index>
     <type>dynamic-explicit</type>
     <transport-protocol>17</transport-protocol>
     <dslite:b4-ipv6-address>
       <dslite:address>2001:db8:0:1::1</dslite:address>
     </dslite:b4-ipv6-address>
     <internal-src-address>192.0.2.1</internal-src-address>
     <internal-src-port>
       <start-port-number>1568</start-port-number>
     </internal-src-port>
     <external-src-address>198.51.100.1</external-src-address>
     <external-src-port>
       <start-port-number>15000</start-port-number>
     </external-src-port>
     <lifetime>300</lifetime>
   </mapping-entry>
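   A pre-commit check over DS-Lite instance data, added here as an
   example; it is not code from the draft, nor from the NAT or
   Interfaces modules it builds on.  It parses the <interface> and
   <policy> shapes used in these appendices and flags the settings that
   Section 4 lists as levers for an attacker with write access: an
   aftr-ipv6-addr outside the operator's AFTR prefix, a low tunnel-mtu,
   a high max-softwires-per-subscriber, a low b4-address-change-limit,
   and state-migrate or v6-v4-dscp-preservation switched off.  The
   allowed AFTR prefix, the numeric thresholds, the reading of
   tunnel-mtu as the IPv6 MTU of the softwire (so the largest useful
   MSS is tunnel-mtu minus the 40 IPv6 + 20 IPv4 + 20 TCP header
   octets), and the constructed SAMPLE document are assumptions of
   mine.

```python
"""Added example, not part of the draft: a pre-commit check over DS-Lite
instance data shaped like the appendix excerpts, flagging the settings
Section 4 lists as attack levers.  The AFTR prefix, thresholds, MTU/MSS
reading and the SAMPLE document are assumptions, not draft content."""
import ipaddress
import xml.etree.ElementTree as ET

IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
NAT_NS = "urn:ietf:params:xml:ns:yang:ietf-nat"
DSL_NS = "urn:ietf:params:xml:ns:yang:ietf-dslite"

ALLOWED_AFTR = ipaddress.IPv6Network("2001:db8:0:2::/64")  # assumed operator prefix
MIN_TUNNEL_MTU = 1280          # IPv6 minimum link MTU
MAX_SOFTWIRES = 4              # assumed ceiling; the module default is 1
MIN_ADDR_CHANGE_LIMIT = 1800   # seconds, the value the module recommends
ENCAP_OVERHEAD = 40 + 20 + 20  # IPv6 + IPv4 + TCP headers (assumed reading)


def _text(elem, ns, name):
    """Text of the direct child {ns}name, or None if absent."""
    child = elem.find(f"{{{ns}}}{name}")
    return None if child is None or child.text is None else child.text.strip()


def check_interface(iface):
    """Findings for one <interface> carrying the DS-Lite leaves."""
    out, name = [], _text(iface, IF_NS, "name")
    aftr = _text(iface, DSL_NS, "aftr-ipv6-addr")
    if aftr and ipaddress.IPv6Address(aftr) not in ALLOWED_AFTR:
        out.append(f"{name}: aftr-ipv6-addr {aftr} not in {ALLOWED_AFTR} (traffic interception)")
    mtu = _text(iface, DSL_NS, "tunnel-mtu")
    if mtu and int(mtu) < MIN_TUNNEL_MTU:
        out.append(f"{name}: tunnel-mtu {mtu} below {MIN_TUNNEL_MTU} (fragmentation)")
    if _text(iface, DSL_NS, "v6-v4-dscp-preservation") == "false":
        out.append(f"{name}: v6-v4-dscp-preservation off (DSCP policies bypassed)")
    return out


def check_policy(policy, tunnel_mtu=None):
    """Findings for one NAT <policy> carrying the AFTR augmentations."""
    out, pid = [], _text(policy, NAT_NS, "id")
    n = _text(policy, DSL_NS, "max-softwires-per-subscriber")
    if n and int(n) > MAX_SOFTWIRES:
        out.append(f"policy {pid}: max-softwires-per-subscriber {n} above {MAX_SOFTWIRES} (resource grab/DoS)")
    lim = _text(policy, DSL_NS, "b4-address-change-limit")
    if lim and int(lim) < MIN_ADDR_CHANGE_LIMIT:
        out.append(f"policy {pid}: b4-address-change-limit {lim}s below {MIN_ADDR_CHANGE_LIMIT}s (address-flapping DoS)")
    if _text(policy, DSL_NS, "state-migrate") == "false":
        out.append(f"policy {pid}: state-migrate off (degradation on B4 renumbering)")
    mss = policy.find(f"{{{DSL_NS}}}mss-clamping")
    if mss is not None and _text(mss, DSL_NS, "enable") == "true":
        value = _text(mss, DSL_NS, "mss-value")
        if value and tunnel_mtu and int(value) > tunnel_mtu - ENCAP_OVERHEAD:
            out.append(f"policy {pid}: mss-value {value} above tunnel-mtu {tunnel_mtu} - {ENCAP_OVERHEAD} (clamp ineffective)")
    return out


def audit(xml_text):
    """Runs both checks over a document holding <interfaces> and/or <nat>."""
    root, out, mtu = ET.fromstring(xml_text), [], None
    for iface in root.iter(f"{{{IF_NS}}}interface"):
        out += check_interface(iface)
        m = _text(iface, DSL_NS, "tunnel-mtu")
        if m:
            mtu = int(m)          # last tunnel MTU seen feeds the MSS check
    for policy in root.iter(f"{{{NAT_NS}}}policy"):
        out += check_policy(policy, mtu)
    return out


# Constructed sample (not from the draft): a B4 pointed at a foreign
# AFTR and an AFTR policy with every limit loosened.
SAMPLE = f"""<data>
 <interfaces xmlns="{IF_NS}" xmlns:dslite="{DSL_NS}">
  <interface>
   <name>myB4</name>
   <type xmlns:ianaift="urn:ietf:params:xml:ns:yang:iana-if-type">ianaift:tunnel</type>
   <enabled>true</enabled>
   <dslite:ipv6-address>2001:db8:0:1::1</dslite:ipv6-address>
   <dslite:aftr-ipv6-addr>2001:db8:bad::1</dslite:aftr-ipv6-addr>
   <dslite:tunnel-mtu>1200</dslite:tunnel-mtu>
   <dslite:v6-v4-dscp-preservation>false</dslite:v6-v4-dscp-preservation>
  </interface>
 </interfaces>
 <nat xmlns="{NAT_NS}" xmlns:dslite="{DSL_NS}">
  <instances><instance><id>1</id><policy><id>1</id>
   <dslite:max-softwires-per-subscriber>200</dslite:max-softwires-per-subscriber>
   <dslite:state-migrate>false</dslite:state-migrate>
   <dslite:b4-address-change-limit>5</dslite:b4-address-change-limit>
   <dslite:mss-clamping><dslite:enable>true</dslite:enable>
    <dslite:mss-value>1460</dslite:mss-value></dslite:mss-clamping>
  </policy></instance></instances>
 </nat>
</data>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

   Run stand-alone it prints one line per finding for the constructed
   sample (seven in total).  In a deployment the input would be the
   candidate edit-config payload, and a non-empty result should block
   the commit or require a second approver; this complements, rather
   than replaces, the NACM write restrictions Section 4 points to.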
Authors' Addresses

   Mohamed Boucadair
   Orange
   Rennes  35000
   France

   EMail: mohamed.boucadair@orange.com


   Christian Jacquenet
   Orange
   Rennes  35000
   France

   EMail: christian.jacquenet@orange.com


   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina  27709
   USA

   Phone: +1 919 392 5158
   EMail: ssenthil@cisco.com