Network Working Group                                        S. Sivakumar
Internet-Draft                                              Cisco Systems
Intended status: Standards Track                             M. Boucadair
Expires: March 15, 2017                                    France Telecom
                                                            S. Vinapamula
                                                         Juniper Networks
                                                       September 11, 2016


          YANG Data Model for Network Address Translation (NAT)
                        draft-sivakumar-yang-nat-05

Abstract

   For the sake of network automation, and the need to program the NAT
   function in particular, a data model for configuring and managing
   NAT devices is essential.  This document defines a YANG data model
   for the NAT function.  Both NAT44 and NAT64 are covered in this
   document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 15, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) using the YANG data modeling language [RFC6020].  Traditional
   NAT is defined in [RFC2663] and Carrier Grade NAT is defined in
   [RFC6888].  This document covers the NAT features in both documents.
   This document also covers NAT64 as defined in [RFC6146].

   This document assumes that the NAT behavioral requirements of
   [RFC4787], [RFC5382], and [RFC5508] are enabled by default.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The term "NAT device" in this document refers to both NAT44 and
   NAT64 devices.  This document uses the term "Session" as it is
   defined in [RFC2663] and the term "BIB" as it is defined in
   [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

   The NAT data model covers both configuration and state retrieval.
   This document covers dynamic (implicit) mappings; the PCP-related
   functionality used to instruct dynamic explicit mappings is defined
   in [I-D.boucadair-pcp-yang].

   In order to cover both the NAT64 and NAT44 flavors, the NAT mapping
   structure allows the internal IP address to be either an IPv4 or an
   IPv6 address.  The remaining fields are common to both NAT schemes.

   A NAT function can assign either individual port numbers or port
   sets.  Both features are supported in the YANG data model.

   To accommodate deployments where the logging recommendations of
   [RFC6302] are not followed by remote servers, the NAT function can
   be configured to log the destination port number.

   This data model assumes that pools of IPv4 addresses can be
   provisioned to the NAT function.  These pools may be contiguous or
   non-contiguous.

   A NAT device can enable multiple NAT instances, each responsible for
   servicing a group of internal hosts.  This document does not make
   any assumption about how internal hosts are attached to a given NAT
   instance.

   The data model assumes that each NAT instance can be enabled or
   disabled, be provisioned with dedicated configuration data, and
   maintain its own mapping table.

   This version of the document does not cover the following
   functionalities:

   o  DSCP-related operations.

   o  Excluding/including ports (e.g., system ports) from the port
      assignment pool.

   o  Deterministic NAT assignment scheme.
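   As an added example (not part of this draft), the following Python
   code models how a NAT instance would apply three of the per-instance
   parameters defined in the module in Section 3 (subscriber-mask-v6,
   port-quota and paired-address-pooling) to its own mapping table when
   a new dynamic mapping is requested.  The draft specifies the
   parameters, not an admission algorithm; the class and function names
   (NatInstance, MappingEntry, admit_mapping) and the mapping entries are
   constructed for this example.

```python
"""Per-subscriber admission checks over a NAT instance's mapping table.

Added example; it is not part of draft-sivakumar-yang-nat.  It mirrors a
few leaves of the draft's nat-parameters grouping (subscriber-mask-v6,
port-quota, paired-address-pooling) and of the mapping-entry grouping,
and shows how a NAT instance decides whether a new dynamic mapping may
be created.  The class and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class MappingEntry:
    """Subset of the draft's mapping-entry grouping, single ports only."""
    internal_src_address: str   # IPv4 for NAT44, IPv6 for NAT64
    internal_src_port: int
    external_src_address: str   # always IPv4
    external_src_port: int
    transport_protocol: int     # IANA protocol number: 6 = TCP, 17 = UDP


@dataclass
class NatInstance:
    """Subset of nat-parameters plus the instance's own mapping table."""
    subscriber_mask_v6: int = 56          # the draft's worked example uses 56
    port_quota: int = 1024
    paired_address_pooling: bool = True   # draft default: true
    mapping_table: List[MappingEntry] = field(default_factory=list)

    def subscriber_of(self, internal_address: str):
        """Identify the subscriber (CPE) behind an internal address.

        For IPv6 this applies subscriber-mask-v6 exactly as the draft
        describes.  For IPv4 this example treats each host address as its
        own subscriber (an assumption: the draft's subscriber-mask-v4 list
        enumerates translated subnets rather than a mask length)."""
        addr = ipaddress.ip_address(internal_address)
        prefixlen = self.subscriber_mask_v6 if addr.version == 6 else 32
        return ipaddress.ip_interface("%s/%d" % (addr, prefixlen)).network

    def ports_used_by(self, subscriber) -> int:
        """Each mapping consumes one external port (single-port-number case)."""
        return sum(1 for e in self.mapping_table
                   if ipaddress.ip_address(e.internal_src_address) in subscriber)

    def paired_external_address(self, internal_address: str) -> Optional[str]:
        """External address already bound to this internal address, if any."""
        for e in self.mapping_table:
            if e.internal_src_address == internal_address:
                return e.external_src_address
        return None

    def admit_mapping(self, new: MappingEntry) -> str:
        """Apply port-quota and paired-address-pooling, then install the mapping."""
        subscriber = self.subscriber_of(new.internal_src_address)
        if self.ports_used_by(subscriber) >= self.port_quota:
            return "reject: port-quota exhausted for subscriber %s" % subscriber
        if self.paired_address_pooling:
            paired = self.paired_external_address(new.internal_src_address)
            if paired is not None and paired != new.external_src_address:
                # RFC 4787 REQ-2: all flows from one internal address must
                # share one external address.
                return "reject: paired-address-pooling requires %s" % paired
        self.mapping_table.append(new)
        return "accept"


def demo() -> List[str]:
    """Constructed NAT64 scenario: three clients behind one /56 CPE with a
    port-quota of 2, then a second instance exercising address pairing."""
    quota_inst = NatInstance(port_quota=2)
    results = [quota_inst.admit_mapping(MappingEntry(
        "2001:db8:100:100::%d" % i, 5000 + i, "198.51.100.1", 40000 + i, 6))
        for i in (1, 2, 3)]

    pairing_inst = NatInstance()
    pairing_inst.admit_mapping(MappingEntry(
        "2001:db8:100:100::1", 6000, "198.51.100.1", 41000, 6))
    results.append(pairing_inst.admit_mapping(MappingEntry(
        "2001:db8:100:100::1", 6001, "198.51.100.2", 41001, 17)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

   The third client in the first scenario is refused even though it has
   never appeared before: the quota is counted against the /56 prefix the
   mask derives, not against the exact source address, which is the
   point the subscriber-mask-v6 description makes.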
   The tree structure of the NAT data model is provided below:

   module: ietf-nat
      +--rw nat-config
      |  +--rw nat-instances
      |     +--rw nat-instance* [id]
      |        +--rw id                                   uint32
      |        +--rw enable?                              boolean
      |        +--rw external-ip-address-pool* [pool-id]
      |        |  +--rw pool-id             uint32
      |        |  +--rw external-ip-pool?   inet:ipv4-prefix
      |        +--rw subscriber-mask-v6?                  uint8
      |        +--rw subscriber-mask-v4* [sub-mask-id]
      |        |  +--rw sub-mask-id    uint32
      |        |  +--rw sub-mask       inet:ipv4-prefix
      |        +--rw paired-address-pooling?              boolean
      |        +--rw nat-mapping-type?                    enumeration
      |        +--rw nat-filtering-type?                  enumeration
      |        +--rw port-quota?                          uint16
      |        +--rw port-set
      |        |  +--rw port-set-enable?    boolean
      |        |  +--rw port-set-size?      uint16
      |        |  +--rw port-set-timeout?   uint32
      |        +--rw port-randomization-enable?           boolean
      |        +--rw port-preservation-enable?            boolean
      |        +--rw port-range-preservation-enable?      boolean
      |        +--rw port-parity-preservation-enable?     boolean
      |        +--rw address-roundrobin-enable?           boolean
      |        +--rw udp-timeouts?                        uint32
      |        +--rw tcp-idle-timeout?                    uint32
      |        +--rw tcp-trans-open-timeout?              uint32
      |        +--rw tcp-trans-close-timeout?             uint32
      |        +--rw tcp-in-syn-timeout?                  uint32
      |        +--rw fragment-min-timeout?                uint32
      |        +--rw icmp-timeout?                        uint32
      |        +--rw logging-info
      |        |  +--rw destination-address    inet:ipv4-prefix
      |        |  +--rw destination-port       inet:port-number
      |        +--rw connection-limit
      |        |  +--rw limit-per-subscriber?   uint32
      |        |  +--rw limit-per-vrf?          uint32
      |        |  +--rw limit-per-subnet?       inet:ipv4-prefix
      |        |  +--rw limit-per-instance      uint32
      |        +--rw mapping-limit
      |        |  +--rw limit-per-subscriber?   uint32
      |        |  +--rw limit-per-vrf?          uint32
      |        |  +--rw limit-per-subnet?       inet:ipv4-prefix
      |        |  +--rw limit-per-instance      uint32
      |        +--rw ftp-alg-enable?                      boolean
      |        +--rw dns-alg-enable?                      boolean
      |        +--rw tftp-alg-enable?                     boolean
      |        +--rw msrpc-alg-enable?                    boolean
      |        +--rw netbios-alg-enable?                  boolean
      |        +--rw rcmd-alg-enable?                     boolean
      |        +--rw ldap-alg-enable?                     boolean
      |        +--rw sip-alg-enable?                      boolean
      |        +--rw rtsp-alg-enable?                     boolean
      |        +--rw h323-alg-enable?                     boolean
      |        +--rw all-algs-enable?                     boolean
      |        +--rw notify-pool-usage
      |        |  +--rw pool-id?                      uint32
      |        |  +--rw notify-pool-hi-threshold      percent
      |        |  +--rw notify-pool-low-threshold?    percent
      |        +--rw nat64-prefixes* [nat64-prefix-id]
      |        |  +--rw nat64-prefix-id    uint32
      |        |  +--rw nat64-prefix?      inet:ipv6-prefix
      |        |  +--rw destination-ipv4-prefix* [ipv4-prefix-id]
      |        |     +--rw ipv4-prefix-id    uint32
      |        |     +--rw ipv4-prefix?      inet:ipv4-prefix
      |        +--rw mapping-table
      |           +--rw mapping-entry* [index]
      |              +--rw index                   uint32
      |              +--rw type?                   enumeration
      |              +--rw internal-src-address    inet:ip-address
      |              +--rw internal-src-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw external-src-address    inet:ipv4-address
      |              +--rw external-src-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw transport-protocol      uint8
      |              +--rw internal-dst-address?   inet:ipv4-prefix
      |              +--rw internal-dst-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw external-dst-address?   inet:ipv4-address
      |              +--rw external-dst-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw lifetime                uint32
      +--ro nat-state
         +--ro nat-instances
            +--ro nat-instance* [id]
               +--ro id                    int32
               +--ro nat-capabilities
               |  +--ro nat44-support?                                boolean
               |  +--ro nat64-support?                                boolean
               |  +--ro static-mapping-support?                       boolean
               |  +--ro port-set-support?                             boolean
               |  +--ro port-randomization-support?                   boolean
               |  +--ro port-range-preservation-support?              boolean
               |  +--ro port-preservation-suport?                     boolean
               |  +--ro port-parity-preservation-support?             boolean
               |  +--ro address-roundrobin-support?                   boolean
               |  +--ro ftp-alg-support?                              boolean
               |  +--ro dns-alg-support?                              boolean
               |  +--ro tftp-support?                                 boolean
               |  +--ro msrpc-alg-support?                            boolean
               |  +--ro netbios-alg-support?                          boolean
               |  +--ro rcmd-alg-support?                             boolean
               |  +--ro ldap-alg-support?                             boolean
               |  +--ro sip-alg-support?                              boolean
               |  +--ro rtsp-alg-support?                             boolean
               |  +--ro h323-alg-support?                             boolean
               |  +--ro paired-address-pooling-support?               boolean
               |  +--ro endpoint-independent-mapping-support?         boolean
               |  +--ro address-dependent-mapping-support?            boolean
               |  +--ro address-and-port-dependent-mapping-support?   boolean
               |  +--ro endpoint-independent-filtering-support?       boolean
               |  +--ro address-dependent-filtering?                  boolean
               |  +--ro address-and-port-dependent-filtering?         boolean
               |  +--ro stealth-mode-support?                         boolean
               +--ro nat-current-config
               |  +--ro external-ip-address-pool* [pool-id]
               |  |  +--ro pool-id             uint32
               |  |  +--ro external-ip-pool?   inet:ipv4-prefix
               |  +--ro subscriber-mask-v6?                  uint8
               |  +--ro subscriber-mask-v4* [sub-mask-id]
               |  |  +--ro sub-mask-id    uint32
               |  |  +--ro sub-mask       inet:ipv4-prefix
               |  +--ro paired-address-pooling?              boolean
               |  +--ro nat-mapping-type?                    enumeration
               |  +--ro nat-filtering-type?                  enumeration
               |  +--ro port-quota?                          uint16
               |  +--ro port-set
               |  |  +--ro port-set-enable?    boolean
               |  |  +--ro port-set-size?      uint16
               |  |  +--ro port-set-timeout?   uint32
               |  +--ro port-randomization-enable?           boolean
               |  +--ro port-preservation-enable?            boolean
               |  +--ro port-range-preservation-enable?      boolean
               |  +--ro port-parity-preservation-enable?     boolean
               |  +--ro address-roundrobin-enable?           boolean
               |  +--ro udp-timeouts?                        uint32
               |  +--ro tcp-idle-timeout?                    uint32
               |  +--ro tcp-trans-open-timeout?              uint32
               |  +--ro tcp-trans-close-timeout?             uint32
               |  +--ro tcp-in-syn-timeout?                  uint32
               |  +--ro fragment-min-timeout?                uint32
               |  +--ro icmp-timeout?                        uint32
               |  +--ro logging-info
               |  |  +--ro destination-address    inet:ipv4-prefix
               |  |  +--ro destination-port       inet:port-number
               |  +--ro connection-limit
               |  |  +--ro limit-per-subscriber?   uint32
               |  |  +--ro limit-per-vrf?          uint32
               |  |  +--ro limit-per-subnet?       inet:ipv4-prefix
               |  |  +--ro limit-per-instance      uint32
               |  +--ro mapping-limit
               |  |  +--ro limit-per-subscriber?   uint32
               |  |  +--ro limit-per-vrf?          uint32
               |  |  +--ro limit-per-subnet?       inet:ipv4-prefix
               |  |  +--ro limit-per-instance      uint32
               |  +--ro ftp-alg-enable?                      boolean
               |  +--ro dns-alg-enable?                      boolean
               |  +--ro tftp-alg-enable?                     boolean
               |  +--ro msrpc-alg-enable?                    boolean
               |  +--ro netbios-alg-enable?                  boolean
               |  +--ro rcmd-alg-enable?                     boolean
               |  +--ro ldap-alg-enable?                     boolean
               |  +--ro sip-alg-enable?                      boolean
               |  +--ro rtsp-alg-enable?                     boolean
               |  +--ro h323-alg-enable?                     boolean
               |  +--ro all-algs-enable?                     boolean
               |  +--ro notify-pool-usage
               |  |  +--ro pool-id?                      uint32
               |  |  +--ro notify-pool-hi-threshold      percent
               |  |  +--ro notify-pool-low-threshold?    percent
               |  +--ro nat64-prefixes* [nat64-prefix-id]
               |     +--ro nat64-prefix-id    uint32
               |     +--ro nat64-prefix?      inet:ipv6-prefix
               |     +--ro destination-ipv4-prefix* [ipv4-prefix-id]
               |        +--ro ipv4-prefix-id    uint32
               |        +--ro ipv4-prefix?      inet:ipv4-prefix
               +--ro mapping-table
               |  +--ro mapping-entry* [index]
               |     +--ro index                   uint32
               |     +--ro type?                   enumeration
               |     +--ro internal-src-address    inet:ip-address
               |     +--ro internal-src-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro external-src-address    inet:ipv4-address
               |     +--ro external-src-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro transport-protocol      uint8
               |     +--ro internal-dst-address?   inet:ipv4-prefix
               |     +--ro internal-dst-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro external-dst-address?   inet:ipv4-address
               |     +--ro external-dst-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro lifetime                uint32
               +--ro statistics
                  +--ro total-mappings?        uint32
                  +--ro total-tcp-mappings?    uint32
                  +--ro total-udp-mappings?    uint32
                  +--ro total-icmp-mappings?   uint32
                  +--ro pool-stats
                  |  +--ro pool-id?             uint32
                  |  +--ro address-allocated?   uint32
                  |  +--ro address-free?        uint32
                  +--ro port-stats
                     +--ro ports-allocated?   uint32
                     +--ro ports-free?        uint32

   notifications:
      +---n nat-event
         +--ro id?                      -> /nat-state/nat-instances/nat-instance/id
         +--ro notify-pool-threshold    percent

3.  NAT YANG Module

   file "ietf-nat@2015-09-08.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types {
       prefix "inet";
     }

     organization "IETF NetMod Working Group";
     contact
       "Senthil Sivakumar
        Mohamed Boucadair
        Suresh Vinapamula";

     description
       "This module is a YANG module for NAT implementations
        (including both NAT44 and NAT64 flavors).

        Copyright (c) 2015 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2015-09-08 {
       description "Fixes a few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "-01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "-00";
     }

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Grouping
      */

     grouping timeouts {
       description
         "Configure values of various timeouts.";

       leaf udp-timeouts {
         type uint32;
         default 300;
         description
           "UDP inactivity timeout, in seconds.";
       }

       leaf tcp-idle-timeout {
         type uint32;
         default 7440;
         description
           "TCP idle timeout, in seconds.  As per RFC 5382,
            it must not be less than 2 hours and 4 minutes
            (7440 seconds).";
       }

       leaf tcp-trans-open-timeout {
         type uint32;
         default 240;
         description
           "The value of the transitory open connection
            idle-timeout, in seconds.";
       }

       leaf tcp-trans-close-timeout {
         type uint32;
         default 240;
         description
           "The value of the transitory close connection
            idle-timeout, in seconds.";
       }

       leaf tcp-in-syn-timeout {
         type uint32;
         default 6;
         description
           "Unsolicited inbound SYN timeout, in seconds:
            6 seconds, as defined in [RFC5382].";
       }

       leaf fragment-min-timeout {
         type uint32;
         default 2;
         description
           "As long as the NAT has available resources,
            the NAT allows the fragments to arrive
            over the fragment-min-timeout interval.
            The default value (2 seconds) is taken from RFC 6146.";
       }

       leaf icmp-timeout {
         type uint32;
         default 60;
         description
           "ICMP timeout, in seconds: 60 seconds, as defined
            in [RFC5508].";
       }
     }

     // port numbers: single or port range

     grouping port-number {
       description
         "Individual port or a range of ports.";

       choice port-type {
         default single-port-number;
         description
           "Port type: single or port-range.";

         case single-port-number {
           leaf single-port-number {
             type inet:port-number;
             description
               "Used for single port numbers.";
           }
         }

         case port-range {
           leaf start-port-number {
             type inet:port-number;
             description
               "Beginning of the port range.";
           }

           leaf end-port-number {
             type inet:port-number;
             description
               "End of the port range.";
           }
         }
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is manually configured.";
           }
           enum "dynamic" {
             description
               "This mapping is created by an outgoing
                packet.";
           }
         }
         description
           "Indicates the type of a mapping entry, i.e.,
            whether it is static or dynamic.";
       }

       leaf internal-src-address {
         type inet:ip-address;
         mandatory true;
         description
           "Corresponds to the source address of the packet
            received on the internal side: an IPv4 address
            for NAT44, an IPv6 address for NAT64.";
       }

       container internal-src-port {
         description
           "Corresponds to the source port of the packet
            received on the internal side.";
         uses port-number;
       }

       leaf external-src-address {
         type inet:ipv4-address;
         mandatory true;
         description
           "External IPv4 address assigned by the NAT.";
       }

       container external-src-port {
         description
           "External source port number assigned by the NAT.";
         uses port-number;
       }

       leaf transport-protocol {
         type uint8;
         mandatory true;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.
            For example, this field contains 6 (TCP) for a TCP
            mapping or 17 (UDP) for a UDP mapping.";
       }

       leaf internal-dst-address {
         type inet:ipv4-prefix;
         description
           "Corresponds to the destination IPv4 address of the
            packet received on the internal side.  Some NAT
            implementations translate both source and
            destination addresses and ports; this is referred
            to as Twice NAT.";
       }

       container internal-dst-port {
         description
           "Corresponds to the destination port of the packet
            received on the internal side.";
         uses port-number;
       }

       leaf external-dst-address {
         type inet:ipv4-address;
         description
           "External destination IPv4 address.";
       }

       container external-dst-port {
         description
           "External destination port number.";
         uses port-number;
       }

       leaf lifetime {
         type uint32;
         mandatory true;
         description
           "Lifetime of the mapping.";
       }
     }

     grouping nat-parameters {
       description
         "NAT parameters for a given instance.";

       list external-ip-address-pool {
         key pool-id;

         description
           "Pool of external IP addresses used to service
            internal hosts.

            Both contiguous and non-contiguous pools
            can be configured for NAT.";

         leaf pool-id {
           type uint32;
           description
             "An identifier of the address pool.";
         }

         leaf external-ip-pool {
           type inet:ipv4-prefix;
           description
             "An IPv4 prefix used for NAT purposes.";
         }
       }

       leaf subscriber-mask-v6 {
         type uint8 {
           range "0 .. 128";
         }
         description
           "The subscriber-mask is an integer that indicates
            the length of significant bits to be applied on
            the source IP address (internal side) to
            unambiguously identify a CPE.

            Subscriber-mask is a system-wide configuration
            parameter that is used to enforce generic
            per-subscriber policies (e.g., port-quota).

            The enforcement of these generic policies does not
            require the configuration of every subscriber's
            prefix.

            Example: suppose the 2001:db8:100:100::/56 prefix
            is assigned to a NAT64-serviced CPE.  Suppose also
            that 2001:db8:100:100::1 is the IPv6 address used
            by the client that resides in that CPE.  When the
            NAT64 receives a packet from this client,
            it applies the subscriber-mask (e.g., 56) on
            the source IPv6 address to compute the associated
            prefix for this client (2001:db8:100:100::/56).
            Then, the NAT64 enforces policies based on that
            prefix (2001:db8:100:100::/56), not on the exact
            source IPv6 address.";
       }

       list subscriber-mask-v4 {
         key sub-mask-id;

         description
           "IPv4 subscriber masks.";

         leaf sub-mask-id {
           type uint32;
           description
             "An identifier of the subscriber mask.";
         }

         leaf sub-mask {
           type inet:ipv4-prefix;
           mandatory true;
           description
             "An IPv4 subnet whose matching source addresses
              are to be translated, e.g., 192.0.2.0/24 if
              that is the private realm to be translated by
              the NAT.";
         }
       }

       leaf paired-address-pooling {
         type boolean;
         default true;
         description
           "Paired address pooling indicates to the NAT
            that all the flows from an internal IP
            address must be assigned the same external
            address.  This is defined in RFC 4787.";
       }

       leaf nat-mapping-type {
         type enumeration {
           enum "eim" {
             description
               "endpoint-independent-mapping.
                Refer to Section 4 of RFC 4787.";
           }

           enum "adm" {
             description
               "address-dependent-mapping.
                Refer to Section 4 of RFC 4787.";
           }

           enum "edm" {
             description
               "address-and-port-dependent-mapping.
                Refer to Section 4 of RFC 4787.";
           }
         }
         description
           "Indicates the type of a NAT mapping.";
       }

       leaf nat-filtering-type {
         type enumeration {
           enum "eif" {
             description
               "endpoint-independent-filtering.
                Refer to Section 5 of RFC 4787.";
           }

           enum "adf" {
             description
               "address-dependent-filtering.
                Refer to Section 5 of RFC 4787.";
           }

           enum "edf" {
             description
               "address-and-port-dependent-filtering.
                Refer to Section 5 of RFC 4787.";
           }
         }
         description
           "Indicates the type of NAT filtering.";
       }

       leaf port-quota {
         type uint16;
         description
           "Configures a port quota to be assigned per
            subscriber.";
       }

       container port-set {
         description
           "Manages port-set assignments.";

         leaf port-set-enable {
           type boolean;
           description
             "Enable/Disable port set assignment.";
         }

         leaf port-set-size {
           type uint16;
           description
             "Indicates the size of assigned port
              sets.";
         }

         leaf port-set-timeout {
           type uint32;
           description
             "Inactivity timeout for port sets.";
         }
       }

       leaf port-randomization-enable {
         type boolean;
         description
           "Enable/disable the port randomization
            feature.";
       }

       leaf port-preservation-enable {
         type boolean;
         description
           "Indicates whether the NAT device should
            preserve the internal port number.";
       }

       leaf port-range-preservation-enable {
         type boolean;
         description
           "Indicates whether the NAT device should
            preserve the internal port range.";
       }

       leaf port-parity-preservation-enable {
         type boolean;
         description
           "Indicates whether the NAT device should
            preserve the port parity of the
            internal port number.";
       }

       leaf address-roundrobin-enable {
         type boolean;
         description
           "Enable/disable round-robin address
            allocation.";
       }

       uses timeouts;

       container logging-info {
         description
           "Information about logging NAT events.";

         leaf destination-address {
           type inet:ipv4-prefix;
           mandatory true;
           description
             "Address of the collector that receives
              the logs.";
         }

         leaf destination-port {
           type inet:port-number;
           mandatory true;
           description
             "Destination port of the collector.";
         }
       }

       container connection-limit {
         description
           "Configuration parameters that limit the number
            of translations (sessions) based on
various 888 criteria"; 890 leaf limit-per-subscriber { 891 type uint32; 892 description 893 "Maximum number of NAT mappings per 894 subscriber."; 895 } 896 leaf limit-per-vrf { 897 type uint32; 898 description 899 "Maximum number of NAT mappings per 900 VLAN/VRF."; 901 } 902 leaf limit-per-subnet { 903 type inet:ipv4-prefix; 904 description 905 "Maximum number of NAT mappings per 906 subnet."; 907 } 908 leaf limit-per-instance { 909 type uint32; 910 mandatory true; 911 description 912 "Maximum number of NAT mappings per 913 instance."; 914 } 915 } 916 container mapping-limit { 917 description 918 "Information on the config parameters that 919 rate limit the mappings based on various 920 criteria"; 922 leaf limit-per-subscriber { 923 type uint32; 924 description 925 "Maximum number of NAT mappings per 926 subscriber."; 927 } 928 leaf limit-per-vrf { 929 type uint32; 930 description 931 "Maximum number of NAT mappings per 932 VLAN/VRF."; 933 } 934 leaf limit-per-subnet { 935 type inet:ipv4-prefix; 936 description 937 "Maximum number of NAT mappings per 938 subnet."; 939 } 940 leaf limit-per-instance { 941 type uint32; 942 mandatory true; 943 description 944 "Maximum number of NAT mappings per 945 instance."; 946 } 947 } 948 leaf ftp-alg-enable { 949 type boolean; 950 description 951 "Enable/Disable FTP ALG"; 952 } 954 leaf dns-alg-enable { 955 type boolean; 956 description 957 "Enable/Disable DNSALG"; 958 } 959 leaf tftp-alg-enable { 960 type boolean; 961 description 962 "Enable/Disable TFTP ALG"; 963 } 965 leaf msrpc-alg-enable { 966 type boolean; 967 description 968 "Enable/Disable MS-RPC ALG"; 969 } 971 leaf netbios-alg-enable { 972 type boolean; 973 description 974 "Enable/Disable NetBIOS ALG"; 975 } 977 leaf rcmd-alg-enable { 978 type boolean; 979 description 980 "Enable/Disable rcmd ALG"; 981 } 983 leaf ldap-alg-enable { 984 type boolean; 985 description 986 "Enable/Disable LDAP ALG"; 987 } 989 leaf sip-alg-enable { 990 type boolean; 991 description 992 
"Enable/Disable SIP ALG"; 993 } 995 leaf rtsp-alg-enable { 996 type boolean; 997 description 998 "Enable/Disable RTSP ALG"; 999 } 1001 leaf h323-alg-enable { 1002 type boolean; 1003 description 1004 "Enable/Disable H323 ALG"; 1005 } 1006 leaf all-algs-enable { 1007 type boolean; 1008 description 1009 "Enable/Disable all the ALGs"; 1010 } 1012 container notify-pool-usage { 1013 description 1014 "Notification of Pool usage when certain criteria 1015 is met"; 1017 leaf pool-id { 1018 type uint32; 1019 description 1020 "Pool-ID for which the notification 1021 criteria is defined"; 1022 } 1024 leaf notify-pool-hi-threshold { 1025 type percent; 1026 mandatory true; 1027 description 1028 "Notification must be generated when the 1029 defined high threshold is reached. 1030 For example, if a notification is 1031 required when the pool utilization reaches 1032 90%, this configuration parameter must 1033 be set to 90%"; 1034 } 1036 leaf notify-pool-low-threshold { 1037 type percent; 1038 description 1039 "Notification must be generated when the defined 1040 low threshold is reached. 1041 For example, if a notification is required when 1042 the pool utilization reaches below 10%, 1043 this configuration parameter must be set to 1044 10%"; 1045 } 1046 } 1047 list nat64-prefixes { 1048 key nat64-prefix-id; 1050 description 1051 "Provides one or a list of NAT64 prefixes 1052 With or without a list of destination IPv4 prefixes. 1054 Destination-based Pref64::/n is discussed in 1055 Section 5.1 of [RFC7050]). For example: 1056 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 1057 198.51.100.0/24 is mapped to 2001:db8:122::/48."; 1059 leaf nat64-prefix-id { 1060 type uint32; 1061 description 1062 "An identifier of the NAT64 prefix."; 1063 } 1065 leaf nat64-prefix { 1066 type inet:ipv6-prefix; 1067 default "64:ff9b::/96"; 1068 description 1069 "A NAT64 prefix. 
           Can be NSP or WKP [RFC6052].";
      }

      list destination-ipv4-prefix {
        key ipv4-prefix-id;

        description
          "An IPv4 prefix/address.";

        leaf ipv4-prefix-id {
          type uint32;
          description
            "An identifier of the IPv4 prefix/address.";
        }

        leaf ipv4-prefix {
          type inet:ipv4-prefix;
          description
            "An IPv4 address/prefix.";
        }
      }
    }
  } // nat-parameters grouping

  container nat-config {
    description
      "NAT configuration.";

    container nat-instances {
      description
        "NAT instances.";

      list nat-instance {
        key "id";

        description
          "A NAT instance.";

        leaf id {
          type uint32;
          description
            "NAT instance identifier.";
        }

        leaf enable {
          type boolean;
          description
            "Status of the NAT instance.";
        }

        uses nat-parameters;

        container mapping-table {
          description
            "NAT dynamic mapping table used to track
             sessions.";

          list mapping-entry {
            key "index";
            description
              "NAT mapping entry.";
            uses mapping-entry;
          }
        }
      }
    }
  }

  /*
   * NAT State
   */

  container nat-state {
    config false;

    description
      "NAT operational state.";

    container nat-instances {
      description
        "NAT instances.";

      list nat-instance {
        key "id";

        description
          "A NAT instance.";

        leaf id {
          type uint32;
          description
            "The identifier of the NAT instance.";
        }

        container nat-capabilities {
          description
            "NAT capabilities.";

          leaf nat44-support {
            type boolean;
            description
              "Indicates NAT44 support.";
          }

          leaf nat64-support {
            type boolean;
            description
              "Indicates NAT64 support.";
          }

          leaf static-mapping-support {
            type boolean;
            description
              "Indicates whether static mappings are
               supported.";
          }

          leaf port-set-support {
            type boolean;
            description
              "Indicates whether port set assignment is
               supported
               ";
          }

          leaf port-randomization-support {
            type boolean;
            description
              "Indicates whether port randomization is
               supported.";
          }

          leaf port-range-preservation-support {
            type boolean;
            description
              "Indicates whether port range
               preservation is supported.";
          }

          leaf port-preservation-support {
            type boolean;
            description
              "Indicates whether port preservation
               is supported.";
          }

          leaf port-parity-preservation-support {
            type boolean;
            description
              "Indicates whether port parity
               preservation is supported.";
          }

          leaf address-roundrobin-support {
            type boolean;
            description
              "Indicates whether round-robin address
               allocation is supported.";
          }

          leaf ftp-alg-support {
            type boolean;
            description
              "Indicates whether FTP ALG is supported.";
          }

          leaf dns-alg-support {
            type boolean;
            description
              "Indicates whether DNS ALG is supported.";
          }

          leaf tftp-alg-support {
            type boolean;
            description
              "Indicates whether TFTP ALG is supported.";
          }

          leaf msrpc-alg-support {
            type boolean;
            description
              "Indicates whether MS-RPC ALG is supported.";
          }

          leaf netbios-alg-support {
            type boolean;
            description
              "Indicates whether NetBIOS ALG is supported.";
          }

          leaf rcmd-alg-support {
            type boolean;
            description
              "Indicates whether rcmd ALG is supported.";
          }

          leaf ldap-alg-support {
            type boolean;
            description
              "Indicates whether LDAP ALG is supported.";
          }

          leaf sip-alg-support {
            type boolean;
            description
              "Indicates whether SIP ALG is supported.";
          }

          leaf rtsp-alg-support {
            type boolean;
            description
              "Indicates whether RTSP ALG is supported.";
          }

          leaf h323-alg-support {
            type boolean;
            description
              "Indicates whether H323 ALG is supported.";
          }

          leaf
          paired-address-pooling-support {
            type boolean;
            description
              "Indicates whether paired address pooling is
               supported.";
          }

          leaf endpoint-independent-mapping-support {
            type boolean;
            description
              "Indicates whether endpoint-independent mapping
               (Section 4 of [RFC4787]) is supported.";
          }

          leaf address-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address-dependent mapping
               (Section 4 of [RFC4787]) is supported.";
          }

          leaf address-and-port-dependent-mapping-support {
            type boolean;
            description
              "Indicates whether address and port-dependent
               mapping (Section 4 of [RFC4787]) is supported.";
          }

          leaf endpoint-independent-filtering-support {
            type boolean;
            description
              "Indicates whether endpoint-independent filtering
               (Section 5 of [RFC4787]) is supported.";
          }

          leaf address-dependent-filtering-support {
            type boolean;
            description
              "Indicates whether address-dependent filtering
               (Section 5 of [RFC4787]) is supported.";
          }

          leaf address-and-port-dependent-filtering-support {
            type boolean;
            description
              "Indicates whether address and port-dependent
               filtering (Section 5 of [RFC4787]) is supported.";
          }

          leaf stealth-mode-support {
            type boolean;
            description
              "Indicates whether stealth mode (not responding
               to unsolicited traffic) is supported.";
          }

        }

        container nat-current-config {
          description
            "Configuration currently in effect.";

          uses nat-parameters;
        }

        container mapping-table {
          description
            "Mapping table.";
          list mapping-entry {
            key "index";
            description
              "Mapping entry.";
            uses mapping-entry;
          }
        }

        container statistics {
          description
            "Statistics related to the NAT instance.";

          leaf total-mappings {
            type uint32;
            description
              "Total number of NAT mappings present
               at the time.
               This includes all the
               static and dynamic mappings.";
          }
          leaf total-tcp-mappings {
            type uint32;
            description
              "Total number of TCP mappings present
               at the time.";
          }
          leaf total-udp-mappings {
            type uint32;
            description
              "Total number of UDP mappings present
               at the time.";
          }
          leaf total-icmp-mappings {
            type uint32;
            description
              "Total number of ICMP mappings present
               at the time.";
          }
          container pool-stats {
            description
              "Statistics related to pool usage.";
            leaf pool-id {
              type uint32;
              description
                "Unique identifier that represents
                 a pool.";
            }
            leaf address-allocated {
              type uint32;
              description
                "Number of allocated addresses in
                 the pool.";
            }
            leaf address-free {
              type uint32;
              description
                "Number of free addresses in
                 the pool.  The sum of free
                 addresses and allocated
                 addresses is the total number of
                 addresses in the pool.";
            }
            container port-stats {
              description
                "Statistics related to port
                 usage.";

              leaf ports-allocated {
                type uint32;
                description
                  "Number of allocated ports
                   in the pool.";
              }

              leaf ports-free {
                type uint32;
                description
                  "Number of free ports
                   in the pool.";
              }

            }
          }
        } // statistics
      } // nat-instance
    } // nat-instances
  } // nat-state
  /*
   * Notifications
   */
  notification nat-event {
    description
      "Notifications must be generated when the defined
       high/low threshold is reached.
       The related configuration
       parameters must be provided to trigger
       the notifications.";

    leaf id {
      type leafref {
        path
          "/nat-state/nat-instances/"
        + "nat-instance/id";
      }
      description
        "NAT instance ID.";
    }

    leaf notify-pool-threshold {
      type percent;
      mandatory true;
      description
        "The threshold (high or low) that has been
         reached.";
    }
  }
} // module nat

4.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer, and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides the means to restrict access for particular
   NETCONF users to a pre-configured subset of all available NETCONF
   protocol operations and content.

   All data nodes defined in the YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  In this module that applies in particular to
   the mapping limits (mapping-limit), the ALG enable flags, the NAT64
   prefix and destination-prefix lists (nat64-prefixes), and the
   pool-usage notification thresholds (notify-pool-usage): changing
   them alters or disables translation for every subscriber of the
   instance, or silences the pool-exhaustion notifications an operator
   relies on.

   Some of the read-only data nodes are sensitive as well.  The
   mapping-table under nat-state lists the active sessions of every
   subscriber behind the NAT instance, so read access to it should be
   restricted to the same extent as write access to the configuration.

5.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC6020].

      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.
   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007, <https://www.rfc-editor.org/info/rfc4787>.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008,
              <https://www.rfc-editor.org/info/rfc5382>.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009,
              <https://www.rfc-editor.org/info/rfc5508>.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010,
              <https://www.rfc-editor.org/info/rfc6020>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
              <https://www.rfc-editor.org/info/rfc6242>.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012,
              <https://www.rfc-editor.org/info/rfc6536>.

6.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Data Models for the Port Control
              Protocol (PCP)", draft-boucadair-pcp-yang-02 (work in
              progress), June 2016.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999,
              <https://www.rfc-editor.org/info/rfc2663>.

   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
              DOI 10.17487/RFC6052, October 2010,
              <https://www.rfc-editor.org/info/rfc6052>.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011,
              <https://www.rfc-editor.org/info/rfc6302>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [RFC7050]  Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
              the IPv6 Prefix Used for IPv6 Address Synthesis",
              RFC 7050, DOI 10.17487/RFC7050, November 2013,
              <https://www.rfc-editor.org/info/rfc7050>.

Authors' Addresses

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Mohamed Boucadair
   France Telecom
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA
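   The destination-based prefix selection and the RFC 6052 address
   synthesis that the nat64-prefixes list configures, as an added
   worked example.  This is Python written for this page; it is not
   part of the draft nor of any implementation of it.  It represents
   each nat64-prefixes entry as a (nat64-prefix, destination-ipv4-prefix
   list) pair, with an empty destination list acting as the catch-all
   entry; the table NAT64_PREFIXES is constructed from the example in
   the list's description plus the leaf's default WKP, and the function
   names synthesize, extract, select_pref64 and translate are the
   example's own.

```python
"""RFC 6052 NAT64 address synthesis with destination-based Pref64 selection.

Illustrative code added for this page; not part of the draft or of any
implementation of it.  NAT64_PREFIXES is constructed from the example in
the nat64-prefixes description.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4Address = ipaddress.IPv4Address
IPv6Address = ipaddress.IPv6Address
IPv4Network = ipaddress.IPv4Network
IPv6Network = ipaddress.IPv6Network

# One tuple per nat64-prefixes entry: (nat64-prefix, destination-ipv4-prefix list).
# An empty destination list marks the catch-all entry.
Nat64Entry = Tuple[IPv6Network, List[IPv4Network]]

NAT64_PREFIXES: List[Nat64Entry] = [
    (IPv6Network("2001:db8:122:300::/56"), [IPv4Network("192.0.2.0/24")]),
    (IPv6Network("2001:db8:122::/48"), [IPv4Network("198.51.100.0/24")]),
    (IPv6Network("64:ff9b::/96"), []),  # WKP, the nat64-prefix default
]

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(pref64: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Embed v4 in pref64 as RFC 6052 Section 2.2 lays out the bits.

    With a /96 the IPv4 address fills the last 32 bits.  For the shorter
    lengths bits 64-71 (the 'u' octet) must stay zero, so the IPv4 bits
    are split: the first 64-n bits follow the prefix directly and the
    remaining bits continue from bit 72.
    """
    n = pref64.prefixlen
    if n not in RFC6052_LENGTHS:
        raise ValueError(f"RFC 6052 defines no /{n} Pref64")
    addr = int(pref64.network_address)  # high n bits only, rest zero
    v4i = int(v4)
    if n == 96:
        return IPv6Address(addr | v4i)
    n_hi = 64 - n                        # IPv4 bits placed before 'u'
    n_lo = 32 - n_hi                     # IPv4 bits placed after 'u'
    hi, lo = v4i >> n_lo, v4i & ((1 << n_lo) - 1)
    addr |= hi << 64                     # occupies bits n .. 63
    addr |= lo << (56 - n_lo)            # occupies bits 72 .. 72+n_lo-1
    return IPv6Address(addr)


def extract(pref64: IPv6Network, v6: IPv6Address) -> Optional[IPv4Address]:
    """Inverse of synthesize; None when v6 is not inside pref64.

    The 'u' octet is ignored rather than checked, as RFC 6052 asks of a
    receiver.
    """
    if v6 not in pref64:
        return None
    n = pref64.prefixlen
    a = int(v6)
    if n == 96:
        return IPv4Address(a & 0xFFFFFFFF)
    n_hi = 64 - n
    n_lo = 32 - n_hi
    hi = (a >> 64) & ((1 << n_hi) - 1)
    lo = (a >> (56 - n_lo)) & ((1 << n_lo) - 1)
    return IPv4Address((hi << n_lo) | lo)


def select_pref64(entries: List[Nat64Entry], dst: IPv4Address) -> Optional[IPv6Network]:
    """Destination-based Pref64 choice (RFC 7050 Section 5.1).

    The entry whose destination-ipv4-prefix list holds the longest prefix
    containing dst wins; an entry with no destination list is used only
    when nothing more specific matches.  None means dst cannot be
    translated with this configuration.
    """
    best: Optional[Tuple[int, IPv6Network]] = None
    for pref64, dests in entries:
        if not dests:
            cand = (-1, pref64)
        else:
            lens = [net.prefixlen for net in dests if dst in net]
            if not lens:
                continue
            cand = (max(lens), pref64)
        if best is None or cand[0] > best[0]:
            best = cand
    return None if best is None else best[1]


def translate(entries: List[Nat64Entry], dst: IPv4Address) -> Optional[IPv6Address]:
    """IPv4 destination -> synthesized IPv6 destination under this config."""
    pref64 = select_pref64(entries, dst)
    return None if pref64 is None else synthesize(pref64, dst)


if __name__ == "__main__":
    for d in ("192.0.2.33", "198.51.100.7", "203.0.113.9"):
        print(d, "->", translate(NAT64_PREFIXES, IPv4Address(d)))
```

   The bit placement is the part implementers get wrong: for every
   length other than /96 the 'u' octet at bits 64-71 must be zero, which
   is why the example splits the IPv4 address around it instead of
   appending it to the prefix.  The same split, run backwards, is what a
   NAT64 has to do on the IPv6-to-IPv4 path, so extract is included to
   show that synthesize and extract are exact inverses.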
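   The threshold semantics of notify-pool-usage and the nat-event
   notification, as an added worked example.  This is Python written
   for this page, not the draft's own code.  It assumes that pool
   utilization is derived from the address-allocated and address-free
   counters of pool-stats, that the percent typedef is an integer in
   0..100, and that the high and low events are edge-triggered with
   hysteresis; the class and function names (NotifyPoolUsage,
   PoolMonitor, utilization_percent, replay) and the SAMPLES readings
   are constructed for the example.

```python
"""Pool-usage threshold notifications (notify-pool-usage -> nat-event).

Illustrative code added for this page, not part of the draft.  The
SAMPLES pool-stats readings are constructed; field names follow the
YANG leaves.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NotifyPoolUsage:
    """Mirror of container notify-pool-usage (percent assumed to be 0..100)."""
    pool_id: int
    hi_threshold: int                    # notify-pool-hi-threshold, mandatory
    low_threshold: Optional[int] = None  # notify-pool-low-threshold, optional

    def __post_init__(self) -> None:
        for v in (self.hi_threshold, self.low_threshold):
            if v is not None and not 0 <= v <= 100:
                raise ValueError("thresholds are percentages")
        if self.low_threshold is not None and self.low_threshold >= self.hi_threshold:
            raise ValueError("low threshold must be below the high threshold")


def utilization_percent(allocated: int, free: int) -> int:
    """Utilization derived from pool-stats: allocated / (allocated + free).

    An empty pool (both counters zero) reports 0% instead of raising, so
    it can never trip the high threshold.
    """
    total = allocated + free
    return 0 if total == 0 else (100 * allocated) // total


@dataclass
class PoolMonitor:
    """Turns successive pool-stats samples into nat-event payloads.

    Events are edge-triggered with hysteresis: the high event fires once
    when utilization reaches hi_threshold and is re-armed only after the
    low threshold has been reached (or, with no low threshold configured,
    as soon as utilization drops below the high mark).  A pool hovering
    around the threshold therefore cannot flood the NETCONF subscriber.
    """
    instance_id: int                     # nat-instance id carried in nat-event/id
    config: NotifyPoolUsage
    _armed_hi: bool = field(default=True, init=False)
    _armed_low: bool = field(default=False, init=False)

    def observe(self, allocated: int, free: int) -> List[Dict[str, int]]:
        pct = utilization_percent(allocated, free)
        cfg = self.config
        events: List[Dict[str, int]] = []
        if pct >= cfg.hi_threshold:
            if self._armed_hi:
                events.append(self._event(cfg.hi_threshold))
                self._armed_hi = False
                self._armed_low = cfg.low_threshold is not None
        elif cfg.low_threshold is not None and pct <= cfg.low_threshold:
            if self._armed_low:
                events.append(self._event(cfg.low_threshold))
                self._armed_low = False
                self._armed_hi = True
        elif cfg.low_threshold is None:
            self._armed_hi = True        # simple edge: re-arm below the high mark
        return events

    def _event(self, threshold: int) -> Dict[str, int]:
        # Exactly the two leaves of notification nat-event.  The pool that
        # fired is not carried by the notification, so a consumer has to
        # correlate with the instance's notify-pool-usage configuration.
        return {"id": self.instance_id, "notify-pool-threshold": threshold}


def replay(monitor: PoolMonitor, samples: List[Tuple[int, int]]) -> List[int]:
    """Feed (address-allocated, address-free) samples; return thresholds fired."""
    fired: List[int] = []
    for allocated, free in samples:
        fired.extend(e["notify-pool-threshold"] for e in monitor.observe(allocated, free))
    return fired


# Constructed pool-stats readings: fill, hover near the mark, drain, refill.
SAMPLES = [(50, 50), (90, 10), (95, 5), (85, 15), (89, 11), (10, 90), (5, 95), (90, 10)]

if __name__ == "__main__":
    mon = PoolMonitor(instance_id=1,
                      config=NotifyPoolUsage(pool_id=7, hi_threshold=90, low_threshold=10))
    print(replay(mon, SAMPLES))
```

   The same monitor can be fed the ports-allocated and ports-free
   counters of port-stats when a pool is port-constrained rather than
   address-constrained.  The one thing the example cannot fix is that
   nat-event carries only the instance id and the threshold value, not
   the pool-id: an operator with several pools per instance needs that
   correlation done on the receiving side.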