Network Working Group                                        S. Sivakumar
Internet-Draft                                              Cisco Systems
Intended status: Standards Track                             M. Boucadair
Expires: January 4, 2018                                           Orange
                                                            S. Vinapamula
                                                         Juniper Networks
                                                             July 3, 2017


         YANG Data Model for Network Address Translation (NAT)
                      draft-sivakumar-yang-nat-07

Abstract

   For the sake of network automation, and the need to program the NAT
   function in particular, a data model for configuring and managing a
   NAT device is essential.  This document defines a YANG data model for
   the NAT function.  Both NAT44 and NAT64 are covered in this document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
   3.  NAT YANG Module
   4.  Sample Examples
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) using the YANG data modeling language [RFC6020].  Traditional
   NAT is defined in [RFC2663] and Carrier Grade NAT is defined in
   [RFC6888].  This document covers the NAT features in both documents.
   This document also covers NAT64 as defined in [RFC6146].

   This document assumes that the behaviors specified in [RFC4787],
   [RFC5382] and [RFC5508] are enabled by default.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The term "NAT device" in this document refers to both NAT44 and
   NAT64 devices.
   This document uses the term "Session" as it is defined in [RFC2663]
   and the term "BIB" as it is defined in [RFC6146].

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Curly braces "{" and "}" contain names of optional features that
      make the corresponding node conditional.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write), "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!" a
      container with presence, and "*" denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Overview of the NAT YANG Data Model

   The NAT data model is designed to cover both configuration and state
   retrieval.  This document covers dynamic (implicit) mappings; the
   PCP-related functionality used to instruct dynamic explicit mappings
   is defined in [I-D.boucadair-pcp-yang].

   In order to cover both the NAT64 and NAT44 flavors in particular, the
   NAT mapping structure allows the internal IP address to be either an
   IPv4 or an IPv6 address.  The remaining fields are common to both NAT
   schemes.  NPTv6 is also in scope [RFC6296].

   This document assumes that the behaviors specified in [RFC4787],
   [RFC5382] and [RFC5508] are enabled by default.  Also, the data model
   relies on the recommendations in [RFC6888] and [RFC7857].

   A single NAT device can have multiple NAT instances, each responsible
   for servicing a group of internal hosts.  This document does not make
   any assumption about how internal hosts are attached to a given NAT
   instance.

   The data model assumes that each NAT instance can be enabled or
   disabled, be provisioned with its own dedicated configuration data,
   and maintain its own mapping table.
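   As an added illustration (this is editor-supplied example code, not
   part of the draft or of any implementation it describes), the Python
   below models one NAT instance with its own configuration leaves and
   mapping table, following the semantics this section and the module
   descriptions lay out: an internal address that may be IPv4 or IPv6,
   the subscriber-mask-v6 used to derive the per-subscriber prefix, the
   per-subscriber port-quota, paired address pooling from an external
   pool, endpoint-independent mapping reuse, mapping lifetime expiry and
   the port hold-down timer.  The class and method names (NatInstance,
   allocate_mapping, tick) and the 192.0.2.0/30 pool are this example's
   own constructed values.

```python
import ipaddress
from dataclasses import dataclass
from itertools import chain


@dataclass
class MappingEntry:
    """One row of the model's mapping-table; fields are named after the YANG leaves."""
    index: int
    type: str                  # "static" or "dynamic"
    internal_src_address: str  # inet:ip-address: IPv4 for NAT44, IPv6 for NAT64
    internal_src_port: int
    external_src_address: str  # inet:ipv4-address taken from the external pool
    external_src_port: int
    transport_protocol: int    # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    lifetime: int              # seconds left before the mapping is removed


class NatInstance:
    """One NAT instance: its own configuration leaves and its own mapping table."""

    def __init__(self, external_ip_pool, subscriber_mask_v6=56, port_quota=1024,
                 port_allocation_type="port-preservation", hold_down_timeout=120):
        # external-ip-address-pool: a contiguous IPv4 prefix (constructed value).
        self.pool = [str(a) for a in ipaddress.ip_network(external_ip_pool).hosts()]
        self.subscriber_mask_v6 = subscriber_mask_v6
        self.port_quota = port_quota
        self.port_allocation_type = port_allocation_type
        self.hold_down_timeout = hold_down_timeout
        self.mappings = {}        # index -> MappingEntry
        self.next_index = 1
        self.paired = {}          # internal address -> external address (paired pooling)
        self.in_use = set()       # (external address, protocol, port) currently mapped
        self.hold_down = {}       # (external address, protocol, port) -> seconds left

    def subscriber_of(self, internal_addr):
        """Apply subscriber-mask-v6 to an IPv6 source; an IPv4 host is its own subscriber."""
        addr = ipaddress.ip_address(internal_addr)
        if addr.version == 6:
            return str(ipaddress.ip_network(f"{addr}/{self.subscriber_mask_v6}", strict=False))
        return str(addr)

    def ports_used_by(self, subscriber):
        # The quantity that port-quota bounds: ports held by one subscriber.
        return sum(1 for m in self.mappings.values()
                   if self.subscriber_of(m.internal_src_address) == subscriber)

    def _pick_external_address(self, internal_addr):
        # Paired address pooling: all flows from one internal address share one
        # external address; a new internal address gets the least-loaded pool member.
        if internal_addr not in self.paired:
            load = {a: 0 for a in self.pool}
            for a in self.paired.values():
                load[a] += 1
            self.paired[internal_addr] = min(self.pool, key=lambda a: load[a])
        return self.paired[internal_addr]

    def _pick_port(self, ext_addr, proto, internal_port):
        # port-preservation: keep the internal port if it is free and not in
        # hold-down; otherwise fall back to the lowest free port above 1023.
        preferred = [internal_port] if self.port_allocation_type == "port-preservation" else []
        for port in chain(preferred, range(1024, 65536)):
            key = (ext_addr, proto, port)
            if key not in self.in_use and key not in self.hold_down:
                return port
        raise RuntimeError("external port space exhausted")

    def allocate_mapping(self, internal_addr, internal_port, proto, lifetime):
        """Create a dynamic mapping, or reuse the one already held by the same internal
        (address, port, protocol), as endpoint-independent mapping requires.
        Returns None when the subscriber's port-quota would be exceeded."""
        for m in self.mappings.values():
            if (m.internal_src_address, m.internal_src_port,
                    m.transport_protocol) == (internal_addr, internal_port, proto):
                m.lifetime = max(m.lifetime, lifetime)   # traffic refreshes the mapping
                return m
        if self.ports_used_by(self.subscriber_of(internal_addr)) >= self.port_quota:
            return None
        ext_addr = self._pick_external_address(internal_addr)
        ext_port = self._pick_port(ext_addr, proto, internal_port)
        entry = MappingEntry(self.next_index, "dynamic", internal_addr, internal_port,
                             ext_addr, ext_port, proto, lifetime)
        self.mappings[entry.index] = entry
        self.in_use.add((ext_addr, proto, ext_port))
        self.next_index += 1
        return entry

    def tick(self, seconds):
        """Advance time: release expired hold-downs, then expire mappings whose
        lifetime ran out and park their ports in hold-down (hold-down-timeout)."""
        for key in list(self.hold_down):
            self.hold_down[key] -= seconds
            if self.hold_down[key] <= 0:
                del self.hold_down[key]
        for idx, m in list(self.mappings.items()):
            m.lifetime -= seconds
            if m.lifetime <= 0:
                key = (m.external_src_address, m.transport_protocol, m.external_src_port)
                self.in_use.discard(key)
                self.hold_down[key] = self.hold_down_timeout
                del self.mappings[idx]

    def statistics(self):
        """Counters shaped like the model's nat-state/statistics subtree."""
        protos = [m.transport_protocol for m in self.mappings.values()]
        return {"total-mappings": len(protos), "total-tcp-mappings": protos.count(6),
                "total-udp-mappings": protos.count(17),
                "total-icmp-mappings": protos.count(1), "ports-allocated": len(self.in_use)}
```

   With a port-quota of 2, a second host behind the same /56 shares the
   subscriber's quota, and a port released by an expired mapping is not
   handed out again until the hold-down timer has run.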
   This data model assumes that blocks of global IP addresses can be
   provisioned to the NAT function.  These blocks may be contiguous or
   non-contiguous [RFC6888].

   A NAT function can either assign individual port numbers or port sets
   (e.g., [RFC7753]).  Both features are supported in the YANG data
   model.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   model allows an operator to instruct a NAT function to log the
   destination port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.

   This document does not cover the following functionalities:

   o  Dynamic explicit mappings.
   o  DSCP-related operations.
   o  Deterministic NAT assignment scheme [RFC7422].

   The tree structure of the NAT data model is provided below:

   module: ietf-nat
      +--rw nat-config
      |  +--rw nat-instances
      |     +--rw nat-instance* [id]
      |        +--rw id                              uint32
      |        +--rw name?                           string
      |        +--rw enable?                         boolean
      |        +--rw external-ip-address-pool* [pool-id]
      |        |  +--rw pool-id             uint32
      |        |  +--rw external-ip-pool?   inet:ipv4-prefix
      |        +--rw subscriber-mask-v6?             uint8
      |        +--rw subscriber-mask-v4* [sub-mask-id]
      |        |  +--rw sub-mask-id    uint32
      |        |  +--rw sub-mask       inet:ipv4-prefix
      |        +--rw paired-address-pooling?         boolean
      |        +--rw nat-mapping-type?               enumeration
      |        +--rw nat-filtering-type?             enumeration
      |        +--rw port-quota?                     uint16
      |        +--rw port-set
      |        |  +--rw port-set-enable?    boolean
      |        |  +--rw port-set-size?      uint16
      |        |  +--rw port-set-timeout?   uint32
      |        +--rw port-allocation-type?           enumeration
      |        +--rw address-roundrobin-enable?      boolean
      |        +--rw udp-timeout?                    uint32
      |        +--rw tcp-idle-timeout?               uint32
      |        +--rw tcp-trans-open-timeout?         uint32
      |        +--rw tcp-trans-close-timeout?        uint32
      |        +--rw tcp-in-syn-timeout?             uint32
      |        +--rw fragment-min-timeout?           uint32
      |        +--rw icmp-timeout?                   uint32
      |        +--rw per-port-timeout* [port-number]
      |        |  +--rw port-number    inet:port-number
      |        |  +--rw port-timeout   uint32
      |        +--rw hold-down-timeout?              uint32
      |        +--rw logging-info
      |        |  +--rw destination-address    inet:ipv4-prefix
      |        |  +--rw destination-port       inet:port-number
      |        +--rw connection-limit
      |        |  +--rw limit-per-subscriber?   uint32
      |        |  +--rw limit-per-vrf?          uint32
      |        |  +--rw limit-per-subnet?       uint32
      |        |  +--rw limit-per-instance      uint32
      |        |  +--rw limit-per-udp           uint32
      |        |  +--rw limit-per-tcp           uint32
      |        |  +--rw limit-per-icmp          uint32
      |        +--rw mapping-limit
      |        |  +--rw limit-per-subscriber?   uint32
      |        |  +--rw limit-per-vrf?          uint32
      |        |  +--rw limit-per-subnet?       uint32
      |        |  +--rw limit-per-instance      uint32
      |        |  +--rw limit-per-transport     uint32
      |        +--rw ftp-alg-enable?                 boolean
      |        +--rw dns-alg-enable?                 boolean
      |        +--rw tftp-alg-enable?                boolean
      |        +--rw msrpc-alg-enable?               boolean
      |        +--rw netbios-alg-enable?             boolean
      |        +--rw rcmd-alg-enable?                boolean
      |        +--rw ldap-alg-enable?                boolean
      |        +--rw sip-alg-enable?                 boolean
      |        +--rw rtsp-alg-enable?                boolean
      |        +--rw h323-alg-enable?                boolean
      |        +--rw all-algs-enable?                boolean
      |        +--rw notify-pool-usage
      |        |  +--rw pool-id?                     uint32
      |        |  +--rw notify-pool-hi-threshold     percent
      |        |  +--rw notify-pool-low-threshold?   percent
      |        +--rw nat64-prefixes* [nat64-prefix-id]
      |        |  +--rw nat64-prefix-id    uint32
      |        |  +--rw nat64-prefix?      inet:ipv6-prefix
      |        |  +--rw destination-ipv4-prefix* [ipv4-prefix-id]
      |        |     +--rw ipv4-prefix-id    uint32
      |        |     +--rw ipv4-prefix?      inet:ipv4-prefix
      |        +--rw mapping-table
      |           +--rw mapping-entry* [index]
      |              +--rw index                   uint32
      |              +--rw type?                   enumeration
      |              +--rw internal-src-address    inet:ip-address
      |              +--rw internal-src-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw external-src-address    inet:ipv4-address
      |              +--rw external-src-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw transport-protocol      uint8
      |              +--rw internal-dst-address?   inet:ipv4-prefix
      |              +--rw internal-dst-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw external-dst-address?   inet:ipv4-address
      |              +--rw external-dst-port
      |              |  +--rw (port-type)?
      |              |     +--:(single-port-number)
      |              |     |  +--rw single-port-number?   inet:port-number
      |              |     +--:(port-range)
      |              |        +--rw start-port-number?    inet:port-number
      |              |        +--rw end-port-number?      inet:port-number
      |              +--rw lifetime                uint32
      +--ro nat-state
         +--ro nat-instances
            +--ro nat-instance* [id]
               +--ro id                  int32
               +--ro nat-capabilities
               |  +--ro nat44-support?                                boolean
               |  +--ro nat64-support?                                boolean
               |  +--ro nptv6-support?                                boolean
               |  +--ro static-mapping-support?                       boolean
               |  +--ro port-set-support?                             boolean
               |  +--ro port-randomization-support?                   boolean
               |  +--ro port-range-preservation-support?              boolean
               |  +--ro port-preservation-support?                    boolean
               |  +--ro port-parity-preservation-support?             boolean
               |  +--ro address-roundrobin-support?                   boolean
               |  +--ro ftp-alg-support?                              boolean
               |  +--ro dns-alg-support?                              boolean
               |  +--ro tftp-support?                                 boolean
               |  +--ro msrpc-alg-support?                            boolean
               |  +--ro netbios-alg-support?                          boolean
               |  +--ro rcmd-alg-support?                             boolean
               |  +--ro ldap-alg-support?                             boolean
               |  +--ro sip-alg-support?                              boolean
               |  +--ro rtsp-alg-support?                             boolean
               |  +--ro h323-alg-support?                             boolean
               |  +--ro paired-address-pooling-support?               boolean
               |  +--ro endpoint-independent-mapping-support?         boolean
               |  +--ro address-dependent-mapping-support?            boolean
               |  +--ro address-and-port-dependent-mapping-support?   boolean
               |  +--ro endpoint-independent-filtering-support?       boolean
               |  +--ro address-dependent-filtering?                  boolean
               |  +--ro address-and-port-dependent-filtering?         boolean
               +--ro nat-current-config
               |  +--ro external-ip-address-pool* [pool-id]
               |  |  +--ro pool-id             uint32
               |  |  +--ro external-ip-pool?   inet:ipv4-prefix
               |  +--ro subscriber-mask-v6?             uint8
               |  +--ro subscriber-mask-v4* [sub-mask-id]
               |  |  +--ro sub-mask-id    uint32
               |  |  +--ro sub-mask       inet:ipv4-prefix
               |  +--ro paired-address-pooling?         boolean
               |  +--ro nat-mapping-type?               enumeration
               |  +--ro nat-filtering-type?             enumeration
               |  +--ro port-quota?                     uint16
               |  +--ro port-set
               |  |  +--ro port-set-enable?    boolean
               |  |  +--ro port-set-size?      uint16
               |  |  +--ro port-set-timeout?   uint32
               |  +--ro port-allocation-type?           enumeration
               |  +--ro address-roundrobin-enable?      boolean
               |  +--ro udp-timeout?                    uint32
               |  +--ro tcp-idle-timeout?               uint32
               |  +--ro tcp-trans-open-timeout?         uint32
               |  +--ro tcp-trans-close-timeout?        uint32
               |  +--ro tcp-in-syn-timeout?             uint32
               |  +--ro fragment-min-timeout?           uint32
               |  +--ro icmp-timeout?                   uint32
               |  +--ro per-port-timeout* [port-number]
               |  |  +--ro port-number    inet:port-number
               |  |  +--ro port-timeout   uint32
               |  +--ro hold-down-timeout?              uint32
               |  +--ro logging-info
               |  |  +--ro destination-address    inet:ipv4-prefix
               |  |  +--ro destination-port       inet:port-number
               |  +--ro connection-limit
               |  |  +--ro limit-per-subscriber?   uint32
               |  |  +--ro limit-per-vrf?          uint32
               |  |  +--ro limit-per-subnet?       uint32
               |  |  +--ro limit-per-instance      uint32
               |  |  +--ro limit-per-udp           uint32
               |  |  +--ro limit-per-tcp           uint32
               |  |  +--ro limit-per-icmp          uint32
               |  +--ro mapping-limit
               |  |  +--ro limit-per-subscriber?   uint32
               |  |  +--ro limit-per-vrf?          uint32
               |  |  +--ro limit-per-subnet?       uint32
               |  |  +--ro limit-per-instance      uint32
               |  |  +--ro limit-per-transport     uint32
               |  +--ro ftp-alg-enable?                 boolean
               |  +--ro dns-alg-enable?                 boolean
               |  +--ro tftp-alg-enable?                boolean
               |  +--ro msrpc-alg-enable?               boolean
               |  +--ro netbios-alg-enable?             boolean
               |  +--ro rcmd-alg-enable?                boolean
               |  +--ro ldap-alg-enable?                boolean
               |  +--ro sip-alg-enable?                 boolean
               |  +--ro rtsp-alg-enable?                boolean
               |  +--ro h323-alg-enable?                boolean
               |  +--ro all-algs-enable?                boolean
               |  +--ro notify-pool-usage
               |  |  +--ro pool-id?                     uint32
               |  |  +--ro notify-pool-hi-threshold     percent
               |  |  +--ro notify-pool-low-threshold?   percent
               |  +--ro nat64-prefixes* [nat64-prefix-id]
               |     +--ro nat64-prefix-id    uint32
               |     +--ro nat64-prefix?      inet:ipv6-prefix
               |     +--ro destination-ipv4-prefix* [ipv4-prefix-id]
               |        +--ro ipv4-prefix-id    uint32
               |        +--ro ipv4-prefix?      inet:ipv4-prefix
               +--ro mapping-table
               |  +--ro mapping-entry* [index]
               |     +--ro index                   uint32
               |     +--ro type?                   enumeration
               |     +--ro internal-src-address    inet:ip-address
               |     +--ro internal-src-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro external-src-address    inet:ipv4-address
               |     +--ro external-src-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro transport-protocol      uint8
               |     +--ro internal-dst-address?   inet:ipv4-prefix
               |     +--ro internal-dst-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro external-dst-address?   inet:ipv4-address
               |     +--ro external-dst-port
               |     |  +--ro (port-type)?
               |     |     +--:(single-port-number)
               |     |     |  +--ro single-port-number?   inet:port-number
               |     |     +--:(port-range)
               |     |        +--ro start-port-number?    inet:port-number
               |     |        +--ro end-port-number?      inet:port-number
               |     +--ro lifetime                uint32
               +--ro statistics
                  +--ro total-mappings?        uint32
                  +--ro total-tcp-mappings?    uint32
                  +--ro total-udp-mappings?    uint32
                  +--ro total-icmp-mappings?   uint32
                  +--ro pool-stats
                  |  +--ro pool-id?             uint32
                  |  +--ro address-allocated?   uint32
                  |  +--ro address-free?        uint32
                  +--ro port-stats
                     +--ro ports-allocated?   uint32
                     +--ro ports-free?        uint32

   notifications:
      +---n nat-event
         +--ro id?                     -> /nat-state/nat-instances/nat-instance/id
         +--ro notify-pool-threshold   percent

3.  NAT YANG Module

   file "ietf-nat@2017-07-03.yang"

   module ietf-nat {
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types {
       prefix "inet";
     }

     organization "IETF NetMod Working Group";
     contact
       "Senthil Sivakumar
        Mohamed Boucadair
        Suresh Vinapamula ";

     description
       "This module is a YANG module for NAT implementations
        (including both NAT44 and NAT64 flavors).

        Copyright (c) 2017 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject
        to the license terms contained in, the Simplified BSD License
        set forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC XXXX; see
        the RFC itself for full legal notices.";

     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-06";
     }

     revision 2015-09-08 {
       description "Fixes a few YANG errors.";
       reference "-02";
     }

     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }

     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Grouping
      */

     grouping timeouts {
       description
         "Configure values of various timeouts.";

       leaf udp-timeout {
         type uint32;
         units "seconds";
         default 300;
         description
           "UDP inactivity timeout.";
       }

       leaf tcp-idle-timeout {
         type uint32;
         units "seconds";
         default 7440;
         description
           "TCP idle timeout.  As per RFC 5382, it should be no
            less than 2 hours and 4 minutes.";
       }

       leaf tcp-trans-open-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory open connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.
            To accommodate deployments that consider
            a partially open timeout of 4 minutes as being
            excessive from a security standpoint, a NAT may
            allow the configured timeout to be less than
            4 minutes.
            However, a minimum default transitory connection
            idle-timeout of 4 minutes is recommended.";
       }

       leaf tcp-trans-close-timeout {
         type uint32;
         units "seconds";
         default 240;
         description
           "The value of the transitory close connection
            idle-timeout.
            Section 2.1 of [RFC7857] clarifies that a NAT
            should provide different configurable
            parameters for configuring the open and
            closing idle timeouts.";
       }

       leaf tcp-in-syn-timeout {
         type uint32;
         units "seconds";
         default 6;
         description
           "6 seconds, as defined in [RFC5382].";
       }

       leaf fragment-min-timeout {
         type uint32;
         units "seconds";
         default 2;
         description
           "As long as the NAT has available resources,
            the NAT allows the fragments to arrive
            over the fragment-min-timeout interval.
            The default value is inspired from RFC6146.";
       }

       leaf icmp-timeout {
         type uint32;
         units "seconds";
         default 60;
         description
           "60 seconds, as defined in [RFC5508].";
       }

       list per-port-timeout {
         key port-number;

         description
           "Some NATs are configurable with short timeouts
            for some ports, e.g., 10 seconds on
            port 53 (DNS) and NTP (123), and longer timeouts
            on other ports.";

         leaf port-number {
           type inet:port-number;
           description
             "A port number.";
         }

         leaf port-timeout {
           type uint32;
           units "seconds";
           mandatory true;
           description
             "Timeout for this port.";
         }
       }

       leaf hold-down-timeout {
         type uint32;
         units "seconds";
         default 120;
         description
           "Hold down timer.  Ports in the
            hold down pool are not reassigned until
            this timer expires.
            The length of time and the maximum
            number of ports in this state must be
            configurable by the administrator
            [RFC6888].  This is necessary in order
            to prevent collisions between old
            and new mappings and sessions.  It ensures
            that all established sessions are broken
            instead of redirected to a different peer.
            The default value is defined in REQ#8
            from [RFC6888].";
       }
     }

     // port numbers: single or port range

     grouping port-number {
       description
         "Individual port or a range of ports.";

       choice port-type {
         default single-port-number;
         description
           "Port type: single or port-range.";

         case single-port-number {
           leaf single-port-number {
             type inet:port-number;
             description
               "Used for single port numbers.";
           }
         }

         case port-range {
           leaf start-port-number {
             type inet:port-number;
             description
               "Beginning of the port range.";
           }

           leaf end-port-number {
             type inet:port-number;
             description
               "End of the port range.";
           }
         }
       }
     }

     grouping mapping-entry {
       description
         "NAT mapping entry.";

       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.";
       }

       leaf type {
         type enumeration {
           enum "static" {
             description
               "The mapping entry is manually configured.";
           }

           enum "dynamic" {
             description
               "This mapping is created by an outgoing
                packet.";
           }
         }
         description
           "Indicates the type of a mapping entry, e.g.,
            a mapping can be static or dynamic.";
       }

       leaf internal-src-address {
         type inet:ip-address;
         mandatory true;
         description
           "Corresponds to the source IPv4/IPv6 address
            of the packet.";
       }

       container internal-src-port {
         description
           "Corresponds to the source port of the
            packet.";
         uses port-number;
       }

       leaf external-src-address {
         type inet:ipv4-address;
         mandatory true;
         description
           "External IPv4 address assigned by the NAT.";
       }

       container external-src-port {
         description
           "External source port number assigned by the NAT.";
         uses port-number;
       }

       leaf transport-protocol {
         type uint8;
         mandatory true;
         description
           "Upper-layer protocol associated with this mapping.
            Values are taken from the IANA protocol registry.
            For example, this field contains 6 (TCP) for a TCP
            mapping or 17 (UDP) for a UDP mapping.";
       }

       leaf internal-dst-address {
         type inet:ipv4-prefix;
         description
           "Corresponds to the destination IPv4 address
            of the IPv4 packet.  For example, some NAT
            implementations support translating both source
            and destination addresses and ports, referred to as
            Twice NAT.";
       }

       container internal-dst-port {
         description
           "Corresponds to the destination port of the
            IPv4 packet.";
         uses port-number;
       }

       leaf external-dst-address {
         type inet:ipv4-address;
         description
           "External destination IPv4 address.";
       }

       container external-dst-port {
         description
           "External destination port number.";
         uses port-number;
       }

       leaf lifetime {
         type uint32;
         mandatory true;
         description
           "Lifetime of the mapping.
            Tracks the connection that is
            fully formed (e.g., the TCP 3WHS
            is completed).";
       }
     }

     grouping nat-parameters {
       description
         "NAT parameters for a given instance.";

       list external-ip-address-pool {
         key pool-id;

         description
           "Pool of external IP addresses used to service
            internal hosts.
            Both contiguous and non-contiguous pools
            can be configured for NAT.";

         leaf pool-id {
           type uint32;
           description
             "An identifier of the address pool.";
         }

         leaf external-ip-pool {
           type inet:ipv4-prefix;
           description
             "An IPv4 prefix used for NAT purposes.";
         }
       }

       leaf subscriber-mask-v6 {
         type uint8 {
           range "0 .. 128";
         }
         description
           "The subscriber-mask is an integer that indicates
            the length of significant bits to be applied on
            the source IP address (internal side) to
            unambiguously identify a CPE.

            Subscriber-mask is a system-wide configuration
            parameter that is used to enforce generic
            per-subscriber policies (e.g., port-quota).

            The enforcement of these generic policies does not
            require the configuration of every subscriber's
            prefix.

            Example: suppose the 2001:db8:100:100::/56 prefix
            is assigned to a NAT64 serviced CPE.  Suppose also
            that 2001:db8:100:100::1 is the IPv6 address used
            by the client that resides in that CPE.  When the
            NAT64 receives a packet from this client,
            it applies the subscriber-mask (e.g., 56) on
            the source IPv6 address to compute the associated
            prefix for this client (2001:db8:100:100::/56).
            Then, the NAT64 enforces policies based on that
            prefix (2001:db8:100:100::/56), not on the exact
            source IPv6 address.";
       }

       list subscriber-mask-v4 {
         key sub-mask-id;

         description
           "IPv4 subscriber mask.";

         leaf sub-mask-id {
           type uint32;
           description
             "An identifier of the subscriber mask.";
         }

         leaf sub-mask {
           type inet:ipv4-prefix;
           mandatory true;
           description
             "The IPv4 subnets whose matching addresses
              should be translated, e.g., 192.0.2.0/24 if
              that is the private realm to be translated
              by the NAT.";
         }
       }

       leaf paired-address-pooling {
         type boolean;
         default true;
         description
           "Paired address pooling indicates to the NAT
            that all the flows from an internal IP
            address must be assigned the same external
            address.  This is defined in RFC 4787.";
       }

       leaf nat-mapping-type {
         type enumeration {
           enum "eim" {
             description
               "endpoint-independent-mapping.
                Refer to Section 4 of RFC 4787.";
           }

           enum "adm" {
             description
               "address-dependent-mapping.
                Refer to Section 4 of RFC 4787.";
           }

           enum "edm" {
             description
               "address-and-port-dependent-mapping.
                Refer to Section 4 of RFC 4787.";
           }
         }
         description
           "Indicates the type of a NAT mapping.";
       }

       leaf nat-filtering-type {
         type enumeration {
           enum "eif" {
             description
               "endpoint-independent-filtering.
                Refer to Section 5 of RFC 4787.";
           }

           enum "adf" {
             description
               "address-dependent-filtering.
                Refer to Section 5 of RFC 4787.";
           }

           enum "edf" {
             description
               "address-and-port-dependent-filtering.
                Refer to Section 5 of RFC 4787.";
           }
         }
         description
           "Indicates the type of NAT filtering.";
       }

       leaf port-quota {
         type uint16;
         description
           "Configures a port quota to be assigned per
            subscriber.  It corresponds to the maximum
            number of ports to be used by a subscriber.";
       }

       container port-set {
         description
           "Manages port-set assignments.";

         leaf port-set-enable {
           type boolean;
           description
             "Enable/Disable port set assignment.";
         }

         leaf port-set-size {
           type uint16;
           description
             "Indicates the size of assigned port
              sets.";
         }

         leaf port-set-timeout {
           type uint32;
           units "seconds";
           description
             "Inactivity timeout for port sets.";
         }
       }

       leaf port-allocation-type {
         type enumeration {
           enum "random" {
             description
               "Port randomization.";
           }

           enum "port-preservation" {
             description
               "Indicates whether the NAT device should
                preserve the internal port number.";
           }

           enum "port-range-preservation" {
             description
               "Indicates whether the NAT device should
                preserve the internal port range.";
           }

           enum "port-parity-preservation" {
             description
               "Indicates whether the NAT device should
                preserve the port parity of the
                internal port number.";
           }
         }
         description
           "Indicates the port allocation type.";
       }

       leaf address-roundrobin-enable {
         type boolean;
         description
           "Enable/disable round-robin address
            allocation.";
       }

       uses timeouts;

       container logging-info {
         description
           "Information about logging NAT events.";

         leaf destination-address {
           type inet:ipv4-prefix;
           mandatory true;
           description
             "Address of the collector that receives
              the logs.";
         }

         leaf destination-port {
           type inet:port-number;
           mandatory true;
           description
             "Destination port of the collector.";
         }
       }

       container connection-limit {
         description
           "Information on the configuration parameters that
            limit the number of translations based on various
            criteria.";

         leaf limit-per-subscriber {
           type uint32;
           description
             "Maximum number of NAT mappings per
              subscriber.";
         }

         leaf limit-per-vrf {
           type uint32;
           description
             "Maximum number of NAT mappings per
              VLAN/VRF.";
         }

         leaf limit-per-subnet {
           type uint32;
           description
             "Maximum number of NAT mappings per
              subnet.";
         }

         leaf limit-per-instance {
           type uint32;
           mandatory true;
           description
             "Maximum number of NAT mappings per
              instance.";
         }

         leaf limit-per-udp {
           type uint32;
           mandatory true;
           description
             "Maximum number of UDP NAT mappings per
              instance.";
         }

         leaf limit-per-tcp {
           type uint32;
           mandatory true;
           description
             "Maximum number of TCP NAT mappings per
              instance.";
         }

         leaf limit-per-icmp {
           type uint32;
           mandatory true;
           description
             "Maximum number of ICMP NAT mappings per
              instance.";
         }
       }

       container mapping-limit {
         description
           "Information on the configuration parameters that
            limit the number of mappings based on various
            criteria.";

         leaf limit-per-subscriber {
           type uint32;
           description
             "Maximum number of NAT mappings per
              subscriber.";
         }

         leaf limit-per-vrf {
           type uint32;
           description
             "Maximum number of NAT mappings per
              VLAN/VRF.";
         }

         leaf limit-per-subnet {
           type uint32;
           description
             "Maximum number of NAT mappings per
              subnet.";
         }

         leaf limit-per-instance {
           type uint32;
           mandatory true;
           description
             "Maximum number of NAT mappings per
              instance.";
         }

         leaf limit-per-transport {
           type uint32;
           mandatory true;
           description
             "Maximum number of NAT mappings per
              transport protocol.";
         }
       }

       leaf ftp-alg-enable {
         type boolean;
         description
           "Enable/Disable FTP ALG.";
       }

       leaf dns-alg-enable {
         type boolean;
         description
           "Enable/Disable DNS ALG.";
       }

       leaf tftp-alg-enable {
         type boolean;
         description
           "Enable/Disable TFTP ALG.";
       }

       leaf msrpc-alg-enable {
         type boolean;
         description
           "Enable/Disable MS-RPC ALG.";
       }

       leaf netbios-alg-enable {
         type boolean;
         description
           "Enable/Disable NetBIOS ALG.";
       }

       leaf rcmd-alg-enable {
         type boolean;
         description
           "Enable/Disable rcmd ALG.";
       }

       leaf ldap-alg-enable {
         type boolean;
         description
           "Enable/Disable LDAP ALG.";
       }

       leaf sip-alg-enable {
         type boolean;
         description
           "Enable/Disable SIP ALG.";
       }

       leaf rtsp-alg-enable {
         type boolean;
         description
           "Enable/Disable RTSP ALG.";
       }

       leaf h323-alg-enable {
         type boolean;
         description
           "Enable/Disable H.323 ALG.";
       }

       leaf all-algs-enable {
         type boolean;
         description
           "Enable/Disable all the ALGs.";
       }

       container notify-pool-usage {
         description
           "Notification of pool usage when certain criteria
            are met.";

         leaf pool-id {
           type uint32;
           description
             "Pool-ID for which the notification
              criteria are defined.";
         }

         leaf notify-pool-hi-threshold {
           type percent;
           mandatory true;
           description
             "A notification must be generated when the
              defined high threshold is reached.
              For example, if a notification is
              required when the pool utilization reaches
              90%, this configuration parameter must
              be set to 90%.";
         }

         leaf notify-pool-low-threshold {
           type percent;
           description
             "A notification must be generated when the defined
              low threshold is reached.
              For example, if a notification is required when
              the pool utilization drops below 10%,
              this configuration parameter must be set to
              10%.";
         }
       }

       list nat64-prefixes {
         key nat64-prefix-id;

         description
           "Provides one or a list of NAT64 prefixes,
            with or without a list of destination IPv4 prefixes.

            Destination-based Pref64::/n is discussed in
            Section 5.1 of [RFC7050].  For example:
            192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
            198.51.100.0/24 is mapped to 2001:db8:122::/48.";

         leaf nat64-prefix-id {
           type uint32;
           description
             "An identifier of the NAT64 prefix.";
         }

         leaf nat64-prefix {
           type inet:ipv6-prefix;
           default "64:ff9b::/96";
           description
             "A NAT64 prefix.  Can be NSP or WKP [RFC6052].";
         }

         list destination-ipv4-prefix {
           key ipv4-prefix-id;

           description
             "An IPv4 prefix/address.";

           leaf ipv4-prefix-id {
             type uint32;
             description
               "An identifier of the IPv4 prefix/address.";
           }

           leaf ipv4-prefix {
             type inet:ipv4-prefix;
             description
               "An IPv4 address/prefix.
"; 1213 } 1214 } 1215 } 1216 } //nat-parameters group 1218 container nat-config { 1219 description 1220 "NAT"; 1222 container nat-instances { 1223 description 1224 "nat instances"; 1226 list nat-instance { 1228 key "id"; 1230 description 1231 "A NAT instance."; 1233 leaf id { 1234 type uint32; 1235 description 1236 "NAT instance identifier [RFC7659]."; 1237 } 1239 leaf name { 1240 type string; 1241 description 1242 "A name associated with the NAT instance."; 1243 } 1244 leaf enable { 1245 type boolean; 1246 description 1247 "Status of the the NAT instance."; 1248 } 1250 uses nat-parameters; 1252 container mapping-table { 1253 description 1254 "NAT dynamic mapping table used to track 1255 sessions"; 1257 list mapping-entry { 1258 key "index"; 1259 description 1260 "NAT mapping entry."; 1261 uses mapping-entry; 1262 } 1263 } 1264 } 1265 } 1266 } 1268 /* 1269 * NAT State 1270 */ 1272 container nat-state { 1274 config false; 1276 description 1277 "nat-state"; 1279 container nat-instances { 1280 description 1281 "nat instances"; 1283 list nat-instance { 1284 key "id"; 1286 description 1287 "nat instance"; 1289 leaf id { 1290 type int32; 1291 description 1292 "The identifier of the nat instance."; 1293 } 1295 container nat-capabilities { 1296 description 1297 "NAT Capabilities"; 1299 leaf nat44-support { 1300 type boolean; 1301 description 1302 "Indicates NAT44 support"; 1303 } 1305 leaf nat64-support { 1306 type boolean; 1307 description 1308 "Indicates NAT64 support"; 1309 } 1311 leaf nptv6-support { 1312 type boolean; 1313 description 1314 "Indicates NPTv6 support"; 1315 } 1317 leaf static-mapping-support { 1318 type boolean; 1319 description 1320 "Indicates whether static mappings are 1321 supported."; 1322 } 1324 leaf port-set-support { 1325 type boolean; 1326 description 1327 "Indicates port set assignment 1328 support "; 1329 } 1331 leaf port-randomization-support { 1332 type boolean; 1333 description 1334 "Indicates whether port randomization is 1335 supported."; 
             }

             leaf port-range-preservation-support {
               type boolean;
               description
                 "Indicates whether port range
                  preservation is supported.";
             }

             leaf port-preservation-support {
               type boolean;
               description
                 "Indicates whether port preservation
                  is supported.";
             }

             leaf port-parity-preservation-support {
               type boolean;
               description
                 "Indicates whether port parity
                  preservation is supported.";
             }

             leaf address-roundrobin-support {
               type boolean;
               description
                 "Indicates whether address allocation
                  round robin is supported.";
             }

             leaf ftp-alg-support {
               type boolean;
               description
                 "Indicates whether FTP ALG is supported.";
             }

             leaf dns-alg-support {
               type boolean;
               description
                 "Indicates whether DNS ALG is supported.";
             }

             leaf tftp-support {
               type boolean;
               description
                 "Indicates whether TFTP ALG is supported.";
             }

             leaf msrpc-alg-support {
               type boolean;
               description
                 "Indicates whether MS-RPC ALG is supported.";
             }

             leaf netbios-alg-support {
               type boolean;
               description
                 "Indicates whether NetBIOS ALG is supported.";
             }

             leaf rcmd-alg-support {
               type boolean;
               description
                 "Indicates whether rcmd ALG is supported.";
             }

             leaf ldap-alg-support {
               type boolean;
               description
                 "Indicates whether LDAP ALG is supported.";
             }

             leaf sip-alg-support {
               type boolean;
               description
                 "Indicates whether SIP ALG is supported.";
             }

             leaf rtsp-alg-support {
               type boolean;
               description
                 "Indicates whether RTSP ALG is supported.";
             }

             leaf h323-alg-support {
               type boolean;
               description
                 "Indicates whether H323 ALG is supported.";
             }

             leaf paired-address-pooling-support {
               type boolean;
               description
                 "Indicates whether paired-address-pooling is
                  supported.";
             }

             leaf endpoint-independent-mapping-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-mapping
                  in Section 4 of RFC 4787 is supported.";
             }

             leaf address-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-dependent-mapping
                  in Section 4 of RFC 4787 is supported.";
             }

             leaf address-and-port-dependent-mapping-support {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-mapping
                  in Section 4 of RFC 4787 is supported.";
             }

             leaf endpoint-independent-filtering-support {
               type boolean;
               description
                 "Indicates whether endpoint-independent-filtering
                  in Section 5 of RFC 4787 is supported.";
             }

             leaf address-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-dependent-filtering
                  in Section 5 of RFC 4787 is supported.";
             }

             leaf address-and-port-dependent-filtering {
               type boolean;
               description
                 "Indicates whether address-and-port-dependent-filtering
                  in Section 5 of RFC 4787 is supported.";
             }
           }

           container nat-current-config {
             description
               "Current config.";

             uses nat-parameters;
           }

           container mapping-table {
             description
               "Mapping table.";

             list mapping-entry {
               key "index";
               description
                 "Mapping entry.";
               uses mapping-entry;
             }
           }

           container statistics {
             description
               "Statistics related to the NAT instance.";

             leaf total-mappings {
               type uint32;
               description
                 "Total number of NAT mappings present
                  at the time. This includes all the
                  static and dynamic mappings.";
             }

             leaf total-tcp-mappings {
               type uint32;
               description
                 "Total number of TCP mappings present
                  at the time.";
             }

             leaf total-udp-mappings {
               type uint32;
               description
                 "Total number of UDP mappings present
                  at the time.";
             }

             leaf total-icmp-mappings {
               type uint32;
               description
                 "Total number of ICMP mappings present
                  at the time.";
             }

             container pool-stats {
               description
                 "Statistics related to pool usage.";

               leaf pool-id {
                 type uint32;
                 description
                   "Unique identifier that represents
                    a pool.";
               }

               leaf address-allocated {
                 type uint32;
                 description
                   "Number of allocated addresses in
                    the pool.";
               }

               leaf address-free {
                 type uint32;
                 description
                   "Number of free addresses in
                    the pool. The sum of free
                    addresses and allocated
                    addresses is the total number of
                    addresses in the pool.";
               }

               container port-stats {
                 description
                   "Statistics related to port
                    usage.";

                 leaf ports-allocated {
                   type uint32;
                   description
                     "Number of allocated ports
                      in the pool.";
                 }

                 leaf ports-free {
                   type uint32;
                   description
                     "Number of free ports
                      in the pool.";
                 }
               }
             }
           } //statistics
         } //nat-instance
       } //nat-instances
     } //nat-state

     /*
      * Notifications
      */

     notification nat-event {
       description
         "Notifications must be generated when the defined
          high/low threshold is reached. Related configuration
          parameters must be provided to trigger
          the notifications.";

       leaf id {
         type leafref {
           path
             "/nat-state/nat-instances/"
           + "nat-instance/id";
         }
         description
           "NAT instance ID.";
       }

       leaf notify-pool-threshold {
         type percent;
         mandatory true;
         description
           "A threshold has been fired.";
       }
     }
   } //module nat

4.  Sample Examples

   TBC

5.  Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241].  The lowest NETCONF layer is the
   secure transport layer, and the mandatory-to-implement secure
   transport is SSH [RFC6242].  The NETCONF access control model
   [RFC6536] provides the means to restrict access for particular
   NETCONF users to a pre-configured subset of all available NETCONF
   protocol operations and contents.

   All data nodes defined in the YANG module that can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.

6.  IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC6020].

      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

7.  Acknowledgements

   Many thanks to Dan Wing and Tianran Zhou for the review.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC4787]  Audet, F., Ed. and C. Jennings, "Network Address
              Translation (NAT) Behavioral Requirements for Unicast
              UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
              2007.

   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6242]  Wasserman, M., "Using the NETCONF Protocol over Secure
              Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013.
   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016.

8.2.  Informative References

   [I-D.boucadair-pcp-yang]
              Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
              Vinapamula, "YANG Data Models for the Port Control
              Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in
              progress), May 2017.

   [I-D.ietf-behave-ipfix-nat-logging]
              Sivakumar, S. and R. Penno, "IPFIX Information Elements
              for logging NAT Events", draft-ietf-behave-ipfix-nat-
              logging-13 (work in progress), January 2017.

   [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
              Translator (NAT) Terminology and Considerations",
              RFC 2663, DOI 10.17487/RFC2663, August 1999.

   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
              Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011.

   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
              "Logging Recommendations for Internet-Facing Servers",
              BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011.

   [RFC7422]  Donley, C., Grundemann, C., Sarawat, V., Sundaresan, K.,
              and O. Vautrin, "Deterministic Address Mapping to Reduce
              Logging in Carrier-Grade NAT Deployments", RFC 7422,
              DOI 10.17487/RFC7422, December 2014.

   [RFC7659]  Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
              "Definitions of Managed Objects for Network Address
              Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
              October 2015.

   [RFC7753]  Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
              and S. Perreault, "Port Control Protocol (PCP) Extension
              for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
              February 2016.

Authors' Addresses

   Senthil Sivakumar
   Cisco Systems
   7100-8 Kit Creek Road
   Research Triangle Park, North Carolina 27709
   USA

   Phone: +1 919 392 5158
   Email: ssenthil@cisco.com

   Mohamed Boucadair
   Orange
   Rennes 35000
   France

   Email: mohamed.boucadair@orange.com

   Suresh Vinapamula
   Juniper Networks
   1133 Innovation Way
   Sunnyvale 94089
   USA
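The module above leaves Section 4 (Sample Examples) as TBC; the following is an added example, not part of the draft or any implementation, that shows how a collector would act on the model's data: it checks a nat-instance config for the connection-limit and notify-pool-usage leaves the module marks mandatory, derives pool utilization from the pool-stats leaves (the module defines the pool total as address-allocated plus address-free), and decides whether a nat-event notification with notify-pool-threshold is due. The instance data is constructed and the helper names are hypothetical.

```python
"""Pool-usage threshold evaluation over ietf-nat style instance data.
Added example, not part of draft-sivakumar-yang-nat; instance data is
constructed and the helper names are hypothetical."""
from typing import Optional

# Constructed config shaped like /nat-config/nat-instances/nat-instance,
# using notify-pool-usage and connection-limit from grouping nat-parameters.
NAT_CONFIG = {
    "id": 1,
    "notify-pool-usage": {
        "pool-id": 7,
        "notify-pool-hi-threshold": 90,   # type percent, mandatory true
        "notify-pool-low-threshold": 10,  # type percent, optional
    },
    "connection-limit": {
        "limit-per-instance": 200000,
        "limit-per-udp": 100000,
        "limit-per-tcp": 100000,
        # limit-per-icmp is mandatory in the module; omitted here on purpose
    },
}
# Constructed /nat-state/.../statistics/pool-stats snapshot for pool 7.
POOL_STATS = {"pool-id": 7, "address-allocated": 46, "address-free": 4}
# Leaves the module marks "mandatory true" under container connection-limit.
MANDATORY_CONNECTION_LIMITS = (
    "limit-per-instance", "limit-per-udp", "limit-per-tcp", "limit-per-icmp")

def missing_mandatory(config: dict) -> list:
    """Paths of mandatory leaves absent from a nat-instance config."""
    missing = []
    if "notify-pool-hi-threshold" not in config.get("notify-pool-usage", {}):
        missing.append("notify-pool-usage/notify-pool-hi-threshold")
    limits = config.get("connection-limit", {})
    missing += ["connection-limit/" + leaf
                for leaf in MANDATORY_CONNECTION_LIMITS if leaf not in limits]
    return missing

def pool_utilization(stats: dict) -> int:
    """Percent of pool addresses in use; the module defines the pool total
    as address-allocated + address-free, so no size leaf is needed."""
    total = stats["address-allocated"] + stats["address-free"]
    if total <= 0:
        raise ValueError("pool has no addresses")
    return stats["address-allocated"] * 100 // total

def nat_event(config: dict, stats: dict) -> Optional[dict]:
    """nat-event notification payload, or None when no threshold is hit.
    High fires at or above the configured percent (90% -> 90); low fires
    when utilization drops below the configured percent (10% -> 10)."""
    npu = config["notify-pool-usage"]
    if stats["pool-id"] != npu["pool-id"]:
        return None  # stats are for a pool with no notification criteria
    hi = npu["notify-pool-hi-threshold"]
    low = npu.get("notify-pool-low-threshold")
    if not 0 <= hi <= 100 or (low is not None and not 0 <= low < hi):
        raise ValueError("thresholds must be percentages with low < high")
    util = pool_utilization(stats)
    if util >= hi:
        return {"id": config["id"], "notify-pool-threshold": hi}
    if low is not None and util < low:
        return {"id": config["id"], "notify-pool-threshold": low}
    return None
```

With the constructed data, missing_mandatory reports the absent limit-per-icmp leaf, and the 46-of-50 pool snapshot (92%) crosses the 90% high threshold, so a nat-event carrying notify-pool-threshold 90 is due.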