draft-ietf-opsawg-nat-yang-00.txt   draft-ietf-opsawg-nat-yang-01.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: February 19, 2018 Cisco Systems Expires: February 22, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
August 18, 2017 August 21, 2017
A YANG Data Model for Network Address Translation (NAT) and Network A YANG Data Model for Network Address Translation (NAT) and Network
Prefix Translation (NPT) Prefix Translation (NPT)
draft-ietf-opsawg-nat-yang-00 draft-ietf-opsawg-nat-yang-01
Abstract Abstract
For the sake of network automation and the need for programming For the sake of network automation and the need for programming
Network Address Translation (NAT) function in particular, a data Network Address Translation (NAT) function in particular, a data
model for configuring and managing the NAT is essential. This model for configuring and managing the NAT is essential. This
document defines a YANG data model for the NAT function. NAT44, document defines a YANG data model for the NAT function.
NAT64, and NPTv6 are covered in this document.
NAT44, Network Address and Protocol Translation from IPv6 Clients to
IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
Address Mappings for Stateless IP/ICMP Translation (SIIT EIM), and
IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 19, 2018. This Internet-Draft will expire on February 22, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
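Review bot: the expanded Abstract abbreviates "Explicit Address Mappings for Stateless IP/ICMP Translation" as "SIIT EIM", while the Introduction calls the same RFC 7757 mechanism "EAM" and the module defines `identity eam`; use one abbreviation (EAM) in the Abstract so it matches the body and the YANG identity.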
skipping to change at page 2, line 23 skipping to change at page 2, line 28
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 5 2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 5
2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 5 2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 6 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 6
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 6 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 9 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 9
2.10. Tree Structure . . . . . . . . . . . . . . . . . . . . . 9 2.10. Tree Structure . . . . . . . . . . . . . . . . . . . . . 10
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 13 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14
4. Security Considerations . . . . . . . . . . . . . . . . . . . 50 4. Security Considerations . . . . . . . . . . . . . . . . . . . 52
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 53
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 53
7.1. Normative References . . . . . . . . . . . . . . . . . . 51 7.1. Normative References . . . . . . . . . . . . . . . . . . 53
7.2. Informative References . . . . . . . . . . . . . . . . . 52 7.2. Informative References . . . . . . . . . . . . . . . . . 55
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 54 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 57
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 54 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 57
A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 59 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 61
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 60 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 62
A.5. Static Mappings with Port Ranges . . . . . . . . . . . . 60 A.5. Explicit Address Mappings for Stateless IP/ICMP
A.6. Static Mappings with IP Prefixes . . . . . . . . . . . . 61 Translation . . . . . . . . . . . . . . . . . . . . . . . 62
A.7. Destination NAT . . . . . . . . . . . . . . . . . . . . . 62 A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 66
A.8. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 65 A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 66
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 67
A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 70
A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72
1. Introduction 1. Introduction
This document defines a data model for Network Address Translation This document defines a data model for Network Address Translation
(NAT) and Network Prefix Translation (NPT) capabilities using the (NAT) and Network Prefix Translation (NPT) capabilities using the
YANG data modeling language [RFC6020]. YANG data modeling language [RFC6020].
Traditional NAT is defined in [RFC2663], while Carrier Grade NAT Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
(CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
used to optimize the usage of global IP address space at the scale of used to optimize the usage of global IP address space at the scale of
a domain: a CGN is not managed by end users, but by service providers a domain: a CGN is not managed by end users, but by service providers
instead. This document covers both traditional NATs and CGNs. instead. This document covers both traditional NATs and CGNs.
This document also covers the NAT64 [RFC6146] and IPv6 Network Prefix This document also covers NAT64 [RFC6146], customer-side translator
Translation (NPTv6) [RFC6296]. (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
(NPTv6) [RFC6296].
Sample examples are provided in Appendix A. Sample examples are provided in Appendix A.
1.1. Terminology 1.1. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o Basic NAT44: translation is limited to IP addresses alone o Basic NAT44: translation is limited to IP addresses alone
(Section 2.1 of [RFC3022]). (Section 2.1 of [RFC3022]).
skipping to change at page 5, line 34 skipping to change at page 5, line 37
To accommodate deployments where [RFC6302] is not enabled, this YANG To accommodate deployments where [RFC6302] is not enabled, this YANG
model allows to instruct a NAT function to log the destination port model allows to instruct a NAT function to log the destination port
number. The reader may refer to [I-D.ietf-behave-ipfix-nat-logging] number. The reader may refer to [I-D.ietf-behave-ipfix-nat-logging]
which provides the templates to log the destination ports. which provides the templates to log the destination ports.
2.2. Various NAT Flavors 2.2. Various NAT Flavors
The following modes are supported: The following modes are supported:
1. Basic NAT44 1. Basic NAT44
2. NAPT 2. NAPT
3. Destination NAT 3. Destination NAT
4. Port-restricted NAT 4. Port-restricted NAT
5. NAT64 5. NAT64
6. NPTv6 6. EAM SIIT
7. Combination of Basic NAT/NAPT and Destination NAT 7. CLAT
8. Combination of port-restricted and Destination NAT 8. NPTv6
9. Combination of Basic NAT/NAPT and Destination NAT
10. Combination of port-restricted and Destination NAT
11. Combination of NAT64 and EAM
[I-D.ietf-softwire-dslite-yang] specifies an extension to support DS- [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
Lite. Lite.
2.3. TCP, UDP and ICMP NAT Behavioral Requirements 2.3. TCP, UDP and ICMP NAT Behavioral Requirements
This document assumes [RFC4787][RFC5382][RFC5508] are enabled by This document assumes [RFC4787][RFC5382][RFC5508] are enabled by
default. default.
Furthermore, the data model relies upon the recommendations detailed Furthermore, the data model relies upon the recommendations detailed
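Review bot: the new mode 11 ("Combination of NAT64 and EAM") is not obviously expressible by the model as shown, since every `when` in Section 3 tests `../nat-capabilities/nat-flavor` against a single identity (`'nat64'`, `'clat'`, `'dst-nat'`, `'nptv6'`); either state that nat-flavor can carry several values or add a sentence explaining how a combined flavor is configured. Also, mode 6 is labelled "EAM SIIT" while mode 11 says "EAM"; use one label.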
skipping to change at page 8, line 26 skipping to change at page 8, line 32
In order to cover both NAT64 and NAT44 flavors in particular, the NAT In order to cover both NAT64 and NAT44 flavors in particular, the NAT
mapping structure allows to include an IPv4 or an IPv6 address as an mapping structure allows to include an IPv4 or an IPv6 address as an
internal IP address. Remaining fields are common to both NAT internal IP address. Remaining fields are common to both NAT
schemes. schemes.
For example, the mapping that will be created by a NAT64 upon receipt For example, the mapping that will be created by a NAT64 upon receipt
of a TCP SYN from source address 2001:db8:aaaa::1 and source port of a TCP SYN from source address 2001:db8:aaaa::1 and source port
number 25636 to destination IP address 2001:db8:1234::198.51.100.1 number 25636 to destination IP address 2001:db8:1234::198.51.100.1
and destination port number 8080 is characterized as follows: and destination port number 8080 is characterized as follows:
o type: dynamically implicit mapping. o type: dynamic implicit mapping.
o transport-protocol: TCP (6) o transport-protocol: TCP (6)
o internal-src-address: 2001:db8:aaaa::1 o internal-src-address: 2001:db8:aaaa::1
o internal-src-port: 25636 o internal-src-port: 25636
o external-src-address: T (an IPv4 address configured on the NAT64) o external-src-address: T (an IPv4 address configured on the NAT64)
o external-src-port: t (a port number that is chosen by the NAT64) o external-src-port: t (a port number that is chosen by the NAT64)
o internal-dst-address: 2001:db8:1234::198.51.100.1 o internal-dst-address: 2001:db8:1234::198.51.100.1
o internal-dst-port: 8080 o internal-dst-port: 8080
o external-dst-address: 198.51.100.1 o external-dst-address: 198.51.100.1
o external-dst-port: 8080 o external-dst-port: 8080
The mapping that will be created by a NAT44 upon receipt of an ICMP The mapping that will be created by a NAT44 upon receipt of an ICMP
request from source address 198.51.100.1 and ICMP identifier (ID1) to request from source address 198.51.100.1 and ICMP identifier (ID1) to
destination IP address 198.51.100.11 is characterized as follows: destination IP address 198.51.100.11 is characterized as follows:
o type: dynamically implicit mapping. o type: dynamic implicit mapping.
o transport-protocol: ICMP (1) o transport-protocol: ICMP (1)
o internal-src-address: 198.51.100.1 o internal-src-address: 198.51.100.1
o internal-src-port: ID1 o internal-src-port: ID1
o external-src-address: T (an IPv4 address configured on the NAT44) o external-src-address: T (an IPv4 address configured on the NAT44)
o external-src-port: ID2 (an ICMP identifier that is chosen by the o external-src-port: ID2 (an ICMP identifier that is chosen by the
NAT44) NAT44)
o internal-dst-address: 198.51.100.11 o internal-dst-address: 198.51.100.11
The mapping that will be created by a NAT64 upon receipt of an ICMP The mapping that will be created by a NAT64 upon receipt of an ICMP
request from source address 2001:db8:aaaa::1 and ICMP identifier request from source address 2001:db8:aaaa::1 and ICMP identifier
(ID1) to destination IP address 2001:db8:1234::198.51.100.1 is (ID1) to destination IP address 2001:db8:1234::198.51.100.1 is
characterized as follows: characterized as follows:
o type: dynamically implicit mapping. o type: dynamic implicit mapping.
o transport-protocol: ICMPv6 (58) o transport-protocol: ICMPv6 (58)
o internal-src-address: 2001:db8:aaaa::1 o internal-src-address: 2001:db8:aaaa::1
o internal-src-port: ID1 o internal-src-port: ID1
o external-src-address: T (an IPv4 address configured on the NAT64) o external-src-address: T (an IPv4 address configured on the NAT64)
o external-src-port: ID2 (an ICMP identifier that is chosen by the o external-src-port: ID2 (an ICMP identifier that is chosen by the
NAT64) NAT64)
o internal-dst-address: 2001:db8:1234::198.51.100.1 o internal-dst-address: 2001:db8:1234::198.51.100.1
o external-dst-address: 198.51.100.1 o external-dst-address: 198.51.100.1
Note that a mapping table is maintained only for stateless NAT Note that a mapping table is maintained only for stateful NAT
functions. Obviously, no mapping table is maintained for NPTv6 given functions. Particularly:
that it is stateless and transport-agnostic.
o No mapping table is maintained for NPTv6 given that it is
stateless and transport-agnostic.
o The double translations are stateless in CLAT if a dedicated IPv6
prefix is provided for CLAT. If not, a stateful NAT44 will be
required.
o No per-flow mapping is maintained for EAM [RFC7757].
2.9. Resource Limits 2.9. Resource Limits
In order to comply with CGN deployments in particular, the data model In order to comply with CGN deployments in particular, the data model
allows limiting the number of external ports per subscriber (port- allows limiting the number of external ports per subscriber (port-
quota) and the amount of state memory allocated per mapping and per quota) and the amount of state memory allocated per mapping and per
subscriber (mapping-limit and connection-limit). According to subscriber (mapping-limit and connection-limit). According to
[RFC6888], the model allows for the following: [RFC6888], the model allows for the following:
o Per-subscriber limits are configurable by the NAT administrator. o Per-subscriber limits are configurable by the NAT administrator.
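Review bot: "stateless" to "stateful" in the sentence before the new bullet list is the right fix, but the connector "Particularly:" reads oddly because the bullets that follow enumerate the stateless exceptions; suggest "No mapping table is maintained for the stateless flavors. In particular:". The CLAT bullet says "a dedicated IPv6 prefix" whereas the clat-ipv6-prefixes description in Section 3 says "a dedicated /64"; align the two so the prose and the module state the same condition.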
skipping to change at page 10, line 40 skipping to change at page 11, line 5
| +--rw psid uint16 | +--rw psid uint16
+--rw dst-nat-enable? boolean +--rw dst-nat-enable? boolean
+--rw dst-ip-address-pool* [pool-id] +--rw dst-ip-address-pool* [pool-id]
| +--rw pool-id uint32 | +--rw pool-id uint32
| +--rw dst-in-ip-pool? inet:ip-prefix | +--rw dst-in-ip-pool? inet:ip-prefix
| +--rw dst-out-ip-pool? inet:ip-prefix | +--rw dst-out-ip-pool? inet:ip-prefix
+--rw nat64-prefixes* [nat64-prefix] +--rw nat64-prefixes* [nat64-prefix]
| +--rw nat64-prefix inet:ipv6-prefix | +--rw nat64-prefix inet:ipv6-prefix
| +--rw destination-ipv4-prefix* [ipv4-prefix] | +--rw destination-ipv4-prefix* [ipv4-prefix]
| +--rw ipv4-prefix inet:ipv4-prefix | +--rw ipv4-prefix inet:ipv4-prefix
+--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
| +--rw clat-ipv6-prefix inet:ipv6-prefix
+--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
| +--rw clat-ipv4-prefix inet:ipv4-prefix
+--rw nptv6-prefixes* [pool-id] +--rw nptv6-prefixes* [pool-id]
| +--rw pool-id uint32 | +--rw pool-id uint32
| +--rw internal-ipv6-prefix? inet:ipv6-prefix | +--rw internal-ipv6-prefix? inet:ipv6-prefix
| +--rw external-ipv6-prefix? inet:ipv6-prefix | +--rw external-ipv6-prefix? inet:ipv6-prefix
+--rw supported-transport-protocols* [transport-protocol-id] +--rw supported-transport-protocols* [transport-protocol-id]
| +--rw transport-protocol-id uint8 | +--rw transport-protocol-id uint8
| +--rw transport-protocol-name? string | +--rw transport-protocol-name? string
+--rw subscriber-mask-v6? uint8 +--rw subscriber-mask-v6? uint8
+--rw subscriber-match* [sub-match-id] +--rw subscriber-match* [sub-match-id]
| +--rw sub-match-id uint32 | +--rw sub-match-id uint32
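Review bot: the two new lists `clat-ipv6-prefixes` and `clat-ipv4-prefixes` are keyed by the prefix itself, while the neighbouring pool lists (`dst-ip-address-pool`, `nptv6-prefixes`, `external-ip-address-pool`) are keyed by `pool-id`; pick one convention for all pools so that clients can reference CLAT pools the same way (a `pool-id` key also leaves room for additional per-pool leaves later).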
skipping to change at page 12, line 23 skipping to change at page 12, line 40
| +--:(ftp) | +--:(ftp)
| +--rw ftp? boolean | +--rw ftp? boolean
+--rw notify-pool-usage +--rw notify-pool-usage
| +--rw pool-id? uint32 | +--rw pool-id? uint32
| +--rw notify-pool-hi-threshold percent | +--rw notify-pool-hi-threshold percent
| +--rw notify-pool-low-threshold? percent | +--rw notify-pool-low-threshold? percent
+--rw mapping-table +--rw mapping-table
| +--rw mapping-entry* [index] | +--rw mapping-entry* [index]
| +--rw index uint32 | +--rw index uint32
| +--rw type? enumeration | +--rw type? enumeration
| +--rw transport-protocol uint8 | +--rw transport-protocol? uint8
| +--rw internal-src-address inet:ip-prefix | +--rw internal-src-address? inet:ip-prefix
| +--rw internal-src-port | +--rw internal-src-port
| | +--rw (port-type)? | | +--rw (port-type)?
| | +--:(single-port-number) | | +--:(single-port-number)
| | | +--rw single-port-number? inet:port-number | | | +--rw single-port-number? inet:port-number
| | +--:(port-range) | | +--:(port-range)
| | +--rw start-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number | | +--rw end-port-number? inet:port-number
| +--rw external-src-address inet:ip-prefix | +--rw external-src-address? inet:ip-prefix
| +--rw external-src-port | +--rw external-src-port
| | +--rw (port-type)? | | +--rw (port-type)?
| | +--:(single-port-number) | | +--:(single-port-number)
| | | +--rw single-port-number? inet:port-number | | | +--rw single-port-number? inet:port-number
| | +--:(port-range) | | +--:(port-range)
| | +--rw start-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number | | +--rw end-port-number? inet:port-number
| +--rw internal-dst-address? inet:ip-prefix | +--rw internal-dst-address? inet:ip-prefix
| +--rw internal-dst-port | +--rw internal-dst-port
| | +--rw (port-type)? | | +--rw (port-type)?
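Review bot: with `transport-protocol?` now optional (a mapping with no transport protocol "applies for any protocol" per the leaf description), the `internal-src-port` and `external-src-port` containers with their `(port-type)` choice remain unconditionally present; a wildcard-protocol mapping should not carry port numbers or ICMP identifiers, so consider a `when "../transport-protocol"` on those containers (or a `must` statement) so that an address-only entry cannot be combined with ports.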
skipping to change at page 13, line 39 skipping to change at page 14, line 9
notifications: notifications:
+---n nat-event +---n nat-event
+--ro id? -> /nat-module/nat-instances/nat-instance/id +--ro id? -> /nat-module/nat-instances/nat-instance/id
+--ro notify-pool-threshold percent +--ro notify-pool-threshold percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-08-03.yang" <CODE BEGINS> file "ietf-nat@2017-08-03.yang"
module ietf-nat { module ietf-nat {
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
organization "IETF OPSAWG Working Group"; organization "IETF OPSAWG Working Group";
skipping to change at page 14, line 27 skipping to change at page 14, line 44
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-08-21 {
description " Includes CLAT (Lee/Jordi).";
reference "-ietf-01";
}
revision 2017-08-03 { revision 2017-08-03 {
description "Integrates comments from OPSAWG CFA."; description "Integrates comments from OPSAWG CFA.";
reference "-08"; reference "-ietf-00";
} }
revision 2017-07-03 { revision 2017-07-03 {
description "Integrates comments from D. Wing and T. Zhou."; description "Integrates comments from D. Wing and T. Zhou.";
reference "-07"; reference "-07";
} }
revision 2015-09-08 { revision 2015-09-08 {
description "Fixes few YANG errors."; description "Fixes few YANG errors.";
reference "-02"; reference "-02";
} }
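Review bot: a new `revision 2017-08-21` is added but the `<CODE BEGINS> file "ietf-nat@2017-08-03.yang"` line still carries the previous revision date; the file name should be `ietf-nat@2017-08-21.yang` to match the latest revision. The new description string also has a leading space (`" Includes CLAT (Lee/Jordi)."`); drop it, and consider the "-ietf-01" reference format for the earlier "-07" and "-02" entries too, or at least note that they are pre-WG versions.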
skipping to change at page 15, line 31 skipping to change at page 16, line 4
description description
"Base identity for nat type."; "Base identity for nat type.";
} }
identity nat44 { identity nat44 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for traditional NAT support."; "Identity for traditional NAT support.";
reference reference
"RFC 3022."; "RFC 3022.";
} }
identity basic-nat { identity basic-nat {
//base nat:nat-type; //base nat:nat-type;
base nat:nat44; base nat:nat44;
description description
"Identity for Basic NAT support."; "Identity for Basic NAT support.";
reference reference
"RFC 3022."; "RFC 3022.";
} }
identity napt { identity napt {
//base nat:nat-type; //base nat:nat-type;
base nat:nat44; base nat:nat44;
description description
"Identity for NAPT support."; "Identity for NAPT support.";
reference reference
"RFC 3022."; "RFC 3022.";
} }
identity restricted-nat { identity restricted-nat {
//base nat:nat-type; //base nat:nat-type;
base nat:nat44; base nat:nat44;
description description
"Identity for Port-Restricted NAT support."; "Identity for Port-Restricted NAT support.";
reference reference
"RFC 7596."; "RFC 7596.";
} }
identity dst-nat { identity dst-nat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for Destination NAT support."; "Identity for Destination NAT support.";
} }
identity nat64 { identity nat64 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NAT64 support."; "Identity for NAT64 support.";
reference reference
"RFC 6146."; "RFC 6146.";
}
identity clat {
base nat:nat-type;
description
"Identity for CLAT support.";
reference
"RFC 6877.";
}
identity eam {
base nat:nat-type;
description
"Identity for EAM support.";
reference
"RFC 7757.";
} }
identity nptv6 { identity nptv6 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for NPTv6 support.";
reference reference
"RFC 6296."; "RFC 6296.";
} }
skipping to change at page 23, line 15 skipping to change at page 24, line 4
// Mapping Entry // Mapping Entry
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry."; "NAT mapping entry.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry."; "A unique identifier of a mapping entry.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum "static" { enum "static" {
description description
"The mapping entry is manually configured."; "The mapping entry is manually configured.";
} }
enum "dynamic-explicit" { enum "dynamic-explicit" {
description description
"This mapping is created by an outgoing "This mapping is created by an outgoing
packet."; packet.";
} }
enum "dynamic-implicit" { enum "dynamic-implicit" {
description description
"This mapping is created by an explicit "This mapping is created by an explicit
dynamic message."; dynamic message.";
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of a mapping entry. E.g.,
a mapping can be: static, impliict dynamic or explicit dynamic."; a mapping can be: static, implicit dynamic
or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry. Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping."; mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal of the packet received on an internal
interface."; interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the "Corresponds to the source port of the
packet received on an internal interface. packet received on an internal interface.
It is used also to carry the internal It is used also to carry the internal
source ICMP identifier."; source ICMP identifier.";
uses port-number; uses port-number;
} }
leaf external-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true;
description description
"Source IP address/prefix of the packet sent "Source IP address/prefix of the packet sent
on an external interface of the NAT."; on an external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent "Source port of the packet sent
on an external interafce of the NAT. on an external interafce of the NAT.
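Review bot: the `type` enumeration descriptions look swapped: `dynamic-explicit` is described as "created by an outgoing packet" and `dynamic-implicit` as "created by an explicit dynamic message", whereas Section 2.8 calls the mapping created on receipt of a TCP SYN a "dynamic implicit mapping"; exchange the two description strings. Removing `mandatory true` from `internal-src-address` and `external-src-address` (not only from `transport-protocol`) also allows a mapping entry with no addresses at all; if the intent is only to permit protocol-agnostic mappings, keep the addresses mandatory or add a `must` requiring them. Typo "interafce" in the `external-src-port` description.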
skipping to change at page 26, line 4 skipping to change at page 26, line 46
alive. Static mappings may not be associated with a alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a lifetime. If no lifetime is associated with a
static mapping, an explicit action is requried to static mapping, an explicit action is requried to
remove that mapping."; remove that mapping.";
} }
} }
grouping nat-parameters { grouping nat-parameters {
description description
"NAT parameters for a given instance"; "NAT parameters for a given instance";
list external-ip-address-pool { list external-ip-address-pool {
key pool-id; key pool-id;
description description
"Pool of external IP addresses used to service "Pool of external IP addresses used to
internal hosts. service internal hosts.
Both contiguous and non-contiguous pools Both contiguous and non-contiguous pools
can be configured for NAT purposes."; can be configured for NAT purposes.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf external-ip-pool { leaf external-ip-pool {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description
description
"An IPv4 prefix used for NAT purposes."; "An IPv4 prefix used for NAT purposes.";
} }
} }
container port-set-restrict { container port-set-restrict {
when "../nat-capabilities/restricted-port-support = 'true' "; when "../nat-capabilities/restricted-port-support = 'true' ";
description description
"Configures contiguous and non-contiguous port ranges"; "Configures contiguous and non-contiguous port ranges.";
uses port-set; uses port-set;
} }
leaf dst-nat-enable { leaf dst-nat-enable {
type boolean; type boolean;
default false; default false;
description description
"Enable/Disable destination NAT. "Enable/Disable destination NAT.
A NAT44 may be configured to enable Destination NAT, too."; A NAT44 may be configured to enable
Destination NAT, too.";
} }
list dst-ip-address-pool { list dst-ip-address-pool {
//if-feature dst-nat; //if-feature dst-nat;
when "../nat-capabilities/nat-flavor = 'dst-nat' "; when "../nat-capabilities/nat-flavor = 'dst-nat' ";
key pool-id; key pool-id;
description description
"Pool of IP addresses used for destination NAT."; "Pool of IP addresses used for destination NAT.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description
"An identifier of the address pool."; description
"An identifier of the address pool.";
} }
leaf dst-in-ip-pool { leaf dst-in-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description
"Internal IP prefix/address"; description
"Internal IP prefix/address";
} }
leaf dst-out-ip-pool { leaf dst-out-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description
"IP address/prefix used for destination NAT."; description
"IP address/prefix used for destination NAT.";
} }
} }
list nat64-prefixes { list nat64-prefixes {
//if-feature nat64; when "../nat-capabilities/nat-flavor = 'nat64' " +
when "../nat-capabilities/nat-flavor = 'nat64' "; " or ../nat-capabilities/nat-flavor = 'clat'";
key nat64-prefix; key nat64-prefix;
description description
"Provides one or a list of NAT64 prefixes "Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes. with or without a list of destination IPv4 prefixes.
Destination-based Pref64::/n is discussed in Destination-based Pref64::/n is discussed in
Section 5.1 of [RFC7050]). For example: Section 5.1 of [RFC7050]). For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
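Review bot: `dst-ip-address-pool` is guarded by `when "../nat-capabilities/nat-flavor = 'dst-nat' "`, yet the `dst-nat-enable` description right above says "A NAT44 may be configured to enable Destination NAT, too"; with that `when`, a NAT44 instance with `dst-nat-enable = true` cannot configure any destination pool, so the `when` should test `dst-nat-enable` (or the flavor or the flag) instead. If `nat-flavor` is an identityref (it is compared against identity names such as `'nat64'` and `'clat'`), comparing it with a bare string will not match the prefixed string value of an identityref in XPath; `derived-from-or-self(../nat-capabilities/nat-flavor, 'nat:nat64')` is the robust form. The stale `//if-feature dst-nat;` comment was left in while `//if-feature nat64;` was removed, and "requried" in the lifetime description is a typo.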
skipping to change at page 28, line 26 skipping to change at page 29, line 24
"An IPv4 prefix/address."; "An IPv4 prefix/address.";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "An IPv4 address/prefix.";
} }
} }
} }
list nptv6-prefixes { list clat-ipv6-prefixes {
//if-feature nptv6; when "../nat-capabilities/nat-flavor = 'clat' ";
key clat-ipv6-prefix;
description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference
"RFC 6877.";
leaf clat-ipv6-prefix {
type inet:ipv6-prefix;
description
"An IPv6 prefix used for CLAT.";
}
}
list clat-ipv4-prefixes {
when "../nat-capabilities/nat-flavor = 'clat'";
key clat-ipv4-prefix;
description
"Pool of IPv4 addresses used for CLAT.
192.0.0.0/29 is the IPv4 service continuity
prefix.";
reference
"RFC 7335.";
leaf clat-ipv4-prefix {
type inet:ipv4-prefix;
description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference
"RFC 6877.";
}
}
list nptv6-prefixes {
when "../nat-capabilities/nat-flavor = 'nptv6' "; when "../nat-capabilities/nat-flavor = 'nptv6' ";
key pool-id; key pool-id;
description description
"Provides one or a list of (internal IPv6 prefix, "Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6. external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network In its simplest form, NPTv6 interconnects two network
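Review bot: the description of the clat-ipv4-prefix leaf repeats, word for word, the text already given as the description of the clat-ipv6-prefixes list ("464XLAT double translation treatment is stateless when a dedicated /64 is available ..."); describe the leaf itself here (the IPv4 address/prefix the CLAT uses on its NAT44 side) and keep the 464XLAT explanation in one place. Also the two `when` statements differ only by a trailing space (`'clat' "` versus `'clat'"`); pick one form.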
skipping to change at page 29, line 11 skipping to change at page 31, line 24
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the NPTv6 prefixs."; "An identifier of the NPTv6 prefixs.";
} }
leaf internal-ipv6-prefix { leaf internal-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used by an internal interface of "An IPv6 prefix used by an internal interface
NPTv6."; of NPTv6.";
reference reference
"RFC 6296."; "RFC 6296.";
} }
leaf external-ipv6-prefix { leaf external-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used by the external interface of "An IPv6 prefix used by the external interface
NPTv6."; of NPTv6.";
reference reference
"RFC 6296."; "RFC 6296.";
} }
} }
list supported-transport-protocols { list supported-transport-protocols {
key transport-protocol-id; key transport-protocol-id;
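Review bot: typo in the pool-id description, `"An identifier of the NPTv6 prefixs."` should read "prefixes".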
skipping to change at page 46, line 4 skipping to change at page 48, line 14
leaf address-and-port-dependent-filtering { leaf address-and-port-dependent-filtering {
type boolean; type boolean;
description description
"Indicates whether address-and-port-dependent "Indicates whether address-and-port-dependent
is supported."; is supported.";
} }
} }
uses nat-parameters; uses nat-parameters;
container mapping-table { container mapping-table {
when "../nat-capabilities/nat-flavor = "+ when "../nat-capabilities/nat-flavor = "+
"'nat44' or "+ "'nat44' or "+
"../nat-capabilities/nat-flavor = "+ "../nat-capabilities/nat-flavor = "+
"'nat64'or "+ "'nat64'or "+
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'"; "../nat-capabilities/nat-flavor = 'dst-nat'";
description description
"NAT mapping table used to track "NAT mapping table. Applicable for functions which
sessions. Only applicable if NAT44, maintains static and/or dynamic mappings such as NAT44,
Destination NAT, or nat64 is supported."; Destination NAT, NAT64, CLAT, or EAM.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description description
"NAT mapping entry."; "NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
} }
container statistics { container statistics {
config false; config false;
description description
"Statistics related to the NAT instance. "Statistics related to the NAT instance.";
Only applicable if nat44, dst-nat or nat64 is
supported.";
container traffic-statistics { container traffic-statistics {
description description
"Generic traffic statistics."; "Generic traffic statistics.";
leaf sent-packet { leaf sent-packet {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Number of packets sent.";
skipping to change at page 51, line 24 skipping to change at page 53, line 35
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing and Tianran Zhou for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. structure and the suggestion to use NMDA.
Thanks to Lee Howard and Jordi Palet for the CLAT comments.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, <https://www.rfc- DOI 10.17487/RFC3688, January 2004, <https://www.rfc-
editor.org/info/rfc3688>. editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast Translation (NAT) Behavioral Requirements for Unicast
skipping to change at page 52, line 24 skipping to change at page 54, line 39
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, <https://www.rfc- DOI 10.17487/RFC6536, March 2012, <https://www.rfc-
editor.org/info/rfc6536>. editor.org/info/rfc6536>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013,
<https://www.rfc-editor.org/info/rfc6877>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address
Mappings for Stateless IP/ICMP Translation", RFC 7757,
DOI 10.17487/RFC7757, February 2016, <https://www.rfc-
editor.org/info/rfc7757>.
[RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
S., and K. Naito, "Updates to Network Address Translation S., and K. Naito, "Updates to Network Address Translation
(NAT) Behavioral Requirements", BCP 127, RFC 7857, (NAT) Behavioral Requirements", BCP 127, RFC 7857,
DOI 10.17487/RFC7857, April 2016, <https://www.rfc- DOI 10.17487/RFC7857, April 2016, <https://www.rfc-
editor.org/info/rfc7857>. editor.org/info/rfc7857>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
skipping to change at page 54, line 5 skipping to change at page 56, line 29
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, <https://www.rfc- DOI 10.17487/RFC6887, April 2013, <https://www.rfc-
editor.org/info/rfc6887>. editor.org/info/rfc6887>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
DOI 10.17487/RFC7335, August 2014, <https://www.rfc-
editor.org/info/rfc7335>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual- Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>. July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597, Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015, <https://www.rfc- DOI 10.17487/RFC7597, July 2015, <https://www.rfc-
editor.org/info/rfc7597>. editor.org/info/rfc7597>.
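Review bot: [RFC7335] is added as an Informative reference, yet the module cites it in the `reference` statement of clat-ipv4-prefixes and A.9 relies on it to pick 192.0.0.1/32; consider moving it to the Normative section alongside [RFC6877] and [RFC7757].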
skipping to change at page 60, line 44 skipping to change at page 62, line 44
<nat64-prefix> <nat64-prefix>
2001:db8:122::/48 2001:db8:122::/48
</nat64-prefix> </nat64-prefix>
<destination-ipv4-prefix> <destination-ipv4-prefix>
<ipv4-prefix> <ipv4-prefix>
198.51.100.0/24 198.51.100.0/24
</ipv4-prefix> </ipv4-prefix>
</destination-ipv4-prefix> </destination-ipv4-prefix>
</nat64-prefixes> </nat64-prefixes>
A.5. Static Mappings with Port Ranges A.5. Explicit Address Mappings for Stateless IP/ICMP Translation
As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
IPv6 prefix. Let's consider the set of EAM examples in Figure 2.
+---+----------------+----------------------+
| # | IPv4 Prefix | IPv6 Prefix |
+---+----------------+----------------------+
| 1 | 192.0.2.1 | 2001:db8:aaaa:: |
| 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 |
| 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 |
| 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 |
| 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 6 | 192.0.2.224/31 | 64:ff9b::/127 |
+---+----------------+----------------------+
Figure 2: EAM Examples (RFC7757)
The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module:
<mapping-table>
<mapping-entry>
<index>1</index>
<type>static</type>
<internal-dst-address>
192.0.2.1
</internal-dst-address>
<external-dst-address>
2001:db8:aaaa::
</external-dst-address>
</mapping-entry>
<mapping-entry>
<index>2</index>
<type>static</type>
<internal-dst-address>
192.0.2.2/32
</internal-dst-address>
<external-dst-address>
2001:db8:bbbb::b/128
</external-dst-address>
</mapping-entry>
<mapping-entry>
<index>3</index>
<type>static</type>
<internal-dst-address>
192.0.2.16/28
</internal-dst-address>
<external-dst-address>
2001:db8:cccc::/124
</external-dst-address>
</mapping-entry>
<mapping-entry>
<index>4</index>
<type>static</type>
<internal-dst-address>
192.0.2.128/26
</internal-dst-address>
<external-dst-address>
2001:db8:dddd::/64
</external-dst-address>
</mapping-entry>
<mapping-entry>
<index>5</index>
<type>static</type>
<internal-dst-address>
192.0.2.192/29
</internal-dst-address>
<external-dst-address>
2001:db8:eeee:8::/62
</external-dst-address>
</mapping-entry>
<mapping-entry>
<index>6</index>
<type>static</type>
<internal-dst-address>
192.0.2.224/31
</internal-dst-address>
<external-dst-address>
64:ff9b::/127
</external-dst-address>
</mapping-entry>
</mapping-table>
EAMs may be enabled jointly with statefull NAT64. This example shows
a NAT64 fucntion that supports static mappings:
<nat-capabilities
<nat-flavor>
nat64
</nat44-flavor>
<static-mapping-support>
true
</static-mapping-support>
<port-randomization-support>
true
</port-randomization-support>
<port-range-allocation-support>
true
</port-range-allocation-support>
<port-preservation-suport>
true
</port-preservation-suport>
<port-parity-preservation-support>
false
</port-parity-preservation-support>
<address-roundrobin-support>
true
</address-roundrobin-support>
<paired-address-pooling-support>
true
</paired-address-pooling-support>
<endpoint-independent-mapping-support>
true
</endpoint-independent-mapping-support>
<address-dependent-mapping-support>
false
</address-dependent-mapping-support>
<address-and-port-dependent-mapping-support>
false
</address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support>
true
</endpoint-independent-filtering-support>
<address-dependent-filtering>
false
</address-dependent-filtering>
<address-and-port-dependent-filtering>
false
</address-and-port-dependent-filtering>
</nat-capabilities>
A.6. Static Mappings with Port Ranges
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1 and with source ports in the translate packets issued from 192.0.2.1 and with source ports in the
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
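Review bot: the nat-capabilities snippet in A.5 is not well-formed XML: `<nat-capabilities` is missing its closing `>`, `<nat-flavor>` is closed by `</nat44-flavor>`, and `port-preservation-suport` is misspelled in both the opening and closing tag (the rest of the example spells it `-support`). Lead text typos: "statefull NAT64" should be "stateful NAT64" and "a NAT64 fucntion" should be "a NAT64 function".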
skipping to change at page 61, line 38 skipping to change at page 66, line 44
1100 1100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
1500 1500
</end-port-number> </end-port-number>
</port-range> </port-range>
</external-dst-port> </external-dst-port>
... ...
</mapping-entry> </mapping-entry>
A.6. Static Mappings with IP Prefixes A.7. Static Mappings with IP Prefixes
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1/24 to 198.51.100.1/24. translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1/24 192.0.2.1/24
</internal-dst-address> </internal-dst-address>
<external-src-address> <external-src-address>
198.51.100.1/24 198.51.100.1/24
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
A.7. Destination NAT A.8. Destination NAT
The following XML snippet shows an example a destination NAT that is The following XML snippet shows an example a destination NAT that is
instructed to translate packets having 192.0.2.1 as a destination IP instructed to translate packets having 192.0.2.1 as a destination IP
address to 198.51.100.1. address to 198.51.100.1.
<dst-ip-address-pool> <dst-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<dst-in-ip-pool> <dst-in-ip-pool>
192.0.2.1 192.0.2.1
</dst-in-ip-pool> </dst-in-ip-pool>
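Review bot: in A.7 `<internal-src-address>` is closed by `</internal-dst-address>` and `<external-src-address>` by `</external-dst-address>`, so the snippet does not parse; this was already wrong in -00 and is carried over unchanged. The values `192.0.2.1/24` and `198.51.100.1/24` also have host bits set, whereas the canonical inet:ipv4-prefix form expects them cleared (`192.0.2.0/24`, `198.51.100.0/24`), which matters if the example is meant to be loadable. A.8 lead sentence: "an example a destination NAT" is missing "of".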
skipping to change at page 65, line 16 skipping to change at page 70, line 16
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
Instead of providing an external IP address to share, the NAT may be Instead of providing an external IP address to share, the NAT may be
configured with static mapping entries that modifies the internal IP configured with static mapping entries that modifies the internal IP
address and/or port number. address and/or port number.
A.8. NPTv6 A.9. CLAT
The following XML snippet shows the example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]).
<nat64-prefixes>
<nat64-prefix>
2001:db8:1234::/96
</nat64-prefix>
</nat64-prefixes>
<clat-ipv6-prefixes>
<clat-ipv6-prefix>
2001:db8:aaaa::/96
</clat-ipv6-prefix>
</clat-ipv6-prefixes>
<clat-ipv4-prefixes>
<clat-ipv4-prefix>
192.0.0.1/32
</clat-ipv4-prefix>
</clat-ipv4-prefixes>
A.10. NPTv6
Let's consider the example of a NPTv6 translator that should rewrite Let's consider the example of a NPTv6 translator that should rewrite
packets with the source prefix (fd01:203:405:/48) with the external packets with the source prefix (fd01:203:405:/48) with the external
prefix (2001:db8:1:/48). prefix (2001:db8:1:/48).
External Network: Prefix = 2001:db8:1:/48 External Network: Prefix = 2001:db8:1:/48
-------------------------------------- --------------------------------------
| |
| |
+-------------+ +-------------+
skipping to change at page 65, line 50 skipping to change at page 71, line 33
<nptv6-prefixes> <nptv6-prefixes>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
Figure 2 shows an example of an NPTv6 that interconnects two internal Figure 3 shows an example of an NPTv6 that interconnects two internal
networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
translated using a dedicated prefix (2001:db8:1:/48 and translated using a dedicated prefix (2001:db8:1:/48 and
2001:db8:6666:/48, respectively). 2001:db8:6666:/48, respectively).
Internal Prefix = fd01:4444:5555:/48 Internal Prefix = fd01:4444:5555:/48
-------------------------------------- --------------------------------------
V | External Prefix V | External Prefix
V | 2001:db8:1:/48 V | 2001:db8:1:/48
V +---------+ ^ V +---------+ ^
V | NPTv6 | ^ V | NPTv6 | ^
V | Device | ^ V | Device | ^
V +---------+ ^ V +---------+ ^
External Prefix | ^ External Prefix | ^
2001:db8:6666:/48 | ^ 2001:db8:6666:/48 | ^
-------------------------------------- --------------------------------------
Internal Prefix = fd01:203:405:/48 Internal Prefix = fd01:203:405:/48
Figure 2: Connecting two Peer Networks (RFC6296) Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6: To that aim, the following configuration is provided to the NPTv6:
<nptv6-prefixes> <nptv6-prefixes>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
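Review bot: the NPTv6 instance values `fd01:203:405:/48`, `2001:db8:1:/48`, `fd01:4444:5555:/48` and `2001:db8:6666:/48` are not valid inet:ipv6-prefix strings (a `::` is required before the prefix length), so the `<internal-ipv6-prefix>`/`<external-ipv6-prefix>` examples would be rejected on validation; write `fd01:203:405::/48`, `2001:db8:1::/48` and so on in the XML, even if the figure keeps the RFC 6296 shorthand.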
 End of changes. 65 change blocks. 
98 lines changed or deleted 390 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/