Diff: draft-ietf-opsawg-nat-yang-01.txt vs. draft-ietf-opsawg-nat-yang-02.txt

Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: February 22, 2018 (-01) / February 24, 2018 (-02) Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                           August 21, 2017 (-01) / August 23, 2017 (-02)

     A YANG Data Model for Network Address Translation (NAT) and Network
                         Prefix Translation (NPT)
         draft-ietf-opsawg-nat-yang-01 / draft-ietf-opsawg-nat-yang-02
Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential. This
   document defines a YANG data model for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit

skipping to change at page 1, line 46
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 22, 2018 (-01) /
   February 24, 2018 (-02).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents

skipping to change at page 2, line 35
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an Interface
           (new in -02; in -01, Section 2.10 is "Tree Structure")
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of

skipping to change at page 10, line 5 (-01) / line 7 (-02)
   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.
2.10.  Binding the NAT Function to an Interface

   The model allows the operator to specify the interface(s) on which
   the NAT function must be applied (external-interfaces). The model
   also allows internal interfaces to be specified (internal-
   interfaces).

   If no interface is provided, the system is assumed to be able to
   determine the external interface(s) on which the NAT will be applied.
   Typically, the WAN and LAN interfaces of a CPE are determined by the
   CPE.

2.11.  Tree Structure
   The tree structure of the NAT data model is provided below. The -02
   tree is shown; relative to -01 it adds the internal-interfaces and
   external-interfaces lists and renames the key of nptv6-prefixes from
   pool-id to translation-id.

   module: ietf-nat
     +--rw nat-module
        +--rw nat-instances
           +--rw nat-instance* [id]
              +--rw id        uint32
              +--rw name?     string
              +--rw enable?   boolean

skipping to change at page 10, line 33 (-01) / line 46 (-02)

              |  +--ro port-preservation-suport?                     boolean
              |  +--ro port-parity-preservation-support?             boolean
              |  +--ro address-roundrobin-support?                   boolean
              |  +--ro paired-address-pooling-support?               boolean
              |  +--ro endpoint-independent-mapping-support?         boolean
              |  +--ro address-dependent-mapping-support?            boolean
              |  +--ro address-and-port-dependent-mapping-support?   boolean
              |  +--ro endpoint-independent-filtering-support?       boolean
              |  +--ro address-dependent-filtering?                  boolean
              |  +--ro address-and-port-dependent-filtering?         boolean
              +--rw internal-interfaces* [internal-interface]
              |  +--rw internal-interface   if:interface-ref
              +--rw external-interfaces* [external-interface]
              |  +--rw external-interface   if:interface-ref
              +--rw external-ip-address-pool* [pool-id]
              |  +--rw pool-id             uint32
              |  +--rw external-ip-pool?   inet:ipv4-prefix
              +--rw port-set-restrict
              |  +--rw (port-type)?
              |     +--:(port-range)
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--:(port-set-algo)
              |        +--rw psid-offset?         uint8

skipping to change at page 11, line 9 (-01) / line 27 (-02)

              |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  +--rw dst-out-ip-pool?   inet:ip-prefix
              +--rw nat64-prefixes* [nat64-prefix]
              |  +--rw nat64-prefix               inet:ipv6-prefix
              |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |     +--rw ipv4-prefix   inet:ipv4-prefix
              +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
              |  +--rw clat-ipv6-prefix   inet:ipv6-prefix
              +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
              |  +--rw clat-ipv4-prefix   inet:ipv4-prefix
              +--rw nptv6-prefixes* [translation-id]
              |  +--rw translation-id          uint32
              |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
              +--rw supported-transport-protocols* [transport-protocol-id]
              |  +--rw transport-protocol-id      uint8
              |  +--rw transport-protocol-name?   string
              +--rw subscriber-mask-v6?   uint8
              +--rw subscriber-match* [sub-match-id]
              |  +--rw sub-match-id   uint32
              |  +--rw sub-mask       inet:ip-prefix
              +--rw nat-pass-through* [nat-pass-through-id]

skipping to change at page 14, line 7 (-01) / line 24 (-02)

                    +--ro ports-allocated?   uint32
                    +--ro ports-free?        uint32

   notifications:
     +---n nat-event
        +--ro id?                     -> /nat-module/nat-instances/nat-instance/id
        +--ro notify-pool-threshold   percent
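As an added example (not code from the draft), the following Python audit takes a nat-instance fragment written with the model's leaf names, expands its port-set-restrict node into the concrete port ranges a subscriber receives (using the PSID algorithm that the psid-offset, psid-len and psid leaves parameterise), and flags timeout leaves from the module's timeouts grouping that are configured below the minimums their descriptions cite. The dict layout and the grouping keys "port-set-restrict" and "timeouts" are assumptions standing in for the module's real XML/JSON encoding.

```python
"""Audit a nat-instance fragment written with the ietf-nat leaf names.

Added example, not part of the draft. The dict layout and the keys
"port-set-restrict" and "timeouts" that group the leaves are
assumptions; the module's real encoding lives under
/nat-module/nat-instances/nat-instance.
"""


def expand_port_set_algo(psid_offset, psid_len, psid):
    """Return the (start, end) port ranges a PSID selects.

    Port-set algorithm of RFC 7597, Section 5.1:
        port = A * 2^(16-a) + PSID * 2^m + M
    with a = psid_offset, k = psid_len, m = 16 - a - k, M in [0, 2^m).
    A = 0 is skipped whenever a > 0; that is what keeps the system
    ports (0 .. 2^(16-a) - 1) out of every subscriber's port set.
    """
    if not (0 <= psid_offset <= 16 and 0 <= psid_len <= 15):
        raise ValueError("psid-offset must be 0..16 and psid-len 0..15")
    if psid_offset + psid_len > 16:
        raise ValueError("psid-offset + psid-len exceeds 16 bits")
    if not 0 <= psid < 1 << psid_len:
        raise ValueError("psid does not fit in psid-len bits")
    m = 16 - psid_offset - psid_len
    first_a = 1 if psid_offset > 0 else 0
    ranges = []
    for a_val in range(first_a, 1 << psid_offset):
        start = (a_val << (16 - psid_offset)) | (psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def expand_port_set(port_set):
    """Expand either case of the port-type choice into (start, end) ranges."""
    if "psid-len" in port_set:  # case port-set-algo
        return expand_port_set_algo(port_set.get("psid-offset", 0),
                                    port_set["psid-len"], port_set["psid"])
    # case port-range (the choice's default); absent bounds = whole space
    start = port_set.get("start-port-number", 0)
    end = port_set.get("end-port-number", 65535)
    if not 0 <= start <= end <= 65535:
        raise ValueError("invalid start-port-number/end-port-number")
    return [(start, end)]


def port_count(ranges):
    """Number of ports covered by a list of inclusive ranges."""
    return sum(end - start + 1 for start, end in ranges)


def exposes_system_ports(ranges):
    """True if any range reaches into the system port space 0..1023."""
    return any(start <= 1023 for start, _ in ranges)


# Lower bounds (seconds) that the timeout leaf descriptions cite; a
# configured value below one of these contradicts the referenced RFC.
TIMEOUT_MINIMUMS = {
    "udp-timeout": 120,        # RFC 4787 REQ-5: at least 2 minutes
    "tcp-idle-timeout": 7440,  # RFC 5382 REQ-5: at least 2 h 4 min
    "tcp-in-syn-timeout": 6,   # RFC 5382 REQ-4: at least 6 seconds
    "icmp-timeout": 60,        # RFC 5508 REQ-2: at least 60 seconds
}


def check_timeouts(timeouts):
    """Names of timeout leaves explicitly configured below their minimum.

    Absent leaves take the module defaults, which all meet the minimums.
    """
    return sorted(name for name, minimum in TIMEOUT_MINIMUMS.items()
                  if name in timeouts and timeouts[name] < minimum)


def audit(instance):
    """Summarise the port-set and timeout posture of one nat-instance."""
    ranges = expand_port_set(instance.get("port-set-restrict", {}))
    return {
        "port-ranges": len(ranges),
        "ports": port_count(ranges),
        "system-ports-exposed": exposes_system_ports(ranges),
        "timeouts-below-minimum": check_timeouts(instance.get("timeouts", {})),
    }


# Constructed sample: a port-restricted CGN address shared 16 ways
# (psid-len 4) with MAP-style offset 6, plus a TCP idle timeout that
# was lowered to one hour.
SAMPLE_INSTANCE = {
    "id": 1,
    "name": "cgn-constructed-sample",
    "port-set-restrict": {"psid-offset": 6, "psid-len": 4, "psid": 3},
    "timeouts": {"udp-timeout": 300, "tcp-idle-timeout": 3600,
                 "tcp-in-syn-timeout": 6, "icmp-timeout": 60},
}

if __name__ == "__main__":
    print(audit(SAMPLE_INSTANCE))
```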
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-08-03.yang" <CODE BEGINS> file "ietf-nat@2017-08-23.yang"
module ietf-nat {
namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA
prefix "nat";
import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; }
organization "IETF OPSAWG Working Group"; module ietf-nat {
namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
contact //namespace to be assigned by IANA
"Mohamed Boucadair <mohamed.boucadair@orange.com> prefix "nat";
Senthil Sivakumar <ssenthil@cisco.com>
Chritsian Jacquenet <christian.jacquenet@orange.com>
Suresh Vinapamula <sureshk@juniper.net>
Qin Wu <bill.wu@huawei.com>";
description import ietf-inet-types { prefix inet; }
"This module is a YANG module for NAT implementations import ietf-yang-types { prefix yang; }
(including NAT44 and NAT64 flavors).
Copyright (c) 2017 IETF Trust and the persons identified as import ietf-interfaces { prefix if; }
authors of the code. All rights reserved. //import iana-if-type { prefix ianaift; }
Redistribution and use in source and binary forms, with or organization "IETF OPSAWG Working Group";
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see contact
the RFC itself for full legal notices."; "Mohamed Boucadair <mohamed.boucadair@orange.com>
Senthil Sivakumar <ssenthil@cisco.com>
Chritsian Jacquenet <christian.jacquenet@orange.com>
Suresh Vinapamula <sureshk@juniper.net>
Qin Wu <bill.wu@huawei.com>";
revision 2017-08-21 { description
description " Includes CLAT (Lee/Jordi)."; "This module is a YANG module for NAT implementations
reference "-ietf-01"; (including NAT44 and NAT64 flavors).
}
revision 2017-08-03 { Copyright (c) 2017 IETF Trust and the persons identified as
description "Integrates comments from OPSAWG CFA."; authors of the code. All rights reserved.
reference "-ietf-00";
}
revision 2017-07-03 {
description "Integrates comments from D. Wing and T. Zhou.";
reference "-07";
}
revision 2015-09-08 { Redistribution and use in source and binary forms, with or
description "Fixes few YANG errors."; without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
reference "-02"; This version of this YANG module is part of RFC XXXX; see
} the RFC itself for full legal notices.";
revision 2015-09-07 { revision 2017-08-23 {
description "Completes the NAT64 model."; description "Comments from F. Baker about NPTv6.";
reference "01"; reference "-ietf-02";
} }
revision 2015-08-29 { revision 2017-08-21 {
description "Initial version."; description " Includes CLAT (Lee/Jordi).";
reference "00"; reference "-ietf-01";
} }
/* revision 2017-08-03 {
* Definitions description "Integrates comments from OPSAWG CFA.";
*/ reference "-ietf-00";
}
typedef percent { revision 2017-07-03 {
type uint8 { description "Integrates comments from D. Wing and T. Zhou.";
range "0 .. 100"; reference "-07";
} }
description
"Percentage";
}
/* revision 2015-09-08 {
* Identities description "Fixes few YANG errors.";
*/
identity nat-type { reference "-02";
description }
"Base identity for nat type.";
}
identity nat44 { revision 2015-09-07 {
base nat:nat-type; description "Completes the NAT64 model.";
description reference "01";
"Identity for traditional NAT support."; }
reference revision 2015-08-29 {
"RFC 3022."; description "Initial version.";
} reference "00";
}
/*
* Definitions
*/
identity basic-nat { typedef percent {
//base nat:nat-type; type uint8 {
base nat:nat44; range "0 .. 100";
description }
"Identity for Basic NAT support."; description
"Percentage";
}
reference /*
"RFC 3022."; * Identities
} */
identity napt { identity nat-type {
//base nat:nat-type; description
base nat:nat44; "Base identity for nat type.";
description }
"Identity for NAPT support.";
reference identity nat44 {
"RFC 3022."; base nat:nat-type;
} description
"Identity for traditional NAT support.";
identity restricted-nat { reference
//base nat:nat-type; "RFC 3022.";
base nat:nat44; }
description
"Identity for Port-Restricted NAT support.";
reference identity basic-nat {
"RFC 7596."; //base nat:nat-type;
} base nat:nat44;
description
"Identity for Basic NAT support.";
identity dst-nat { reference
base nat:nat-type; "RFC 3022.";
description }
"Identity for Destination NAT support.";
}
identity nat64 { identity napt {
base nat:nat-type; //base nat:nat-type;
description base nat:nat44;
"Identity for NAT64 support."; description
"Identity for NAPT support.";
reference reference
"RFC 6146."; "RFC 3022.";
}
identity clat {
base nat:nat-type;
description
"Identity for CLAT support.";
reference }
"RFC 6877.";
}
identity eam { identity restricted-nat {
base nat:nat-type; //base nat:nat-type;
description base nat:nat44;
"Identity for EAM support."; description
"Identity for Port-Restricted NAT support.";
reference reference
"RFC 7757."; "RFC 7596.";
} }
identity nptv6 { identity dst-nat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for Destination NAT support.";
}
reference identity nat64 {
"RFC 6296."; base nat:nat-type;
} description
"Identity for NAT64 support.";
/* reference
* Grouping "RFC 6146.";
*/ }
// Timers identity clat {
base nat:nat-type;
description
"Identity for CLAT support.";
grouping timeouts { reference
description "RFC 6877.";
"Configure values of various timeouts."; }
leaf udp-timeout { identity eam {
type uint32; base nat:nat-type;
units "seconds"; description
default 300; "Identity for EAM support.";
description
"UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT.";
reference reference
"RFC 4787."; "RFC 7757.";
} }
leaf tcp-idle-timeout { identity nptv6 {
type uint32; base nat:nat-type;
units "seconds"; description
default 7440; "Identity for NPTv6 support.";
description
"TCP Idle timeout should be
2 hours and 4 minutes.";
reference reference
"RFC 5382."; "RFC 6296.";
} }
leaf tcp-trans-open-timeout { /*
type uint32; * Grouping
units "seconds"; */
default 240;
description
"The value of the transitory open connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and // Timers
closing idle timeouts.
To accommodate deployments that consider
a partially open timeout of 4 minutes as being
excessive from a security standpoint, a NAT may
allow the configured timeout to be less than
4 minutes.
However, a minimum default transitory connection
idle-timeout of 4 minutes is recommended.";
reference grouping timeouts {
"RFC 7857."; description
} "Configure values of various timeouts.";
leaf tcp-trans-close-timeout { leaf udp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default 300;
description description
"The value of the transitory close connection "UDP inactivity timeout. That is the time a mapping
idle-timeout. will stay active without packets traversing the NAT.";
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
reference reference
"RFC 7857."; "RFC 4787.";
} }
leaf tcp-in-syn-timeout { leaf tcp-idle-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 6; default 7440;
description description
"A NAT must not respond to an unsolicited "TCP Idle timeout should be
inbound SYN packet for at least 6 seconds 2 hours and 4 minutes.";
after the packet is received. If during
this interval the NAT receives and translates
an outbound SYN for the connection the NAT
must silently drop the original unsolicited
inbound SYN packet.";
reference reference
"RFC 5382."; "RFC 5382.";
} }
leaf fragment-min-timeout { leaf tcp-trans-open-timeout {
type uint32;
units "seconds";
default 240;
description
"The value of the transitory open connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
type uint32; parameters for configuring the open and
units "seconds"; closing idle timeouts.
default 2; To accommodate deployments that consider
description a partially open timeout of 4 minutes as being
"As long as the NAT has available resources, excessive from a security standpoint, a NAT may
the NAT allows the fragments to arrive allow the configured timeout to be less than
over fragment-min-timeout interval. 4 minutes.
The default value is inspired from RFC6146."; However, a minimum default transitory connection
} idle-timeout of 4 minutes is recommended.";
leaf icmp-timeout { reference
type uint32; "RFC 7857.";
units "seconds"; }
default 60;
description
"An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended
that the ICMP Query session timer be made
configurable";
reference leaf tcp-trans-close-timeout {
"RFC 5508."; type uint32;
units "seconds";
default 240;
description
"The value of the transitory close connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
} reference
"RFC 7857.";
}
list per-port-timeout { leaf tcp-in-syn-timeout {
key port-number; type uint32;
units "seconds";
default 6;
description
"A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds
after the packet is received. If during
this interval the NAT receives and translates
an outbound SYN for the connection the NAT
must silently drop the original unsolicited
inbound SYN packet.";
description reference
"Some NATs are configurable with short timeouts "RFC 5382.";
for some ports, e.g., as 10 seconds on }
port 53 (DNS) and NTP (123) and longer timeouts
on other ports.";
leaf port-number { leaf fragment-min-timeout {
type inet:port-number;
description
"A port number.";
}
leaf port-timeout { type uint32;
type inet:port-number; units "seconds";
mandatory true; default 2;
description description
"Timeout for this port"; "As long as the NAT has available resources,
} the NAT allows the fragments to arrive
} over fragment-min-timeout interval.
The default value is inspired from RFC6146.";
}
leaf hold-down-timeout { leaf icmp-timeout {
type uint32;
units "seconds";
default 60;
description
"An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended
that the ICMP Query session timer be made
configurable";
type uint32; reference
units "seconds"; "RFC 5508.";
default 120; }
description
"Hold down timer. Ports in the
hold down pool are not reassigned until
this timer expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference list per-port-timeout {
"REQ#8 of RFC 6888."; key port-number;
}
leaf hold-down-max { description
type uint32; "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts
on other ports.";
description leaf port-number {
"Maximum ports in the Hold down timer pool. type inet:port-number;
Ports in the hold down pool are not reassigned description
until hold-down-timeout expires. "A port number.";
The length of time and the maximum }
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference leaf port-timeout {
"REQ#8 of RFC 6888."; type inet:port-number;
} mandatory true;
} description
"Timeout for this port";
}
}
// Set of ports leaf hold-down-timeout {
grouping port-set { type uint32;
description units "seconds";
"Indicates a set of ports. default 120;
It may be a simple port range, or use the PSID algorithm
to represent a range of transport layer
ports which will be used by a NAPT.";
choice port-type { description
default port-range; "Hold down timer. Ports in the
description hold down pool are not reassigned until
"Port type: port-range or port-set-algo."; this timer expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
case port-range { reference
leaf start-port-number { "REQ#8 of RFC 6888.";
type inet:port-number; }
description
"Begining of the port range.";
reference leaf hold-down-max {
"Section 3.2.9 of RFC 8045.";
}
leaf end-port-number { type uint32;
type inet:port-number;
description
"End of the port range.";
reference description
"Section 3.2.10 of RFC 8045."; "Maximum ports in the Hold down timer pool.
} Ports in the hold down pool are not reassigned
} until hold-down-timeout expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
case port-set-algo { reference
"REQ#8 of RFC 6888.";
}
}
leaf psid-offset { // Set of ports
type uint8 {
range 0..16;
}
description
"The number of offset bits. In Lightweight 4over6,
the default value is 0 for assigning one contiguous
port range. In MAP-E/T, the default value is 6,
which excludes system ports by default and assigns
port ranges distributed across the entire port space.";
}
leaf psid-len { grouping port-set {
type uint8 { description
range 0..15; "Indicates a set of ports.
} It may be a simple port range, or use the PSID algorithm
mandatory true; to represent a range of transport layer
description ports which will be used by a NAPT.";
"The length of PSID, representing the sharing ratio for an
IPv4 address.";
}
leaf psid { choice port-type {
type uint16; default port-range;
mandatory true; description
description "Port type: port-range or port-set-algo.";
"Port Set Identifier (PSID) value, which identifies a set
of ports algorithmically.";
}
}
} case port-range {
} leaf start-port-number {
type inet:port-number;
description
"Begining of the port range.";
// port numbers: single or port-range reference
"Section 3.2.9 of RFC 8045.";
}
grouping port-number { leaf end-port-number {
description
"Individual port or a range of ports.";
choice port-type { type inet:port-number;
default single-port-number; description
description "End of the port range.";
"Port type: single or port-range.";
case single-port-number { reference
leaf single-port-number { "Section 3.2.10 of RFC 8045.";
type inet:port-number; }
description }
"Used for single port numbers.";
}
}
case port-range { case port-set-algo {
leaf start-port-number {
type inet:port-number;
description
"Begining of the port range.";
reference leaf psid-offset {
"Section 3.2.9 of RFC 8045."; type uint8 {
range 0..16;
}
description
"The number of offset bits. In Lightweight 4over6,
the default value is 0 for assigning one contiguous
port range. In MAP-E/T, the default value is 6,
which excludes system ports by default and assigns
port ranges distributed across the entire port
space.";
} }
leaf end-port-number { leaf psid-len {
type inet:port-number; type uint8 {
description range 0..15;
"End of the port range."; }
mandatory true;
reference description
"Section 3.2.10 of RFC 8045."; "The length of PSID, representing the sharing
ratio for an IPv4 address.";
} }
leaf psid {
type uint16;
mandatory true;
description
"Port Set Identifier (PSID) value, which
identifies a set of ports algorithmically.";
}
} }
}
}
} }
// Mapping Entry // port numbers: single or port-range
grouping mapping-entry { grouping port-number {
description description
"NAT mapping entry."; "Individual port or a range of ports.";
leaf index { choice port-type {
type uint32; default single-port-number;
description description
"A unique identifier of a mapping entry."; "Port type: single or port-range.";
}
leaf type { case single-port-number {
type enumeration { leaf single-port-number {
enum "static" { type inet:port-number;
description description
"The mapping entry is manually configured."; "Used for single port numbers.";
} }
}
enum "dynamic-explicit" { case port-range {
leaf start-port-number {
type inet:port-number;
description description
"This mapping is created by an outgoing "Begining of the port range.";
packet.";
}
enum "dynamic-implicit" { reference
description "Section 3.2.9 of RFC 8045.";
"This mapping is created by an explicit }
dynamic message.";
}
}
description
"Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
}
leaf transport-protocol { leaf end-port-number {
type uint8; type inet:port-number;
description
"End of the port range.";
description reference
"Upper-layer protocol associated with this mapping. "Section 3.2.10 of RFC 8045.";
Values are taken from the IANA protocol registry. }
For example, this field contains 6 (TCP) for a TCP }
mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
} }
}
leaf internal-src-address { // Mapping Entry
type inet:ip-prefix;
description grouping mapping-entry {
"Corresponds to the source IPv4/IPv6 address/prefix description
of the packet received on an internal "NAT mapping entry.";
interface.";
}
container internal-src-port {
description leaf index {
"Corresponds to the source port of the type uint32;
packet received on an internal interface. description
It is used also to carry the internal "A unique identifier of a mapping entry.";
source ICMP identifier."; }
uses port-number; leaf type {
} type enumeration {
enum "static" {
description
"The mapping entry is manually
configured.";
}
leaf external-src-address { enum "dynamic-explicit" {
type inet:ip-prefix; description
"This mapping is created by an
explicit dynamic message.";
}
description enum "dynamic-implicit" {
"Source IP address/prefix of the packet sent description
on an external interface of the NAT."; "This mapping is created by an
} outgoing packet.";
container external-src-port { }
}
description
"Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
}
description leaf transport-protocol {
"Source port of the packet sent type uint8;
on an external interface of the NAT.
It is used also to carry the external
source ICMP identifier.";
uses port-number; description
} "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
}
leaf internal-dst-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal interface of the NAT. of the packet received on an internal
For example, some NAT implementations support the translation of interface.";
both source and destination addresses and ports, }
sometimes referred to as 'Twice NAT'.";
}
container internal-dst-port { container internal-src-port {
description description
"Corresponds to the destination port of the "Corresponds to the source port of the
IP packet received on the internal interface. packet received on an internal interface.
It is used also to carry the internal
source ICMP identifier.";
It is used also to carry the internal uses port-number;
destination ICMP identifier."; }
uses port-number; leaf external-src-address {
} type inet:ip-prefix;
leaf external-dst-address { description
type inet:ip-prefix; "Source IP address/prefix of the packet sent
on an external interface of the NAT.";
}
container external-src-port {
description description
"Corresponds to the destination IP address/prefix "Source port of the packet sent
of the packet sent on an external interface of the NAT."; on an external interface of the NAT.
} It is used also to carry the external
source ICMP identifier.";
container external-dst-port { uses port-number;
}
description leaf internal-dst-address {
"Corresponds to the destination port number of type inet:ip-prefix;
the packet sent on the external interface of the NAT.
It is used also to carry the external
destination ICMP identifier.";
uses port-number; description
} "Corresponds to the destination IP address/prefix
of the packet received on an internal interface
of the NAT.
For example, some NAT implementations support
the translation of both source and destination
addresses and ports, sometimes referred to
as 'Twice NAT'.";
}
leaf lifetime { container internal-dst-port {
type uint32;
//mandatory true;
description description
"When specified, it tracks the connection that is "Corresponds to the destination port of the
fully-formed (e.g., once the 3WHS TCP is completed) IP packet received on the internal interface.
or the duration for maintaining an explicit mapping
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to
remove that mapping.";
}
}
grouping nat-parameters { It is used also to carry the internal
description destination ICMP identifier.";
"NAT parameters for a given instance";
list external-ip-address-pool { uses port-number;
key pool-id; }
description leaf external-dst-address {
"Pool of external IP addresses used to type inet:ip-prefix;
service internal hosts.
Both contiguous and non-contiguous pools
can be configured for NAT purposes.";
leaf pool-id { description
type uint32; "Corresponds to the destination IP address/prefix
of the packet sent on an external interface
of the NAT.";
}
description container external-dst-port {
"An identifier of the address pool.";
}
leaf external-ip-pool { description
type inet:ipv4-prefix; "Corresponds to the destination port number of
the packet sent on the external interface
of the NAT.
It is used also to carry the external
destination ICMP identifier.";
description uses port-number;
"An IPv4 prefix used for NAT purposes."; }
}
}
container port-set-restrict { leaf lifetime {
type uint32;
//mandatory true;
when "../nat-capabilities/restricted-port-support = 'true' "; description
"When specified, it tracks the connection that is
fully-formed (e.g., once the 3WHS TCP is completed)
or the duration for maintaining an explicit mapping
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to
remove that mapping.";
}
}
description grouping nat-parameters {
"Configures contiguous and non-contiguous port ranges."; description
"NAT parameters for a given instance";
uses port-set; list external-ip-address-pool {
} key pool-id;
leaf dst-nat-enable { description
type boolean; "Pool of external IP addresses used to
default false; service internal hosts.
Both contiguous and non-contiguous pools
can be configured for NAT purposes.";
description leaf pool-id {
"Enable/Disable destination NAT. type uint32;
A NAT44 may be configured to enable
Destination NAT, too.";
}
list dst-ip-address-pool { description
//if-feature dst-nat; "An identifier of the address pool.";
when "../nat-capabilities/nat-flavor = 'dst-nat' "; }
key pool-id; leaf external-ip-pool {
type inet:ipv4-prefix;
description description
"Pool of IP addresses used for destination NAT."; "An IPv4 prefix used for NAT purposes.";
}
}
leaf pool-id { container port-set-restrict {
type uint32;
description when "../nat-capabilities/restricted-port-support = 'true'";
"An identifier of the address pool.";
}
leaf dst-in-ip-pool { description
type inet:ip-prefix; "Configures contiguous and non-contiguous port ranges.";
description uses port-set;
"Internal IP prefix/address"; }
}
leaf dst-out-ip-pool { leaf dst-nat-enable {
type inet:ip-prefix; type boolean;
default false;
description description
"IP address/prefix used for destination NAT."; "Enable/Disable destination NAT.
} A NAT44 may be configured to enable
Destination NAT, too.";
} }
list nat64-prefixes { list dst-ip-address-pool {
//if-feature dst-nat;
when "../nat-capabilities/nat-flavor = 'dst-nat' ";
when "../nat-capabilities/nat-flavor = 'nat64' " + key pool-id;
" or ../nat-capabilities/nat-flavor = 'clat'";
key nat64-prefix; description
"Pool of IP addresses used for destination NAT.";
description leaf pool-id {
"Provides one or a list of NAT64 prefixes type uint32;
with or without a list of destination IPv4 prefixes.
Destination-based Pref64::/n is discussed in description
Section 5.1 of [RFC7050]. For example: "An identifier of the address pool.";
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. }
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference leaf dst-in-ip-pool {
"Section 5.1 of RFC7050."; type inet:ip-prefix;
leaf nat64-prefix { description
type inet:ipv6-prefix; "Internal IP prefix/address";
//default "64:ff9b::/96"; }
description leaf dst-out-ip-pool {
"A NAT64 prefix. Can be NSP or a Well-Known type inet:ip-prefix;
Prefix (WKP).";
reference description
"RFC 6052."; "IP address/prefix used for destination NAT.";
}
} }
list destination-ipv4-prefix { list nat64-prefixes {
key ipv4-prefix; when "../nat-capabilities/nat-flavor = 'nat64' " +
" or ../nat-capabilities/nat-flavor = 'clat'";
description key nat64-prefix;
"An IPv4 prefix/address.";
leaf ipv4-prefix { description
type inet:ipv4-prefix; "Provides one or a list of NAT64 prefixes
description with or without a list of destination IPv4 prefixes.
"An IPv4 address/prefix.";
}
}
}
list clat-ipv6-prefixes { Destination-based Pref64::/n is discussed in
Section 5.1 of [RFC7050]. For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
when "../nat-capabilities/nat-flavor = 'clat' "; reference
"Section 5.1 of RFC7050.";
key clat-ipv6-prefix; leaf nat64-prefix {
type inet:ipv6-prefix;
//default "64:ff9b::/96";
description description
"464XLAT double translation treatment is "A NAT64 prefix. Can be NSP or a Well-Known
stateless when a dedicated /64 is available Prefix (WKP).";
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference reference
"RFC 6877."; "RFC 6052.";
}
leaf clat-ipv6-prefix { list destination-ipv4-prefix {
type inet:ipv6-prefix;
description key ipv4-prefix;
"An IPv6 prefix used for CLAT.";
}
}
list clat-ipv4-prefixes { description
when "../nat-capabilities/nat-flavor = 'clat'"; "An IPv4 prefix/address.";
key clat-ipv4-prefix; leaf ipv4-prefix {
type inet:ipv4-prefix;
description
"An IPv4 address/prefix.";
}
}
}
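The nat64-prefixes list above pairs each Pref64::/n with an optional set of destination IPv4 prefixes, as in the description's example (192.0.2.0/24 to 2001:db8:122:300::/56, 198.51.100.0/24 to 2001:db8:122::/48). How an IPv4 address is embedded in such a prefix is defined by RFC 6052, and the prefix length decides where the 32 bits land. The Python below is an added example, not code from the draft: NAT64_PREFIXES is a constructed configuration that uses the description's two entries plus the Well-Known Prefix 64:ff9b::/96 as an assumed catch-all, and the function names are the example's own.

```python
"""RFC 6052 address synthesis driven by the nat64-prefixes list above.

Added example, not code from the draft. NAT64_PREFIXES is a constructed
configuration: the two destination-based entries are the description's
own example, and the Well-Known Prefix 64:ff9b::/96 is an assumed catch-all.
"""
import ipaddress

NAT64_PREFIXES = [
    # (nat64-prefix, destination-ipv4-prefix list; an empty list = any destination)
    ("2001:db8:122:300::/56", ["192.0.2.0/24"]),
    ("2001:db8:122::/48", ["198.51.100.0/24"]),
    ("64:ff9b::/96", []),
]

_ALLOWED_PLEN = (32, 40, 48, 56, 64, 96)


def _bit_positions(plen):
    """Positions (0 = most significant bit) of the 32 IPv4 bits in an
    IPv4-embedded address for Pref64::/plen. RFC 6052 keeps bits 64..71
    (the 'u' octet) zero, so for prefixes shorter than /96 the IPv4 bits
    that would land there continue after bit 71 instead."""
    if plen not in _ALLOWED_PLEN:
        raise ValueError(f"unsupported Pref64 length /{plen}")
    positions = []
    for i in range(32):
        pos = plen + i
        if plen < 96 and pos >= 64:
            pos += 8
        positions.append(pos)
    return positions


def synthesize(pref64, ipv4):
    """Embed an IPv4 address in Pref64::/n (RFC 6052, Section 2.2)."""
    net = ipaddress.IPv6Network(pref64)
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(net.network_address)
    for i, pos in enumerate(_bit_positions(net.prefixlen)):
        if (v4 >> (31 - i)) & 1:
            v6 |= 1 << (127 - pos)
    return ipaddress.IPv6Address(v6)


def extract(pref64, ipv6):
    """Inverse of synthesize(). Rejects addresses outside the prefix or with
    a non-zero 'u' octet, which a NAT64 must not treat as embedded IPv4."""
    net = ipaddress.IPv6Network(pref64)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    v6 = int(addr)
    if net.prefixlen < 96 and (v6 >> (127 - 71)) & 0xFF:
        raise ValueError("bits 64..71 must be zero in an IPv4-embedded address")
    v4 = 0
    for pos in _bit_positions(net.prefixlen):
        v4 = (v4 << 1) | ((v6 >> (127 - pos)) & 1)
    return ipaddress.IPv4Address(v4)


def select_pref64(ipv4):
    """Destination-based Pref64::/n choice (Section 5.1 of RFC 7050): the
    longest matching destination-ipv4-prefix wins; an entry without a
    destination list serves whatever nothing else matched."""
    dst = ipaddress.IPv4Address(ipv4)
    best, best_score = None, -1
    for pref64, dst_prefixes in NAT64_PREFIXES:
        if not dst_prefixes:
            score = 0
        else:
            matches = [ipaddress.IPv4Network(p).prefixlen + 1
                       for p in dst_prefixes if dst in ipaddress.IPv4Network(p)]
            if not matches:
                continue
            score = max(matches)
        if score > best_score:
            best, best_score = pref64, score
    if best is None:
        raise LookupError(f"no Pref64 configured for {dst}")
    return best


def nat64_destination(ipv4):
    """The IPv6 destination a NAT64 or CLAT sends to for an IPv4 destination."""
    pref64 = select_pref64(ipv4)
    return pref64, synthesize(pref64, ipv4)
```

The checks in extract matter on the inbound side: an IPv6 packet whose destination lies in the Pref64 but carries a non-zero 'u' octet, or one outside the configured prefix altogether, must not be decapsulated into an IPv4 destination the operator never intended to reach.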
list clat-ipv6-prefixes {
when "../nat-capabilities/nat-flavor = 'clat' ";
key clat-ipv6-prefix;
description description
"Pool of IPv4 addresses used for CLAT. "464XLAT double translation treatment is
192.0.0.0/29 is the IPv4 service continuity stateless when a dedicated /64 is available
prefix."; for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference reference
"RFC 7335."; "RFC 6877.";
leaf clat-ipv4-prefix { leaf clat-ipv6-prefix {
type inet:ipv4-prefix; type inet:ipv6-prefix;
description description
"464XLAT double translation treatment is "An IPv6 prefix used for CLAT.";
stateless when a dedicated /64 is available }
for translation on the CLAT. Otherwise, the }
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference list clat-ipv4-prefixes {
"RFC 6877.";
}
}
list nptv6-prefixes { when "../nat-capabilities/nat-flavor = 'clat'";
when "../nat-capabilities/nat-flavor = 'nptv6' "; key clat-ipv4-prefix;
key pool-id; description
"Pool of IPv4 addresses used for CLAT.
192.0.0.0/29 is the IPv4 service continuity
prefix.";
description reference
"Provides one or a list of (internal IPv6 prefix, "RFC 7335.";
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network leaf clat-ipv4-prefix {
links, one of which is an 'internal' network link attached type inet:ipv4-prefix;
to a leaf network within a single administrative domain
and the other of which is an 'external' network with
connectivity to the global Internet.";
reference description
"RFC 6296."; "464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
leaf pool-id { reference
type uint32; "RFC 6877.";
description }
"An identifier of the NPTv6 prefixes."; }
}
leaf internal-ipv6-prefix { list nptv6-prefixes {
type inet:ipv6-prefix;
description when "../nat-capabilities/nat-flavor = 'nptv6' ";
"An IPv6 prefix used by an internal interface
of NPTv6.";
reference key translation-id;
"RFC 6296.";
}
leaf external-ipv6-prefix { description
type inet:ipv6-prefix; "Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference
"RFC 6296.";
leaf translation-id {
type uint32;
description description
"An IPv6 prefix used by the external interface "An identifier of the NPTv6 prefixes.";
of NPTv6."; }
reference leaf internal-ipv6-prefix {
"RFC 6296."; type inet:ipv6-prefix;
}
}
list supported-transport-protocols { description
"An IPv6 prefix used by an internal interface
of NPTv6.";
key transport-protocol-id; reference
"RFC 6296.";
}
description leaf external-ipv6-prefix {
"Supported transport protocols. type inet:ipv6-prefix;
TCP and UDP are supported by default.";
leaf transport-protocol-id { description
type uint8; "An IPv6 prefix used by the external interface
mandatory true; of NPTv6.";
description reference
"Upper-layer protocol associated with this mapping. "RFC 6296.";
Values are taken from the IANA protocol registry. }
For example, this field contains 6 (TCP) for a TCP }
mapping or 17 (UDP) for a UDP mapping.";
}
leaf transport-protocol-name { list supported-transport-protocols {
type string;
description
"For example, TCP, UDP, DCCP, and SCTP.";
}
}
leaf subscriber-mask-v6 { key transport-protocol-id;
type uint8 {
range "0 .. 128";
}
description description
"The subscriber-mask is an integer that indicates "Supported transport protocols.
the length of significant bits to be applied on TCP and UDP are supported by default.";
the source IP address (internal side) to
unambiguously identify a CPE.
Subscriber-mask is a system-wide configuration leaf transport-protocol-id {
parameter that is used to enforce generic type uint8;
per-subscriber policies (e.g., port-quota). mandatory true;
The enforcement of these generic policies does not description
require the configuration of every subscriber's "Upper-layer protocol associated with this mapping.
prefix. Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping.";
}
Example: suppose the 2001:db8:100:100::/56 prefix leaf transport-protocol-name {
is assigned to a NAT64 serviced CPE. Suppose also type string;
that 2001:db8:100:100::1 is the IPv6 address used description
by the client that resides in that CPE. When the "For example, TCP, UDP, DCCP, and SCTP.";
NAT64 receives a packet from this client, }
it applies the subscriber-mask (e.g., 56) on }
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address.";
}
list subscriber-match {
key sub-match-id; leaf subscriber-mask-v6 {
type uint8 {
range "0 .. 128";
}
description description
"IP prefix match."; "The subscriber-mask is an integer that indicates
the length of significant bits to be applied on
the source IP address (internal side) to
unambiguously identify a CPE.
leaf sub-match-id { Subscriber-mask is a system-wide configuration
type uint32; parameter that is used to enforce generic
description per-subscriber policies (e.g., port-quota).
"An identifier of the subscriber match.";
}
leaf sub-mask { The enforcement of these generic policies does not
type inet:ip-prefix; require the configuration of every subscriber's
mandatory true; prefix.
description
"The IP address subnets that match
should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
Example: suppose the 2001:db8:100:100::/56 prefix
is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the
NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address.";
} }
list nat-pass-through { list subscriber-match {
key nat-pass-through-id;
description key sub-match-id;
"IP prefix NAT pass through.";
leaf nat-pass-through-id { description
type uint32; "IP prefix match.";
description
"An identifier of the IP prefix pass through.";
}
leaf nat-pass-through-pref { leaf sub-match-id {
type inet:ip-prefix; type uint32;
description description
"The IP address subnets that match "An identifier of the subscriber match.";
should not be translated. According to REQ#6 }
of RFC6888, it must be possible to leaf sub-mask {
administratively turn off translation type inet:ip-prefix;
for specific destination addresses mandatory true;
and/or ports."; description
"The IP address subnets that match
should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
} }
leaf nat-pass-through-port { list nat-pass-through {
type inet:port-number;
key nat-pass-through-id;
description
"IP prefix NAT pass through.";
leaf nat-pass-through-id {
type uint32;
description description
"Destination port for which, together "An identifier of the IP prefix pass
with the matching prefix, translation through.";
is turned off. According to REQ#6 }
of RFC6888, it must be possible to
administratively turn off translation
for specific destination addresses
and/or ports.";
}
}
leaf paired-address-pooling { leaf nat-pass-through-pref {
type boolean; type inet:ip-prefix;
default true; description
"The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible
to administratively turn off translation
for specific destination addresses
and/or ports.";
}
description leaf nat-pass-through-port {
"Paired address pooling informs the NAT type inet:port-number;
that all the flows from an internal IP description
address must be assigned the same external "Destination port for which, together
address."; with the matching prefix, translation
is turned off. According to REQ#6 of
RFC6888, it must be possible to
administratively turn off translation
for specific destination addresses
and/or ports.";
}
reference }
"Section 4.1 of RFC 4787.";
}
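Three of the parameters above decide, per packet, whether the NAT acts at all and which subscriber a policy such as a port quota is charged to: subscriber-match (internal prefixes that must be processed), nat-pass-through (destination prefixes and ports for which translation is administratively turned off, REQ#6 of RFC 6888), and subscriber-mask-v6 (the prefix length applied to the internal source address to derive the subscriber's prefix, as in the 2001:db8:100:100::/56 example). The Python below is an added example, not code from the draft; the SUBSCRIBER_MATCH and NAT_PASS_THROUGH tables are constructed sample configuration (the /56 CPE prefix is the description's own example, the other ranges are documentation addresses chosen here), and the function names are the example's own.

```python
"""Subscriber identification and pass-through decisions built from the
subscriber-mask-v6, subscriber-match and nat-pass-through parameters above.

Added example, not code from the draft. The tables are constructed sample
configuration.
"""
import ipaddress

SUBSCRIBER_MASK_V6 = 56

# subscriber-match/sub-mask: internal prefixes the NAT must process.
SUBSCRIBER_MATCH = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]

# nat-pass-through: (destination prefix, port or None) for which translation
# is administratively turned off (REQ#6 of RFC 6888).
NAT_PASS_THROUGH = [
    (ipaddress.ip_network("203.0.113.0/24"), None),   # whole prefix exempt
    (ipaddress.ip_network("198.51.100.7/32"), 443),   # one service exempt
]


def subscriber_prefix(src, mask_len=SUBSCRIBER_MASK_V6):
    """Apply the subscriber mask to an internal IPv6 source address, e.g.
    2001:db8:100:100::1 -> 2001:db8:100:100::/56. Per-subscriber policies
    (port-quota, limits) are keyed on the returned prefix, not the host."""
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        raise ValueError("subscriber-mask-v6 applies to IPv6 sources only")
    return ipaddress.ip_network(f"{addr}/{mask_len}", strict=False)


def subscriber_key(src):
    """Policy key: the masked prefix for IPv6, the host /32 for IPv4."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6:
        return subscriber_prefix(addr)
    return ipaddress.ip_network(f"{addr}/32")


def _matches(addr, net):
    return net.version == addr.version and addr in net


def classify(src, dst, dst_port):
    """Decide what the NAT does with a packet.

    Returns one of
      ("no-match", None)      source outside every subscriber-match prefix
      ("pass-through", None)  destination covered by nat-pass-through
      ("translate", key)      translate; key is the subscriber policy key
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if not any(_matches(s, net) for net in SUBSCRIBER_MATCH):
        return ("no-match", None)
    for net, port in NAT_PASS_THROUGH:
        if _matches(d, net) and (port is None or port == dst_port):
            return ("pass-through", None)
    return ("translate", subscriber_key(s))
```

The ordering is deliberate: a packet from an unmatched source is never translated regardless of destination, and a pass-through entry is checked before any quota is charged, so exempt traffic cannot exhaust a subscriber's ports.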
leaf nat-mapping-type { leaf paired-address-pooling {
type enumeration { type boolean;
enum "eim" { default true;
description
"endpoint-independent-mapping.";
reference description
"Section 4 of RFC 4787."; "Paired address pooling informs the NAT
} that all the flows from an internal IP
address must be assigned the same external
address.";
enum "adm" { reference
description "Section 4.1 of RFC 4787.";
"address-dependent-mapping."; }
leaf nat-mapping-type {
type enumeration {
enum "eim" {
description
"endpoint-independent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
enum "edm" { enum "adm" {
description description
"address-and-port-dependent-mapping."; "address-dependent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
}
description
"Indicates the type of a NAT mapping.";
}
leaf nat-filtering-type {
type enumeration {
enum "eif" {
description enum "edm" {
"endpoint-independent-filtering."; description
"address-and-port-dependent-mapping.";
reference reference
"Section 5 of RFC 4787."; "Section 4 of RFC 4787.";
} }
}
description
"Indicates the type of a NAT mapping.";
}
enum "adf" { leaf nat-filtering-type {
description type enumeration {
"address-dependent-filtering."; enum "eif" {
reference description
"Section 5 of RFC 4787."; "endpoint-independent-filtering.";
}
enum "edf" { reference
description "Section 5 of RFC 4787.";
"address-and-port-dependent-filtering"; }
reference enum "adf" {
"Section 5 of RFC 4787."; description
} "address-dependent-filtering.";
}
description
"Indicates the type of a NAT filtering.";
}
list port-quota { reference
when "../nat-capabilities/nat44-flavor = "+ "Section 5 of RFC 4787.";
"'napt' or "+ }
"../nat-capabilities/nat-flavor = "+
"'nat64'";
key quota-type; enum "edf" {
description
"address-and-port-dependent-filtering";
description reference
"Configures a port quota to be assigned per "Section 5 of RFC 4787.";
subscriber. It corresponds to the maximum }
number of ports to be used by a subscriber."; }
description
"Indicates the type of a NAT filtering.";
}
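The mapping-entry grouping above records, per mapping, the internal and external (address, port) pairs, the transport protocol and an optional lifetime, while nat-mapping-type and nat-filtering-type select the RFC 4787 behaviours that decide when a new mapping is created and which inbound packets are allowed through an existing one. The Python below is an added example, not code from the draft, that ties the two together in a toy NAPT44 state table: it creates dynamic-implicit entries from outbound packets, keys them according to eim/adm/edm, filters inbound packets according to eif/adf/edf, and enforces a per-subscriber port-limit (REQ-4 of RFC 6888). The class names, the simplified port-preservation allocator and the QuotaExceeded error are this example's own.

```python
"""Toy NAPT44 state table built from the mapping-entry fields and the
RFC 4787 mapping/filtering behaviours named in the module.

Added example, not code from the draft. Names and the allocator policy are
this example's own simplifications.
"""
from dataclasses import dataclass, field
from typing import Optional
import itertools


class QuotaExceeded(Exception):
    """Per-subscriber port quota reached (REQ-4 of RFC 6888)."""


@dataclass
class MappingEntry:
    index: int
    type: str                  # static | dynamic-implicit | dynamic-explicit
    transport_protocol: int    # IANA protocol number: 6 = TCP, 17 = UDP
    internal_src_address: str
    internal_src_port: int
    external_src_address: str
    external_src_port: int
    lifetime: Optional[int] = None
    # Remote (address, port) pairs that have used this mapping; the state
    # the adf/edf filtering decisions are made against.
    remote_endpoints: set = field(default_factory=set)


class Nat44:
    def __init__(self, external_address, mapping_type="eim",
                 filtering_type="eif", port_limit=None):
        if mapping_type not in ("eim", "adm", "edm") or filtering_type not in ("eif", "adf", "edf"):
            raise ValueError("unknown RFC 4787 behaviour")
        self.external_address = external_address
        self.mapping_type = mapping_type
        self.filtering_type = filtering_type
        self.port_limit = port_limit          # port-quota/port-limit; None = unlimited
        self.entries = {}                     # mapping key -> MappingEntry
        self._index = itertools.count(1)
        self._ports_in_use = set()            # (protocol, external port)

    def _mapping_key(self, proto, isrc, isport, dst, dport):
        # eim: one mapping per internal endpoint, reused for every destination
        # adm: one per (internal endpoint, destination address)
        # edm: one per full (internal endpoint, destination address, port)
        key = (proto, isrc, isport)
        if self.mapping_type == "adm":
            key += (dst,)
        elif self.mapping_type == "edm":
            key += (dst, dport)
        return key

    def _allocate_port(self, proto, wanted):
        # port-preservation: keep the internal port if it is free and not a
        # system port, otherwise the lowest free port >= 1024 (toy policy).
        if wanted >= 1024 and (proto, wanted) not in self._ports_in_use:
            port = wanted
        else:
            port = next(p for p in range(1024, 65536) if (proto, p) not in self._ports_in_use)
        self._ports_in_use.add((proto, port))
        return port

    def outbound(self, proto, isrc, isport, dst, dport):
        """Internal -> external packet: return (external address, external
        port), creating a dynamic-implicit mapping when none matches."""
        key = self._mapping_key(proto, isrc, isport, dst, dport)
        entry = self.entries.get(key)
        if entry is None:
            used = sum(1 for e in self.entries.values() if e.internal_src_address == isrc)
            if self.port_limit is not None and used >= self.port_limit:
                raise QuotaExceeded(f"{isrc} already holds {used} external ports")
            entry = MappingEntry(next(self._index), "dynamic-implicit", proto, isrc, isport,
                                 self.external_address, self._allocate_port(proto, isport))
            self.entries[key] = entry
        entry.remote_endpoints.add((dst, dport))
        return entry.external_src_address, entry.external_src_port

    def inbound(self, proto, src, sport, ext_port):
        """External -> internal packet: return (internal address, internal
        port), or None when no mapping exists or filtering drops it."""
        entry = next((e for e in self.entries.values()
                      if e.transport_protocol == proto and e.external_src_port == ext_port), None)
        if entry is None:
            return None
        if self.filtering_type == "eif":
            allowed = True                                        # any remote host
        elif self.filtering_type == "adf":
            allowed = any(addr == src for addr, _ in entry.remote_endpoints)
        else:
            allowed = (src, sport) in entry.remote_endpoints       # exact endpoint only
        return (entry.internal_src_address, entry.internal_src_port) if allowed else None
```

The contrast a reviewer of a NAT configuration wants to see is in the tests: with eim/eif any external host that learns the external port can reach the internal endpoint (the behaviour peer-to-peer applications rely on), whereas edm/edf only admits the exact endpoint the internal host contacted, at the cost of one external port per destination charged against the subscriber's quota.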
leaf port-limit { list port-quota {
when "../nat-capabilities/nat44-flavor = "+
"'napt' or "+
"../nat-capabilities/nat-flavor = "+
"'nat64'";
type uint16; key quota-type;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum subscriber. It corresponds to the maximum
number of ports to be used by a subscriber."; number of ports to be used by a subscriber.";
reference leaf port-limit {
"REQ-4 of RFC 6888.";
}
leaf quota-type { type uint16;
type enumeration { description
enum "all" { "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum
number of ports to be used by a subscriber.";
description reference
"The limit applies to all protocols."; "REQ-4 of RFC 6888.";
}
reference leaf quota-type {
"REQ-4 of RFC 6888."; type enumeration {
} enum "all" {
enum "tcp" { description
description "The limit applies to all protocols.";
"TCP quota.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
enum "udp" { enum "tcp" {
description description
"UDP quota."; "TCP quota.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
enum "icmp" {
description
"ICMP quota.";
reference enum "udp" {
"REQ-4 of RFC 6888."; description
} "UDP quota.";
}
description
"Indicates whether the port quota applies to
all protocols or to a specific transport.";
}
}
leaf port-allocation-type { reference
type enumeration { "REQ-4 of RFC 6888.";
enum "random" { }
description
"Port randomization is enabled.";
}
enum "port-preservation" { enum "icmp" {
description description
"Indicates whether the NAT should "ICMP quota.";
preserve the internal port number.";
}
enum "port-parity-preservation" { reference
description "REQ-4 of RFC 6888.";
"Indicates whether the NAT should }
preserve the port parity of the
internal port number.";
} }
description
"Indicates whether the port quota applies to
all protocols or to a specific transport.";
}
enum "port-range-allocation" { }
description
"Indicates whether the NAT assigns a range
of ports for an internal host.";
}
} leaf port-allocation-type {
description type enumeration {
"Indicates the type of a port allocation."; enum "random" {
} description
"Port randomization is enabled.";
}
leaf address-roundrobin-enable { enum "port-preservation" {
type boolean; description
description "Indicates whether the NAT should
"Enable/disable address allocation preserve the internal port number.";
round robin."; }
}
container port-set { enum "port-parity-preservation" {
when "../port-allocation-type = 'port-range-allocation'"; description
"Indicates whether the NAT should
preserve the port parity of the
internal port number.";
}
description enum "port-range-allocation" {
"Manages port-set assignments."; description
"Indicates whether the NAT assigns a
range of ports for an internal host.";
}
leaf port-set-size { }
type uint16; description
description "Indicates the type of a port allocation.";
"Indicates the size of assigned port }
sets.";
}
leaf port-set-timeout { leaf address-roundrobin-enable {
type uint32; type boolean;
description
"Inactivity timeout for port sets.";
}
}
uses timeouts; description
"Enable/disable address allocation
round robin.";
}
container mapping-limit { container port-set {
when "../port-allocation-type='port-range-allocation'";
description description
"Information about the configuration parameters that "Manages port-set assignments.";
limits the mappings based upon various criteria.";
leaf limit-per-subscriber { leaf port-set-size {
type uint32; type uint16;
description
"Indicates the size of assigned port
sets.";
}
description leaf port-set-timeout {
"Maximum number of NAT mappings per type uint32;
subscriber."; description
} "Inactivity timeout for port sets.";
}
}
leaf limit-per-vrf { uses timeouts;
type uint32;
description container mapping-limit {
"Maximum number of NAT mappings per
VLAN/VRF.";
} description
"Information about the configuration parameters that
limits the mappings based upon various criteria.";
leaf limit-per-subnet { leaf limit-per-subscriber {
type inet:ip-prefix; type uint32;
description description
"Maximum number of NAT mappings per "Maximum number of NAT mappings per
subnet."; subscriber.";
} }
leaf limit-per-instance { leaf limit-per-vrf {
type uint32; type uint32;
mandatory true;
description description
"Maximum number of NAT mappings per
VLAN/VRF.";
}
leaf limit-per-subnet {
type inet:ip-prefix;
description
"Maximum number of NAT mappings per "Maximum number of NAT mappings per
instance."; subnet.";
} }
leaf limit-per-udp { leaf limit-per-instance {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of UDP NAT mappings per "Maximum number of NAT mappings per
subscriber."; instance.";
} }
leaf limit-per-tcp { leaf limit-per-udp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of TCP NAT mappings per "Maximum number of UDP NAT mappings per
subscriber."; subscriber.";
}
} leaf limit-per-tcp {
type uint32;
mandatory true;
leaf limit-per-icmp { description
type uint32; "Maximum number of TCP NAT mappings per
mandatory true; subscriber.";
description }
"Maximum number of ICMP NAT mappings per
subscriber.";
}
}
container connection-limit {
description leaf limit-per-icmp {
"Information about the configuration parameters that type uint32;
rate limit the translation based upon various mandatory true;
criteria.";
leaf limit-per-subscriber { description
type uint32; "Maximum number of ICMP NAT mappings per
subscriber.";
}
}
description container connection-limit {
"Rate-limit the number of new mappings and sessions
per subscriber.";
}
leaf limit-per-vrf { description
type uint32; "Information about the configuration parameters that
rate limit the translation based upon various
criteria.";
description leaf limit-per-subscriber {
"Rate-limit the number of new mappings and sessions type uint32;
per VLAN/VRF.";
}
leaf limit-per-subnet { description
type inet:ip-prefix; "Rate-limit the number of new mappings
and sessions per subscriber.";
}
description leaf limit-per-vrf {
"Rate-limit the number of new mappings and sessions type uint32;
per subnet.";
}
leaf limit-per-instance { description
type uint32; "Rate-limit the number of new mappings
mandatory true; and sessions per VLAN/VRF.";
}
description leaf limit-per-subnet {
"Rate-limit the number of new mappings and sessions type inet:ip-prefix;
per instance.";
}
leaf limit-per-udp { description
type uint32; "Rate-limit the number of new mappings
mandatory true; and sessions per subnet.";
}
description leaf limit-per-instance {
"Rate-limit the number of new UDP mappings and sessions type uint32;
per subscriber."; mandatory true;
}
leaf limit-per-tcp {
type uint32;
mandatory true;
description description
"Rate-limit the number of new TCP mappings and sessions "Rate-limit the number of new mappings
per subscriber."; and sessions per instance.";
}
} leaf limit-per-udp {
type uint32;
mandatory true;
leaf limit-per-icmp { description
type uint32; "Rate-limit the number of new UDP mappings
mandatory true; and sessions per subscriber.";
}
description leaf limit-per-tcp {
"Rate-limit the number of new ICMP mappings and sessions type uint32;
per subscriber."; mandatory true;
}
}
list algs { description
"Rate-limit the number of new TCP mappings
and sessions per subscriber.";
key alg-name; }
leaf limit-per-icmp {
type uint32;
mandatory true;
description description
"ALG-related features."; "Rate-limit the number of new ICMP mappings
and sessions per subscriber.";
}
}
leaf alg-name { list algs {
type string;
description key alg-name;
"The name of the ALG";
}
leaf alg-transport-protocol { description
type uint32; "ALG-related features.";
description leaf alg-name {
"The transport protocol used by the ALG."; type string;
}
leaf alg-transport-port { description
type inet:port-number; "The name of the ALG";
}
description leaf alg-transport-protocol {
"The port number used by the ALG."; type uint32;
}
leaf alg-status {
type boolean;
description description
"Enable/disable the ALG."; "The transport protocol used by the ALG.";
} }
}
leaf all-algs-enable { leaf alg-transport-port {
type boolean; type inet:port-number;
description description
"Enable/disable all ALGs."; "The port number used by the ALG.";
} }
container logging-info { leaf alg-status {
description type boolean;
"Information about logging NAT events";
leaf logging-enable { description
type boolean; "Enable/disable the ALG.";
}
}
description leaf all-algs-enable {
"Enable logging features as per Section 2.3 type boolean;
of [RFC6908].";
}
leaf destination-address { description
type inet:ip-prefix; "Enable/disable all ALGs.";
mandatory true; }
description container logging-info {
"Address of the collector that receives description
the logs"; "Information about logging NAT events";
}
leaf destination-port { leaf logging-enable {
type inet:port-number; type boolean;
mandatory true;
description description
"Destination port of the collector."; "Enable logging features as per Section 2.3
} of [RFC6908].";
}
choice protocol { leaf destination-address {
type inet:ip-prefix;
mandatory true;
description description
"Enable the protocol to be used for "Address of the collector that receives
the retrieval of logging entries."; the logs";
}
case syslog { leaf destination-port {
leaf syslog { type inet:port-number;
type boolean; mandatory true;
description description
"If SYSLOG is in use."; "Destination port of the collector.";
} }
}
case ipfix { choice protocol {
leaf ipfix {
type boolean;
description description
"If IPFIX is in use."; "Enable the protocol to be used for
} the retrieval of logging entries.";
}
case ftp { case syslog {
leaf ftp { leaf syslog {
type boolean;
description
"If SYSLOG is in use.";
}
}
case ipfix {
leaf ipfix {
type boolean; type boolean;
description description
"If FTP is in use."; "If IPFIX is in use.";
} }
} }
}
}
container notify-pool-usage { case ftp {
description leaf ftp {
"Notification of pool usage when certain criteria type boolean;
are met.";
leaf pool-id { description
type uint32; "If FTP is in use.";
}
}
}
}
description container notify-pool-usage {
"Pool-ID for which the notification description
criteria is defined"; "Notification of pool usage when certain criteria
} are met.";
leaf notify-pool-hi-threshold { leaf pool-id {
type percent; type uint32;
mandatory true;
description
"Notification must be generated when the
defined high threshold is reached.
For example, if a notification is
required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf notify-pool-low-threshold { description
type percent; "Pool-ID for which the notification
criteria is defined";
}
description leaf notify-pool-hi-threshold {
"Notification must be generated when the defined type percent;
low threshold is reached. mandatory true;
For example, if a notification is required when
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
}
} //nat-parameters group description
"Notification must be generated when the
defined high threshold is reached.
For example, if a notification is
required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf notify-pool-low-threshold {
type percent;
container nat-module { description
description "Notification must be generated when the defined
"NAT"; low threshold is reached.
For example, if a notification is required when
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
}
container nat-instances { } //nat-parameters group
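Review bot: `logging-info` (right-hand column above) is a non-presence container whose `destination-address` and `destination-port` leaves are `mandatory true`; a non-presence container with mandatory children is itself mandatory (RFC 7950, Section 3.1), so every NAT instance that uses `nat-parameters` would be forced to configure a log collector even when `logging-enable` is false. Either give `logging-info` a `presence` statement or drop `mandatory true` and constrain the two leaves with a `must` tied to `logging-enable`. Two smaller points in the same block: `destination-address` is typed `inet:ip-prefix` although its description calls it the address of the collector, so `inet:ip-address` is the better fit; and `logging-enable` has no `default`, so the behaviour when the leaf is absent is undefined. In `choice protocol`, each case carries a boolean leaf ("If SYSLOG is in use.") that only restates the case selection; `type empty` leaves would express the same thing without a boolean that is always true when present.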
description
"NAT instances";
list nat-instance { container nat-module {
description
"NAT";
key "id"; container nat-instances {
description
"NAT instances";
description list nat-instance {
"A NAT instance.";
leaf id { key "id";
type uint32;
description description
"NAT instance identifier."; "A NAT instance.";
reference leaf id {
"RFC 7659."; type uint32;
}
leaf name { description
type string; "NAT instance identifier.";
description reference
"A name associated with the NAT instance."; "RFC 7659.";
} }
leaf enable { leaf name {
type boolean; type string;
description description
"Status of the the NAT instance."; "A name associated with the NAT instance.";
} }
container nat-capabilities { leaf enable {
config false; type boolean;
description description
"NAT capabilities"; "Status of the the NAT instance.";
}
leaf-list nat-flavor { container nat-capabilities {
type identityref { config false;
base nat-type;
}
description
"Type of NAT.";
}
leaf-list nat44-flavor { description
"NAT capabilities";
when "../nat-flavor = 'nat44'"; leaf-list nat-flavor {
type identityref {
base nat-type;
}
description
"Type of NAT.";
}
type identityref { leaf-list nat44-flavor {
base nat44;
when "../nat-flavor = 'nat44'";
type identityref {
base nat44;
}
description
"Type of NAT44: Basic NAT or NAPT.";
}
leaf restricted-port-support {
type boolean;
description
"Indicates source port NAT restriction
support.";
} }
description
"Type of NAT44: Basic NAT or NAPT.";
}
leaf restricted-port-support { leaf static-mapping-support {
type boolean; type boolean;
description description
"Indicates source port NAT restriction "Indicates whether static mappings are
support."; supported.";
} }
leaf static-mapping-support { leaf port-randomization-support {
type boolean; type boolean;
description description
"Indicates whether static mappings are "Indicates whether port randomization is
supported."; supported.";
} }
leaf port-randomization-support { leaf port-range-allocation-support {
type boolean;
description
"Indicates whether port range
allocation is supported.";
}
leaf port-preservation-suport {
type boolean;
description
"Indicates whether port preservation
is supported.";
}
leaf port-parity-preservation-support {
type boolean;
description
"Indicates whether port parity
preservation is supported.";
}
leaf address-roundrobin-support {
type boolean;
description
"Indicates whether address allocation
round robin is supported.";
}
leaf paired-address-pooling-support {
type boolean;
description
"Indicates whether paired-address-pooling is
supported";
}
leaf endpoint-independent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether port randomization is "Indicates whether endpoint-independent-
supported."; mapping in Section 4 of RFC 4787 is
} supported.";
}
leaf port-range-allocation-support { leaf address-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether port range "Indicates whether address-dependent-
allocation is supported."; mapping is supported.";
} }
leaf port-preservation-suport { leaf address-and-port-dependent-mapping-support
type boolean; {
type boolean;
description description
"Indicates whether port preservation "Indicates whether address-and-port-
is supported."; dependent-mapping is supported.";
} }
leaf port-parity-preservation-support { leaf endpoint-independent-filtering-support
type boolean; {
type boolean;
description description
"Indicates whether port parity "Indicates whether endpoint-independent
preservation is supported."; -filtering is supported.";
} }
leaf address-roundrobin-support { leaf address-dependent-filtering {
type boolean; type boolean;
description description
"Indicates whether address allocation "Indicates whether address-dependent
round robin is supported."; -filtering is supported.";
} }
leaf paired-address-pooling-support { leaf address-and-port-dependent-filtering {
type boolean; type boolean;
description
"Indicates whether paired-address-pooling is
supported";
}
leaf endpoint-independent-mapping-support { description
type boolean; "Indicates whether address-and-port
-dependent is supported.";
}
}
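Review bot: in `nat-capabilities`, the leaf name `port-preservation-suport` is misspelled (`leaf port-preservation-suport {` in both columns); leaf names become the module's API once published, so rename it to `port-preservation-support` now. Sibling naming is also inconsistent: `address-dependent-filtering` and `address-and-port-dependent-filtering` lack the `-support` suffix that every other capability leaf carries, and the description of the latter, "Indicates whether address-and-port -dependent is supported.", drops the word "filtering". Earlier in the same list, `leaf enable` is described as "Status of the the NAT instance." (doubled "the").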
description list internal-interfaces {
"Indicates whether endpoint-independent-mapping
in Section 4 of RFC 4787 is supported.";
}
leaf address-dependent-mapping-support { key internal-interface;
type boolean;
description description
"Indicates whether address-dependent-mapping "List of internal interfaces.";
is supported.";
}
leaf address-and-port-dependent-mapping-support { leaf internal-interface {
type boolean; type if:interface-ref;
description
"Name of an internal interface.";
}
}
description list external-interfaces {
"Indicates whether address-and-port-dependent-mapping
is supported.";
}
leaf endpoint-independent-filtering-support { key external-interface;
type boolean;
description description
"Indicates whether endpoint-independent-filtering "List of external interfaces.";
is supported.";
}
leaf address-dependent-filtering { leaf external-interface {
type boolean; type if:interface-ref;
description
"Name of an external interface.";
}
}
description uses nat-parameters;
"Indicates whether address-dependent-filtering
is supported.";
}
leaf address-and-port-dependent-filtering {
type boolean;
description container mapping-table {
"Indicates whether address-and-port-dependent
is supported.";
}
}
uses nat-parameters; when "../nat-capabilities/nat-flavor = "+
"'nat44' or "+
"../nat-capabilities/nat-flavor = "+
"'nat64'or "+
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
container mapping-table { description
"NAT mapping table. Applicable for functions
which maintains static and/or dynamic mappings,
such as NAT44, Destination NAT, NAT64, CLAT,
or EAM.";
when "../nat-capabilities/nat-flavor = "+ list mapping-entry {
"'nat44' or "+ key "index";
"../nat-capabilities/nat-flavor = "+
"'nat64'or "+
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
description description
"NAT mapping table. Applicable for functions which "NAT mapping entry.";
maintains static and/or dynamic mappings such as NAT44,
Destination NAT, NAT64, CLAT, or EAM.";
list mapping-entry { uses mapping-entry;
key "index"; }
}
description container statistics {
"NAT mapping entry.";
uses mapping-entry; config false;
}
}
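Review bot: the `when` on `container mapping-table` (`when "../nat-capabilities/nat-flavor = "+ ...`) refers to nodes under `nat-capabilities`, which is `config false`; for a configuration node the accessible tree of a `when` expression holds only configuration data (RFC 7950, Section 6.4.1), so in a configuration datastore the condition is never satisfied and no `mapping-entry` can be configured at all. A config-true selector for the instance type, or moving the flavor leaf out of `nat-capabilities`, would resolve this. Two smaller points in the same clause: the fragments `"'nat64'or "` and `"'clat'or "` lack the space that `"'nat44' or "` has, which reads as a typo even though XPath tolerates it; and the description lists EAM among the functions covered, but no EAM flavor appears in the `when` list, so either add it there or drop it from the description.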
container statistics { description
"Statistics related to the NAT instance.";
config false; container traffic-statistics {
description
"Generic traffic statistics.";
description leaf sent-packet {
"Statistics related to the NAT instance."; type yang:zero-based-counter64;
container traffic-statistics { description
description "Number of packets sent.";
"Generic traffic statistics."; }
leaf sent-packet { leaf sent-byte {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Counter for sent traffic in bytes.";
} }
leaf sent-byte { leaf rcvd-packet {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for sent traffic in bytes."; "Number of received packets.";
} }
leaf rcvd-packet { leaf rcvd-byte {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of received packets."; "Counter for received traffic
} in bytes.";
}
leaf rcvd-byte { leaf dropped-packet {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for received traffic "Number of dropped packets.";
in bytes."; }
}
leaf dropped-packet { leaf dropped-byte {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Counter for dropped traffic in
} bytes.";
}
}
leaf dropped-byte { container mapping-statistics {
type yang:zero-based-counter64;
description when "../../nat-capabilities/nat-flavor = "+
"Counter for dropped traffic in "'nat44' or "+
bytes."; "../../nat-capabilities/nat-flavor = "+
} "'nat64'or "+
} "../../nat-capabilities/nat-flavor = 'dst-nat'";
container mapping-statistics { description
when "../../nat-capabilities/nat-flavor = "+ "Mapping statistics.";
"'nat44' or "+
"../../nat-capabilities/nat-flavor = "+
"'nat64'or "+
"../../nat-capabilities/nat-flavor = 'dst-nat'";
description leaf total-mappings {
"Mapping statistics."; type uint32;
leaf total-mappings { description
type uint32; "Total number of NAT mappings present
at a given time. This variable includes
all the static and dynamic mappings.";
}
description leaf total-tcp-mappings {
"Total number of NAT mappings present type uint32;
at a given time. This variable includes description
all the static and dynamic mappings."; "Total number of TCP mappings present
} at a given time.";
}
leaf total-tcp-mappings { leaf total-udp-mappings {
type uint32; type uint32;
description description
"Total number of TCP mappings present "Total number of UDP mappings present
at a given time."; at a given time.";
} }
leaf total-udp-mappings { leaf total-icmp-mappings {
type uint32; type uint32;
description description
"Total number of UDP mappings present "Total number of ICMP mappings present
at a given time."; at a given time.";
} }
leaf total-icmp-mappings { }
type uint32;
description
"Total number of ICMP mappings present
at a given time.";
}
} container pool-stats {
container pool-stats { when "../../nat-capabilities/nat-flavor = "+
"'nat44' or "+
"../../nat-capabilities/nat-flavor = "+
"'nat64'";
when "../../nat-capabilities/nat-flavor = "+ description
"'nat44' or "+ "Statistics related to address/prefix
"../../nat-capabilities/nat-flavor = "+ pool usage";
"'nat64'";
description leaf pool-id {
"Statistics related to address/prefix type uint32;
pool usage"; description
"Unique Identifier that represents
a pool of addresses/prefixes.";
}
leaf pool-id { leaf address-allocated {
type uint32; type uint32;
description description
"Unique Identifier that represents "Number of allocated addresses in
a pool of addresses/prefixes."; the pool";
} }
leaf address-allocated { leaf address-free {
type uint32; type uint32;
description description
"Number of allocated addresses in "Number of unallocated addresses in
the pool"; the pool at a given time.The sum of
} unallocated and allocated
addresses is the total number of
addresses of the pool.";
}
leaf address-free { container port-stats {
type uint32;
description
"Number of unallocated addresses in
the pool at a given time.The sum of
unallocated and allocated
addresses is the total number of
addresses of the pool.";
}
container port-stats { description
"Statistics related to port
usage.";
description leaf ports-allocated {
"Statistics related to port type uint32;
usage.";
leaf ports-allocated { description
type uint32; "Number of allocated ports
description in the pool.";
"Number of allocated ports }
in the pool.";
}
leaf ports-free { leaf ports-free {
type uint32; type uint32;
description
"Number of unallocated addresses
in the pool.";
} description
} "Number of unallocated addresses
} in the pool.";
} //statistics }
} }
} }
} } //statistics
}
}
}
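Review bot: in `pool-stats/port-stats`, the description of `ports-free` reads "Number of unallocated addresses in the pool." where it should say ports, mirroring `ports-allocated`. `pool-stats` itself is a plain container carrying a `pool-id` described as the "Unique Identifier that represents a pool of addresses/prefixes", which implies several pools per instance; a `list pool-stats { key pool-id; ... }` would let an instance report usage for each pool and would line up with `notify-pool-usage`, whose thresholds are configured per `pool-id`.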
/* /*
* Notifications * Notifications
*/ */
notification nat-event { notification nat-event {
description description
"Notifications must be generated when the defined "Notifications must be generated when the defined
high/low threshold is reached. Related high/low threshold is reached. Related
configuration parameters must be provided to configuration parameters must be provided to
trigger the notifications."; trigger the notifications.";
leaf id { leaf id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat-module/nat-instances/"
+ "nat-instance/id"; + "nat-instance/id";
} }
description description
"NAT instance ID."; "NAT instance ID.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"A treshhold has been fired."; "A treshhold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
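Review bot: `notification nat-event` reports only the instance `id` and a `notify-pool-threshold` percentage, but the criteria in `notify-pool-usage` are configured per `pool-id` and distinguish a high and a low threshold, so a receiver cannot tell which pool crossed which boundary. Add a `pool-id` leaf (a leafref to the pool being reported) and an indicator of whether the high or the low threshold fired. The description "A treshhold has been fired." should read "threshold".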
4. Security Considerations 4. Security Considerations
The YANG module defined in this memo is designed to be accessed via The YANG module defined in this memo is designed to be accessed via
the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the
secure transport layer and the support of SSH is mandatory to secure transport layer and the support of SSH is mandatory to
implement secure transport [RFC6242]. The NETCONF access control implement secure transport [RFC6242]. The NETCONF access control
model [RFC6536] provides means to restrict access by some users to a model [RFC6536] provides means to restrict access by some users to a
pre-configured subset of all available NETCONF protocol operations pre-configured subset of all available NETCONF protocol operations
and data. and data.
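Review bot: the part of Section 4 shown here is the generic NETCONF transport and access-control text; if the elided remainder does not already do so, it should name the writable subtrees of this module whose misuse matters, which the module above makes easy to identify: `logging-info/destination-address` and `destination-port` (an unauthorized write redirects NAT event logs, which carry subscriber-to-address bindings, to a collector of the writer's choosing), the `notify-pool-usage` thresholds (an altered value silences pool-exhaustion alarms), and `mapping-table` entries (a static mapping exposes an internal host). The read-only `statistics` and the mapping table contents are sensitive to read as well, since they reveal internal addressing and per-subscriber activity, so they belong in the same enumeration under the NACM guidance.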
skipping to change at page 53, line 35 skipping to change at page 55, line 17
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing and Tianran Zhou for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. structure and the suggestion to use NMDA.
Thanks to Lee Howard and Jordi Palet for the CLAT comments. Thanks to Lee Howard and Jordi Palet for the CLAT comments and to
Fred Baker for the NPTv6 comments.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation. comments based on the FD.io implementation.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, <https://www.rfc- DOI 10.17487/RFC3688, January 2004, <https://www.rfc-
skipping to change at page 55, line 27 skipping to change at page 57, line 13
progress), May 2017. progress), May 2017.
[I-D.ietf-behave-ipfix-nat-logging] [I-D.ietf-behave-ipfix-nat-logging]
Sivakumar, S. and R. Penno, "IPFIX Information Elements Sivakumar, S. and R. Penno, "IPFIX Information Elements
for logging NAT Events", draft-ietf-behave-ipfix-nat- for logging NAT Events", draft-ietf-behave-ipfix-nat-
logging-13 (work in progress), January 2017. logging-13 (work in progress), January 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
Models for the DS-Lite", draft-ietf-softwire-dslite- Models for the DS-Lite", draft-ietf-softwire-dslite-
yang-05 (work in progress), August 2017. yang-06 (work in progress), August 2017.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
skipping to change at page 70, line 44 skipping to change at page 72, line 44
<clat-ipv4-prefixes> <clat-ipv4-prefixes>
<clat-ipv4-prefix> <clat-ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</clat-ipv4-prefix> </clat-ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
A.10. NPTv6 A.10. NPTv6
Let's consider the example of a NPTv6 translator that should rewrite Let's consider the example of a NPTv6 translator that should rewrite
packets with the source prefix (fd01:203:405:/48) with the external packets with the source prefix (fd01:203:405:/48) with the external
prefix (2001:db8:1:/48). prefix (2001:db8:1:/48). The internal interface is "eth0" while the
external interface is "eth1".
External Network: Prefix = 2001:db8:1:/48 External Network: Prefix = 2001:db8:1:/48
-------------------------------------- --------------------------------------
| |
| |eth1
+-------------+ +-------------+
| NPTv6 | eth4| NPTv6 |eth2
| Translator | ...-----| |------...
+-------------+ +-------------+
| |eth0
| |
-------------------------------------- --------------------------------------
Internal Network: Prefix = fd01:203:405:/48 Internal Network: Prefix = fd01:203:405:/48
Example of NPTv6 (RFC6296) Example of NPTv6 (RFC6296)
The XML snippet to configure NPTv6 prefixes in such case is depicted The XML snippet to configure NPTv6 prefixes in such case is depicted
below: below:
<internal-interfaces>
</internal-interface>
eth0
<internal-interface>
</internal-interfaces>
<external-interfaces>
<external-interface>
eth1
</external-interface>
</external-interfaces>
...
<nptv6-prefixes> <nptv6-prefixes>
<pool-id>1</pool-id> <translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
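Review bot: the interface snippet added in A.10 (right column, starting at `<internal-interfaces>`) has its inner tags inverted: `</internal-interface>` precedes the value `eth0` and `<internal-interface>` follows it, so the XML is not well-formed. It should mirror the external block that follows: `<internal-interface>eth0</internal-interface>`.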
Figure 3 shows an example of an NPTv6 that interconnects two internal Figure 3 shows an example of an NPTv6 that interconnects two internal
networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
translated using a dedicated prefix (2001:db8:1:/48 and translated using a dedicated prefix (2001:db8:1:/48 and
2001:db8:6666:/48, respectively). 2001:db8:6666:/48, respectively).
Internal Prefix = fd01:4444:5555:/48 Internal Prefix = fd01:4444:5555:/48
-------------------------------------- --------------------------------------
V | External Prefix V | External Prefix
V | 2001:db8:1:/48 V | 2001:db8:1:/48
V +---------+ ^ V +---------+ ^
V | NPTv6 | ^ V | NPTv6 | ^
V | Device | ^ V | | ^
V +---------+ ^ V +---------+ ^
External Prefix | ^ External Prefix | ^
2001:db8:6666:/48 | ^ 2001:db8:6666:/48 | ^
-------------------------------------- --------------------------------------
Internal Prefix = fd01:203:405:/48 Internal Prefix = fd01:203:405:/48
Figure 3: Connecting two Peer Networks (RFC6296) Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6: To that aim, the following configuration is provided to the NPTv6:
<nptv6-prefixes> <nptv6-prefixes>
<pool-id>1</pool-id> <translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<nptv6-prefixes> <nptv6-prefixes>
<pool-id>2</pool-id> <translation-id>2</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:4444:5555:/48 fd01:4444:5555:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:6666:/48 2001:db8:6666:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
 End of changes. 433 change blocks. 
1445 lines changed or deleted 1533 lines changed or added
