draft-ietf-opsawg-nat-yang-03.txt   draft-ietf-opsawg-nat-yang-04.txt 
Network Working Group                                        M. Boucadair
Internet-Draft                                                     Orange
Intended status: Standards Track                             S. Sivakumar
Expires: April 1, 2018                                      Cisco Systems
                                                             C. Jacquenet
                                                                   Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                      September 28, 2017

       A YANG Data Model for Network Address Translation (NAT) and
                   Network Prefix Translation (NPT)
                     draft-ietf-opsawg-nat-yang-04
Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   [...]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 1, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [...]

   1.  Introduction
     1.1.  Terminology
     1.2.  Tree Diagrams
   2.  Overview of the NAT YANG Data Model
     2.1.  Overview
     2.2.  Various NAT Flavors
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements
     2.4.  Other Transport Protocols
     2.5.  IP Addresses Used for Translation
     2.6.  Port Set Assignment
     2.7.  Port-Restricted IP Addresses
     2.8.  NAT Mapping Entries
     2.9.  Resource Limits
     2.10. Binding the NAT Function to an External Interface or VRF
     2.11. Tree Structure
   3.  NAT YANG Module
   4.  Security Considerations
   5.  IANA Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Sample Examples
     A.1.  Traditional NAT44
     A.2.  CGN
     A.3.  CGN Pass-Through
     A.4.  NAT64
     A.5.  Explicit Address Mappings for Stateless IP/ICMP Translation
     A.6.  Static Mappings with Port Ranges
     A.7.  Static Mappings with IP Prefixes
     A.8.  Destination NAT
     A.9.  CLAT
     A.10. NPTv6
   Authors' Addresses
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC6020].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
   (NPTv6) [RFC6296].

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such

   [...]

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.
2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.

   A single NAT device can have multiple NAT instances (nat-instance);
   each of these instances can be provided with its own policies (e.g.,
   be responsible for serving a group of hosts).  This document does not
   make any assumption about how internal hosts or flows are associated
   with a given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   Further, the NAT YANG module allows for a NAT instance to be provided
   with multiple NAT policies (nat-policy).  The document does not make
   any assumption about how flows are associated with a given NAT policy
   of a given NAT instance.  Classification filters are out of scope.
   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   To accommodate deployments where [RFC6302] is not enabled, this YANG
   module makes it possible to instruct a NAT function to log the
   destination port number.  The reader may refer to
   [I-D.ietf-behave-ipfix-nat-logging], which provides the templates to
   log the destination ports.
2.2.  Various NAT Flavors

   The following modes are supported:

   1.  Basic NAT44

   2.  NAPT

   3.  Destination NAT

   [...]

   11.  Combination of NAT64 and EAM

   [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
   Lite.

2.3.  TCP, UDP and ICMP NAT Behavioral Requirements

   This document assumes that the behaviors specified in [RFC4787],
   [RFC5382], and [RFC5508] are enabled by default.

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).
2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per-session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes.
   Therefore, a NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]).  Both features are supported in the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs need to restrict the port numbers (e.g., Lightweight
   4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port set
   assignments (port-set-restrict) are supported in this document:

   [...]
   internal-dst-port) <=> (external-src-address, external-src-port)
   (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

   (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
   identifier) <=> (external-src-address, external-dst-address,
   external ICMP/ICMPv6 identifier)

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address as used by an
      internal host.

   [...]

      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].
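   The following Python script is an added illustration and is not part
   of this document or of the ietf-nat module.  It resolves the
   port-set-restrict choice of a nat-policy (Section 2.7) to explicit
   external port ranges, computing the port-set-algo case with the MAP
   port-mapping algorithm of [RFC7597], and then checks that the
   external-src-port of every mapping entry (Section 2.8) falls inside
   that set, so that a port belonging to another subscriber sharing the
   external address is detected.  The instance data, the default of 6
   assumed for an absent psid-offset, and the JSON-style leaf names are
   constructed for the example.

```python
"""Port-set consistency check for a port-restricted NAT policy (ietf-nat tree).

Constructed example; not from the draft or the ietf-nat module.  It resolves
the port-set-restrict choice to explicit external port ranges (port-set-algo
via the MAP algorithm of RFC 7597, which the draft cites for MAP-E) and checks
that every mapping-entry's external-src-port stays inside that set.  A mapping
outside the set means the NAT is using ports that belong to another subscriber
sharing the same external address.
"""
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive (start, end) port range


def psid_port_set(psid_offset: int, psid_len: int, psid: int) -> List[Range]:
    """Port ranges selected by (psid-offset, psid-len, psid), RFC 7597 App. B.

    port = A * 2^(16-a) + P * 2^m + M, with a = psid-offset, k = psid-len,
    m = 16 - a - k, P = psid, 0 <= M < 2^m and, when a > 0, 1 <= A < 2^a
    (A = 0 is excluded so ports 0..2^(16-a)-1 are never assigned).
    Adjacent blocks are merged so the result is the minimal range list.
    """
    if not 0 <= psid_offset <= 16:
        raise ValueError("psid-offset must be in 0..16")
    m = 16 - psid_offset - psid_len
    if m < 0:
        raise ValueError("psid-offset + psid-len must not exceed 16")
    if not 0 <= psid < 2 ** psid_len:
        raise ValueError("psid does not fit in psid-len bits")
    a_values = range(1, 2 ** psid_offset) if psid_offset > 0 else [0]
    merged: List[Range] = []
    for a in a_values:
        start = (a << (16 - psid_offset)) | (psid << m)
        end = start + 2 ** m - 1
        if merged and merged[-1][1] + 1 == start:
            merged[-1] = (merged[-1][0], end)  # contiguous with previous block
        else:
            merged.append((start, end))
    return merged


def restricted_port_set(port_set_restrict: Dict) -> List[Range]:
    """Resolve the port-set-restrict choice (port-range | port-set-algo)."""
    if "psid-len" in port_set_restrict:  # port-set-algo case
        # psid-offset? is optional in the tree; 6 (the MAP default) is assumed
        return psid_port_set(port_set_restrict.get("psid-offset", 6),
                             port_set_restrict["psid-len"],
                             port_set_restrict["psid"])
    # port-range case; an absent bound is assumed to mean the port space edge
    return [(port_set_restrict.get("start-port-number", 0),
             port_set_restrict.get("end-port-number", 65535))]


def port_in_set(port: int, ranges: List[Range]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def entry_ports(entry: Dict) -> Range:
    """Flatten a mapping-entry's external-src-port choice to (start, end)."""
    p = entry["external-src-port"]
    if "single-port-number" in p:
        return p["single-port-number"], p["single-port-number"]
    return p["start-port-number"], p["end-port-number"]


def check_mapping_entries(policy: Dict, entries: List[Dict]) -> List[str]:
    """One message per mapping-entry whose external ports leave the set."""
    ranges = restricted_port_set(policy["port-set-restrict"])
    problems = []
    for e in entries:
        lo, hi = entry_ports(e)
        if not any(r_lo <= lo and hi <= r_hi for r_lo, r_hi in ranges):
            problems.append(f"mapping-entry {e['index']}: external ports "
                            f"{lo}-{hi} outside the restricted set")
    return problems


# Constructed instance data using the tree's leaf names (values made up).
NAT_POLICY = {
    "policy-id": 1,
    "external-ip-address-pool": [{"pool-id": 1,
                                  "external-ip-pool": "192.0.2.1/32"}],
    "port-set-restrict": {"psid-offset": 6, "psid-len": 8, "psid": 52},
}
MAPPING_TABLE = [
    {"index": 1, "transport-protocol": 6,
     "internal-src-address": "192.168.1.10/32",
     "internal-src-port": {"single-port-number": 40000},
     "external-src-address": "192.0.2.1/32",
     "external-src-port": {"single-port-number": 1233}},  # inside the set
    {"index": 2, "transport-protocol": 17,
     "internal-src-address": "192.168.1.20/32",
     "internal-src-port": {"start-port-number": 5000, "end-port-number": 5003},
     "external-src-address": "192.0.2.1/32",
     "external-src-port": {"start-port-number": 64720,
                           "end-port-number": 64723}},  # inside the set
    {"index": 3, "transport-protocol": 6,
     "internal-src-address": "192.168.1.30/32",
     "internal-src-port": {"single-port-number": 8080},
     "external-src-address": "192.0.2.1/32",
     "external-src-port": {"single-port-number": 8080}},  # another PSID's port
]

if __name__ == "__main__":
    ranges = restricted_port_set(NAT_POLICY["port-set-restrict"])
    total = sum(hi - lo + 1 for lo, hi in ranges)
    print(f"{total} ports in {len(ranges)} blocks: {ranges[0]} .. {ranges[-1]}")
    for msg in check_mapping_entries(NAT_POLICY, MAPPING_TABLE):
        print("VIOLATION:", msg)
```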
2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limit and connection-limit).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

2.10.  Binding the NAT Function to an External Interface or VRF

   The model makes it possible to specify the interface or Virtual
   Routing and Forwarding (VRF) instance on which the NAT function must
   be applied (external-realm).  Distinct interfaces/VRFs can be
   provided as a function of the NAT policy (see, for example,
   Section 4 of [RFC7289]).

   If no external interface/VRF is provided, the system is assumed to be
   able to determine the external interface/VRF instance on which the
   NAT will be applied.  Typically, the WAN and LAN interfaces of a CPE
   are determined by the CPE.

2.11.  Tree Structure

   The tree structure of the NAT YANG module is provided below:
   module: ietf-nat
     +--rw nat-module
        +--rw nat-instances
           +--rw nat-instance* [id]
              +--rw id                       uint32
              +--rw name?                    string
              +--rw enable?                  boolean
              +--rw nat-capabilities
              |  +--rw nat-flavor*                                  identityref
              |  +--rw nat44-flavor*                                identityref
              |  +--rw restricted-port-support?                     boolean
              |  +--rw static-mapping-support?                      boolean
              |  +--rw port-randomization-support?                  boolean
              |  +--rw port-range-allocation-support?               boolean
              |  +--rw port-preservation-suport?                    boolean
              |  +--rw port-parity-preservation-support?            boolean
              |  +--rw address-roundrobin-support?                  boolean
              |  +--rw paired-address-pooling-support?              boolean
              |  +--rw endpoint-independent-mapping-support?        boolean
              |  +--rw address-dependent-mapping-support?           boolean
              |  +--rw address-and-port-dependent-mapping-support?  boolean
              |  +--rw endpoint-independent-filtering-support?      boolean
              |  +--rw address-dependent-filtering?                 boolean
              |  +--rw address-and-port-dependent-filtering?        boolean
              +--rw nat-pass-through* [nat-pass-through-id]
              |  +--rw nat-pass-through-id      uint32
              |  +--rw nat-pass-through-pref?   inet:ip-prefix
              |  +--rw nat-pass-through-port?   inet:port-number
              +--rw nat-policy* [policy-id]
              |  +--rw policy-id                        uint32
              |  +--rw clat-parameters
              |  |  +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
              |  |  |  +--rw clat-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
              |  |     +--rw clat-ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [translation-id]
              |  |  +--rw translation-id          uint32
              |  |  +--rw internal-ipv6-prefix?   inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw eam* [eam-ipv4-prefix]
              |  |  +--rw eam-ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw eam-ipv6-prefix?   inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix]
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw external-ip-address-pool* [pool-id]
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool?   inet:ipv4-prefix
              |  +--rw port-set-restrict
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?   uint8
              |  |        +--rw psid-len       uint8
              |  |        +--rw psid           uint16
              |  +--rw dst-nat-enable?                  boolean
              |  +--rw dst-ip-address-pool* [pool-id]
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool?   inet:ip-prefix
              |  +--rw supported-transport-protocols* [transport-protocol-id]
              |  |  +--rw transport-protocol-id      uint8
              |  |  +--rw transport-protocol-name?   string
              |  +--rw subscriber-mask-v6?              uint8
              |  +--rw subscriber-match* [sub-match-id]
              |  |  +--rw sub-match-id    uint32
              |  |  +--rw sub-mask        inet:ip-prefix
              |  +--rw paired-address-pooling?          boolean
              |  +--rw nat-mapping-type?                enumeration
              |  +--rw nat-filtering-type?              enumeration
              |  +--rw port-quota* [quota-type]
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    enumeration
              |  +--rw port-allocation-type?            enumeration
              |  +--rw address-roundrobin-enable?       boolean
              |  +--rw port-set
              |  |  +--rw port-set-size?      uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers
              |  |  +--rw udp-timeout?               uint32
              |  |  +--rw tcp-idle-timeout?          uint32
              |  |  +--rw tcp-trans-open-timeout?    uint32
              |  |  +--rw tcp-trans-close-timeout?   uint32
              |  |  +--rw tcp-in-syn-timeout?        uint32
              |  |  +--rw fragment-min-timeout?      uint32
              |  |  +--rw icmp-timeout?              uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw port-timeout   inet:port-number
              |  |  +--rw hold-down-timeout?         uint32
              |  |  +--rw hold-down-max?             uint32
              |  +--rw algs* [alg-name]
              |  |  +--rw alg-name                  string
              |  |  +--rw alg-transport-protocol?   uint32
              |  |  +--rw alg-transport-port?       inet:port-number
              |  |  +--rw alg-status?               boolean
              |  +--rw all-algs-enable?                 boolean
              |  +--rw notify-pool-usage
              |  |  +--rw pool-id?                     uint32
              |  |  +--rw notify-pool-hi-threshold     percent
              |  |  +--rw notify-pool-low-threshold?   percent
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |        |  +--rw external-interface?      if:interface-ref
              |        +--:(vrf)
              |           +--rw external-vrf-instance?   identityref
              +--rw mapping-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw connection-limit
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-vrf?          uint32
              |  +--rw limit-per-subnet?       inet:ip-prefix
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-udp           uint32
              |  +--rw limit-per-tcp           uint32
              |  +--rw limit-per-icmp          uint32
              +--rw logging-info
              |  +--rw logging-enable?       boolean
              |  +--rw destination-address   inet:ip-prefix
              |  +--rw destination-port      inet:port-number
              |  +--rw (protocol)?
              |     +--:(syslog)
              |     |  +--rw syslog?   boolean
              |     +--:(ipfix)
              |     |  +--rw ipfix?    boolean
              |     +--:(ftp)
              |        +--rw ftp?      boolean
              +--rw mapping-table
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw (port-type)?
              |     |     +--:(single-port-number)
              |     |     |  +--rw single-port-number?   inet:port-number
              |     |     +--:(port-range)
              |     |        +--rw start-port-number?    inet:port-number
              |     |        +--rw end-port-number?      inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
              |     |  +--rw (port-type)?
| +--rw internal-dst-port | | +--:(single-port-number)
| | +--rw (port-type)? | | | +--rw single-port-number? inet:port-number
| | +--:(single-port-number) | | +--:(port-range)
| | | +--rw single-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--:(port-range) | | +--rw end-port-number? inet:port-number
| | +--rw start-port-number? inet:port-number | +--rw internal-dst-address? inet:ip-prefix
| | +--rw end-port-number? inet:port-number | +--rw internal-dst-port
| +--rw external-dst-address? inet:ip-prefix | | +--rw (port-type)?
| +--rw external-dst-port | | +--:(single-port-number)
| | +--rw (port-type)? | | | +--rw single-port-number? inet:port-number
| | +--:(single-port-number) | | +--:(port-range)
| | | +--rw single-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--:(port-range) | | +--rw end-port-number? inet:port-number
| | +--rw start-port-number? inet:port-number | +--rw external-dst-address? inet:ip-prefix
| | +--rw end-port-number? inet:port-number | +--rw external-dst-port
| +--rw lifetime? uint32 | | +--rw (port-type)?
+--ro statistics | | +--:(single-port-number)
+--ro traffic-statistics | | | +--rw single-port-number? inet:port-number
| +--ro sent-packet? yang:zero-based-counter64 | | +--:(port-range)
| +--ro sent-byte? yang:zero-based-counter64 | | +--rw start-port-number? inet:port-number
| +--ro rcvd-packet? yang:zero-based-counter64 | | +--rw end-port-number? inet:port-number
| +--ro rcvd-byte? yang:zero-based-counter64 | +--rw lifetime? uint32
| +--ro dropped-packet? yang:zero-based-counter64 +--ro statistics
| +--ro dropped-byte? yang:zero-based-counter64 +--ro traffic-statistics
+--ro mapping-statistics | +--ro sent-packet? yang:zero-based-counter64
| +--ro total-mappings? uint32 | +--ro sent-byte? yang:zero-based-counter64
| +--ro total-tcp-mappings? uint32 | +--ro rcvd-packet? yang:zero-based-counter64
| +--ro total-udp-mappings? uint32 | +--ro rcvd-byte? yang:zero-based-counter64
| +--ro total-icmp-mappings? uint32 | +--ro dropped-packet? yang:zero-based-counter64
+--ro pool-stats | +--ro dropped-byte? yang:zero-based-counter64
+--ro pool-id? uint32 +--ro mapping-statistics
+--ro address-allocated? uint32 | +--ro total-mappings? uint32
+--ro address-free? uint32 | +--ro total-tcp-mappings? uint32
+--ro port-stats | +--ro total-udp-mappings? uint32
+--ro ports-allocated? uint32 | +--ro total-icmp-mappings? uint32
+--ro ports-free? uint32 +--ro pool-stats
+--ro pool-id? uint32
notifications: +--ro address-allocated? uint32
+---n nat-event +--ro address-free? uint32
+--ro id? -> /nat-module/nat-instances/nat-instance/id +--ro port-stats
+--ro notify-pool-threshold percent +--ro ports-allocated? uint32
+--ro ports-free? uint32
notifications:
+---n nat-event
+--ro id? -> /nat-module/nat-instances/nat-instance/id
+--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id
+--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id
+--ro notify-pool-threshold percent
3. NAT YANG Module

<CODE BEGINS> file "ietf-nat@2017-09-18.yang"   (draft -03)
<CODE BEGINS> file "ietf-nat@2017-09-28.yang"   (draft -04)
module ietf-nat {
namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA
prefix "nat";
import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; }
import ietf-interfaces { prefix if; }
//import iana-if-type { prefix ianaift; }
organization "IETF OPSAWG Working Group";
contact
"Mohamed Boucadair <mohamed.boucadair@orange.com>
Senthil Sivakumar <ssenthil@cisco.com>
Christian Jacquenet <christian.jacquenet@orange.com>
Suresh Vinapamula <sureshk@juniper.net>
Qin Wu <bill.wu@huawei.com>";
description
"This module is a YANG module for NAT implementations
(including NAT44 and NAT64 flavors).
Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2017-09-18 {
description "Comments from Tore Anderson about EAM-SIIT.";
reference "-ietf-03";
}
revision 2017-08-23 {
description "Comments from F. Baker about NPTv6.";
reference "-ietf-02";
}
revision 2017-08-21 { module ietf-nat {
description " Includes CLAT (Lee/Jordi)."; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
reference "-ietf-01";
}
revision 2017-08-03 { //namespace to be assigned by IANA
description "Integrates comments from OPSAWG CFA."; prefix "nat";
reference "-ietf-00";
}
revision 2017-07-03 { import ietf-inet-types { prefix inet; }
description "Integrates comments from D. Wing and T. Zhou."; import ietf-yang-types { prefix yang; }
reference "-07";
}
revision 2015-09-08 { import ietf-interfaces { prefix if; }
description "Fixes few YANG errors."; //import iana-if-type { prefix ianaift; }
reference "-02"; organization "IETF OPSAWG Working Group";
}
revision 2015-09-07 { contact
description "Completes the NAT64 model."; "Mohamed Boucadair <mohamed.boucadair@orange.com>
reference "01"; Senthil Sivakumar <ssenthil@cisco.com>
} Christian Jacquenet <christian.jacquenet@orange.com>
Suresh Vinapamula <sureshk@juniper.net>
Qin Wu <bill.wu@huawei.com>";
revision 2015-08-29 { description
description "Initial version."; "This module is a YANG module for NAT implementations
reference "00"; (including NAT44 and NAT64 flavors).
}
/* Copyright (c) 2017 IETF Trust and the persons identified as
* Definitions authors of the code. All rights reserved.
*/
typedef percent { Redistribution and use in source and binary forms, with or
type uint8 { without modification, is permitted pursuant to, and subject
range "0 .. 100"; to the license terms contained in, the Simplified BSD License
} set forth in Section 4.c of the IETF Trust's Legal Provisions
description Relating to IETF Documents
"Percentage"; (http://trustee.ietf.org/license-info).
}
/* This version of this YANG module is part of RFC XXXX; see
* Identities the RFC itself for full legal notices.";
*/
identity nat-type { revision 2017-09-27 {
description description "Comments from Kris Poscic about NAT44, mainly:
"Base identity for nat type."; - Allow for multiple NAT policies within the same instance.
- associate an external interface/vrf per NAT policy.";
reference "-ietf-04";
} }
identity nat44 { revision 2017-09-18 {
base nat:nat-type; description "Comments from Tore Anderson about EAM-SIIT.";
description reference "-ietf-03";
"Identity for traditional NAT support.";
reference
"RFC 3022.";
} }
identity basic-nat { revision 2017-08-23 {
//base nat:nat-type; description "Comments from F. Baker about NPTv6.";
base nat:nat44; reference "-ietf-02";
description
"Identity for Basic NAT support.";
reference
"RFC 3022.";
} }
identity napt {
//base nat:nat-type;
base nat:nat44;
description
"Identity for NAPT support.";
reference revision 2017-08-21 {
"RFC 3022."; description " Includes CLAT (Lee/Jordi).";
reference "-ietf-01";
} }
identity restricted-nat { revision 2017-08-03 {
//base nat:nat-type; description "Integrates comments from OPSAWG CFA.";
base nat:nat44; reference "-ietf-00";
description
"Identity for Port-Restricted NAT support.";
reference
"RFC 7596.";
} }
identity dst-nat { revision 2017-07-03 {
base nat:nat-type; description "Integrates comments from D. Wing and T. Zhou.";
description reference "-07";
"Identity for Destination NAT support.";
} }
identity nat64 { revision 2015-09-08 {
base nat:nat-type; description "Fixes few YANG errors.";
description
"Identity for NAT64 support.";
reference reference "-02";
"RFC 6146.";
} }
identity clat { revision 2015-09-07 {
base nat:nat-type; description "Completes the NAT64 model.";
description reference "01";
"Identity for CLAT support.";
reference
"RFC 6877.";
} }
identity eam { revision 2015-08-29 {
base nat:nat-type; description "Initial version.";
description reference "00";
"Identity for EAM support.";
reference
"RFC 7757.";
} }
identity nptv6 { /*
base nat:nat-type; * Definitions
description */
"Identity for NPTv6 support.";
reference typedef percent {
"RFC 6296."; type uint8 {
range "0 .. 100";
}
description
"Percentage";
} }
/* /*
* Grouping * Identities
*/ */
// Timers identity nat-type {
description
"Base identity for nat type.";
}
grouping timeouts { identity nat44 {
description base nat:nat-type;
"Configure values of various timeouts."; description
"Identity for traditional NAT support.";
leaf udp-timeout { reference
type uint32; "RFC 3022.";
units "seconds"; }
default 300;
description
"UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT.";
reference identity basic-nat {
"RFC 4787."; //base nat:nat-type;
} base nat:nat44;
description
"Identity for Basic NAT support.";
leaf tcp-idle-timeout { reference
type uint32; "RFC 3022.";
units "seconds"; }
default 7440;
description
"TCP Idle timeout should be
2 hours and 4 minutes.";
reference identity napt {
"RFC 5382."; //base nat:nat-type;
} base nat:nat44;
description
"Identity for NAPT support.";
leaf tcp-trans-open-timeout { reference
type uint32; "RFC 3022.";
units "seconds"; }
default 240;
description
"The value of the transitory open connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and identity restricted-nat {
closing idle timeouts. //base nat:nat-type;
To accommodate deployments that consider base nat:nat44;
a partially open timeout of 4 minutes as being description
excessive from a security standpoint, a NAT may "Identity for Port-Restricted NAT support.";
allow the configured timeout to be less than
4 minutes.
However, a minimum default transitory connection
idle-timeout of 4 minutes is recommended.";
reference reference
"RFC 7857."; "RFC 7596.";
} }
leaf tcp-trans-close-timeout { identity dst-nat {
type uint32; base nat:nat-type;
units "seconds"; description
default 240; "Identity for Destination NAT support.";
description }
"The value of the transitory close connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
reference identity nat64 {
"RFC 7857."; base nat:nat-type;
} description
"Identity for NAT64 support.";
leaf tcp-in-syn-timeout { reference
type uint32; "RFC 6146.";
units "seconds"; }
default 6;
description
"A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds
after the packet is received. If during
this interval the NAT receives and translates
an outbound SYN for the connection the NAT
must silently drop the original unsolicited
inbound SYN packet.";
reference identity clat {
"RFC 5382."; base nat:nat-type;
} description
"Identity for CLAT support.";
leaf fragment-min-timeout { reference
"RFC 6877.";
}
type uint32; identity eam {
units "seconds"; base nat:nat-type;
default 2; description
description "Identity for EAM support.";
"As long as the NAT has available resources,
the NAT allows the fragments to arrive
over fragment-min-timeout interval.
The default value is inspired from RFC6146.";
}
leaf icmp-timeout { reference
type uint32; "RFC 7757.";
units "seconds"; }
default 60;
description
"An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended
that the ICMP Query session timer be made
configurable";
reference identity nptv6 {
"RFC 5508."; base nat:nat-type;
} description
"Identity for NPTv6 support.";
list per-port-timeout { reference
key port-number; "RFC 6296.";
}
description identity vrf-routing-instance {
"Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts
on other ports.";
leaf port-number { description
type inet:port-number; "This identity represents a VRF routing instance.";
description
"A port number.";
} reference
"Section 8.9 of RFC 4026.";
leaf port-timeout { }
type inet:port-number;
mandatory true;
description
"Timeout for this port";
}
}
leaf hold-down-timeout { /*
* Grouping
*/
type uint32; // Set of ports
units "seconds";
default 120;
grouping port-set {
description description
"Hold down timer. Ports in the "Indicates a set of ports.
hold down pool are not reassigned until It may be a simple port range, or use the PSID algorithm
this timer expires. to represent a range of transport layer
The length of time and the maximum ports which will be used by a NAPT.";
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference choice port-type {
"REQ#8 of RFC 6888."; default port-range;
} description
"Port type: port-range or port-set-algo.";
leaf hold-down-max { case port-range {
leaf start-port-number {
type inet:port-number;
description
"Beginning of the port range.";
type uint32; reference
"Section 3.2.9 of RFC 8045.";
}
description leaf end-port-number {
"Maximum ports in the Hold down timer pool.
Ports in the hold down pool are not reassigned
until hold-down-timeout expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference type inet:port-number;
"REQ#8 of RFC 6888."; description
} "End of the port range.";
}
// Set of ports reference
"Section 3.2.10 of RFC 8045.";
}
}
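The timeouts grouping above fixes defaults, but the floors imposed by the RFCs it cites (RFC 4787, RFC 5382, RFC 5508, RFC 7857, RFC 6888) live only in its description strings, so a management system will accept a configuration that silently weakens them. The following Python is an added example, not part of this draft or of the ietf-nat module, that applies those floors to a configuration keyed by the grouping's leaf names; DEFAULTS, the floor tables, check_timeouts() and the two sample configurations are assumptions made here for illustration.

```python
"""Check a NAT timeout configuration against the floors cited by the
'timeouts' grouping of ietf-nat. Added example; not part of the draft."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, leaf, explanation)

# 'default' statements of the grouping, in seconds. A leaf absent from the
# configuration takes its YANG default, so fill them in before checking.
DEFAULTS: Dict[str, int] = {
    "udp-timeout": 300,
    "tcp-idle-timeout": 7440,
    "tcp-trans-open-timeout": 240,
    "tcp-trans-close-timeout": 240,
    "tcp-in-syn-timeout": 6,
    "fragment-min-timeout": 2,
    "icmp-timeout": 60,
    "hold-down-timeout": 120,
}

# Hard floors: the referenced RFCs state these as "MUST NOT expire sooner".
MUST_FLOORS: Dict[str, Tuple[int, str]] = {
    "udp-timeout": (120, "RFC 4787 REQ-5: UDP mapping timer must not expire "
                         "in less than 2 minutes"),
    "tcp-idle-timeout": (7440, "RFC 5382 REQ-5: established-connection "
                               "idle-timeout must not be less than 2 h 4 min"),
    "tcp-in-syn-timeout": (6, "RFC 5382 REQ-4: an unsolicited inbound SYN "
                              "must be held at least 6 s before any response"),
    "icmp-timeout": (60, "RFC 5508 REQ-2: ICMP Query session timer must not "
                         "expire in less than 60 s"),
}

# Soft floors: RFC 7857 section 2.1 allows a transitory timeout below 4 min
# for deployments that consider the default excessive, so only warn.
SHOULD_FLOORS: Dict[str, Tuple[int, str]] = {
    "tcp-trans-open-timeout": (240, "RFC 7857 s.2.1: below 4 min is allowed, "
                                    "but a handshake slower than this is torn down"),
    "tcp-trans-close-timeout": (240, "RFC 7857 s.2.1: below 4 min is allowed, "
                                     "but late FIN/RST handling is cut short"),
}


def check_timeouts(config: Dict) -> List[Finding]:
    """Return (severity, leaf, explanation) tuples; an empty list means the
    configuration meets every floor the grouping's references impose."""
    cfg = {**DEFAULTS, **config}
    findings: List[Finding] = []
    for leaf, (floor, why) in MUST_FLOORS.items():
        if cfg[leaf] < floor:
            findings.append(("error", leaf, f"{cfg[leaf]} s < {floor} s: {why}"))
    for leaf, (floor, why) in SHOULD_FLOORS.items():
        if cfg[leaf] < floor:
            findings.append(("warning", leaf, f"{cfg[leaf]} s < {floor} s: {why}"))
    # per-port-timeout entries override the protocol-wide timer for one port
    # (e.g. 10 s for DNS on 53); a zero value tears the mapping down at once.
    for entry in cfg.get("per-port-timeout", []):
        if entry["port-timeout"] == 0:
            findings.append(("error", "per-port-timeout",
                             f"port {entry['port-number']}: a zero timeout "
                             "removes the mapping after the first packet"))
    # RFC 6888 REQ-8: released ports sit in a hold-down pool so that a late
    # packet of the old session is not delivered to the port's new owner.
    if cfg["hold-down-timeout"] == 0:
        findings.append(("warning", "hold-down-timeout",
                         "0 s: freed ports are reusable immediately, so a "
                         "stale session can reach the next subscriber"))
    return findings


# Constructed sample configurations (not taken from the draft).
RFC_COMPLIANT = {"per-port-timeout": [{"port-number": 53, "port-timeout": 10}]}
AGGRESSIVE = {"udp-timeout": 30, "tcp-idle-timeout": 600,
              "tcp-trans-open-timeout": 60, "hold-down-timeout": 0}

if __name__ == "__main__":
    for name, cfg in (("compliant", RFC_COMPLIANT), ("aggressive", AGGRESSIVE)):
        print(f"{name}: {len(check_timeouts(cfg))} finding(s)")
        for severity, leaf, why in check_timeouts(cfg):
            print(f"  [{severity}] {leaf}: {why}")
```

The split between errors and warnings follows the model's own wording: the transitory timeouts may legitimately be shortened, the others may not, and a shorter hold-down is a policy trade-off rather than a violation.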
grouping port-set { case port-set-algo {
description
"Indicates a set of ports.
It may be a simple port range, or use the PSID algorithm
to represent a range of transport layer
ports which will be used by a NAPT.";
choice port-type { leaf psid-offset {
default port-range; type uint8 {
description range 0..16;
"Port type: port-range or port-set-algo.";
case port-range { }
leaf start-port-number { description
type inet:port-number; "The number of offset bits. In Lightweight 4over6,
description the default value is 0 for assigning one contiguous
"Beginning of the port range."; port range. In MAP-E/T, the default value is 6,
which excludes system ports by default and assigns
port ranges distributed across the entire port
space.";
}
reference leaf psid-len {
"Section 3.2.9 of RFC 8045."; type uint8 {
range 0..15;
} }
mandatory true;
description
"The length of PSID, representing the sharing
ratio for an IPv4 address.";
}
leaf end-port-number { leaf psid {
type uint16;
mandatory true;
description
"Port Set Identifier (PSID) value, which
identifies a set of ports algorithmically.";
}
}
type inet:port-number; }
description }
"End of the port range.";
reference // port numbers: single or port-range
"Section 3.2.10 of RFC 8045.";
}
}
case port-set-algo { grouping port-number {
description
"Individual port or a range of ports.";
choice port-type {
default single-port-number;
description
"Port type: single or port-range.";
case single-port-number {
leaf single-port-number {
type inet:port-number;
description
"Used for single port numbers.";
leaf psid-offset {
type uint8 {
range 0..16;
}
description
"The number of offset bits. In Lightweight 4over6,
the default value is 0 for assigning one contiguous
port range. In MAP-E/T, the default value is 6,
which excludes system ports by default and assigns
port ranges distributed across the entire port
space.";
} }
}
leaf psid-len { case port-range {
type uint8 { leaf start-port-number {
range 0..15; type inet:port-number;
} description
mandatory true; "Beginning of the port range.";
description
"The length of PSID, representing the sharing reference
ratio for an IPv4 address."; "Section 3.2.9 of RFC 8045.";
} }
leaf psid { leaf end-port-number {
type uint16; type inet:port-number;
mandatory true; description
description "End of the port range.";
"Port Set Identifier (PSID) value, which
identifies a set of ports algorithmically.";
}
}
} reference
"Section 3.2.10 of RFC 8045.";
}
}
}
} }
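The port-set grouping carries psid-offset, psid-len and psid but leaves the expansion into actual ports to the PSID algorithm (the port-mapping algorithm of RFC 7597, Appendix B). The Python below is an added example, not part of this draft or of the ietf-nat module, that performs that expansion and the reverse lookup an operator needs when a log records only a shared external address and port; port_set(), psid_of_port() and the sample parameters are assumptions made here. It also shows the practical difference between the two defaults the description mentions: with psid-offset 0 the set for PSID 0 contains the system ports, with psid-offset 6 no set does.

```python
"""Expand (psid-offset, psid-len, psid) from the port-set grouping into the
ports it denotes (RFC 7597 Appendix B). Added example; not from the draft."""

from typing import List, Optional


def port_set(psid_offset: int, psid_len: int, psid: int) -> List[int]:
    """All transport ports owned by one PSID, in ascending order.

    A 16-bit port is split into three fields, high bits first:
      A (psid_offset bits) | PSID (psid_len bits) | M (remaining bits).
    For psid_offset > 0, A = 0 is excluded, which keeps every port below
    2^(16 - psid_offset) (the system ports, for offset 6) out of all sets;
    for psid_offset == 0 the set is one contiguous range and PSID 0 gets
    the system ports.
    """
    if not 0 <= psid_offset <= 16 or not 0 <= psid_len <= 15:
        raise ValueError("psid-offset must be 0..16 and psid-len 0..15")
    if psid_offset + psid_len > 16:
        raise ValueError("psid-offset + psid-len exceeds the 16-bit port space")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid-len bits")
    m_bits = 16 - psid_offset - psid_len
    a_values = range(1, 1 << psid_offset) if psid_offset else range(1)
    ports: List[int] = []
    for a in a_values:
        base = (a << (16 - psid_offset)) | (psid << m_bits)
        ports.extend(range(base, base + (1 << m_bits)))
    return ports


def psid_of_port(port: int, psid_offset: int, psid_len: int) -> Optional[int]:
    """Recover the PSID that owns an external port, or None when the port
    lies in the excluded A = 0 block and therefore belongs to no subscriber."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if psid_offset and (port >> (16 - psid_offset)) == 0:
        return None
    m_bits = 16 - psid_offset - psid_len
    return (port >> m_bits) & ((1 << psid_len) - 1)


if __name__ == "__main__":
    # MAP-E/T style parameters (constructed): offset 6, 4-bit PSID, so 16
    # subscribers share one address, each with 63 blocks of 64 ports.
    ports = port_set(6, 4, 3)
    print(len(ports), ports[0], ports[-1], psid_of_port(ports[0], 6, 4))
    # Lightweight 4over6 style: offset 0 gives one contiguous block, and
    # PSID 0 receives ports 0..4095, including the system ports.
    print(port_set(0, 4, 0)[:3], psid_of_port(80, 0, 4))
```

Because the sets for all PSIDs partition the port space above the excluded block, psid_of_port() is exact: a logged (address, port) pair identifies one subscriber without consulting per-session state, which is why the address-sharing logging requirements are far cheaper to meet with algorithmic port sets than with per-mapping logs.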
// port numbers: single or port-range // Mapping Entry
grouping port-number { grouping mapping-entry {
description description
"Individual port or a range of ports."; "NAT mapping entry.";
choice port-type { leaf index {
default single-port-number; type uint32;
description description
"Port type: single or port-range."; "A unique identifier of a mapping entry.";
}
case single-port-number { leaf type {
leaf single-port-number { type enumeration {
type inet:port-number; enum "static" {
description description
"Used for single port numbers."; "The mapping entry is manually
} configured.";
} }
case port-range { enum "dynamic-explicit" {
leaf start-port-number {
type inet:port-number;
description description
"Beginning of the port range."; "This mapping is created by an
explicit dynamic message.";
reference }
"Section 3.2.9 of RFC 8045.";
}
leaf end-port-number { enum "dynamic-implicit" {
type inet:port-number;
description description
"End of the port range."; "This mapping is created by an
outgoing packet.";
reference }
"Section 3.2.10 of RFC 8045."; }
} description
} "Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
} }
}
// Mapping Entry
grouping mapping-entry { leaf transport-protocol {
description type uint8;
"NAT mapping entry.";
leaf index { description
type uint32; "Upper-layer protocol associated with this mapping.
description Values are taken from the IANA protocol registry.
"A unique identifier of a mapping entry."; For example, this field contains 6 (TCP) for a TCP
} mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
}
leaf type { leaf internal-src-address {
type enumeration { type inet:ip-prefix;
enum "static" {
description
"The mapping entry is manually
configured.";
}
enum "dynamic-explicit" { description
description "Corresponds to the source IPv4/IPv6 address/prefix
"This mapping is created by an of the packet received on an internal
explicit dynamic message."; interface.";
} }
enum "dynamic-implicit" { container internal-src-port {
description
"This mapping is created by an
outgoing packet.";
}
}
description
"Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
}
leaf transport-protocol { description
type uint8; "Corresponds to the source port of the
packet received on an internal interface.
It is used also to carry the internal
source ICMP identifier.";
description uses port-number;
"Upper-layer protocol associated with this mapping. }
Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
}
leaf internal-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Source IP address/prefix of the packet sent
of the packet received on an internal on an external interface of the NAT.";
interface."; }
}
container internal-src-port { container external-src-port {
description description
"Corresponds to the source port of the "Source port of the packet sent
packet received on an internal interface. on an external interface of the NAT.
It is used also to carry the internal It is used also to carry the external
source ICMP identifier."; source ICMP identifier.";
uses port-number; uses port-number;
} }
leaf external-src-address {
type inet:ip-prefix;
description leaf internal-dst-address {
"Source IP address/prefix of the packet sent type inet:ip-prefix;
on an external interface of the NAT.";
}
container external-src-port { description
"Corresponds to the destination IP address/prefix
of the packet received on an internal interface
of the NAT.
For example, some NAT implementations support
the translation of both source and destination
addresses and ports, sometimes referred to
as 'Twice NAT'.";
}
container internal-dst-port {
description description
"Source port of the packet sent "Corresponds to the destination port of the
on an external interface of the NAT. IP packet received on the internal interface.
It is used also to carry the external
source ICMP identifier.";
uses port-number; It is used also to carry the internal
} destination ICMP identifier.";
leaf internal-dst-address { uses port-number;
}
leaf external-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet sent on an external interface
of the NAT. of the NAT.";
For example, some NAT implementations support }
the translation of both source and destination
addresses and ports, sometimes referred to
as 'Twice NAT'.";
}
container internal-dst-port { container external-dst-port {
description description
"Corresponds to the destination port of the "Corresponds to the destination port number of
IP packet received on the internal interface. the packet sent on the external interface
of the NAT.
It is used also to carry the external
destination ICMP identifier.";
It is used also to carry the internal uses port-number;
destination ICMP identifier."; }
uses port-number; leaf lifetime {
} type uint32;
//mandatory true;
leaf external-dst-address { description
type inet:ip-prefix; "When specified, it tracks the connection that is
fully-formed (e.g., once the 3WHS TCP is completed)
or the duration for maintaining an explicit mapping
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to
remove that mapping.";
}
}
description /*
"Corresponds to the destination IP address/prefix * NAT Module
of the packet sent on an external interface */
of the NAT.";
}
container external-dst-port { container nat-module {
description
"NAT";
description container nat-instances {
"Corresponds to the destination port number of description
the packet sent on the external interface "NAT instances";
of the NAT.
It is used also to carry the external
destination ICMP identifier.";
uses port-number; list nat-instance {
}
leaf lifetime { key "id";
type uint32;
//mandatory true;
description description
"When specified, it tracks the connection that is "A NAT instance.";
fully-formed (e.g., once the TCP three-way handshake is completed)
or the duration for maintaining an explicit mapping
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to
remove that mapping.";
}
}
grouping nat-parameters { leaf id {
description type uint32;
"NAT parameters for a given instance";
list external-ip-address-pool { description
key pool-id; "NAT instance identifier.";
description reference
"Pool of external IP addresses used to "RFC7659.";
service internal hosts. }
Both contiguous and non-contiguous pools
can be configured for NAT purposes.";
leaf pool-id { leaf name {
type uint32; type string;
description
"An identifier of the address pool.";
}
leaf external-ip-pool { description
type inet:ipv4-prefix; "A name associated with the NAT instance.";
}
description leaf enable {
"An IPv4 prefix used for NAT purposes."; type boolean;
}
}
container port-set-restrict { description
"Status of the NAT instance.";
}
when "../nat-capabilities/restricted-port-support = 'true'"; container nat-capabilities {
// config false;
description description
"Configures contiguous and non-contiguous port ranges."; "NAT capabilities";
uses port-set; leaf-list nat-flavor {
} type identityref {
base nat-type;
}
description
"Type of NAT.";
}
leaf dst-nat-enable { leaf-list nat44-flavor {
type boolean;
default false;
description when "../nat-flavor = 'nat44'";
"Enable/Disable destination NAT.
A NAT44 may be configured to enable
Destination NAT, too.";
}
list dst-ip-address-pool { type identityref {
//if-feature dst-nat; base nat44;
when "../nat-capabilities/nat-flavor = 'dst-nat' "; }
key pool-id; description
"Type of NAT44: Basic NAT or NAPT.";
}
description leaf restricted-port-support {
"Pool of IP addresses used for destination NAT."; type boolean;
leaf pool-id { description
type uint32; "Indicates source port NAT restriction
support.";
}
description leaf static-mapping-support {
"An identifier of the address pool."; type boolean;
} description
"Indicates whether static mappings are
supported.";
}
leaf dst-in-ip-pool { leaf port-randomization-support {
type inet:ip-prefix; type boolean;
description description
"Internal IP prefix/address"; "Indicates whether port randomization is
} supported.";
}
leaf dst-out-ip-pool { leaf port-range-allocation-support {
type inet:ip-prefix; type boolean;
description description
"IP address/prefix used for destination NAT."; "Indicates whether port range
} allocation is supported.";
} }
list nat64-prefixes { leaf port-preservation-suport {
type boolean;
when "../nat-capabilities/nat-flavor = 'nat64' " + description
" or ../nat-capabilities/nat-flavor = 'clat'"; "Indicates whether port preservation
is supported.";
}
key nat64-prefix; leaf port-parity-preservation-support {
type boolean;
description description
"Provides one or a list of NAT64 prefixes "Indicates whether port parity
with or without a list of destination IPv4 prefixes. preservation is supported.";
}
Destination-based Pref64::/n is discussed in leaf address-roundrobin-support {
Section 5.1 of [RFC7050]). For example: type boolean;
192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference description
"Section 5.1 of RFC7050."; "Indicates whether address allocation
round robin is supported.";
}
leaf nat64-prefix { leaf paired-address-pooling-support {
type inet:ipv6-prefix; type boolean;
//default "64:ff9b::/96";
description description
"A NAT64 prefix. Can be NSP or a Well-Known "Indicates whether paired-address-pooling is
Prefix (WKP)."; supported";
}
reference leaf endpoint-independent-mapping-support {
"RFC 6052."; type boolean;
}
list destination-ipv4-prefix {
key ipv4-prefix; description
"Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is
supported.";
}
description leaf address-dependent-mapping-support {
"An IPv4 prefix/address."; type boolean;
leaf ipv4-prefix {
type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "Indicates whether address-dependent-
} mapping is supported.";
} }
}
list clat-ipv6-prefixes { leaf address-and-port-dependent-mapping-support
{
type boolean;
when "../nat-capabilities/nat-flavor = 'clat' "; description
"Indicates whether address-and-port-
dependent-mapping is supported.";
}
key clat-ipv6-prefix; leaf endpoint-independent-filtering-support
{
type boolean;
description
"Indicates whether endpoint-independent
-filtering is supported.";
}
leaf address-dependent-filtering {
type boolean;
description
"Indicates whether address-dependent
-filtering is supported.";
}
leaf address-and-port-dependent-filtering {
type boolean;
description
"Indicates whether address-and-port
-dependent-filtering is supported.";
}
}
// Parameters for NAT pass through
list nat-pass-through {
key nat-pass-through-id;
description
"IP prefix NAT pass through.";
leaf nat-pass-through-id {
type uint32;
description description
"464XLAT double translation treatment is "An identifier of the IP prefix pass
stateless when a dedicated /64 is available through.";
for translation on the CLAT. Otherwise, the }
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference leaf nat-pass-through-pref {
"RFC 6877."; type inet:ip-prefix;
leaf clat-ipv6-prefix { description
type inet:ipv6-prefix; "The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible
to administratively turn off translation
for specific destination addresses
and/or ports.";
}
description leaf nat-pass-through-port {
"An IPv6 prefix used for CLAT."; type inet:port-number;
}
description
"The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible to
administratively turn off translation
for specific destination addresses
and/or ports.";
}
} }
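The nat-capabilities leaves name the mapping and filtering behaviours of RFC 4787, and nat-pass-through exempts prefixes and ports from translation (REQ#6 of RFC 6888), but the model does not show how those settings change what a NAT lets through. The Python below is an added example, not code from this draft or the module, of a minimal NAT44 that implements endpoint-independent mapping, the three filtering behaviours and pass-through over a table laid out like the mapping-entry grouping in its single-port form; the Nat44 class, its port allocator (sequential, with no hold-down pool) and the sample traffic are assumptions made here.

```python
"""Minimal NAT44 showing RFC 4787 mapping/filtering behaviours and RFC 6888
pass-through over mapping-entry-style records. Added example; not from
the draft."""

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Set, Tuple

# (transport protocol number, src address, src port, dst address, dst port)
Packet = Tuple[int, str, int, str, int]

FILTERINGS = ("endpoint-independent", "address-dependent",
              "address-and-port-dependent")


@dataclass
class MappingEntry:
    """Single-port form of the mapping-entry grouping, plus the remote
    endpoints the mapping has been used towards (needed for filtering)."""
    index: int
    transport_protocol: int            # IANA number: 6 = TCP, 17 = UDP
    internal_src_address: str
    internal_src_port: int
    external_src_address: str
    external_src_port: int
    mapping_type: str = "dynamic-implicit"   # created by an outgoing packet
    peers: Set[Tuple[str, int]] = field(default_factory=set)


class Nat44:
    def __init__(self, external_address: str, filtering: str,
                 pass_through: Sequence[Tuple[str, Optional[int]]] = ()):
        if filtering not in FILTERINGS:
            raise ValueError(f"unknown filtering behaviour {filtering!r}")
        self.external_address = external_address
        self.filtering = filtering
        # (prefix, port-or-None) pairs, as nat-pass-through-pref / -port
        self.pass_through = [(ipaddress.ip_network(p), port)
                             for p, port in pass_through]
        self.table: Dict[Tuple[int, str, int], MappingEntry] = {}
        self.next_port = 1024          # toy allocator: sequential, no hold-down

    def _passes_through(self, address: str, port: int) -> bool:
        ip = ipaddress.ip_address(address)
        return any(ip in net and (p is None or p == port)
                   for net, p in self.pass_through)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate internal->external, creating a mapping on first use.
        Endpoint-independent mapping (RFC 4787 REQ-1): one external port per
        internal (protocol, address, port), whatever the destination."""
        proto, src, sport, dst, dport = pkt
        if self._passes_through(dst, dport):
            return pkt                 # REQ#6 of RFC 6888: translation off
        key = (proto, src, sport)
        entry = self.table.get(key)
        if entry is None:
            entry = MappingEntry(len(self.table) + 1, proto, src, sport,
                                 self.external_address, self.next_port)
            self.next_port += 1
            self.table[key] = entry
        entry.peers.add((dst, dport))
        return (proto, entry.external_src_address, entry.external_src_port,
                dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate external->internal, or return None to drop the packet.
        Packets to a port with no mapping are always dropped; for a mapped
        port the filtering behaviour decides which remote endpoints may
        use it."""
        proto, src, sport, dst, dport = pkt
        entry = next((e for e in self.table.values()
                      if e.transport_protocol == proto
                      and e.external_src_address == dst
                      and e.external_src_port == dport), None)
        if entry is None:
            return None
        if (self.filtering == "address-dependent"
                and src not in {a for a, _ in entry.peers}):
            return None
        if (self.filtering == "address-and-port-dependent"
                and (src, sport) not in entry.peers):
            return None
        return (proto, src, sport,
                entry.internal_src_address, entry.internal_src_port)


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.0/24 is exempt from translation.
    nat = Nat44("198.51.100.1", "address-and-port-dependent",
                pass_through=[("192.0.2.0/24", None)])
    print(nat.outbound((17, "10.0.0.5", 40000, "203.0.113.9", 53)))
    print(nat.inbound((17, "203.0.113.9", 53, "198.51.100.1", 1024)))
    print(nat.inbound((17, "203.0.113.9", 5353, "198.51.100.1", 1024)))
    print(nat.outbound((6, "10.0.0.5", 5000, "192.0.2.7", 443)))
```

Running the four calls shows the trade-off the capability leaves encode: endpoint-independent mapping keeps one external port per internal socket (which peer-to-peer applications need), while address-and-port-dependent filtering limits who may send to that port to the exact peers the internal host contacted, so an unsolicited sender learns nothing from probing the shared address.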
list clat-ipv4-prefixes { // NAT Policies: Multiple policies per NAT instance
when "../nat-capabilities/nat-flavor = 'clat'"; list nat-policy {
key clat-ipv4-prefix; key policy-id;
description
"Pool of IPv4 addresses used for CLAT.
192.0.0.0/29 is the IPv4 service continuity
prefix.";
reference description
"RFC 7335."; "NAT parameters for a given instance";
leaf clat-ipv4-prefix { leaf policy-id {
type inet:ipv4-prefix; type uint32;
description description
"464XLAT double translation treatment is "An identifier of the NAT policy.";
stateless when a dedicated /64 is available }
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference // CLAT Parameters
"RFC 6877.";
}
}
list nptv6-prefixes { container clat-parameters {
when "../nat-capabilities/nat-flavor = 'nptv6' "; description
"CLAT parameters.";
key translation-id; list clat-ipv6-prefixes {
description when "../../../nat-capabilities/nat-flavor = 'clat' ";
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network key clat-ipv6-prefix;
links, one of which is an 'internal' network link description
attached to a leaf network within a single "464XLAT double translation treatment is
administrative domain and the other of which is an stateless when a dedicated /64 is available
'external' network with connectivity to the global for translation on the CLAT. Otherwise, the
Internet."; CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference reference
"RFC 6296."; "RFC 6877.";
leaf translation-id { leaf clat-ipv6-prefix {
type uint32; type inet:ipv6-prefix;
description
"An identifier of the NPTv6 prefixes.";
}
leaf internal-ipv6-prefix { description
type inet:ipv6-prefix; "An IPv6 prefix used for CLAT.";
}
}
description list clat-ipv4-prefixes {
"An IPv6 prefix used by an internal interface
of NPTv6.";
reference when "../../../nat-capabilities/nat-flavor = 'clat'";
"RFC 6296.";
}
leaf external-ipv6-prefix { key clat-ipv4-prefix;
type inet:ipv6-prefix;
description description
"An IPv6 prefix used by the external interface "Pool of IPv4 addresses used for CLAT.
of NPTv6."; 192.0.0.0/29 is the IPv4 service continuity
prefix.";
reference reference
"RFC 6296."; "RFC 7335.";
}
}
list eam { leaf clat-ipv4-prefix {
type inet:ipv4-prefix;
when "../nat-capabilities/nat-flavor = 'eam' "; description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
key eam-ipv4-prefix; reference
"RFC 6877.";
}
}
}
description // NPTv6 Parameters
"The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference "Section 3.1 of RFC 7757."; list nptv6-prefixes {
leaf eam-ipv4-prefix { when "../../nat-capabilities/nat-flavor = 'nptv6' ";
type inet:ipv4-prefix;
description key translation-id;
"The IPv4 prefix of an EAM.";
reference description
"Section 3.2 of RFC 7757."; "Provides one or a list of (internal IPv6 prefix,
} external IPv6 prefix) required for NPTv6.
leaf eam-ipv6-prefix { In its simplest form, NPTv6 interconnects two network
type inet:ipv6-prefix; links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
description reference
"The IPv6 prefix of an EAM."; "RFC 6296.";
reference leaf translation-id {
"Section 3.2 of RFC 7757."; type uint32;
description
"An identifier of the NPTv6 prefixes.";
} }
}
list supported-transport-protocols { leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
key transport-protocol-id; description
"An IPv6 prefix used by an internal interface
of NPTv6.";
description reference
"Supported transport protocols. "RFC 6296.";
TCP and UDP are supported by default."; }
leaf transport-protocol-id { leaf external-ipv6-prefix {
type uint8; type inet:ipv6-prefix;
mandatory true;
description description
"Upper-layer protocol associated with this mapping. "An IPv6 prefix used by the external interface
Values are taken from the IANA protocol registry. of NPTv6.";
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping."; reference
"RFC 6296.";
} }
}
leaf transport-protocol-name { // EAM SIIT Parameters
type string;
description list eam {
"For example, TCP, UDP, DCCP, and SCTP.";
when "../../nat-capabilities/nat-flavor = 'eam' ";
key eam-ipv4-prefix;
description
"The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference "Section 3.1 of RFC 7757.";
leaf eam-ipv4-prefix {
type inet:ipv4-prefix;
description
"The IPv4 prefix of an EAM.";
reference
"Section 3.2 of RFC 7757.";
} }
}
leaf subscriber-mask-v6 { leaf eam-ipv6-prefix {
type uint8 { type inet:ipv6-prefix;
range "0 .. 128";
}
description description
"The subscriber-mask is an integer that indicates "The IPv6 prefix of an EAM.";
the length of significant bits to be applied on
the source IP address (internal side) to
unambiguously identify a CPE.
Subscriber-mask is a system-wide configuration reference
parameter that is used to enforce generic "Section 3.2 of RFC 7757.";
per-subscriber policies (e.g., port-quota). }
}
The enforcement of these generic policies does not //NAT64 IPv6 Prefixes
require the configuration of every subscriber's
prefix.
Example: suppose the 2001:db8:100:100::/56 prefix list nat64-prefixes {
is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used when "../../nat-capabilities/nat-flavor = 'nat64' " +
by the client that resides in that CPE. When the " or ../../nat-capabilities/nat-flavor = 'clat'";
NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on key nat64-prefix;
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56). description
Then, the NAT64 enforces policies based on that "Provides one or a list of NAT64 prefixes
prefix (2001:db8:100:100::/56), not on the exact with or without a list of destination IPv4 prefixes.
source IPv6 address.";
Destination-based Pref64::/n is discussed in
Section 5.1 of [RFC7050]). For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference
"Section 5.1 of RFC7050.";
leaf nat64-prefix {
type inet:ipv6-prefix;
//default "64:ff9b::/96";
description
"A NAT64 prefix. Can be NSP or a Well-Known
Prefix (WKP).";
reference
"RFC 6052.";
} }
list subscriber-match { list destination-ipv4-prefix {
key sub-match-id; key ipv4-prefix;
description description
"IP prefix match."; "An IPv4 prefix/address.";
leaf sub-match-id { leaf ipv4-prefix {
type uint32; type inet:ipv4-prefix;
description description
"An identifier of the subscriber mask."; "An IPv4 address/prefix.";
} }
}
}
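The nat64-prefixes list above pairs a Pref64::/n with an optional list of destination IPv4 prefixes, and the nat64-prefix leaf points to RFC 6052 for the address format. The following Python is an added illustration, not code from the draft or from any NAT64 implementation: it longest-matches a destination IPv4 address against a constructed nat64-prefixes instance, embeds the address in the chosen prefix for every prefix length RFC 6052 allows (Section 2.2 of that RFC), and, for the inbound direction, extracts it again while refusing addresses that lie outside the configured prefix. The NAT64_PREFIXES values and all function names are assumptions of the example.

```python
"""NAT64 prefix selection and RFC 6052 address synthesis.

Added example, not part of the draft: a constructed nat64-prefixes instance
is matched against a destination IPv4 address and the selected Pref64::/n is
used to synthesize (outbound) or extract (inbound) the IPv4 address.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

# Constructed configuration instance shaped like the nat64-prefixes list:
# each entry has a nat64-prefix and zero or more destination-ipv4-prefix rows.
# An entry with no rows acts as the catch-all (here the Well-Known Prefix).
NAT64_PREFIXES = [
    {"nat64-prefix": "2001:db8:122:300::/56",
     "destination-ipv4-prefix": ["192.0.2.0/24"]},
    {"nat64-prefix": "2001:db8:122::/48",
     "destination-ipv4-prefix": ["198.51.100.0/24"]},
    {"nat64-prefix": "64:ff9b::/96", "destination-ipv4-prefix": []},
]

# Prefix lengths permitted by RFC 6052; bits 64..71 (the "u" octet) stay zero.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _as_net(pref64):
    net = IPv6Network(pref64) if isinstance(pref64, str) else pref64
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"Pref64 length /{net.prefixlen} not allowed by RFC 6052")
    return net


def synthesize(pref64, ipv4):
    """Embed an IPv4 address in Pref64::/n (RFC 6052, Section 2.2)."""
    net = _as_net(pref64)
    n = net.prefixlen
    prefix_bits = int(net.network_address)
    v4 = int(IPv4Address(ipv4))
    if n == 96:
        return IPv6Address(prefix_bits | v4)               # bits 96..127
    if n == 64:
        return IPv6Address(prefix_bits | (v4 << 24))       # bits 72..103
    head_bits = 64 - n                                      # IPv4 bits before the u octet
    tail_bits = 32 - head_bits                              # IPv4 bits after the u octet
    head = v4 >> tail_bits
    tail = v4 & ((1 << tail_bits) - 1)
    return IPv6Address(prefix_bits | (head << 64) | (tail << (56 - tail_bits)))


def extract(pref64, ipv6):
    """Inverse of synthesize(); refuses addresses outside the configured Pref64."""
    net = _as_net(pref64)
    addr = IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}; not a NAT64-synthesized address")
    a = int(addr)
    n = net.prefixlen
    if n == 96:
        return IPv4Address(a & 0xFFFFFFFF)
    if n == 64:
        return IPv4Address((a >> 24) & 0xFFFFFFFF)
    head_bits = 64 - n
    tail_bits = 32 - head_bits
    head = (a >> 64) & ((1 << head_bits) - 1)
    tail = (a >> (56 - tail_bits)) & ((1 << tail_bits) - 1)
    return IPv4Address((head << tail_bits) | tail)


def select_pref64(config, dst_ipv4):
    """Longest-match dst_ipv4 against the destination-ipv4-prefix rows;
    an entry with no rows is the fallback."""
    dst = IPv4Address(dst_ipv4)
    best, best_len = None, None
    for entry in config:
        rows = [IPv4Network(p) for p in entry["destination-ipv4-prefix"]]
        if rows:
            hits = [r.prefixlen for r in rows if dst in r]
            if not hits:
                continue
            match_len = max(hits)
        else:
            match_len = -1                                  # catch-all entry
        if best_len is None or match_len > best_len:
            best, best_len = IPv6Network(entry["nat64-prefix"]), match_len
    return best


def translate_outbound(config, dst_ipv4):
    """IPv6 destination a NAT64 or CLAT would use for an IPv4 destination."""
    pref64 = select_pref64(config, dst_ipv4)
    return None if pref64 is None else synthesize(pref64, dst_ipv4)


if __name__ == "__main__":
    for dst in ("192.0.2.33", "198.51.100.7", "203.0.113.9"):
        chosen = select_pref64(NAT64_PREFIXES, dst)
        print(f"{dst:>14} -> {chosen} -> {synthesize(chosen, dst)}")
```

The refusal in extract() is the check that matters operationally: an inbound packet whose destination is not inside a configured Pref64 must not be handed to the translator, otherwise arbitrary IPv6 destinations could be mapped onto IPv4 hosts.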
leaf sub-mask { list external-ip-address-pool {
type inet:ip-prefix; key pool-id;
mandatory true;
description
"The IP address subnets that match
should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
} description
"Pool of external IP addresses used to
service internal hosts.
Both contiguous and non-contiguous pools
can be configured for NAT purposes.";
list nat-pass-through { leaf pool-id {
type uint32;
key nat-pass-through-id; description
"An identifier of the address pool.";
}
description leaf external-ip-pool {
"IP prefix NAT pass through."; type inet:ipv4-prefix;
leaf nat-pass-through-id {
type uint32;
description description
"An identifier of the IP prefix pass "An IPv4 prefix used for NAT purposes.";
through.";
} }
}
leaf nat-pass-through-pref { container port-set-restrict {
type inet:ip-prefix;
description
"The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible
to administratively turn off translation
for specific destination addresses
and/or ports.";
}
leaf nat-pass-through-port { when "../../nat-capabilities/restricted-port-support = 'true'";
type inet:port-number;
description
"The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible to
administratively turn off translation
for specific destination addresses
and/or ports.";
}
}
leaf paired-address-pooling { description
type boolean; "Configures contiguous and non-contiguous port ranges.";
default true;
description uses port-set;
"Paired address pooling informs the NAT }
that all the flows from an internal IP
address must be assigned the same external
address.";
reference leaf dst-nat-enable {
"RFC 4007."; type boolean;
} default false;
leaf nat-mapping-type { description
type enumeration { "Enable/Disable destination NAT.
enum "eim" { A NAT44 may be configured to enable
description Destination NAT, too.";
"endpoint-independent-mapping.";
reference }
"Section 4 of RFC 4787.";
}
enum "adm" { list dst-ip-address-pool {
description //if-feature dst-nat;
"address-dependent-mapping."; when "../../nat-capabilities/nat-flavor = 'dst-nat' ";
reference key pool-id;
"Section 4 of RFC 4787.";
}
enum "edm" { description
description "Pool of IP addresses used for destination NAT.";
"address-and-port-dependent-mapping.";
leaf pool-id {
type uint32;
reference
"Section 4 of RFC 4787.";
}
}
description description
"Indicates the type of a NAT mapping."; "An identifier of the address pool.";
} }
leaf nat-filtering-type { leaf dst-in-ip-pool {
type enumeration { type inet:ip-prefix;
enum "eif" {
description description
"endpoint-independent-filtering."; "Internal IP prefix/address.";
}
reference leaf dst-out-ip-pool {
"Section 5 of RFC 4787."; type inet:ip-prefix;
}
enum "adf" { description
description "IP address/prefix used for destination NAT.";
"address-dependent-filtering."; }
}
reference list supported-transport-protocols {
"Section 5 of RFC 4787.";
}
enum "edf" { key transport-protocol-id;
description
"address-and-port-dependent-filtering";
reference description
"Section 5 of RFC 4787."; "Supported transport protocols.
} TCP and UDP are supported by default.";
}
description
"Indicates the type of a NAT filtering.";
}
list port-quota { leaf transport-protocol-id {
when "../nat-capabilities/nat44-flavor = "+ type uint8;
"'napt' or "+ mandatory true;
"../nat-capabilities/nat-flavor = "+
"'nat64'";
key quota-type; description
"Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping.";
}
description leaf transport-protocol-name {
"Configures a port quota to be assigned per type string;
subscriber. It corresponds to the maximum description
number of ports to be used by a subscriber."; "For example, TCP, UDP, DCCP, and SCTP.";
}
}
leaf port-limit { leaf subscriber-mask-v6 {
type uint8 {
range "0 .. 128";
}
type uint16; description
"The subscriber-mask is an integer that indicates
the length of significant bits to be applied on
the source IP address (internal side) to
unambiguously identify a CPE.
description Subscriber-mask is a system-wide configuration
"Configures a port quota to be assigned per parameter that is used to enforce generic
subscriber. It corresponds to the maximum per-subscriber policies (e.g., port-quota).
number of ports to be used by a subscriber.";
reference The enforcement of these generic policies does not
"REQ-4 of RFC 6888."; require the configuration of every subscriber's
prefix.
Example: suppose the 2001:db8:100:100::/56 prefix
is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the
NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on
the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address.";
}
list subscriber-match {
key sub-match-id;
description
"IP prefix match.";
leaf sub-match-id {
type uint32;
description
"An identifier of the subscriber mask.";
} }
leaf quota-type { leaf sub-mask {
type enumeration { type inet:ip-prefix;
enum "all" { mandatory true;
description description
"The limit applies to all protocols."; "The IP address subnets that match
should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must
be processed by the NAT.";
}
reference }
"REQ-4 of RFC 6888.";
}
enum "tcp" { leaf paired-address-pooling {
description type boolean;
"TCP quota."; default true;
reference description
"REQ-4 of RFC 6888."; "Paired address pooling informs the NAT
} that all the flows from an internal IP
address must be assigned the same external
address.";
enum "udp" { reference
description "RFC 4007.";
"UDP quota."; }
leaf nat-mapping-type {
type enumeration {
enum "eim" {
description
"endpoint-independent-mapping.";
reference
"Section 4 of RFC 4787.";
}
enum "adm" {
description
"address-dependent-mapping.";
reference reference
"REQ-4 of RFC 6888."; "Section 4 of RFC 4787.";
} }
enum "icmp" { enum "edm" {
description description
"ICMP quota."; "address-and-port-dependent-mapping.";
reference reference
"REQ-4 of RFC 6888."; "Section 4 of RFC 4787.";
}
} }
description }
"Indicates whether the port quota applies to description
all protocols or to a specific transport."; "Indicates the type of a NAT mapping.";
} }
}
leaf port-allocation-type { leaf nat-filtering-type {
type enumeration { type enumeration {
enum "random" { enum "eif" {
description
"Port randomization is enabled.";
}
enum "port-preservation" { description
description "endpoint-independent-filtering.";
"Indicates whether the NAT should
preserve the internal port number.";
}
enum "port-parity-preservation" { reference
description "Section 5 of RFC 4787.";
"Indicates whether the NAT should }
preserve the port parity of the
internal port number.";
}
enum "port-range-allocation" { enum "adf" {
description description
"Indicates whether the NAT assigns a "address-dependent-filtering.";
range of ports for an internal host.";
}
} reference
description "Section 5 of RFC 4787.";
"Indicates the type of a port allocation."; }
}
leaf address-roundrobin-enable { enum "edf" {
type boolean; description
"address-and-port-dependent-filtering";
description reference
"Enable/disable address allocation "Section 5 of RFC 4787.";
round robin."; }
} }
description
"Indicates the type of a NAT filtering.";
}
list port-quota {
when "../../nat-capabilities/nat44-flavor = "+
"'napt' or "+
"../../nat-capabilities/nat-flavor = "+
"'nat64'";
container port-set { key quota-type;
when "../port-allocation-type='port-range-allocation'";
description description
"Manages port-set assignments."; "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum
number of ports to be used by a subscriber.";
leaf port-set-size { leaf port-limit {
type uint16;
description type uint16;
"Indicates the size of assigned port
sets."; description
} "Configures a port quota to be assigned per
leaf port-set-timeout { subscriber. It corresponds to the maximum
type uint32; number of ports to be used by a subscriber.";
description
"Inactivity timeout for port sets."; reference
"REQ-4 of RFC 6888.";
} }
}
uses timeouts; leaf quota-type {
type enumeration {
enum "all" {
container mapping-limit { description
"The limit applies to all protocols.";
description reference
"Information about the configuration parameters that "REQ-4 of RFC 6888.";
limits the mappings based upon various criteria."; }
leaf limit-per-subscriber { enum "tcp" {
type uint32; description
"TCP quota.";
description reference
"Maximum number of NAT mappings per "REQ-4 of RFC 6888.";
subscriber."; }
}
leaf limit-per-vrf { enum "udp" {
type uint32; description
"UDP quota.";
description reference
"Maximum number of NAT mappings per "REQ-4 of RFC 6888.";
VLAN/VRF."; }
}
leaf limit-per-subnet { enum "icmp" {
type inet:ip-prefix; description
"ICMP quota.";
description reference
"Maximum number of NAT mappings per "REQ-4 of RFC 6888.";
subnet."; }
} }
description
"Indicates whether the port quota applies to
all protocols or to a specific transport.";
}
}
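The subscriber-mask-v6 description above explains that per-subscriber policies such as port-quota are enforced on the masked source prefix rather than on the exact source address, and the port-quota list configures a port-limit per quota-type. The Python below is an added example, not code from the draft or from any NAT implementation: it derives the subscriber prefix from a source IPv6 address and enforces a constructed port-quota instance with an "all" limit and a "udp" limit against that prefix. The POLICY values, the PortQuota class and the function names are assumptions of the example.

```python
"""Per-subscriber policy enforcement keyed by subscriber-mask-v6.

Added example, not part of the draft: a NAT64 derives the subscriber prefix
from the source IPv6 address and enforces the port-quota list (quota-type ->
port-limit) against that prefix, so two hosts behind one CPE share one quota.
"""
from collections import defaultdict
from ipaddress import IPv6Address, IPv6Network

# Constructed policy instance mirroring the leaves discussed in the module:
# subscriber-mask-v6, and port-quota entries keyed by quota-type.
POLICY = {
    "subscriber-mask-v6": 56,
    "port-quota": {"all": 6, "udp": 3},   # quota-type -> port-limit
}


def subscriber_prefix(src_ipv6, mask):
    """Apply the subscriber mask to a source address, e.g. /56 on
    2001:db8:100:100::1 gives 2001:db8:100:100::/56."""
    if not 0 <= mask <= 128:
        raise ValueError("subscriber-mask-v6 must be in 0..128")
    return IPv6Network(f"{IPv6Address(src_ipv6)}/{mask}", strict=False)


class PortQuota:
    """Tracks external ports in use per (subscriber prefix, transport)."""

    def __init__(self, policy):
        self.mask = policy["subscriber-mask-v6"]
        self.quota = policy["port-quota"]
        # prefix -> transport -> set of external ports
        self.in_use = defaultdict(lambda: defaultdict(set))
        self._next_port = 1024            # sequential allocator, for clarity only

    def _used(self, prefix, proto=None):
        protos = self.in_use[prefix]
        if proto is None:
            return sum(len(ports) for ports in protos.values())
        return len(protos[proto])

    def allowed(self, prefix, proto):
        """True when one more port for this subscriber/transport stays within
        both the per-transport quota and the 'all' quota."""
        if "all" in self.quota and self._used(prefix) >= self.quota["all"]:
            return False
        if proto in self.quota and self._used(prefix, proto) >= self.quota[proto]:
            return False
        return True

    def allocate(self, src_ipv6, proto):
        """Return an external port for a new mapping, or None when the
        subscriber's quota is exhausted."""
        prefix = subscriber_prefix(src_ipv6, self.mask)
        if not self.allowed(prefix, proto):
            return None
        port = self._next_port
        self._next_port += 1
        self.in_use[prefix][proto].add(port)
        return port

    def release(self, src_ipv6, proto, port):
        prefix = subscriber_prefix(src_ipv6, self.mask)
        self.in_use[prefix][proto].discard(port)


def demo():
    """Two hosts in one /56 share a quota; a host in another /56 does not."""
    q = PortQuota(POLICY)
    a, b = "2001:db8:100:100::1", "2001:db8:100:1ff::7"
    udp = [q.allocate(a, "udp"), q.allocate(b, "udp"),
           q.allocate(a, "udp"), q.allocate(b, "udp")]     # 4th hits the udp limit
    tcp = [q.allocate(a, "tcp") for _ in range(4)]          # 4th hits the 'all' limit
    other = q.allocate("2001:db8:100:200::1", "udp")        # different subscriber
    return udp, tcp, other


if __name__ == "__main__":
    print(demo())
```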
leaf limit-per-instance { leaf port-allocation-type {
type uint32; type enumeration {
mandatory true; enum "random" {
description
"Port randomization is enabled.";
}
description enum "port-preservation" {
"Maximum number of NAT mappings per description
instance."; "Indicates whether the NAT should
} preserve the internal port number.";
leaf limit-per-udp { }
type uint32;
mandatory true;
description enum "port-parity-preservation" {
"Maximum number of UDP NAT mappings per description
subscriber."; "Indicates whether the NAT should
} preserve the port parity of the
internal port number.";
}
leaf limit-per-tcp { enum "port-range-allocation" {
type uint32; description
mandatory true; "Indicates whether the NAT assigns a
range of ports for an internal host.";
}
description }
"Maximum number of TCP NAT mappings per
subscriber.";
} description
"Indicates the type of a port allocation.";
}
leaf limit-per-icmp { leaf address-roundrobin-enable {
type uint32; type boolean;
mandatory true;
description description
"Maximum number of ICMP NAT mappings per "Enable/disable address allocation
subscriber."; round robin.";
} }
}
container connection-limit { container port-set {
when "../port-allocation-type='port-range-allocation'";
description description
"Information about the configuration parameters that "Manages port-set assignments.";
rate limit the translation based upon various
criteria.";
leaf limit-per-subscriber { leaf port-set-size {
type uint32; type uint16;
description
"Indicates the size of assigned port
sets.";
}
description leaf port-set-timeout {
"Rate-limit the number of new mappings type uint32;
and sessions per subscriber."; description
} "Inactivity timeout for port sets.";
}
}
leaf limit-per-vrf { container timers {
type uint32; description
description "Configure values of various timeouts.";
"Rate-limit the number of new mappings
and sessions per VLAN/VRF.";
}
leaf limit-per-subnet { leaf udp-timeout {
type inet:ip-prefix; type uint32;
units "seconds";
default 300;
description
"UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT.";
description reference
"Rate-limit the number of new mappings "RFC 4787.";
and sessions per subnet.";
}
leaf limit-per-instance { }
type uint32;
mandatory true;
description leaf tcp-idle-timeout {
"Rate-limit the number of new mappings type uint32;
and sessions per instance."; units "seconds";
} default 7440;
description
"TCP Idle timeout should be
2 hours and 4 minutes.";
leaf limit-per-udp { reference
type uint32; "RFC 5382.";
mandatory true; }
description leaf tcp-trans-open-timeout {
"Rate-limit the number of new UDP mappings type uint32;
and sessions per subscriber."; units "seconds";
} default 240;
description
"The value of the transitory open connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
leaf limit-per-tcp { parameters for configuring the open and
type uint32; closing idle timeouts.
mandatory true; To accommodate deployments that consider
a partially open timeout of 4 minutes as being
excessive from a security standpoint, a NAT may
allow the configured timeout to be less than
4 minutes.
However, a minimum default transitory connection
idle-timeout of 4 minutes is recommended.";
description reference
"Rate-limit the number of new TCP mappings "RFC 7857.";
and sessions per subscriber."; }
} leaf tcp-trans-close-timeout {
type uint32;
units "seconds";
default 240;
description
"The value of the transitory close connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
leaf limit-per-icmp { reference
type uint32; "RFC 7857.";
mandatory true; }
description leaf tcp-in-syn-timeout {
"Rate-limit the number of new ICMP mappings type uint32;
and sessions per subscriber."; units "seconds";
default 6;
description
"A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds
after the packet is received. If during
this interval the NAT receives and translates
an outbound SYN for the connection the NAT
must silently drop the original unsolicited
inbound SYN packet.";
} reference
} "RFC 5382.";
}
list algs { leaf fragment-min-timeout {
key alg-name; type uint32;
units "seconds";
default 2;
description
"As long as the NAT has available resources,
the NAT allows the fragments to arrive
over fragment-min-timeout interval.
The default value is inspired from RFC6146.";
}
description leaf icmp-timeout {
"ALG-related features."; type uint32;
units "seconds";
default 60;
description
"An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended
that the ICMP Query session timer be made
configurable.";
leaf alg-name { reference
type string; "RFC 5508.";
}
description list per-port-timeout {
"The name of the ALG"; key port-number;
}
leaf alg-transport-protocol { description
type uint32; "Some NATs are configurable with short timeouts
for some ports, e.g., 10 seconds on
port 53 (DNS) and port 123 (NTP), and longer timeouts
on other ports.";
description leaf port-number {
"The transport protocol used by the ALG."; type inet:port-number;
} description
"A port number.";
}
leaf alg-transport-port { leaf port-timeout {
type inet:port-number; type uint32;
units "seconds";
mandatory true;
description
"Timeout for this port.";
}
}
description leaf hold-down-timeout {
"The port number used by the ALG.";
}
leaf alg-status { type uint32;
type boolean; units "seconds";
default 120;
description description
"Enable/disable the ALG."; "Hold down timer. Ports in the
} hold down pool are not reassigned until
} this timer expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
leaf all-algs-enable { reference
type boolean; "REQ#8 of RFC 6888.";
}
description leaf hold-down-max {
"Enable/disable all ALGs."; type uint32;
}
container logging-info { description
description "Maximum ports in the Hold down timer pool.
"Information about logging NAT events"; Ports in the hold down pool are not reassigned
until hold-down-timeout expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
leaf logging-enable { reference
type boolean; "REQ#8 of RFC 6888.";
}
}
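The timers container above combines protocol idle timeouts (udp-timeout, tcp-idle-timeout, icmp-timeout), per-port overrides (per-port-timeout) and the hold-down pool that keeps a released port from being reassigned before hold-down-timeout expires, which the draft cites from REQ#8 of RFC 6888 as the way to stop an old session from being redirected to a new peer. The Python below is an added example, not code from the draft or from any implementation: a small external-port table driven by a constructed timers instance. TIMERS, the MappingTable class and the choice to release the oldest parked port early when hold-down-max is reached are assumptions of the example.

```python
"""Mapping idle timeouts and the port hold-down pool.

Added example, not part of the draft: a minimal external-port table driven by
a constructed instance of the timers container. Expired mappings park their
port in hold-down instead of returning it to the free pool immediately.
"""
from collections import OrderedDict

# Constructed timers instance; keys are the leaf names from the module.
TIMERS = {
    "udp-timeout": 300,
    "tcp-idle-timeout": 7440,
    "icmp-timeout": 60,
    "per-port-timeout": {53: 10, 123: 10},   # destination port -> seconds
    "hold-down-timeout": 120,
    "hold-down-max": 2,
}


class MappingTable:
    def __init__(self, timers, external_ports):
        self.t = timers
        self.free = list(external_ports)
        self.active = {}                 # ext port -> {"proto", "dst_port", "last"}
        self.hold_down = OrderedDict()   # ext port -> time at which it may be reused

    def idle_timeout(self, proto, dst_port):
        """per-port-timeout wins over the protocol default."""
        override = self.t["per-port-timeout"].get(dst_port)
        if override is not None:
            return override
        key = "tcp-idle-timeout" if proto == "tcp" else f"{proto}-timeout"
        return self.t[key]

    def state(self, ext_port):
        if ext_port in self.active:
            return "active"
        if ext_port in self.hold_down:
            return "hold-down"
        return "free"

    def expire(self, now):
        # Ports whose hold-down timer has elapsed become allocatable again.
        for port, reuse_at in list(self.hold_down.items()):
            if now >= reuse_at:
                del self.hold_down[port]
                self.free.append(port)
        # Idle mappings are torn down; their port is parked, not reused at once.
        for port, m in list(self.active.items()):
            if now - m["last"] >= self.idle_timeout(m["proto"], m["dst_port"]):
                del self.active[port]
                self._park(port, now)

    def _park(self, port, now):
        # hold-down-max bounds the pool. This example releases the oldest parked
        # port early when the bound is hit; that is an implementation choice,
        # the draft only requires the maximum to be configurable.
        if len(self.hold_down) >= self.t["hold-down-max"]:
            oldest, _ = self.hold_down.popitem(last=False)
            self.free.append(oldest)
        self.hold_down[port] = now + self.t["hold-down-timeout"]

    def allocate(self, now, proto, dst_port):
        """Create a mapping and return its external port, or None if no port
        is free (ports in hold-down are not candidates)."""
        self.expire(now)
        if not self.free:
            return None
        port = self.free.pop(0)
        self.active[port] = {"proto": proto, "dst_port": dst_port, "last": now}
        return port

    def refresh(self, now, ext_port):
        """A packet traversed the mapping; restart its idle timer."""
        self.active[ext_port]["last"] = now


if __name__ == "__main__":
    mt = MappingTable(TIMERS, [1024, 1025])
    print(mt.allocate(0, "udp", 53), mt.allocate(0, "udp", 80))
    mt.expire(10)
    print({p: mt.state(p) for p in (1024, 1025)})
```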
description list algs {
"Enable logging features as per Section 2.3
of [RFC6908].";
}
leaf destination-address { key alg-name;
type inet:ip-prefix;
mandatory true;
description description
"Address of the collector that receives "ALG-related features.";
the logs";
}
leaf destination-port { leaf alg-name {
type inet:port-number; type string;
mandatory true;
description description
"Destination port of the collector."; "The name of the ALG";
} }
choice protocol { leaf alg-transport-protocol {
type uint32;
description description
"Enable the protocol to be used for "The transport protocol used by the ALG.";
the retrieval of logging entries."; }
case syslog { leaf alg-transport-port {
leaf syslog { type inet:port-number;
type boolean;
description description
"If SYSLOG is in use."; "The port number used by the ALG.";
} }
} leaf alg-status {
type boolean;
case ipfix { description
leaf ipfix { "Enable/disable the ALG.";
type boolean; }
}
description leaf all-algs-enable {
"If IPFIX is in use."; type boolean;
}
description
"Enable/disable all ALGs.";
} }
case ftp { container notify-pool-usage {
leaf ftp { description
type boolean; "Notification of pool usage when certain criteria
are met.";
description leaf pool-id {
"If FTP is in use."; type uint32;
}
} description
"Pool-ID for which the notification
criteria are defined.";
}
leaf notify-pool-hi-threshold {
type percent;
mandatory true;
description
"Notification must be generated when the
defined high threshold is reached.
For example, if a notification is
required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf notify-pool-low-threshold {
type percent;
description
"Notification must be generated when the defined
low threshold is reached.
For example, if a notification is required when
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
} }
}
container notify-pool-usage { container external-realm {
description
"Notification of pool usage when certain criteria
are met.";
leaf pool-id { description
type uint32; "Identifies the external realm of
the NAT.";
description choice realm-type {
"Pool-ID for which the notification
criteria are defined.";
}
leaf notify-pool-hi-threshold { description
type percent; "Interface or VRF.";
mandatory true;
case interface {
description description
"Notification must be generated when the "External interface.";
defined high threshold is reached.
For example, if a notification is
required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf notify-pool-low-threshold { leaf external-interface {
type percent; type if:interface-ref;
description description
"Notification must be generated when the defined "Name of an external interface.";
low threshold is reached. }
For example, if a notification is required when }
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
}
} //nat-parameters group case vrf {
container nat-module { description
description "External VRF instance.";
"NAT";
container nat-instances { leaf external-vrf-instance {
description type identityref {
"NAT instances"; base vrf-routing-instance;
}
list nat-instance { description
"A VRF instance.";
}
}
}
}
key "id"; } //nat-policy
container mapping-limit {
description description
"A NAT instance."; "Information about the configuration parameters that
limits the mappings based upon various criteria.";
leaf id { leaf limit-per-subscriber {
type uint32; type uint32;
description description
"NAT instance identifier."; "Maximum number of NAT mappings per
subscriber.";
}
reference leaf limit-per-vrf {
"RFC7659."; type uint32;
}
leaf name { description
type string; "Maximum number of NAT mappings per
VLAN/VRF.";
}
leaf limit-per-subnet {
type inet:ip-prefix;
description description
"A name associated with the NAT instance."; "Maximum number of NAT mappings per
} subnet.";
}
leaf enable { leaf limit-per-instance {
type boolean; type uint32;
mandatory true;
description description
"Status of the NAT instance."; "Maximum number of NAT mappings per
} instance.";
}
container nat-capabilities { leaf limit-per-udp {
// config false; type uint32;
mandatory true;
description description
"NAT capabilities"; "Maximum number of UDP NAT mappings per
subscriber.";
}
leaf limit-per-tcp {
type uint32;
mandatory true;
leaf-list nat-flavor { description
type identityref { "Maximum number of TCP NAT mappings per
base nat-type; subscriber.";
}
description
"Type of NAT.";
}
leaf-list nat44-flavor { }
when "../nat-flavor = 'nat44'"; leaf limit-per-icmp {
type uint32;
mandatory true;
type identityref { description
base nat44; "Maximum number of ICMP NAT mappings per
} subscriber.";
description }
"Type of NAT44: Basic NAT or NAPT."; }
}
leaf restricted-port-support { container connection-limit {
type boolean;
description description
"Indicates source port NAT restriction "Information about the configuration parameters that
support."; rate limit the translation based upon various
} criteria.";
leaf static-mapping-support { leaf limit-per-subscriber {
type boolean; type uint32;
description description
"Indicates whether static mappings are "Rate-limit the number of new mappings
supported."; and sessions per subscriber.";
} }
leaf port-randomization-support { leaf limit-per-vrf {
type boolean; type uint32;
description description
"Indicates whether port randomization is "Rate-limit the number of new mappings
supported."; and sessions per VLAN/VRF.";
} }
leaf port-range-allocation-support {
type boolean;
description leaf limit-per-subnet {
"Indicates whether port range type inet:ip-prefix;
allocation is supported.";
}
leaf port-preservation-suport { description
type boolean; "Rate-limit the number of new mappings
and sessions per subnet.";
}
description leaf limit-per-instance {
"Indicates whether port preservation type uint32;
is supported."; mandatory true;
}
leaf port-parity-preservation-support { description
type boolean; "Rate-limit the number of new mappings
and sessions per instance.";
}
description leaf limit-per-udp {
"Indicates whether port parity type uint32;
preservation is supported."; mandatory true;
}
leaf address-roundrobin-support { description
type boolean; "Rate-limit the number of new UDP mappings
and sessions per subscriber.";
}
description leaf limit-per-tcp {
"Indicates whether address allocation type uint32;
round robin is supported."; mandatory true;
}
leaf paired-address-pooling-support { description
type boolean; "Rate-limit the number of new TCP mappings
and sessions per subscriber.";
description }
"Indicates whether paired-address-pooling is
supported";
}
leaf endpoint-independent-mapping-support { leaf limit-per-icmp {
type boolean; type uint32;
mandatory true;
description description
"Indicates whether endpoint-independent- "Rate-limit the number of new ICMP mappings
mapping in Section 4 of RFC 4787 is and sessions per subscriber.";
supported."; }
} }
leaf address-dependent-mapping-support { container logging-info {
type boolean; description
"Information about logging NAT events";
description leaf logging-enable {
"Indicates whether address-dependent- type boolean;
mapping is supported."; description
} "Enable logging features as per Section 2.3
of [RFC6908].";
}
leaf address-and-port-dependent-mapping-support leaf destination-address {
{ type inet:ip-prefix;
type boolean; mandatory true;
description description
"Indicates whether address-and-port- "Address of the collector that receives
dependent-mapping is supported."; the logs";
} }
leaf endpoint-independent-filtering-support leaf destination-port {
{ type inet:port-number;
type boolean; mandatory true;
description description
"Indicates whether endpoint-independent "Destination port of the collector.";
-filtering is supported."; }
}
leaf address-dependent-filtering { choice protocol {
type boolean;
description description
"Indicates whether address-dependent "Enable the protocol to be used for
-filtering is supported."; the retrieval of logging entries.";
}
leaf address-and-port-dependent-filtering { case syslog {
type boolean; leaf syslog {
type boolean;
description description
"Indicates whether address-and-port "If SYSLOG is in use.";
-dependent-filtering is supported."; }
} }
}
list internal-interfaces { case ipfix {
leaf ipfix {
type boolean;
key internal-interface; description
description "If IPFIX is in use.";
"List of internal interfaces."; }
}
leaf internal-interface { case ftp {
type if:interface-ref; leaf ftp {
description type boolean;
"Name of an internal interface.";
}
}
list external-interfaces { description
"If FTP is in use.";
}
}
}
}
key external-interface; container mapping-table {
description when "../nat-capabilities/nat-flavor = "+
"List of external interfaces."; "'nat44' or "+
"../nat-capabilities/nat-flavor = "+
"'nat64' or "+
"../nat-capabilities/nat-flavor = "+
"'clat' or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
leaf external-interface { description
type if:interface-ref; "NAT mapping table. Applicable for functions
description which maintains static and/or dynamic mappings,
"Name of an external interface."; such as NAT44, Destination NAT, NAT64, or CLAT.";
}
}
uses nat-parameters; list mapping-entry {
key "index";
container mapping-table { description
"NAT mapping entry.";
when "../nat-capabilities/nat-flavor = "+ uses mapping-entry;
"'nat44' or "+ }
"../nat-capabilities/nat-flavor = "+ }
"'nat64'or "+
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
description container statistics {
"NAT mapping table. Applicable for functions
which maintains static and/or dynamic mappings,
such as NAT44, Destination NAT, NAT64, or CLAT.";
list mapping-entry { config false;
key "index";
description description
"NAT mapping entry."; "Statistics related to the NAT instance.";
uses mapping-entry; container traffic-statistics {
} description
} "Generic traffic statistics.";
container statistics { leaf sent-packet {
type yang:zero-based-counter64;
description
"Number of packets sent.";
}
config false; leaf sent-byte {
type yang:zero-based-counter64;
description description
"Statistics related to the NAT instance."; "Counter for sent traffic in bytes.";
}
container traffic-statistics { leaf rcvd-packet {
description type yang:zero-based-counter64;
"Generic traffic statistics.";
leaf sent-packet { description
type yang:zero-based-counter64; "Number of received packets.";
}
description leaf rcvd-byte {
"Number of packets sent."; type yang:zero-based-counter64;
}
leaf sent-byte { description
type yang:zero-based-counter64; "Counter for received traffic
in bytes.";
}
description leaf dropped-packet {
"Counter for sent traffic in bytes."; type yang:zero-based-counter64;
}
leaf rcvd-packet { description
type yang:zero-based-counter64; "Number of dropped packets.";
}
description leaf dropped-byte {
"Number of received packets."; type yang:zero-based-counter64;
}
leaf rcvd-byte { description
type yang:zero-based-counter64; "Counter for dropped traffic in
bytes.";
}
}
description container mapping-statistics {
"Counter for received traffic
in bytes.";
}
leaf dropped-packet { when "../../nat-capabilities/nat-flavor = "+
type yang:zero-based-counter64; "'nat44' or "+
description "../../nat-capabilities/nat-flavor = "+
"Number of dropped packets."; "'nat64'or "+
} "../../nat-capabilities/nat-flavor = 'dst-nat'";
leaf dropped-byte { description
type yang:zero-based-counter64; "Mapping statistics.";
description leaf total-mappings {
"Counter for dropped traffic in type uint32;
bytes.";
}
}
container mapping-statistics { description
"Total number of NAT mappings present
at a given time. This variable includes
all the static and dynamic mappings.";
}
when "../../nat-capabilities/nat-flavor = "+ leaf total-tcp-mappings {
"'nat44' or "+ type uint32;
"../../nat-capabilities/nat-flavor = "+
"'nat64'or "+
"../../nat-capabilities/nat-flavor = 'dst-nat'";
description description
"Mapping statistics."; "Total number of TCP mappings present
at a given time.";
}
leaf total-mappings { leaf total-udp-mappings {
type uint32; type uint32;
description description
"Total number of NAT mappings present "Total number of UDP mappings present
at a given time. This variable includes at a given time.";
all the static and dynamic mappings."; }
}
leaf total-tcp-mappings { leaf total-icmp-mappings {
type uint32; type uint32;
description
"Total number of TCP mappings present
at a given time.";
}
leaf total-udp-mappings { description
type uint32; "Total number of ICMP mappings present
description at a given time.";
"Total number of UDP mappings present }
at a given time.";
}
leaf total-icmp-mappings {
type uint32;
description
"Total number of ICMP mappings present
at a given time.";
}
} }
container pool-stats { container pool-stats {
when "../../nat-capabilities/nat-flavor = "+ when "../../nat-capabilities/nat-flavor = "+
"'nat44' or "+ "'nat44' or "+
"../../nat-capabilities/nat-flavor = "+ "../../nat-capabilities/nat-flavor = "+
"'nat64'"; "'nat64'";
description
"Statistics related to address/prefix
pool usage";
description leaf pool-id {
"Statistics related to address/prefix type uint32;
pool usage";
leaf pool-id { description
type uint32; "Unique Identifier that represents
description a pool of addresses/prefixes.";
"Unique Identifier that represents }
a pool of addresses/prefixes.";
}
leaf address-allocated { leaf address-allocated {
type uint32; type uint32;
description
"Number of allocated addresses in
the pool";
}
leaf address-free { description
type uint32; "Number of allocated addresses in
the pool";
}
description leaf address-free {
"Number of unallocated addresses in type uint32;
the pool at a given time.The sum of
unallocated and allocated
addresses is the total number of
addresses of the pool.";
}
container port-stats { description
description "Number of unallocated addresses in
"Statistics related to port the pool at a given time.The sum of
usage."; unallocated and allocated
addresses is the total number of
addresses of the pool.";
}
leaf ports-allocated { container port-stats {
type uint32;
description description
"Number of allocated ports "Statistics related to port
in the pool."; usage.";
}
leaf ports-free { leaf ports-allocated {
type uint32; type uint32;
description description
"Number of unallocated addresses "Number of allocated ports
in the pool."; in the pool.";
} }
}
} leaf ports-free {
} //statistics type uint32;
} description
"Number of unallocated addresses
in the pool.";
}
}
}
} //statistics
}
}
}
/*
* Notifications
*/
notification nat-event {
description
"Notifications must be generated when the defined
high/low threshold is reached. Related
configuration parameters must be provided to
trigger the notifications.";
leaf id {
type leafref {
path
"/nat-module/nat-instances/"
+ "nat-instance/id";
}
description
"NAT instance ID.";
} }
}
/* leaf policy-id {
* Notifications type leafref {
*/ path
"/nat-module/nat-instances/"
+ "nat-instance/nat-policy/policy-id";
}
notification nat-event { description
description "Policy ID.";
"Notifications must be generated when the defined }
high/low threshold is reached. Related
configuration parameters must be provided to
trigger the notifications.";
leaf id { leaf pool-id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat-module/nat-instances/"
+ "nat-instance/id";
}
description
"NAT instance ID.";
}
leaf notify-pool-threshold { + "nat-instance/nat-policy/"
type percent; + "external-ip-address-pool/pool-id";
mandatory true; }
description description
"A treshhold has been fired."; "Pool ID.";
} }
}
} leaf notify-pool-threshold {
<CODE ENDS> type percent;
mandatory true;
description
"A treshhold has been fired.";
}
}
}
<CODE ENDS>
4. Security Considerations 4. Security Considerations
The YANG module defined in this memo is designed to be accessed via The YANG module defined in this memo is designed to be accessed via
the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the
secure transport layer and the support of SSH is mandatory to secure transport layer and the support of SSH is mandatory to
implement secure transport [RFC6242]. The NETCONF access control implement secure transport [RFC6242]. The NETCONF access control
model [RFC6536] provides means to restrict access by some users to a model [RFC6536] provides means to restrict access by some users to a
pre-configured subset of all available NETCONF protocol operations pre-configured subset of all available NETCONF protocol operations
and data. and data.
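Review bot: in the new `container logging-info`, `destination-address` and `destination-port` are `mandatory true` inside a non-presence container, which makes a collector address and port mandatory for every NAT instance even when `logging-enable` is false; either declare `logging-info` as a `presence` container or drop `mandatory true` and add a `must` on the container that requires both leaves only when `logging-enable` is true. `destination-address` is typed `inet:ip-prefix` but described as "Address of the collector that receives the logs"; a single collector is an `inet:ip-address`. The `when` expressions on `mapping-table` and `mapping-statistics` concatenate `"'nat64'or "+` and `"'clat'or "+` with no space before `or`, producing `'nat64'or ../nat-capabilities/...`; add the space so the XPath tokenizes unambiguously across tools, and consider factoring the four repeated `../nat-capabilities/nat-flavor = ...` comparisons. In `pool-stats`, `ports-free` is described as "Number of unallocated addresses in the pool." although it counts ports, and `pool-stats` is a single container carrying one `pool-id`, so statistics can be reported for only one pool; if a policy may define several `external-ip-address-pool` entries (as the `pool-id` leafref added to `nat-event` suggests), this should be a list keyed by `pool-id`. Minor: "treshhold" in `notify-pool-threshold`, "functions which maintains" in the `mapping-table` description, and the missing space in "at a given time.The sum".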
skipping to change at page 56, line 9 skipping to change at page 58, line 18
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing and Tianran Zhou for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. structure and the suggestion to use NMDA.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, and Tore Anderson for EAM SIIT review. Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation. comments based on the FD.io implementation of an earlier version of
this module.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
skipping to change at page 59, line 5 skipping to change at page 61, line 15
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
(CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
DOI 10.17487/RFC7289, June 2014,
<https://www.rfc-editor.org/info/rfc7289>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
DOI 10.17487/RFC7335, August 2014, DOI 10.17487/RFC7335, August 2014,
<https://www.rfc-editor.org/info/rfc7335>. <https://www.rfc-editor.org/info/rfc7335>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual- Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>. July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
skipping to change at page 73, line 24 skipping to change at page 75, line 24
address and/or port number. address and/or port number.
A.9. CLAT A.9. CLAT
The following XML snippet shows the example of a CLAT that is The following XML snippet shows the example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
<nat64-prefixes>
<nat64-prefix>
2001:db8:1234::/96
</nat64-prefix>
</nat64-prefixes>
<clat-ipv6-prefixes> <clat-ipv6-prefixes>
<clat-ipv6-prefix> <clat-ipv6-prefix>
2001:db8:aaaa::/96 2001:db8:aaaa::/96
</clat-ipv6-prefix> </clat-ipv6-prefix>
</clat-ipv6-prefixes> </clat-ipv6-prefixes>
<clat-ipv4-prefixes> <clat-ipv4-prefixes>
<clat-ipv4-prefix> <clat-ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</clat-ipv4-prefix> </clat-ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
<nat64-prefixes>
<nat64-prefix>
2001:db8:1234::/96
</nat64-prefix>
</nat64-prefixes>
A.10. NPTv6 A.10. NPTv6
Let's consider the example of a NPTv6 translator that should rewrite Let's consider the example of a NPTv6 translator that should rewrite
packets with the source prefix (fd01:203:405:/48) with the external packets with the source prefix (fd01:203:405:/48) with the external
prefix (2001:db8:1:/48). The internal interface is "eth0" while the prefix (2001:db8:1:/48). The internal interface is "eth0" while the
external interface is "eth1". external interface is "eth1".
External Network: Prefix = 2001:db8:1:/48 External Network: Prefix = 2001:db8:1:/48
-------------------------------------- --------------------------------------
skipping to change at page 74, line 23 skipping to change at page 76, line 23
|eth0 |eth0
| |
-------------------------------------- --------------------------------------
Internal Network: Prefix = fd01:203:405:/48 Internal Network: Prefix = fd01:203:405:/48
Example of NPTv6 (RFC6296) Example of NPTv6 (RFC6296)
The XML snippet to configure NPTv6 prefixes in such case is depicted The XML snippet to configure NPTv6 prefixes in such case is depicted
below: below:
<internal-interfaces>
</internal-interface>
eth0
<internal-interface>
</internal-interfaces>
<external-interfaces>
<external-interface>
eth1
</external-interface>
</external-interfaces>
...
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>1</translation-id> <translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
...
<external-interfaces>
<external-interface>
eth1
</external-interface>
</external-interfaces>
Figure 3 shows an example of an NPTv6 that interconnects two internal Figure 3 shows an example of an NPTv6 that interconnects two internal
networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
translated using a dedicated prefix (2001:db8:1:/48 and translated using a dedicated prefix (2001:db8:1:/48 and
2001:db8:6666:/48, respectively). 2001:db8:6666:/48, respectively).
Internal Prefix = fd01:4444:5555:/48 Internal Prefix = fd01:4444:5555:/48
-------------------------------------- --------------------------------------
V | External Prefix V | External Prefix
V | 2001:db8:1:/48 V |eth1 2001:db8:1:/48
V +---------+ ^ V +---------+ ^
V | NPTv6 | ^ V | NPTv6 | ^
V | | ^ V | | ^
V +---------+ ^ V +---------+ ^
External Prefix | ^ External Prefix |eth0 ^
2001:db8:6666:/48 | ^ 2001:db8:6666:/48 | ^
-------------------------------------- --------------------------------------
Internal Prefix = fd01:203:405:/48 Internal Prefix = fd01:203:405:/48
Figure 3: Connecting two Peer Networks (RFC6296) Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6: To that aim, the following configuration is provided to the NPTv6:
<nptv6-prefixes> <nat-policy>
<policy-id>1</policy-id>
<nptv6-prefixes>
<translation-id>1</translation-id> <translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<nptv6-prefixes> <external-interface>
eth1
</external-interface>
</nat-policy>
<nat-policy>
<policy-id>2</policy-id>
<nptv6-prefixes>
<translation-id>2</translation-id> <translation-id>2</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:4444:5555:/48 fd01:4444:5555:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:6666:/48 2001:db8:6666:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-interface>
eth0
</external-interface>
</nat-policy>
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Senthil Sivakumar Senthil Sivakumar
Cisco Systems Cisco Systems
7100-8 Kit Creek Road 7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
Phone: +1 919 392 5158 Phone: +1 919 392 5158
Email: ssenthil@cisco.com Email: ssenthil@cisco.com
Christian Jacquenet Christian Jacquenet
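Review bot: every prefix in the A.10 examples is written with a single trailing colon (`fd01:203:405:/48`, `2001:db8:1:/48`, `fd01:4444:5555:/48`, `2001:db8:6666:/48`); that is not valid IPv6 prefix text (RFC 4291 elides zero groups with `::`) and the `inet:ipv6-prefix` patterns reject it, so a NETCONF server would refuse these payloads. Write `fd01:203:405::/48`, `2001:db8:1::/48`, `fd01:4444:5555::/48` and `2001:db8:6666::/48` in the snippets, the figures and the prose. The two NPTv6 snippets also disagree on structure: the first places `<external-interfaces><external-interface>eth1</external-interface></external-interfaces>` beside `<nptv6-prefixes>`, while the Figure 3 configuration nests a bare `<external-interface>` under `<nat-policy>` with a `<policy-id>`; use one form, the one that matches the module. The prose before the first snippet still says the internal interface is "eth0", but the -04 snippet dropped the `<internal-interfaces>` block (whose `</internal-interface>`/`<internal-interface>` tags were swapped in -03), so either show where eth0 is configured or drop it from the text.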
 End of changes. 468 change blocks. 
1747 lines changed or deleted 1877 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/