rfcdiff: draft-ietf-opsawg-nat-yang-05.txt vs. draft-ietf-opsawg-nat-yang-06.txt
(the two columns of the original side-by-side view are merged below;
text common to both versions is given once, version-specific text is
marked "-05" or "-06")

Network Working Group                                      M. Boucadair
Internet-Draft                                                   Orange
Intended status: Standards Track                           S. Sivakumar
Expires: April 4, 2018 (-05) / April 14, 2018 (-06)       Cisco Systems
                                                           C. Jacquenet
                                                                 Orange
                                                          S. Vinapamula
                                                       Juniper Networks
                                                                  Q. Wu
                                                                 Huawei
                                  October 1, 2017 (-05) / October 11, 2017 (-06)

  A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
         draft-ietf-opsawg-nat-yang-05 / draft-ietf-opsawg-nat-yang-06
Abstract

   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
   Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
   IPv6 Network Prefix Translation (NPTv6) are covered in this document.

Editorial Note (To be removed by RFC Editor)   [-06 only]

   Please update this statement with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 4, 2018 (-05) / April 14,
   2018 (-06).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [rfcdiff: skipping to change at page 2, line 37 (-05) / page 2, line 41 (-06)]
   (Table of contents excerpt; page numbers as in -06.  The -05
   pagination is identical up to Section 2.11 and one page higher from
   Section 3 onward.)

     2.2.  Various NAT Flavors . . . . . . . . . . . . . . . . . . .   6
     2.3.  TCP, UDP and ICMP NAT Behavioral Requirements . . . . . .   6
     2.4.  Other Transport Protocols . . . . . . . . . . . . . . . .   6
     2.5.  IP Addresses Used for Translation . . . . . . . . . . . .   6
     2.6.  Port Set Assignment . . . . . . . . . . . . . . . . . . .   7
     2.7.  Port-Restricted IP Addresses  . . . . . . . . . . . . . .   7
     2.8.  NAT Mapping Entries . . . . . . . . . . . . . . . . . . .   7
     2.9.  Resource Limits . . . . . . . . . . . . . . . . . . . . .  10
     2.10. Binding the NAT Function to an External Interface or VRF   10
     2.11. Tree Structure  . . . . . . . . . . . . . . . . . . . . .  10
   3.  NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . .  14
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  56
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  57
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  57
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  58
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  58
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  59
   Appendix A.  Sample Examples  . . . . . . . . . . . . . . . . . .  61
     A.1.  Traditional NAT44 . . . . . . . . . . . . . . . . . . . .  61
     A.2.  CGN . . . . . . . . . . . . . . . . . . . . . . . . . . .  63
     A.3.  CGN Pass-Through  . . . . . . . . . . . . . . . . . . . .  66
     A.4.  NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . .  67
     A.5.  Explicit Address Mappings for Stateless IP/ICMP
           Translation . . . . . . . . . . . . . . . . . . . . . . .  68
     A.6.  Static Mappings with Port Ranges  . . . . . . . . . . . .  71
     A.7.  Static Mappings with IP Prefixes  . . . . . . . . . . . .  71
     A.8.  Destination NAT . . . . . . . . . . . . . . . . . . . . .  72
     A.9.  CLAT  . . . . . . . . . . . . . . . . . . . . . . . . . .  75
     A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . .  75
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  78
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].  (-05 cited [RFC6020] here;
   -06 updates the reference to YANG 1.1.)

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
   Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation

   [rfcdiff: skipping to change at page 10, line 45 (both versions)]
   If no external interface/VRF is provided, this assumes that the
   system is able to determine the external interface/VRF instance on
   which the NAT will be applied.  Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE itself.

2.11.  Tree Structure

   The tree structure of the NAT YANG module is provided below:
   (Tree as in -06.  The only difference from -05 is noted after the
   tree.)

   module: ietf-nat
      +--rw nat-module
         +--rw nat-instances
            +--rw nat-instance* [id]
               +--rw id         uint32
               +--rw name?      string
               +--rw enable?    boolean
               +--rw nat-capabilities
               |  +--rw nat-flavor*                                  identityref
               |  +--rw nat44-flavor*                                identityref
               |  +--rw restricted-port-support?                     boolean
               |  +--rw static-mapping-support?                      boolean
               |  +--rw port-randomization-support?                  boolean
               |  +--rw port-range-allocation-support?               boolean
               |  +--rw port-preservation-suport?                    boolean
               |  +--rw port-parity-preservation-support?            boolean
               |  +--rw address-roundrobin-support?                  boolean
               |  +--rw paired-address-pooling-support?              boolean
               |  +--rw endpoint-independent-mapping-support?        boolean
               |  +--rw address-dependent-mapping-support?           boolean
               |  +--rw address-and-port-dependent-mapping-support?  boolean
               |  +--rw endpoint-independent-filtering-support?      boolean
               |  +--rw address-dependent-filtering?                 boolean
               |  +--rw address-and-port-dependent-filtering?        boolean
               +--rw nat-pass-through* [nat-pass-through-id]
               |  +--rw nat-pass-through-id     uint32
               |  +--rw nat-pass-through-pref?  inet:ip-prefix
               |  +--rw nat-pass-through-port?  inet:port-number
               +--rw nat-policy* [policy-id]
               |  +--rw policy-id                        uint32
               |  +--rw clat-parameters
               |  |  +--rw clat-ipv6-prefixes* [clat-ipv6-prefix]
               |  |  |  +--rw clat-ipv6-prefix  inet:ipv6-prefix
               |  |  +--rw clat-ipv4-prefixes* [clat-ipv4-prefix]
               |  |     +--rw clat-ipv4-prefix  inet:ipv4-prefix
               |  +--rw nptv6-prefixes* [translation-id]
               |  |  +--rw translation-id         uint32
               |  |  +--rw internal-ipv6-prefix?  inet:ipv6-prefix
               |  |  +--rw external-ipv6-prefix?  inet:ipv6-prefix
               |  +--rw eam* [eam-ipv4-prefix]
               |  |  +--rw eam-ipv4-prefix   inet:ipv4-prefix
               |  |  +--rw eam-ipv6-prefix?  inet:ipv6-prefix
               |  +--rw nat64-prefixes* [nat64-prefix]
               |  |  +--rw nat64-prefix       inet:ipv6-prefix
               |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
               |  |  |  +--rw ipv4-prefix  inet:ipv4-prefix
               |  |  +--rw stateless-enable?  boolean
               |  +--rw external-ip-address-pool* [pool-id]
               |  |  +--rw pool-id            uint32
               |  |  +--rw external-ip-pool?  inet:ipv4-prefix
               |  +--rw port-set-restrict
               |  |  +--rw (port-type)?
               |  |     +--:(port-range)
               |  |     |  +--rw start-port-number?  inet:port-number
               |  |     |  +--rw end-port-number?    inet:port-number
               |  |     +--:(port-set-algo)
               |  |        +--rw psid-offset?  uint8
               |  |        +--rw psid-len      uint8
               |  |        +--rw psid          uint16
               |  +--rw dst-nat-enable?                  boolean
               |  +--rw dst-ip-address-pool* [pool-id]
               |  |  +--rw pool-id           uint32
               |  |  +--rw dst-in-ip-pool?   inet:ip-prefix
               |  |  +--rw dst-out-ip-pool?  inet:ip-prefix
               |  +--rw supported-transport-protocols* [transport-protocol-id]
               |  |  +--rw transport-protocol-id     uint8
               |  |  +--rw transport-protocol-name?  string
               |  +--rw subscriber-mask-v6?              uint8
               |  +--rw subscriber-match* [sub-match-id]
               |  |  +--rw sub-match-id  uint32
               |  |  +--rw sub-mask      inet:ip-prefix
               |  +--rw paired-address-pooling?          boolean
               |  +--rw nat-mapping-type?                enumeration
               |  +--rw nat-filtering-type?              enumeration
               |  +--rw port-quota* [quota-type]
               |  |  +--rw port-limit?  uint16
               |  |  +--rw quota-type   enumeration
               |  +--rw port-allocation-type?            enumeration
               |  +--rw address-roundrobin-enable?       boolean
               |  +--rw port-set
               |  |  +--rw port-set-size?     uint16
               |  |  +--rw port-set-timeout?  uint32
               |  +--rw timers
               |  |  +--rw udp-timeout?              uint32
               |  |  +--rw tcp-idle-timeout?         uint32
               |  |  +--rw tcp-trans-open-timeout?   uint32
               |  |  +--rw tcp-trans-close-timeout?  uint32
               |  |  +--rw tcp-in-syn-timeout?       uint32
               |  |  +--rw fragment-min-timeout?     uint32
               |  |  +--rw icmp-timeout?             uint32
               |  |  +--rw per-port-timeout* [port-number]
               |  |  |  +--rw port-number   inet:port-number
               |  |  |  +--rw port-timeout  inet:port-number
               |  |  +--rw hold-down-timeout?        uint32
               |  |  +--rw hold-down-max?            uint32
               |  +--rw algs* [alg-name]
               |  |  +--rw alg-name                 string
               |  |  +--rw alg-transport-protocol?  uint32
               |  |  +--rw alg-transport-port?      inet:port-number
               |  |  +--rw alg-status?              boolean
               |  +--rw all-algs-enable?                 boolean
               |  +--rw notify-pool-usage
               |  |  +--rw pool-id?                    uint32
               |  |  +--rw notify-pool-hi-threshold    percent
               |  |  +--rw notify-pool-low-threshold?  percent
               |  +--rw external-realm
               |     +--rw (realm-type)?
               |        +--:(interface)
               |        |  +--rw external-interface?     if:interface-ref
               |        +--:(vrf)
               |           +--rw external-vrf-instance?  identityref
               +--rw mapping-limit
               |  +--rw limit-per-subscriber?  uint32
               |  +--rw limit-per-vrf?         uint32
               |  +--rw limit-per-subnet?      inet:ip-prefix
               |  +--rw limit-per-instance     uint32
               |  +--rw limit-per-udp          uint32
               |  +--rw limit-per-tcp          uint32
               |  +--rw limit-per-icmp         uint32
               +--rw connection-limit
               |  +--rw limit-per-subscriber?  uint32
               |  +--rw limit-per-vrf?         uint32
               |  +--rw limit-per-subnet?      inet:ip-prefix
               |  +--rw limit-per-instance     uint32
               |  +--rw limit-per-udp          uint32
               |  +--rw limit-per-tcp          uint32
               |  +--rw limit-per-icmp         uint32
               +--rw logging-info
               |  +--rw logging-enable?      boolean
               |  +--rw destination-address  inet:ip-prefix
               |  +--rw destination-port     inet:port-number
               |  +--rw (protocol)?
               |     +--:(syslog)
               |     |  +--rw syslog?  boolean
               |     +--:(ipfix)
               |     |  +--rw ipfix?   boolean
               |     +--:(ftp)
               |        +--rw ftp?     boolean
               +--rw mapping-table
               |  +--rw mapping-entry* [index]
               |     +--rw index                  uint32
               |     +--rw type?                  enumeration
               |     +--rw transport-protocol?    uint8
               |     +--rw internal-src-address?  inet:ip-prefix
               |     +--rw internal-src-port
               |     |  +--rw start-port-number?  inet:port-number
               |     |  +--rw end-port-number?    inet:port-number
               |     +--rw external-src-address?  inet:ip-prefix
               |     +--rw external-src-port
               |     |  +--rw start-port-number?  inet:port-number
               |     |  +--rw end-port-number?    inet:port-number
               |     +--rw internal-dst-address?  inet:ip-prefix
               |     +--rw internal-dst-port
               |     |  +--rw start-port-number?  inet:port-number
               |     |  +--rw end-port-number?    inet:port-number
               |     +--rw external-dst-address?  inet:ip-prefix
               |     +--rw external-dst-port
               |     |  +--rw start-port-number?  inet:port-number
               |     |  +--rw end-port-number?    inet:port-number
               |     +--rw lifetime?              uint32
               +--ro statistics
                  +--ro traffic-statistics
                  |  +--ro sent-packet?     yang:zero-based-counter64
                  |  +--ro sent-byte?       yang:zero-based-counter64
                  |  +--ro rcvd-packet?     yang:zero-based-counter64
                  |  +--ro rcvd-byte?       yang:zero-based-counter64
                  |  +--ro dropped-packet?  yang:zero-based-counter64
                  |  +--ro dropped-byte?    yang:zero-based-counter64
                  +--ro mapping-statistics
                  |  +--ro total-mappings?       uint32
                  |  +--ro total-tcp-mappings?   uint32
                  |  +--ro total-udp-mappings?   uint32
                  |  +--ro total-icmp-mappings?  uint32
                  +--ro pool-stats
                     +--ro pool-id?            uint32
                     +--ro address-allocated?  uint32
                     +--ro address-free?       uint32
                     +--ro port-stats
                        +--ro ports-allocated?  uint32
                        +--ro ports-free?       uint32

   notifications:
      +---n nat-event
         +--ro id?                    -> /nat-module/nat-instances/nat-instance/id
         +--ro policy-id?             -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id
         +--ro pool-id?               -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id
         +--ro notify-pool-threshold  percent

   [-05 differed only under mapping-entry: each of internal-src-port,
   external-src-port, internal-dst-port and external-dst-port carried a
   "choice (port-type)?" with case (single-port-number), holding a
   single-port-number? leaf of type inet:port-number, and case
   (port-range), holding start-port-number? and end-port-number?.  -06
   flattens each container to the two start-port-number? and
   end-port-number? leaves shown above, a single port being expressed
   by giving only start-port-number.]
3.  NAT YANG Module

   [-05 column: file "ietf-nat@2017-10-02.yang"; no yang-version
   statement; an additional commented-out line
   "//import iana-if-type { prefix ianaift; }" after the imports; no
   revision 2017-10-12.  The -06 text follows.]

   <CODE BEGINS> file "ietf-nat@2017-10-12.yang"

   module ietf-nat {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
     //namespace to be assigned by IANA
     prefix "nat";

     import ietf-inet-types { prefix inet; }
     import ietf-yang-types { prefix yang; }
     import ietf-interfaces { prefix if; }

     organization "IETF OPSAWG Working Group";
     contact
        "Mohamed Boucadair <mohamed.boucadair@orange.com>
         Senthil Sivakumar <ssenthil@cisco.com>
         Christian Jacquenet <christian.jacquenet@orange.com>
         Suresh Vinapamula <sureshk@juniper.net>
         Qin Wu <bill.wu@huawei.com>";

     description
        "This module is a YANG module for NAT implementations
         (including NAT44 and NAT64 flavors).

         Copyright (c) 2017 IETF Trust and the persons identified as
         authors of the code.  All rights reserved.

         Redistribution and use in source and binary forms, with or
         without modification, is permitted pursuant to, and subject
         to the license terms contained in, the Simplified BSD License
         set forth in Section 4.c of the IETF Trust's Legal Provisions
         Relating to IETF Documents
         (http://trustee.ietf.org/license-info).

         This version of this YANG module is part of RFC XXXX; see
         the RFC itself for full legal notices.";

     revision 2017-10-12 {
       description "Comments from Mahesh Jethanandani.";
       reference "-ietf-05";
     }
     revision 2017-10-02 {
       description "Comments from Rajiv Asati to call out
                    explicitly stateless NAT64.";
       reference "-ietf-04";
     }
     revision 2017-09-27 {
       description "Comments from Kris Poscic about NAT44, mainly:
                    - Allow for multiple NAT policies within the same instance.
                    - Associate an external interface/vrf per NAT policy.";
       reference "-ietf-04";
     }
     revision 2017-09-18 {
       description "Comments from Tore Anderson about EAM-SIIT.";
       reference "-ietf-03";
     }
     revision 2017-08-23 {
       description "Comments from F. Baker about NPTv6.";
       reference "-ietf-02";
     }
     revision 2017-08-21 {
       description "Includes CLAT (Lee/Jordi).";
       reference "-ietf-01";
     }
     revision 2017-08-03 {
       description "Integrates comments from OPSAWG CFA.";
       reference "-ietf-00";
     }
     revision 2017-07-03 {
       description "Integrates comments from D. Wing and T. Zhou.";
       reference "-07";
     }
     revision 2015-09-08 {
       description "Fixes a few YANG errors.";
       reference "-02";
     }
     revision 2015-09-07 {
       description "Completes the NAT64 model.";
       reference "01";
     }
     revision 2015-08-29 {
       description "Initial version.";
       reference "00";
     }

     /*
      * Definitions
      */
     typedef percent {
       type uint8 {
         range "0 .. 100";
       }
       description
         "Percentage";
     }

     /*
      * Identities
      */
     identity nat-type {
       description
         "Base identity for nat type.";
     }
     identity nat44 {
       base nat:nat-type;
       description
         "Identity for traditional NAT support.";
       reference
         "RFC 3022.";
     }

     [-05 carried a commented-out "//base nat:nat-type;" line before
     "base nat:nat44;" in basic-nat, napt and restricted-nat; -06
     drops those comments.  Otherwise the identities are unchanged.]

     identity basic-nat {
       base nat:nat44;
       description
         "Identity for Basic NAT support.";
       reference
         "RFC 3022.";
     }

     identity napt {
       base nat:nat44;
       description
         "Identity for NAPT support.";
       reference
         "RFC 3022.";
     }

     identity restricted-nat {
       base nat:nat44;
       description
         "Identity for Port-Restricted NAT support.";
       reference
         "RFC 7596.";
     }

     identity dst-nat {
       base nat:nat-type;
       description
         "Identity for Destination NAT support.";
     }

     identity nat64 {
       base nat:nat-type;
       description
         "Identity for NAT64 support.";
       reference
         "RFC 6146.";
     }

     identity clat {
       base nat:nat-type;
       description
         "Identity for CLAT support.";
       reference
         "RFC 6877.";
     }

     identity eam {
       base nat:nat-type;
       description
         "Identity for EAM support.";
       reference
         "RFC 7757.";
     }

     identity nptv6 {
       base nat:nat-type;
       description
         "Identity for NPTv6 support.";
       reference
         "RFC 6296.";
     }

     identity vrf-routing-instance {
       description
         "This identity represents a VRF routing instance.";
       reference
         "Section 8.9 of RFC 4026.";
     }

     /*
      * Grouping
      */

     [-05 defined grouping port-number, placed after grouping
     port-set, as a "choice port-type" (default single-port-number)
     with case single-port-number (leaf single-port-number, type
     inet:port-number) and case port-range (leaves start-port-number
     and end-port-number).  -06 replaces the choice with the two
     leaves below, adds the "must" constraint tying end-port-number to
     start-port-number, and moves the grouping ahead of port-set.]

     // port numbers: single or port-range
     grouping port-number {
       description
         "Individual port or a range of ports.
          When only start-port-number is present,
          it represents a single port.";

       leaf start-port-number {
         type inet:port-number;
         description
           "Beginning of the port range.";
         reference
           "Section 3.2.9 of RFC 8045.";
       }

       leaf end-port-number {
         type inet:port-number;
         must ". >= ../start-port-number"
         {
           error-message
             "The end-port-number must be greater than or
              equal to start-port-number.";
         }
         description
           "End of the port range.";
         reference
           "Section 3.2.10 of RFC 8045.";
       }
     }

     // Set of ports
     grouping port-set {
       description
         "Indicates a set of ports.
          It may be a simple port range, or use the PSID algorithm
          to represent a range of transport layer
          ports which will be used by a NAPT.";

       choice port-type {
         default port-range;
         description
           "Port type: port-range or port-set-algo.";

         case port-range {
           leaf start-port-number {
             type inet:port-number;
             description
               "Beginning of the port range.";
             reference
               "Section 3.2.9 of RFC 8045.";
           }
           leaf end-port-number {
             type inet:port-number;
             description
               "End of the port range.";
             reference
               "Section 3.2.10 of RFC 8045.";
           }
         }

         case port-set-algo {
           leaf psid-offset {
             type uint8 {
               range 0..16;
             }
             description
               "The number of offset bits.  In Lightweight 4over6,
                the default value is 0 for assigning one contiguous
                port range.  In MAP-E/T, the default value is 6,
                which excludes system ports by default and assigns
                port ranges distributed across the entire port
                space.";
           }
           leaf psid-len {
             type uint8 {
               range 0..15;
             }
             mandatory true;
             description
               "The length of PSID, representing the sharing
                ratio for an IPv4 address.";
           }
           leaf psid {
             type uint16;
             mandatory true;
             description
               "Port Set Identifier (PSID) value, which
                identifies a set of ports algorithmically.";
           }
         }
       }
     }

     [The port-set grouping above is the complete -05 text.  In -06 the
     grouping's description and choice are unchanged, but the
     start-port-number leaf of case port-range begins a comment block
     ("/*leaf start-port-number {"); the -06 column of this page ends
     inside that comment, so the remainder of the -06 grouping is not
     shown here.]

     // Mapping Entry
     grouping mapping-entry {
       description
         "NAT mapping entry.";
       leaf index {
         type uint32;
         description
           "A unique identifier of a mapping entry.";
}
leaf type { reference
type enumeration { "Section 3.2.9 of RFC 8045.";
enum "static" { }
description
"The mapping entry is manually
configured.";
}
enum "dynamic-explicit" { leaf end-port-number {
description type inet:port-number;
"This mapping is created by an
outgoing packet.";
}
enum "dynamic-implicit" { description
description "End of the port range.";
"This mapping is created by an
explicit dynamic message.";
}
}
description
"Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
}
leaf transport-protocol { reference
type uint8; "Section 3.2.10 of RFC 8045.";
}*/
uses port-number;
}
description case port-set-algo {
"Upper-layer protocol associated with this mapping. leaf psid-offset {
Values are taken from the IANA protocol registry. type uint8 {
For example, this field contains 6 (TCP) for a TCP range 0..16;
mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
} }
leaf internal-src-address { description
type inet:ip-prefix; "The number of offset bits. In Lightweight 4over6,
the default value is 0 for assigning one contiguous
port range. In MAP-E/T, the default value is 6,
which excludes system ports by default and assigns
port ranges distributed across the entire port
space.";
}
description leaf psid-len {
"Corresponds to the source IPv4/IPv6 address/prefix type uint8 {
of the packet received on an internal range 0..15;
interface.";
} }
mandatory true;
container internal-src-port { description
"The length of PSID, representing the sharing
ratio for an IPv4 address.";
}
description leaf psid {
"Corresponds to the source port of the type uint16;
packet received on an internal interface. mandatory true;
It is used also to carry the internal
source ICMP identifier.";
uses port-number; description
} "Port Set Identifier (PSID) value, which
identifies a set of ports algorithmically.";
}
}
}
}
leaf external-src-address { // Mapping Entry
type inet:ip-prefix;
description grouping mapping-entry {
"Source IP address/prefix of the packet sent description
on an external interface of the NAT."; "NAT mapping entry.";
}
container external-src-port { leaf index {
type uint32;
description description
"Source port of the packet sent "A unique identifier of a mapping entry.";
on an external interafce of the NAT. }
It is used also to carry the external
source ICMP identifier.";
uses port-number; leaf type {
} type enumeration {
enum "static" {
description
"The mapping entry is manually
configured.";
leaf internal-dst-address { }
type inet:ip-prefix;
description enum "dynamic-explicit" {
"Corresponds to the destination IP address/prefix description
of the packet received on an internal interface "This mapping is created by an
of the NAT. outgoing packet.";
For example, some NAT implementations support }
the translation of both source and destination
addresses and ports, sometimes referred to
as 'Twice NAT'.";
}
container internal-dst-port { enum "dynamic-implicit" {
description description
"Corresponds to the destination port of the "This mapping is created by an
IP packet received on the internal interface. explicit dynamic message.";
}
}
description
"Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic
or explicit dynamic.";
}
It is used also to carry the internal leaf transport-protocol {
destination ICMP identifier."; type uint8;
uses port-number; description
} "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping. No transport
protocol is indicated if a mapping applies for any
protocol.";
}
leaf external-dst-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet sent on an external interface of the packet received on an internal
of the NAT."; interface.";
} }
container external-dst-port { container internal-src-port {
description
"Corresponds to the source port of the
packet received on an internal interface.
description It is used also to carry the internal
"Corresponds to the destination port number of source ICMP identifier.";
the packet sent on the external interface
of the NAT.
It is used also to carry the external
destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf lifetime { leaf external-src-address {
type uint32; type inet:ip-prefix;
//mandatory true;
description description
"When specified, it tracks the connection that is "Source IP address/prefix of the packet sent
fully-formed (e.g., once the 3WHS TCP is completed) on an external interface of the NAT.";
or the duration for maintaining an explicit mapping }
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is requried to
remove that mapping.";
}
}
/* container external-src-port {
* NAT Module description
*/ "Source port of the packet sent
on an external interafce of the NAT.
container nat-module { It is used also to carry the external
description source ICMP identifier.";
"NAT"; uses port-number;
}
container nat-instances { leaf internal-dst-address {
description type inet:ip-prefix;
"NAT instances";
list nat-instance { description
"Corresponds to the destination IP address/prefix
of the packet received on an internal interface
of the NAT.
key "id"; For example, some NAT implementations support
the translation of both source and destination
addresses and ports, sometimes referred to
as 'Twice NAT'.";
}
description container internal-dst-port {
"A NAT instance."; description
"Corresponds to the destination port of the
IP packet received on the internal interface.
leaf id { It is used also to carry the internal
type uint32; destination ICMP identifier.";
description uses port-number;
"NAT instance identifier."; }
reference leaf external-dst-address {
"RFC7659."; type inet:ip-prefix;
} description
"Corresponds to the destination IP address/prefix
of the packet sent on an external interface
of the NAT.";
}
leaf name { container external-dst-port {
type string; description
"Corresponds to the destination port number of
the packet sent on the external interface
of the NAT.
description It is used also to carry the external
"A name associated with the NAT instance."; destination ICMP identifier.";
}
leaf enable { uses port-number;
type boolean; }
description leaf lifetime {
"Status of the the NAT instance."; type uint32;
}
container nat-capabilities { description
// config false; "When specified, it tracks the connection that is
fully-formed (e.g., once the 3WHS TCP is completed)
or the duration for maintaining an explicit mapping
alive. Static mappings may not be associated with a
lifetime. If no lifetime is associated with a
static mapping, an explicit action is requried to
remove that mapping.";
}
}
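Review bot: the descriptions of the two dynamic enums in leaf type of grouping mapping-entry look swapped in both versions: enum "dynamic-explicit" is described as "This mapping is created by an outgoing packet." while enum "dynamic-implicit" is described as "This mapping is created by an explicit dynamic message."; the enum names and the leaf's own description ("static, implicit dynamic or explicit dynamic") imply the opposite pairing, so the two description strings should be exchanged. Also in this grouping, leaf lifetime says "an explicit action is requried to remove that mapping" (typo for required) and container external-src-port says "on an external interafce of the NAT" (typo for interface).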
description /*
"NAT capabilities"; * NAT Module
*/
leaf-list nat-flavor { container nat-module {
type identityref { description
base nat-type; "NAT module";
}
description
"Type of NAT.";
}
leaf-list nat44-flavor { container nat-instances {
description
"NAT instances";
when "../nat-flavor = 'nat44'"; list nat-instance {
key "id";
type identityref { description
base nat44; "A NAT instance.";
}
description
"Type of NAT44: Basic NAT or NAPT.";
}
leaf restricted-port-support { leaf id {
type boolean; type uint32;
description description
"Indicates source port NAT restriction "NAT instance identifier.";
support.";
}
leaf static-mapping-support { reference
type boolean; "RFC 7659.";
}
description leaf name {
"Indicates whether static mappings are type string;
supported.";
}
leaf port-randomization-support { description
type boolean; "A name associated with the NAT instance.";
}
description leaf enable {
"Indicates whether port randomization is type boolean;
supported.";
}
leaf port-range-allocation-support { description
type boolean; "Status of the the NAT instance.";
}
description container nat-capabilities {
"Indicates whether port range description
allocation is supported."; "NAT capabilities";
}
leaf port-preservation-suport { leaf-list nat-flavor {
type boolean; type identityref {
base nat-type;
}
description
"Type of NAT.";
}
description leaf-list nat44-flavor {
"Indicates whether port preservation when "../nat-flavor = 'nat44'";
is supported.";
}
leaf port-parity-preservation-support { type identityref {
type boolean; base nat44;
}
description
"Type of NAT44: Basic NAT or NAPT.";
}
leaf restricted-port-support {
type boolean;
description description
"Indicates whether port parity "Indicates source port NAT restriction
preservation is supported."; support.";
} }
leaf address-roundrobin-support { leaf static-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address allocation "Indicates whether static mappings are supported.";
round robin is supported."; }
}
leaf paired-address-pooling-support { leaf port-randomization-support {
type boolean; type boolean;
description description
"Indicates whether paired-address-pooling is "Indicates whether port randomization is supported.";
supported"; }
}
leaf endpoint-independent-mapping-support { leaf port-range-allocation-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent- "Indicates whether port range allocation is supported.";
mapping in Section 4 of RFC 4787 is }
supported.";
}
leaf address-dependent-mapping-support { leaf port-preservation-suport {
type boolean; type boolean;
description description
"Indicates whether address-dependent- "Indicates whether port preservation is supported.";
mapping is supported."; }
}
leaf address-and-port-dependent-mapping-support leaf port-parity-preservation-support {
{ type boolean;
type boolean;
description description
"Indicates whether address-and-port- "Indicates whether port parity preservation is supported.";
dependent-mapping is supported."; }
}
leaf endpoint-independent-filtering-support leaf address-roundrobin-support {
{ type boolean;
type boolean;
description description
"Indicates whether endpoint-independent "Indicates whether address allocation round robin is supported.";
-filtering is supported.";
}
leaf address-dependent-filtering { }
type boolean;
description leaf paired-address-pooling-support {
"Indicates whether address-dependent type boolean;
-filtering is supported.";
}
leaf address-and-port-dependent-filtering { description
type boolean; "Indicates whether paired-address-pooling is supported";
}
description leaf endpoint-independent-mapping-support {
"Indicates whether address-and-port type boolean;
-dependent is supported.";
}
}
// Parameters for NAT pass through description
"Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is
supported.";
}
list nat-pass-through { leaf address-dependent-mapping-support {
type boolean;
key nat-pass-through-id; description
"Indicates whether address-dependent-mapping is supported.";
}
description leaf address-and-port-dependent-mapping-support {
"IP prefix NAT pass through."; type boolean;
leaf nat-pass-through-id { description
type uint32; "Indicates whether address-and-port-dependent-mapping is supported.";
}
description leaf endpoint-independent-filtering-support {
"An identifier of the IP prefix pass type boolean;
through.";
}
leaf nat-pass-through-pref { description
type inet:ip-prefix; "Indicates whether endpoint-independent-filtering is supported.";
}
description leaf address-dependent-filtering {
"The IP address subnets that match type boolean;
should not be translated. According to
REQ#6 of RFC6888, it must be possible
to administratively turn off translation
for specific destination addresses
and/or ports.";
}
leaf nat-pass-through-port { description
type inet:port-number; "Indicates whether address-dependent-filtering is supported.";
}
description leaf address-and-port-dependent-filtering {
"The IP address subnets that match type boolean;
should not be translated. According to description
REQ#6 of RFC6888, it must be possible to "Indicates whether address-and-port-dependent is supported.";
administratively turn off translation }
for specific destination addresses }
and/or ports.";
}
}
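Review bot: container nat-capabilities is described as "NAT capabilities" (what the implementation supports), yet neither version marks it config false; -05 carried "// config false;" commented out and -06 simply drops the line. Either make the container config false or state in its description that the operator asserts these capabilities. The when expressions that test it, for example when "../nat-flavor = 'nat44'"; in leaf-list nat44-flavor, compare an identityref leaf-list to a bare string; if the module is yang-version 1.1, derived-from-or-self(../nat-flavor, 'nat:nat44') is the robust form and also matches identities derived from nat44. Minor: leaf port-preservation-suport (typo for support), and leaf address-dependent-filtering and leaf address-and-port-dependent-filtering lack the -support suffix carried by every sibling leaf.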
// NAT Policies: Multiple policies per NAT instance // Parameters for NAT pass through
list nat-policy { list nat-pass-through {
key nat-pass-through-id;
key policy-id; description
"IP prefix NAT pass through.";
leaf nat-pass-through-id {
type uint32;
description description
"NAT parameters for a given instance"; "An identifier of the IP prefix pass
through.";
}
leaf policy-id { leaf nat-pass-through-pref {
type uint32; type inet:ip-prefix;
description description
"An identifier of the NAT policy."; "The IP address subnets that match
} should not be translated. According to
REQ#6 of RFC6888, it must be possible
to administratively turn off translation
for specific destination addresses
and/or ports.";
// CLAT Parameters reference
"REQ#6 of RFC6888.";
}
container clat-parameters { leaf nat-pass-through-port {
type inet:port-number;
description description
"CLAT parameters."; "The IP address subnets that match
should not be translated. According to
REQ#6 of RFC6888, it must be possible to
administratively turn off translation
for specific destination addresses
and/or ports.";
list clat-ipv6-prefixes { reference
"REQ#6 of RFC6888.";
}
}
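Review bot: leaf nat-pass-through-port (type inet:port-number) carries the description copied from nat-pass-through-pref, "The IP address subnets that match should not be translated."; it should describe the port whose traffic bypasses translation. In -06 both leaves gain reference "REQ#6 of RFC6888."; while their descriptions still repeat "According to REQ#6 of RFC6888, it must be possible to administratively turn off translation ..."; keep the REQ#6 citation in one place. Neither the prefix nor the port is mandatory, so a nat-pass-through entry consisting only of an id is valid; add mandatory or a must statement if that is not intended.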
when "../../../nat-capabilities/nat-flavor = 'clat' "; // NAT Policies: Multiple policies per NAT instance
key clat-ipv6-prefix; list nat-policy {
key policy-id;
description description
"464XLAT double translation treatment is "NAT parameters for a given instance";
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
reference leaf policy-id {
"RFC 6877."; type uint32;
leaf clat-ipv6-prefix { description
type inet:ipv6-prefix; "An identifier of the NAT policy.";
}
description // CLAT Parameters
"An IPv6 prefix used for CLAT."; container clat-parameters {
} description
} "CLAT parameters.";
list clat-ipv4-prefixes { list clat-ipv6-prefixes {
when "../../../nat-capabilities/nat-flavor = 'clat' ";
when "../../../nat-capabilities/nat-flavor = 'clat'"; key clat-ipv6-prefix;
key clat-ipv4-prefix; description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.";
description reference
"Pool of IPv4 addresses used for CLAT. "RFC 6877.";
192.0.0.0/29 is the IPv4 service continuity
prefix.";
reference leaf clat-ipv6-prefix {
"RFC 7335."; type inet:ipv6-prefix;
leaf clat-ipv4-prefix { description
type inet:ipv4-prefix; "An IPv6 prefix used for CLAT.";
}
}
list clat-ipv4-prefixes {
when "../../../nat-capabilities/nat-flavor = 'clat'";
description key clat-ipv4-prefix;
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference description
"RFC 6877."; "Pool of IPv4 addresses used for CLAT.
} 192.0.0.0/29 is the IPv4 service continuity
} prefix.";
}
// NPTv6 Parameters reference
"RFC 7335.";
list nptv6-prefixes { leaf clat-ipv4-prefix {
type inet:ipv4-prefix;
when "../../nat-capabilities/nat-flavor = 'nptv6' "; description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
key translation-id; An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
description reference
"Provides one or a list of (internal IPv6 prefix, "RFC 6877.";
external IPv6 prefix) required for NPTv6. }
}
}
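Review bot: in list clat-ipv4-prefixes, leaf clat-ipv4-prefix repeats the entire 464XLAT paragraph ("464XLAT double translation treatment is stateless when a dedicated /64 is available ...") that the list itself already carries in -05 and that clat-ipv6-prefixes carries in -06, while the list's own -06 description is "Pool of IPv4 addresses used for CLAT. 192.0.0.0/29 is the IPv4 service continuity prefix."; the leaf only needs a one-line description such as the "An IPv6 prefix used for CLAT." used by clat-ipv6-prefix. The two when expressions differ only by a trailing space inside the quotes ('clat' " versus 'clat'"); harmless in XPath, but worth making identical.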
In its simplest form, NPTv6 interconnects two network // NPTv6 Parameters
links, one of which is an 'internal' network link
attachedto a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference list nptv6-prefixes {
"RFC 6296."; when "../../nat-capabilities/nat-flavor = 'nptv6' ";
leaf translation-id { key translation-id;
type uint32; description
description "Provides one or a list of (internal IPv6 prefix,
"An identifier of the NPTv6 prefixs."; external IPv6 prefix) required for NPTv6.
}
leaf internal-ipv6-prefix { In its simplest form, NPTv6 interconnects two network
type inet:ipv6-prefix; links, one of which is an 'internal' network link
attachedto a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
description reference
"An IPv6 prefix used by an internal interface "RFC 6296.";
of NPTv6.";
reference leaf translation-id {
"RFC 6296."; type uint32;
}
leaf external-ipv6-prefix { description
type inet:ipv6-prefix; "An identifier of the NPTv6 prefixs.";
}
description leaf internal-ipv6-prefix {
"An IPv6 prefix used by the external interface type inet:ipv6-prefix;
of NPTv6.";
reference description
"RFC 6296."; "An IPv6 prefix used by an internal interface
} of NPTv6.";
}
// EAM SIIT Parameters reference
"RFC 6296.";
}
list eam { leaf external-ipv6-prefix {
type inet:ipv6-prefix;
when "../../nat-capabilities/nat-flavor = 'eam' "; description
"An IPv6 prefix used by the external interface
of NPTv6.";
key eam-ipv4-prefix; reference
"RFC 6296.";
}
}
description // EAM SIIT Parameters
"The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference "Section 3.1 of RFC 7757."; list eam {
when "../../nat-capabilities/nat-flavor = 'eam' ";
key eam-ipv4-prefix;
leaf eam-ipv4-prefix { description
type inet:ipv4-prefix; "The Explicit Address Mapping Table, a conceptual
description table in which each row represents an EAM.
"The IPv4 prefix of an EAM.";
reference Each EAM describes a mapping between IPv4 and IPv6
"Section 3.2 of RFC 7757."; prefixes/addresses.";
}
leaf eam-ipv6-prefix { reference
type inet:ipv6-prefix; "Section 3.1 of RFC 7757.";
description leaf eam-ipv4-prefix {
"The IPv6 prefix of an EAM."; type inet:ipv4-prefix;
reference description
"Section 3.2 of RFC 7757."; "The IPv4 prefix of an EAM.";
}
}
//NAT64 IPv6 Prefixes reference
"Section 3.2 of RFC 7757.";
}
list nat64-prefixes { leaf eam-ipv6-prefix {
type inet:ipv6-prefix;
when "../../nat-capabilities/nat-flavor = 'nat64' " + description
" or ../../nat-capabilities/nat-flavor = 'clat'"; "The IPv6 prefix of an EAM.";
key nat64-prefix; reference
"Section 3.2 of RFC 7757.";
}
}
description //NAT64 IPv6 Prefixes
"Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes.
Destination-based Pref64::/n is discussed in list nat64-prefixes {
Section 5.1 of [RFC7050]). For example: when "../../nat-capabilities/nat-flavor = 'nat64' " +
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. " or ../../nat-capabilities/nat-flavor = 'clat'";
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference key nat64-prefix;
"Section 5.1 of RFC7050.";
leaf nat64-prefix { description
type inet:ipv6-prefix; "Provides one or a list of NAT64 prefixes
//default "64:ff9b::/96"; with or without a list of destination IPv4 prefixes.
description Destination-based Pref64::/n is discussed in
"A NAT64 prefix. Can be NSP or a Well-Known Section 5.1 of [RFC7050]). For example:
Prefix (WKP). 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
Organizations deploying stateless IPv4/IPv6 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
translation should assign a Network-Specific
Prefix to their IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6 reference
addresses must use the selected Network-Specific "Section 5.1 of RFC7050.";
Prefix. Both IPv4-translatable IPv6 addresses
and IPv4-converted IPv6 addresses should use
the same prefix.";
reference leaf nat64-prefix {
"Sections 3.3 and 3.4 of RFC 6052."; type inet:ipv6-prefix;
} //default "64:ff9b::/96";
list destination-ipv4-prefix { description
"A NAT64 prefix. Can be NSP or a Well-Known
Prefix (WKP).
key ipv4-prefix; Organizations deploying stateless IPv4/IPv6
translation should assign a Network-Specific
Prefix to their IPv4/IPv6 translation service.
description For stateless NAT64, IPv4-translatable IPv6
"An IPv4 prefix/address."; addresses must use the selected Network-Specific
Prefix. Both IPv4-translatable IPv6 addresses
and IPv4-converted IPv6 addresses should use
the same prefix.";
leaf ipv4-prefix { reference
type inet:ipv4-prefix; "Sections 3.3 and 3.4 of RFC 6052.";
description }
"An IPv4 address/prefix.";
}
}
leaf stateless-enable { list destination-ipv4-prefix {
type boolean; key ipv4-prefix;
description description
"Enable explicitly statless NAT64."; "An IPv4 prefix/address.";
} leaf ipv4-prefix {
type inet:ipv4-prefix;
description
"An IPv4 address/prefix.";
}
} }
list external-ip-address-pool { leaf stateless-enable {
key pool-id; type boolean;
description description
"Pool of external IP addresses used to "Enable explicitly statless NAT64.";
service internal hosts. }
Both contiguous and non-contiguous pools }
can be configured for NAT purposes."; list external-ip-address-pool {
key pool-id;
leaf pool-id { description
type uint32; "Pool of external IP addresses used to
service internal hosts.
description Both contiguous and non-contiguous pools
"An identifier of the address pool."; can be configured for NAT purposes.";
}
leaf external-ip-pool { leaf pool-id {
type inet:ipv4-prefix; type uint32;
description description
"An IPv4 prefix used for NAT purposes."; "An identifier of the address pool.";
} }
}
container port-set-restrict { leaf external-ip-pool {
type inet:ipv4-prefix;
description
"An IPv4 prefix used for NAT purposes.";
}
}
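Review bot: in list nat64-prefixes the description has an unbalanced parenthesis in "Section 5.1 of [RFC7050]). For example:", leaf stateless-enable says "Enable explicitly statless NAT64." (typo for stateless), and the commented line //default "64:ff9b::/96"; under leaf nat64-prefix survives in both versions; delete it rather than carry it into the published module, since nat64-prefix is the list key and a default on a key leaf would be rejected anyway. In list external-ip-address-pool, leaf external-ip-pool is neither mandatory nor defaulted, so a pool entry with only a pool-id is valid.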
container port-set-restrict {
when "../../nat-capabilities/restricted-port-support = 'true'"; when "../../nat-capabilities/restricted-port-support = 'true'";
description description
"Configures contiguous and non-contiguous port ranges."; "Configures contiguous and non-contiguous port ranges.";
uses port-set;
}
leaf dst-nat-enable { uses port-set;
type boolean; }
default false;
description leaf dst-nat-enable {
"Enable/Disable destination NAT. type boolean;
A NAT44 may be configured to enable default false;
Destination NAT, too.";
}
list dst-ip-address-pool { description
//if-feature dst-nat; "Enable/Disable destination NAT.
when "../../nat-capabilities/nat-flavor = 'dst-nat' "; A NAT44 may be configured to enable
Destination NAT, too.";
}
key pool-id; list dst-ip-address-pool {
when "../../nat-capabilities/nat-flavor = 'dst-nat' ";
description key pool-id;
"Pool of IP addresses used for destination NAT."; description
"Pool of IP addresses used for destination NAT.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description
"An identifier of the address pool.";
}
leaf dst-in-ip-pool { description
type inet:ip-prefix; "An identifier of the address pool.";
}
description leaf dst-in-ip-pool {
"Internal IP prefix/address"; type inet:ip-prefix;
}
leaf dst-out-ip-pool { description
type inet:ip-prefix; "Internal IP prefix/address";
}
description leaf dst-out-ip-pool {
"IP address/prefix used for destination NAT."; type inet:ip-prefix;
}
}
list supported-transport-protocols { description
"IP address/prefix used for destination NAT.";
}
}
key transport-protocol-id; list supported-transport-protocols {
key transport-protocol-id;
description description
"Supported transport protocols. "Supported transport protocols.
TCP and UDP are supported by default."; TCP and UDP are supported by default.";
leaf transport-protocol-id { leaf transport-protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry. Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping."; mapping or 17 (UDP) for a UDP mapping.";
} }
leaf transport-protocol-name { leaf transport-protocol-name {
type string; type string;
description description
"For example, TCP, UDP, DCCP, and SCTP."; "For example, TCP, UDP, DCCP, and SCTP.";
}
} }
leaf subscriber-mask-v6 { }
type uint8 {
range "0 .. 128";
} leaf subscriber-mask-v6 {
type uint8 {
range "0 .. 128";
}
description description
"The subscriber-mask is an integer that indicates "The subscriber-mask is an integer that indicates
the length of significant bits to be applied on the length of significant bits to be applied on
the source IP address (internal side) to the source IP address (internal side) to
unambiguously identify a CPE. unambiguously identify a CPE.
Subscriber-mask is a system-wide configuration Subscriber-mask is a system-wide configuration
parameter that is used to enforce generic parameter that is used to enforce generic
per-subscriber policies (e.g., port-quota). per-subscriber policies (e.g., port-quota).
The enforcement of these generic policies does not The enforcement of these generic policies does not
require the configuration of every subscriber's require the configuration of every subscriber's
prefix. prefix.
Example: suppose the 2001:db8:100:100::/56 prefix Example: suppose the 2001:db8:100:100::/56 prefix
is assigned to a NAT64 serviced CPE. Suppose also is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the by the client that resides in that CPE. When the
NAT64 receives a packet from this client, NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on it applies the subscriber-mask (e.g., 56) on
the source IPv6 address to compute the associated the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56). prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address."; source IPv6 address.";
} }
list subscriber-match { list subscriber-match {
key sub-match-id;
key sub-match-id; description
"IP prefix match.";
description leaf sub-match-id {
"IP prefix match."; type uint32;
leaf sub-match-id { description
type uint32; "An identifier of the subscriber masck.";
description }
"An identifier of the subscriber masck.";
}
leaf sub-mask { leaf sub-mask {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"The IP address subnets that match "The IP address subnets that match
should be translated. E.g., all addresses should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must that belong to the 192.0.2.0/24 prefix must
be processed by the NAT."; be processed by the NAT.";
} }
}
} leaf paired-address-pooling {
type boolean;
default true;
leaf paired-address-pooling { description
type boolean; "Paired address pooling informs the NAT
default true; that all the flows from an internal IP
address must be assigned the same external
address.";
description reference
"Paired address pooling informs the NAT "RFC 4007.";
that all the flows from an internal IP }
address must be assigned the same external
address.";
reference leaf nat-mapping-type {
"RFC 4007."; type enumeration {
} enum "eim" {
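Review bot: leaf paired-address-pooling cites reference "RFC 4007." in both versions, whereas every other mapping and filtering behaviour in this policy cites Section 4 or Section 5 of RFC 4787; check whether 4007 is a transposition of 4787, the document that defines the paired IP address pooling behaviour the description paraphrases. Just above it, leaf sub-match-id describes "An identifier of the subscriber masck." (typo for mask).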
description
"endpoint-independent-mapping.";
leaf nat-mapping-type { reference
type enumeration { "Section 4 of RFC 4787.";
enum "eim" { }
description
"endpoint-independent-mapping.";
reference enum "adm" {
"Section 4 of RFC 4787."; description
} "address-dependent-mapping.";
enum "adm" { reference
description "Section 4 of RFC 4787.";
"address-dependent-mapping."; }
reference enum "edm" {
"Section 4 of RFC 4787."; description
} "address-and-port-dependent-mapping.";
enum "edm" { reference
description "Section 4 of RFC 4787.";
"address-and-port-dependent-mapping."; }
}
description
"Indicates the type of a NAT mapping.";
}
reference leaf nat-filtering-type {
"Section 4 of RFC 4787."; type enumeration {
} enum "eif" {
} description
description "endpoint-independent- filtering.";
"Indicates the type of a NAT mapping.";
}
leaf nat-filtering-type { reference
type enumeration { "Section 5 of RFC 4787.";
enum "eif" { }
description enum "adf" {
"endpoint-independent- filtering."; description
"address-dependent-filtering.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
enum "adf" { enum "edf" {
description description
"address-dependent-filtering."; "address-and-port-dependent-filtering";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
}
description
"Indicates the type of a NAT filtering.";
}
enum "edf" { list port-quota {
description when "../../nat-capabilities/nat44-flavor = "+
"address-and-port-dependent-filtering"; "'napt' or "+
"../../nat-capabilities/nat-flavor = "+
"'nat64'";
reference key quota-type;
"Section 5 of RFC 4787.";
}
}
description
"Indicates the type of a NAT filtering.";
}
list port-quota { description
when "../../nat-capabilities/nat44-flavor = "+ "Configures a port quota to be assigned per
"'napt' or "+ subscriber. It corresponds to the maximum
"../../nat-capabilities/nat-flavor = "+ number of ports to be used by a subscriber.";
"'nat64'";
key quota-type; leaf port-limit {
type uint16;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum subscriber. It corresponds to the maximum
number of ports to be used by a subscriber."; number of ports to be used by a subscriber.";
leaf port-limit { reference
"REQ-4 of RFC 6888.";
}
type uint16; leaf quota-type {
type enumeration {
enum "all" {
description
"The limit applies to all protocols.";
description reference
"Configures a port quota to be assigned per "REQ-4 of RFC 6888.";
subscriber. It corresponds to the maximum }
number of ports to be used by a subscriber.";
reference enum "tcp" {
"REQ-4 of RFC 6888."; description
} "TCP quota.";
leaf quota-type { reference
type enumeration { "REQ-4 of RFC 6888.";
enum "all" { }
description enum "udp" {
"The limit applies to all protocols."; description
"UDP quota.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
enum "tcp" { enum "icmp" {
description description
"TCP quota."; "ICMP quota.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
}
description
"Indicates whether the port quota applies to
all protocols or to a specific transport.";
}
}
enum "udp" { leaf port-allocation-type {
description type enumeration {
"UDP quota."; enum "random" {
description
"Port randomization is enabled.";
}
reference enum "port-preservation" {
"REQ-4 of RFC 6888."; description
} "Indicates whether the NAT should
preserve the internal port number.";
}
enum "icmp" { enum "port-parity-preservation" {
description description
"ICMP quota."; "Indicates whether the NAT should
preserve the port parity of the
internal port number.";
}
reference enum "port-range-allocation" {
"REQ-4 of RFC 6888."; description
} "Indicates whether the NAT assigns a
} range of ports for an internal host.";
}
}
description
"Indicates the type of a port allocation.";
}
description leaf address-roundrobin-enable {
"Indicates whether the port quota applies to type boolean;
all protocols or to a specific transport.";
}
}
leaf port-allocation-type { description
type enumeration { "Enable/disable address allocation
enum "random" { round robin.";
description }
"Port randomization is enabled.";
}
enum "port-preservation" { container port-set {
description when "../port-allocation-type='port-range-allocation'";
"Indicates whether the NAT should
preserve the internal port number.";
}
enum "port-parity-preservation" { description
description "Manages port-set assignments.";
"Indicates whether the NAT should
preserve the port parity of the
internal port number.";
}
enum "port-range-allocation" { leaf port-set-size {
description type uint16;
"Indicates whether the NAT assigns a description
range of ports for an internal host."; "Indicates the size of assigned port
} sets.";
}
} leaf port-set-timeout {
description type uint32;
"Indicates the type of a port allocation."; description
} "Inactivty timeout for port sets.";
}
}
leaf address-roundrobin-enable { container timers {
type boolean; description
"Configure values of various timeouts.";
description leaf udp-timeout {
"Enable/disable address allocation type uint32;
round robin."; units "seconds";
} default 300;
container port-set { description
when "../port-allocation-type='port-range-allocation'"; "UDP inactivity timeout. That is the time a mapping
description will stay active without packets traversing the NAT.";
"Manages port-set assignments.";
leaf port-set-size { reference
type uint16; "RFC 4787.";
description }
"Indicates the size of assigned port
sets.";
}
leaf port-set-timeout { leaf tcp-idle-timeout {
type uint32; type uint32;
description units "seconds";
"Inactivty timeout for port sets."; default 7440;
}
}
container timers { description
description "TCP Idle timeout should be
"Configure values of various timeouts."; 2 hours and 4 minutes.";
leaf udp-timeout { reference
type uint32; "RFC 5382.";
units "seconds"; }
default 300;
description
"UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT.";
reference leaf tcp-trans-open-timeout {
"RFC 4787."; type uint32;
} units "seconds";
default 240;
leaf tcp-idle-timeout { description
type uint32; "The value of the transitory open connection
units "seconds"; idle-timeout.
default 7440;
description
"TCP Idle timeout should be
2 hours and 4 minutes.";
reference Section 2.1 of [RFC7857] clarifies that a NAT
"RFC 5382."; should provide different configurable
}
leaf tcp-trans-open-timeout { parameters for configuring the open and
type uint32; closing idle timeouts.
units "seconds";
default 240;
description
"The value of the transitory open connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and To accommodate deployments that consider
closing idle timeouts. a partially open timeout of 4 minutes as being
To accommodate deployments that consider excessive from a security standpoint, a NAT may
a partially open timeout of 4 minutes as being allow the configured timeout to be less than
excessive from a security standpoint, a NAT may 4 minutes.
allow the configured timeout to be less than
4 minutes.
However, a minimum default transitory connection
idle-timeout of 4 minutes is recommended.";
reference However, a minimum default transitory connection
"RFC 7857."; idle-timeout of 4 minutes is recommended.";
}
leaf tcp-trans-close-timeout { reference
type uint32; "Section 2.1 of RFC 7857.";
units "seconds"; }
default 240;
description
"The value of the transitory close connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
reference leaf tcp-trans-close-timeout {
"RFC 7857."; type uint32;
} units "seconds";
default 240;
leaf tcp-in-syn-timeout { description
"The value of the transitory close connection
idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable
parameters for configuring the open and
closing idle timeouts.";
reference
"Section 2.1 of RFC 7857.";
}
leaf tcp-in-syn-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 6; default 6;
description description
"A NAT must not respond to an unsolicited "A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds inbound SYN packet for at least 6 seconds
after the packet is received. If during after the packet is received. If during
this interval the NAT receives and translates this interval the NAT receives and translates
an outbound SYN for the connection the NAT an outbound SYN for the connection the NAT
must silently drop the original unsolicited must silently drop the original unsolicited
inbound SYN packet."; inbound SYN packet.";
reference reference
"RFC 5382."; "RFC 5382.";
} }
leaf fragment-min-timeout {
leaf fragment-min-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 2; default 2;
description description
"As long as the NAT has available resources, "As long as the NAT has available resources,
the NAT allows the fragments to arrive the NAT allows the fragments to arrive
over fragment-min-timeout interval. over fragment-min-timeout interval.
The default value is inspired from RFC6146."; The default value is inspired from RFC6146.";
} }
leaf icmp-timeout { leaf icmp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 60; default 60;
description description
"An ICMP Query session timer must not expire "An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended in less than 60 seconds. It is recommended
that the ICMP Query session timer be made that the ICMP Query session timer be made
configurable"; configurable";
reference reference
"RFC 5508."; "RFC 5508.";
} }
list per-port-timeout { list per-port-timeout {
key port-number; key port-number;
description description
"Some NATs are configurable with short timeouts "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts port 53 (DNS) and NTP (123) and longer timeouts
on other ports."; on other ports.";
leaf port-number { leaf port-number {
type inet:port-number; type inet:port-number;
description
"A port number.";
}
leaf port-timeout {
type inet:port-number;
mandatory true;
description
"Timeout for this port";
}
}
leaf hold-down-timeout { description
"A port number.";
}
type uint32; leaf port-timeout {
units "seconds"; type inet:port-number;
default 120; mandatory true;
description description
"Hold down timer. Ports in the "Timeout for this port";
hold down pool are not reassigned until }
this timer expires. }
The length of time and the maximum
number of ports in this state must be
configurable by the administrator
[RFC6888]. This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference leaf hold-down-timeout {
"REQ#8 of RFC 6888."; type uint32;
} units "seconds";
default 120;
leaf hold-down-max { description
"Hold down timer.
type uint32; Ports in the hold down pool are not reassigned
until hold-down-timeout expires.
description The length of time and the maximum
"Maximum ports in the Hold down timer pool. number of ports in this state must be
Ports in the hold down pool are not reassigned configurable by the administrator.
until hold-down-timeout expires. This is necessary in order
The length of time and the maximum to prevent collisions between old
number of ports in this state must be and new mappings and sessions. It ensures
configurable by the administrator that all established sessions are broken
[RFC6888]. This is necessary in order instead of redirected to a different peer.";
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
}
list algs {
key alg-name; leaf hold-down-max {
type uint32;
description description
"ALG-related features."; "Maximum ports in the Hold down timer pool.
leaf alg-name { Ports in the hold down pool are not reassigned
type string; until hold-down-timeout expires.
description The length of time and the maximum
"The name of the ALG"; number of ports in this state must be
} configurable by the administrator.
This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
leaf alg-transport-protocol { reference
type uint32; "REQ#8 of RFC 6888.";
}
}
description list algs {
"The transport protocol used by the ALG.";
}
leaf alg-transport-port { key alg-name;
type inet:port-number;
description description
"The port number used by the ALG."; "ALG-related features.";
}
leaf alg-status { leaf alg-name {
type boolean; type string;
description description
"Enable/disable the ALG."; "The name of the ALG";
} }
}
leaf all-algs-enable { leaf alg-transport-protocol {
type boolean; type uint32;
description description
"Enable/disable all ALGs."; "The transport protocol used by the ALG.";
} }
container notify-pool-usage {
description
"Notification of pool usage when certain criteria
are met.";
leaf pool-id { leaf alg-transport-port {
type uint32; type inet:port-number;
description description
"Pool-ID for which the notification "The port number used by the ALG.";
criteria is defined"; }
}
leaf notify-pool-hi-threshold { leaf alg-status {
type percent; type boolean;
mandatory true;
description description
"Notification must be generated when the "Enable/disable the ALG.";
defined high threshold is reached. }
For example, if a notification is }
required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf notify-pool-low-threshold { leaf all-algs-enable {
type percent; type boolean;
description description
"Notification must be generated when the defined "Enable/disable all ALGs.";
low threshold is reached.
For example, if a notification is required when
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
} }
container external-realm { container notify-pool-usage {
description
"Notification of pool usage when certain criteria
are met.";
description leaf pool-id {
"Identifies the external realm of type uint32;
the NAT.";
choice realm-type { description
"Pool-ID for which the notification
criteria is defined";
}
description leaf notify-pool-hi-threshold {
"Interface or VRF."; type percent;
mandatory true;
case interface { description
"Notification must be generated when the
defined high threshold is reached.
description For example, if a notification is
"External interface."; required when the pool utilization reaches
90%, this configuration parameter must
be set to 90%.";
}
leaf external-interface { leaf notify-pool-low-threshold {
type if:interface-ref; type percent;
description description
"Name of an external interface."; "Notification must be generated when the defined
} low threshold is reached.
}
case vrf { For example, if a notification is required when
the pool utilization reaches below 10%,
this configuration parameter must be set to
10%.";
}
}
description container external-realm {
"External VRF instance."; description
"Identifies the external realm of the NAT.";
leaf external-vrf-instance { choice realm-type {
type identityref { description
base vrf-routing-instance; "Interface or VRF.";
}
description case interface {
"A VRF instance."; description
} "External interface.";
}
}
}
} //nat-policy leaf external-interface {
type if:interface-ref;
container mapping-limit { description
"Name of an external interface.";
}
}
description case vrf {
"Information about the configuration parameters that description
limits the mappings based upon various criteria."; "External VRF instance.";
leaf limit-per-subscriber { leaf external-vrf-instance {
type uint32; type identityref {
base vrf-routing-instance;
}
description
"A VRF instance.";
}
}
}
}
} //nat-policy
description container mapping-limit {
"Maximum number of NAT mappings per description
subscriber."; "Information about the configuration parameters that
} limits the mappings based upon various criteria.";
leaf limit-per-vrf {
type uint32;
description leaf limit-per-subscriber {
"Maximum number of NAT mappings per type uint32;
VLAN/VRF."; description
} "Maximum number of NAT mappings per subscriber.";
}
leaf limit-per-subnet { leaf limit-per-vrf {
type inet:ip-prefix; type uint32;
description description
"Maximum number of NAT mappings per "Maximum number of NAT mappings per VLAN/VRF.";
subnet."; }
}
leaf limit-per-instance { leaf limit-per-subnet {
type uint32; type inet:ip-prefix;
mandatory true;
description description
"Maximum number of NAT mappings per "Maximum number of NAT mappings per subnet.";
instance."; }
}
leaf limit-per-udp { leaf limit-per-instance {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of UDP NAT mappings per "Maximum number of NAT mappings per instance.";
subscriber."; }
}
leaf limit-per-tcp { leaf limit-per-udp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of TCP NAT mappings per "Maximum number of UDP NAT mappings per subscriber.";
subscriber."; }
} leaf limit-per-tcp {
type uint32;
mandatory true;
leaf limit-per-icmp { description
type uint32; "Maximum number of TCP NAT mappings per subscriber.";
mandatory true;
description
"Maximum number of ICMP NAT mappings per
subscriber.";
}
} }
container connection-limit { leaf limit-per-icmp {
type uint32;
description mandatory true;
"Information about the configuration parameters that
rate limit the translation based upon various
criteria.";
leaf limit-per-subscriber { description
type uint32; "Maximum number of ICMP NAT mappings per subscriber.";
description }
"Rate-limit the number of new mappings }
and sessions per subscriber.";
}
leaf limit-per-vrf { container connection-limit {
type uint32; description
"Information about the configuration parameters that
rate limit the translation based upon various
criteria.";
description leaf limit-per-subscriber {
"Rate-limit the number of new mappings type uint32;
and sessions per VLAN/VRF.";
}
leaf limit-per-subnet { description
type inet:ip-prefix; "Rate-limit the number of new mappings
and sessions per subscriber.";
}
description leaf limit-per-vrf {
"Rate-limit the number of new mappings type uint32;
and sessions per subnet.";
}
leaf limit-per-instance { description
type uint32; "Rate-limit the number of new mappings
mandatory true; and sessions per VLAN/VRF.";
}
description leaf limit-per-subnet {
"Rate-limit the number of new mappings type inet:ip-prefix;
and sessions per instance.";
}
leaf limit-per-udp { description
type uint32; "Rate-limit the number of new mappings
mandatory true; and sessions per subnet.";
}
description leaf limit-per-instance {
"Rate-limit the number of new UDP mappings type uint32;
and sessions per subscriber."; mandatory true;
}
leaf limit-per-tcp { description
type uint32; "Rate-limit the number of new mappings
mandatory true; and sessions per instance.";
}
description leaf limit-per-udp {
"Rate-limit the number of new TCP mappings type uint32;
and sessions per subscriber."; mandatory true;
} description
"Rate-limit the number of new UDP mappings
and sessions per subscriber.";
}
leaf limit-per-icmp { leaf limit-per-tcp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Rate-limit the number of new ICMP mappings "Rate-limit the number of new TCP mappings
and sessions per subscriber."; and sessions per subscriber.";
}
} }
container logging-info { leaf limit-per-icmp {
description type uint32;
"Information about logging NAT events"; mandatory true;
leaf logging-enable { description
type boolean; "Rate-limit the number of new ICMP mappings
and sessions per subscriber.";
}
}
description container logging-info {
"Enable logging features as per Section 2.3 description
of [RFC6908]."; "Information about logging NAT events";
}
leaf destination-address { leaf logging-enable {
type inet:ip-prefix; type boolean;
mandatory true;
description description
"Address of the collector that receives "Enable logging features.";
the logs";
}
leaf destination-port {
type inet:port-number;
mandatory true;
description reference
"Destination port of the collector."; "Section 2.3 of RFC 6908.";
} }
choice protocol { leaf destination-address {
type inet:ip-prefix;
mandatory true;
description description
"Enable the protocol to be used for "Address of the collector that receives
the retrieval of logging entries."; the logs";
}
case syslog { leaf destination-port {
leaf syslog { type inet:port-number;
type boolean; mandatory true;
description
"Destination port of the collector.";
}
description choice protocol {
"If SYSLOG is in use.";
}
}
case ipfix { description
leaf ipfix { "Enable the protocol to be used for
the retrieval of logging entries.";
case syslog {
leaf syslog {
type boolean; type boolean;
description description
"If IPFIX is in use."; "If SYSLOG is in use.";
}
} }
}
case ftp { case ipfix {
leaf ftp { leaf ipfix {
type boolean; type boolean;
description
"If FTP is in use.";
}
}
}
}
container mapping-table {
when "../nat-capabilities/nat-flavor = "+ description
"'nat44' or "+ "If IPFIX is in use.";
"../nat-capabilities/nat-flavor = "+ }
"'nat64'or "+ }
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
description case ftp {
"NAT mapping table. Applicable for functions leaf ftp {
which maintains static and/or dynamic mappings, type boolean;
such as NAT44, Destination NAT, NAT64, or CLAT.";
list mapping-entry { description
key "index"; "If FTP is in use.";
}
}
}
}
description container mapping-table {
"NAT mapping entry."; when "../nat-capabilities/nat-flavor = "+
"'nat44' or "+
"../nat-capabilities/nat-flavor = "+
"'nat64'or "+
"../nat-capabilities/nat-flavor = "+
"'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'";
uses mapping-entry; description
} "NAT mapping table. Applicable for functions
} which maintains static and/or dynamic mappings,
such as NAT44, Destination NAT, NAT64, or CLAT.";
container statistics { list mapping-entry {
key "index";
config false; description
"NAT mapping entry.";
description uses mapping-entry;
"Statistics related to the NAT instance."; }
}
container traffic-statistics { container statistics {
description
"Generic traffic statistics.";
leaf sent-packet { config false;
type yang:zero-based-counter64;
description description
"Number of packets sent."; "Statistics related to the NAT instance.";
}
leaf sent-byte { container traffic-statistics {
type yang:zero-based-counter64; description
"Generic traffic statistics.";
description leaf sent-packet {
"Counter for sent traffic in bytes."; type yang:zero-based-counter64;
}
leaf rcvd-packet { description
type yang:zero-based-counter64; "Number of packets sent.";
description }
"Number of received packets.";
}
leaf rcvd-byte { leaf sent-byte {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for received traffic "Counter for sent traffic in bytes.";
in bytes."; }
}
leaf dropped-packet { leaf rcvd-packet {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Number of received packets.";
} }
leaf dropped-byte { leaf rcvd-byte {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for dropped traffic in "Counter for received traffic
bytes."; in bytes.";
} }
}
container mapping-statistics { leaf dropped-packet {
type yang:zero-based-counter64;
when "../../nat-capabilities/nat-flavor = "+ description
"'nat44' or "+ "Number of dropped packets.";
"../../nat-capabilities/nat-flavor = "+ }
"'nat64'or "+
"../../nat-capabilities/nat-flavor = 'dst-nat'";
description leaf dropped-byte {
"Mapping statistics."; type yang:zero-based-counter64;
leaf total-mappings { description
type uint32; "Counter for dropped traffic in
bytes.";
}
}
description container mapping-statistics {
"Total number of NAT mappings present when "../../nat-capabilities/nat-flavor = "+
at a given time. This variable includes "'nat44' or "+
all the static and dynamic mappings."; "../../nat-capabilities/nat-flavor = "+
} "'nat64'or "+
leaf total-tcp-mappings { "../../nat-capabilities/nat-flavor = 'dst-nat'";
type uint32;
description description
"Total number of TCP mappings present "Mapping statistics.";
at a given time.";
}
leaf total-udp-mappings { leaf total-mappings {
type uint32; type uint32;
description description
"Total number of UDP mappings present "Total number of NAT mappings present
at a given time."; at a given time. This variable includes
} all the static and dynamic mappings.";
}
leaf total-icmp-mappings { leaf total-tcp-mappings {
type uint32; type uint32;
description description
"Total number of ICMP mappings present "Total number of TCP mappings present
at a given time."; at a given time.";
}
} }
container pool-stats { leaf total-udp-mappings {
type uint32;
when "../../nat-capabilities/nat-flavor = "+ description
"'nat44' or "+ "Total number of UDP mappings present
"../../nat-capabilities/nat-flavor = "+ at a given time.";
"'nat64'"; }
description leaf total-icmp-mappings {
"Statistics related to address/prefix type uint32;
pool usage";
leaf pool-id { description
type uint32; "Total number of ICMP mappings present
at a given time.";
}
}
description container pool-stats {
"Unique Identifier that represents
a pool of addresses/prefixes.";
}
leaf address-allocated { when "../../nat-capabilities/nat-flavor = "+
type uint32; "'nat44' or "+
"../../nat-capabilities/nat-flavor = "+
"'nat64'";
description description
"Number of allocated addresses in "Statistics related to address/prefix
the pool"; pool usage";
}
leaf address-free { leaf pool-id {
type uint32; type uint32;
description description
"Number of unallocated addresses in "Unique Identifier that represents
the pool at a given time.The sum of a pool of addresses/prefixes.";
unallocated and allocated }
addresses is the total number of
addresses of the pool.";
}
container port-stats { leaf address-allocated {
type uint32;
description description
"Statistics related to port "Number of allocated addresses in
usage."; the pool";
}
leaf ports-allocated { leaf address-free {
type uint32; type uint32;
description
"Number of unallocated addresses in
the pool at a given time.The sum of
unallocated and allocated
addresses is the total number of
addresses of the pool.";
}
description container port-stats {
"Number of allocated ports
in the pool.";
}
leaf ports-free { description
type uint32; "Statistics related to port
usage.";
description leaf ports-allocated {
"Number of unallocated addresses type uint32;
in the pool.";
}
}
}
} //statistics
}
}
}
/* description
* Notifications "Number of allocated ports
*/ in the pool.";
}
notification nat-event { leaf ports-free {
description type uint32;
"Notifications must be generated when the defined
high/low threshold is reached. Related
configuration parameters must be provided to
trigger the notifications.";
leaf id {
type leafref {
path
"/nat-module/nat-instances/"
+ "nat-instance/id";
}
description description
"NAT instance ID."; "Number of unallocated addresses
in the pool.";
}
}
} }
}//statistics
}
}
}
leaf policy-id { /*
type leafref { * Notifications
path */
"/nat-module/nat-instances/"
+ "nat-instance/nat-policy/policy-id";
}
description notification nat-event {
"Policy ID."; description
} "Notifications must be generated when the defined
high/low threshold is reached. Related
configuration parameters must be provided to
trigger the notifications.";
leaf pool-id { leaf id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat-module/nat-instances/"
+ "nat-instance/nat-policy/" + "nat-instance/id";
+ "external-ip-address-pool/pool-id";
} }
description description
"Pool ID."; "NAT instance ID.";
} }
leaf notify-pool-threshold { leaf policy-id {
type percent; type leafref {
mandatory true; path
"/nat-module/nat-instances/"
+ "nat-instance/nat-policy/policy-id";
}
description description
"A treshhold has been fired."; "Policy ID.";
}
} leaf pool-id {
} type leafref {
path
"/nat-module/nat-instances/"
+ "nat-instance/nat-policy/"
+ "external-ip-address-pool/pool-id";
}
description
"Pool ID.";
}
leaf notify-pool-threshold {
type percent;
mandatory true;
description
"A treshhold has been fired.";
}
}
} }
<CODE ENDS>
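The port-quota, hold-down and pool-usage notification leaves of the nat-policy subtree above describe behaviour rather than show it. The following Python model is an added example, not code from the draft or from any ietf-nat implementation. It assumes a single external address with a constructed range of ten ports, a port-limit of 3 and a hold-down-max of 2 for the walk-through, and it makes one choice the module leaves open: when the hold-down pool is full, the port that has been held longest is returned to the free list.

```python
"""Constructed model of three nat-policy behaviours from the ietf-nat module:
the per-subscriber port quota (port-quota/port-limit), the hold-down of
released ports (timers/hold-down-timeout, hold-down-max) and the pool-usage
notifications (notify-pool-usage). Example code, not part of the draft."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class NatPolicy:
    """Mirrors a few nat-policy leaves. hold_down_timeout takes the draft's
    default; the other values are constructed for this example."""
    port_limit: int = 64                 # port-quota/port-limit, quota-type "all"
    hold_down_timeout: float = 120.0     # timers/hold-down-timeout, seconds
    hold_down_max: int = 4               # timers/hold-down-max
    notify_pool_hi_threshold: int = 90   # notify-pool-hi-threshold, percent
    notify_pool_low_threshold: int = 10  # notify-pool-low-threshold, percent


class PortPool:
    """Port pool of one external address (constructed 10-port range)."""

    def __init__(self, policy: NatPolicy, first_port: int = 1024, count: int = 10):
        self.policy = policy
        self.size = count
        self.free: List[int] = list(range(first_port, first_port + count))
        # (port, release_time): ports parked until hold-down-timeout expires
        self.hold_down: List[Tuple[int, float]] = []
        self.per_subscriber: Dict[str, Set[int]] = {}
        self.events: List[Tuple[str, int]] = []   # what nat-event would carry
        self._last_util = 0

    def utilization(self) -> int:
        allocated = sum(len(p) for p in self.per_subscriber.values())
        return allocated * 100 // self.size

    def _check_thresholds(self) -> None:
        """Emit one notification per threshold crossing, not per allocation."""
        util, prev = self.utilization(), self._last_util
        hi = self.policy.notify_pool_hi_threshold
        low = self.policy.notify_pool_low_threshold
        if prev < hi <= util:
            self.events.append(("high", util))
        if prev >= low > util:
            self.events.append(("low", util))
        self._last_util = util

    def _expire_hold_down(self, now: float) -> None:
        """A held port returns to the free list only after hold-down-timeout."""
        still_held = []
        for port, released_at in self.hold_down:
            if now - released_at >= self.policy.hold_down_timeout:
                self.free.append(port)
            else:
                still_held.append((port, released_at))
        self.hold_down = still_held

    def allocate(self, subscriber: str, now: float) -> Optional[int]:
        """Return a port for the subscriber, or None when its quota
        (port-limit, REQ-4 of RFC 6888) is exhausted or the pool is empty."""
        owned = self.per_subscriber.setdefault(subscriber, set())
        if len(owned) >= self.policy.port_limit:
            return None
        self._expire_hold_down(now)
        if not self.free:
            return None
        port = self.free.pop(0)
        owned.add(port)
        self._check_thresholds()
        return port

    def release(self, subscriber: str, port: int, now: float) -> None:
        """Park the port so it is not handed to a new peer before
        hold-down-timeout (REQ#8 of RFC 6888). When hold-down-max ports are
        already held, the longest-held one is freed: a constructed choice."""
        self.per_subscriber[subscriber].discard(port)
        if len(self.hold_down) >= self.policy.hold_down_max:
            oldest_port, _ = self.hold_down.pop(0)
            self.free.append(oldest_port)
        self.hold_down.append((port, now))
        self._check_thresholds()


def run_scenario() -> dict:
    """Constructed walk-through; the returned values are what a reader can check."""
    pool = PortPool(NatPolicy(port_limit=3, hold_down_max=2))
    sub = "198.51.100.10"
    granted = [pool.allocate(sub, now=0.0) for _ in range(4)]   # 4th hits quota
    for i in range(6):                       # six more subscribers: 9 of 10 ports
        pool.allocate(f"198.51.100.{20 + i}", now=1.0)
    hi_events = [e for e in pool.events if e[0] == "high"]
    pool.release(sub, granted[0], now=2.0)   # parked, not reusable yet
    early = pool.allocate("198.51.100.30", now=3.0)            # gets last free port
    late = pool.allocate("198.51.100.31", now=3.0 + 120.0)     # hold-down expired
    for owner, ports in list(pool.per_subscriber.items()):     # tear down
        for p in list(ports):
            pool.release(owner, p, now=200.0)
    low_events = [e for e in pool.events if e[0] == "low"]
    return {"granted": granted, "hi_events": hi_events, "early": early,
            "late": late, "low_events": low_events, "held": len(pool.hold_down)}


if __name__ == "__main__":
    print(run_scenario())
```

In the walk-through the fourth request from 198.51.100.10 is refused by the quota, the high-threshold event fires exactly once when the pool reaches 90%, the released port 1024 is skipped by the allocation at t=3 s and only reused once 120 s have passed, and the low-threshold event fires once during tear-down.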
4. Security Considerations

   The YANG module defined in this memo is designed to be accessed via
   the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the
   secure transport layer and the support of SSH is mandatory to
   implement secure transport [RFC6242]. The NETCONF access control
   model [RFC6536] provides means to restrict access by some users to a
   skipping to change at page 57, line 24

5. IANA Considerations

   This document requests IANA to register the following URI in the
   "IETF XML Registry" [RFC3688]:

      URI: urn:ietf:params:xml:ns:yang:ietf-nat
      Registrant Contact: The IESG.
      XML: N/A; the requested URI is an XML namespace.

   This document requests IANA to register the following YANG module in
   the "YANG Module Names" registry [RFC7950].

      name: ietf-nat
      namespace: urn:ietf:params:xml:ns:yang:ietf-nat
      prefix: nat
      reference: RFC XXXX

6. Acknowledgements

   Many thanks to Dan Wing and Tianran Zhou for the review.

   skipping to change at page 58, line 28
   [RFC5382]  Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
              Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
              RFC 5382, DOI 10.17487/RFC5382, October 2008,
              <https://www.rfc-editor.org/info/rfc5382>.

   [RFC5508]  Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
              Behavioral Requirements for ICMP", BCP 148, RFC 5508,
              DOI 10.17487/RFC5508, April 2009,
              <https://www.rfc-editor.org/info/rfc5508>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <https://www.rfc-editor.org/info/rfc6241>.

   skipping to change at page 59, line 21

              Mappings for Stateless IP/ICMP Translation", RFC 7757,
              DOI 10.17487/RFC7757, February 2016,
              <https://www.rfc-editor.org/info/rfc7757>.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016,
              <https://www.rfc-editor.org/info/rfc7857>.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016,
              <https://www.rfc-editor.org/info/rfc7950>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Data Models for the Port Control Vinapamula, "YANG Data Models for the Port Control
Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in
progress), May 2017. progress), May 2017.
[I-D.ietf-behave-ipfix-nat-logging] [I-D.ietf-behave-ipfix-nat-logging]
Sivakumar, S. and R. Penno, "IPFIX Information Elements Sivakumar, S. and R. Penno, "IPFIX Information Elements
for logging NAT Events", draft-ietf-behave-ipfix-nat- for logging NAT Events", draft-ietf-behave-ipfix-nat-
logging-13 (work in progress), January 2017. logging-13 (work in progress), January 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
Models for the DS-Lite", draft-ietf-softwire-dslite- Modules for the DS-Lite", draft-ietf-softwire-dslite-
yang-06 (work in progress), August 2017. yang-07 (work in progress), October 2017.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
skipping to change at page 64, line 17 skipping to change at page 63, line 17
<type> <type>
dynamic-explicit dynamic-explicit
</type> </type>
<transport-protocol> <transport-protocol>
17 17
</transport-protocol> </transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-src-port> <internal-src-port>
<single-port-number> <start-port-number>
1568 1568
</single-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<single-port-number> <start-port-number>
15000 15000
</single-port-number> </start-port-number>
</external-dst-port> </external-dst-port>
<lifetime> <lifetime>
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. CGN A.2. CGN
The following XML snippet shows the example of the capabilities The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF. supported by a CGN as retrieved using NETCONF.
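Review bot: the mapping-entry in this hunk is not well-formed XML on either side: `<internal-src-address>` is closed by `</internal-dst-address>` and `<internal-src-port>` is closed by `</internal-dst-port>`, while the external side consistently uses `external-dst-*`. Since the entry pairs an internal source with an external destination, the two closing tags should read `</internal-src-address>` and `</internal-src-port>`; as written, a NETCONF client fed the snippet verbatim gets a parse error rather than a mapping. The rename from `single-port-number` to `start-port-number` is itself consistent with the other examples in the draft.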
skipping to change at page 72, line 19 skipping to change at page 71, line 19
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<port-range> <start-port-number>
<start-port-number> 100
100 </start-port-number>
</start-port-number> <end-port-number>
<end-port-number> 500
500 </end-port-number>
</end-port-number>
</port-range>
</internal-dst-port> </internal-dst-port>
<external-src-address> <external-src-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-dst-address>
<external-src-port> <external-src-port>
<port-range> <start-port-number>
<start-port-number> 1100
1100 </start-port-number>
</start-port-number> <end-port-number>
<end-port-number> 1500
1500 </end-port-number>
</end-port-number>
</port-range>
</external-dst-port> </external-dst-port>
... ...
</mapping-entry> </mapping-entry>
A.7. Static Mappings with IP Prefixes A.7. Static Mappings with IP Prefixes
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1/24 to 198.51.100.1/24. translate packets issued from 192.0.2.1/24 to 198.51.100.1/24.
<mapping-entry> <mapping-entry>
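Review bot: the closing tags in the A.6 entry of this hunk still do not match their opening tags on either side: `<internal-src-address>` is closed by `</internal-dst-address>`, `<external-src-address>` by `</external-dst-address>`, and `<external-src-port>` by `</external-dst-port>`. The port container is also opened as `<internal-dst-port>` although the description (192.0.2.1 ports 100-500 rewritten to 198.51.100.1:1100-1500) and the adjacent `internal-src-address` describe a source mapping, so it should presumably be `<internal-src-port>` with a matching close. Dropping the `<port-range>` wrapper so that `start-port-number` and `end-port-number` sit directly under the port container matches the change made to the earlier example; it only needs the tag fixes to be valid XML.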
skipping to change at page 74, line 13 skipping to change at page 73, line 13
the static mapping to be configured on the NAT: the static mapping to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<single-port-number>80</single-port-number> <start-port-number>80</start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<single-port-number>8080</single-port-number> <start-port-number>8080</start-port-number>
</external-dst-port> </external-dst-port>
</mapping-entry> </mapping-entry>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh 192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh
traffic) to 198.51.100.2, the following XML snippet shows the static traffic) to 198.51.100.2, the following XML snippet shows the static
mappings to be configured on the NAT: mappings to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<single-port-number> <start-port-number>
80 80
</single-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
<mapping-entry> <mapping-entry>
<index>2</index> <index>2</index>
<type>static</type> <type>static</type>
<transport-protocol> <transport-protocol>
6 6
</transport-protocol> </transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<single-port-number> <start-port-number>
22 22
</single-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.2 198.51.100.2
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
The NAT may also be instructed to proceed with both source and The NAT may also be instructed to proceed with both source and
destination NAT. To do so, in addition to the above sample to destination NAT. To do so, in addition to the above sample to
configure destination NAT, the NAT may be provided, for example with configure destination NAT, the NAT may be provided, for example with
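Review bot: with `single-port-number` replaced by a lone `start-port-number` (80, 8080 and 22 in this hunk), the examples now rely on an omitted `end-port-number` meaning exactly one port; check that the module's description of `start-port-number`/`end-port-number` states this explicitly, because a reader of the example alone cannot tell a single port from an open-ended range. The `...` elisions in the two destination-NAT entries also leave out `external-dst-port`; if the intent is that the port is preserved (80 stays 80, 22 stays 22) the accompanying text should say so, since the preceding single-entry example does rewrite 80 to 8080.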
skipping to change at page 79, line 36 skipping to change at page 78, line 36
France France
Email: christian.jacquenet@orange.com Email: christian.jacquenet@orange.com
Suresh Vinapamula Suresh Vinapamula
Juniper Networks Juniper Networks
1133 Innovation Way 1133 Innovation Way
Sunnyvale 94089 Sunnyvale 94089
USA USA
Email: sureshk@juniper.net
Qin Wu Qin Wu
Huawei Huawei
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: bill.wu@huawei.com Email: bill.wu@huawei.com
 End of changes. 500 change blocks. 
1793 lines changed or deleted 1763 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/