draft-ietf-opsawg-nat-yang-07.txt vs. draft-ietf-opsawg-nat-yang-08.txt

(Side-by-side diff of the two drafts.  The text below is the -08
version; where -07 differed in substance, the -07 wording is given in
brackets as "[-07: ...]".)

Network Working Group                                      M. Boucadair
Internet-Draft                                                   Orange
Intended status: Standards Track                           S. Sivakumar
Expires: May 16, 2018 [-07: May 3, 2018]                  Cisco Systems
                                                           C. Jacquenet
                                                                 Orange
                                                          S. Vinapamula
                                                       Juniper Networks
                                                                  Q. Wu
                                                                 Huawei
                                 November 12, 2017 [-07: October 30, 2017]

   A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
      draft-ietf-opsawg-nat-yang-08 [-07: draft-ietf-opsawg-nat-yang-07]
Abstract

   For the sake of network automation and the need for programming
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless
   IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless
   IP/ICMP Translation (SIIT EAM), and IPv6 Network Prefix Translation
   (NPTv6) are covered in this document.  [-07: SIIT was not listed.]
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Data Model for Network Address Translation (NAT)
   and Network Prefix Translation (NPT)";

   [skipping to change at page 2, line 15]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 16, 2018.  [-07: May 3, 2018]

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 2, line 39]

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Tree Diagrams . . . . . . . . . . . . . . . . . . . . . .   5
   2.  Overview of the NAT YANG Data Model . . . . . . . . . . . . .   5
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Various Translation Flavors . . . . . . . . . . . . . . .   6
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements  . . . . . . . .   8
     2.4.  Other Transport Protocols . . . . . . . . . . . . . . . .   8
     2.5.  IP Addresses Used for Translation . . . . . . . . . . . .   8
     2.6.  Port Set Assignment . . . . . . . . . . . . . . . . . . .   8
     2.7.  Port-Restricted IP Addresses  . . . . . . . . . . . . . .   9
     2.8.  NAT Mapping Entries . . . . . . . . . . . . . . . . . . .   9
     2.9.  Resource Limits . . . . . . . . . . . . . . . . . . . . .  12
     2.10. Binding the NAT Function to an External Interface . . . .  15
     2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . .  15
     2.12. Tree Structure  . . . . . . . . . . . . . . . . . . . . .  16
   3.  NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . .  20
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  68
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  69
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  70
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  70
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  70
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  72
   Appendix A.  Sample Examples  . . . . . . . . . . . . . . . . . .  74
     A.1.  Traditional NAT44 . . . . . . . . . . . . . . . . . . . .  74
     A.2.  Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . .  75
     A.3.  CGN Pass-Through  . . . . . . . . . . . . . . . . . . . .  78
     A.4.  NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . .  79
     A.5.  Stateless IP/ICMP Translation (SIIT)  . . . . . . . . . .  79
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT)  . . . . . . . . . . . . . . . . .  80
     A.7.  Static Mappings with Port Ranges  . . . . . . . . . . . .  84
     A.8.  Static Mappings with IP Prefixes  . . . . . . . . . . . .  84
     A.9.  Destination NAT . . . . . . . . . . . . . . . . . . . . .  85
     A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . .  88
     A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . .  88
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  91

   [-07: Section 2.10 was titled "Binding the NAT Function to an
   External Interface or VRF", Section 2.11 was "Tree Structure" (there
   was no "Relationship to NATV2-MIB" section), Section 2.2 was "Various
   NAT Flavors", and Appendix A had no SIIT example (A.5 was the EAM
   example, A.9 CLAT, A.10 NPTv6).  The -07 document was 74 pages
   against 91 for -08.]
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], and IPv6 Network Prefix Translation (NPTv6) [RFC6296].
   The full set of translation schemes that are in scope is included in
   Section 2.2.  [-07: SIIT [RFC7915] was not listed.]

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.

1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   [skipping to change at page 4, line 50]

      this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.

   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function till
      an explicit action is executed to remove it.

   The usage of the term NAT in this document refers to any translation
   flavor (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and
   [RFC6146] for NAT64.

1.2.  Tree Diagrams

   The meaning of the symbols in these diagrams is as follows:

   o  Brackets "[" and "]" enclose list keys.

   [skipping to change at page 5, line 38]
2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   scope.  As a reminder, REQ-9 of [RFC6888] requires that a CGN must
   implement a protocol giving subscribers explicit control over NAT
   mappings; that protocol should be the Port Control Protocol
   [RFC6887].  [-07: the REQ-9 reminder was absent.]

   A single NAT device can have multiple NAT instances; each of these
   instances can be provided with its own policies (e.g., be responsible
   for serving a group of hosts).  This document does not make any
   assumption about how internal hosts or flows are associated with a
   given NAT instance.

   The NAT YANG module assumes that each NAT instance can be enabled/
   disabled, be provisioned with a specific set of configuration data,
   and maintains its own mapping tables.

   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy).  The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance.  Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module allows to instruct a NAT function to enable the
   logging feature.  Nevertheless, configuration parameters specific to
   logging protocols are out of the scope of this document.

   [-07: the logging paragraph read: "To accommodate deployments where
   [RFC6302] is not enabled, this YANG module allows to instruct a NAT
   function to log the destination port number.  The reader may refer
   to [I-D.ietf-behave-ipfix-nat-logging] which provides the templates
   to log the destination ports."]
2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44

   o  NAPT

   o  Destination NAT

   o  Port-restricted NAT

   o  Stateful NAT64

   o  SIIT

   o  CLAT

   o  EAM

   o  NPTv6

   o  Combination of Basic NAT/NAPT and Destination NAT

   o  Combination of port-restricted and Destination NAT

   o  Combination of NAT64 and EAM

   o  Stateful and Stateless NAT64

   [-07: the section was titled "Various NAT Flavors" and listed eleven
   numbered modes: Basic NAT44, NAPT, Destination NAT, Port-restricted
   NAT, Stateful and stateless NAT64, EAM SIIT, CLAT, NPTv6, and the
   three combinations above; SIIT and EAM did not appear as separate
   items, and there was no feature table.]

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   Table 1 lists defined features:

          +---------------------------------+--------------+
          | Translation Mode                | YANG Feature |
          +---------------------------------+--------------+
          | Basic NAT44                     | basic-nat44  |
          | NAPT                            | napt44       |
          | Destination NAT                 | dst-nat      |
          | Stateful NAT64                  | nat64        |
          | Stateless IPv4/IPv6 translation | siit         |
          | CLAT                            | clat         |
          | EAM                             | eam          |
          | NPTv6                           | nptv6        |
          +---------------------------------+--------------+

                       Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).

   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
      corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.

   o  Combination of port-restricted and Destination NAT: This mode can
      be achieved by configuring a NAPT with port restriction policies
      (port-set-restrict) together with a destination IP address pool
      (dst-ip-address-pool).

   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.

   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable).  A NAT64
      implementation may behave in both stateful and stateless modes if,
      in addition to appropriately setting the parameter (nat64-
      prefixes/stateless-enable), an external IPv4 address pool is
      configured.

   The NAT YANG module allows to retrieve the capabilities of a NAT
   instance (including, list of supported translation modes, list of
   supported protocols, port restriction support status, supported NAT
   mapping types, supported NAT filtering types, port range allocation
   support status, port parity preservation support status, port
   preservation support status, the behavior for handling fragments
   (all, out-of-order, in-order)).
2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.
   [-07: "This document assumes [RFC4787][RFC5382][RFC5508] are enabled
   by default."]

   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].

2.4.  Other Transport Protocols

   The module is structured to support other protocols than UDP, TCP,
   and ICMP.  The mapping table is designed so that it can indicate any
   transport protocol.  For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions can be defined to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp].  Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).
   Also, the module allows to enable translation for these protocols
   when required (/nat/instances/instance/policy/transport-protocols).

2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of IP external addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888] which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool.  In particular, the NAT
   function must be configurable with contiguous or non-contiguous
   external IPv4 address ranges.  To accommodate traditional NAT, the
   module allows for a single IP address to be configured for external-
   ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).

2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per session basis).  Nevertheless, this port
   allocation scheme may not be optimal for logging purposes (Section 12
   of [RFC6269]).  Therefore, a NAT function should be able to assign
   port sets (e.g., [RFC7753]) to optimize the volume of the logging
   data (REQ-14 of [RFC6888]).  Both allocation schemes are supported in
   the NAT YANG module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).

2.7.  Port-Restricted IP Addresses

   Some NATs require to restrict the source port numbers (e.g.,
   Lightweight 4over6 [RFC7596], MAP-E [RFC7597]).  Two schemes of port
   set assignments (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.
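   The two port-set-restrict schemes above, worked through in code.
   This is an added example, not code from the draft or from any NAT
   implementation: PortRange, AlgorithmicPortSet and
   RestrictedPortAllocator are this example's own names, and the
   parameter values a=6, k=8 and PSID 0x34 used in the usage note are
   constructed inputs (a=6 is the default PSID offset of [RFC7597], which
   keeps the well-known ports 0-1023 out of every subscriber's set).  The
   algorithmic scheme follows the port-mapping formula of [RFC7597]
   Appendix B, port = (A << (16-a)) | (PSID << m) | M with m = 16-a-k and
   A > 0; the allocator shows the invariant a port-restricted NAPT must
   keep, namely that no external port outside the configured set is ever
   assigned to a session.

```python
"""Port restriction schemes of Section 2.7 (port-set-restrict).

Added example (not code from the draft): models the two schemes a
port-restricted NAPT can be configured with and a port allocator that
only ever hands out ports from the restricted set.  PortRange,
AlgorithmicPortSet and RestrictedPortAllocator are this example's own
names, not nodes of the NAT YANG module.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class PortRange:
    """Simple port range [RFC8045]: every port in start..end is usable."""
    start: int
    end: int

    def __post_init__(self) -> None:
        if not 0 <= self.start <= self.end <= 65535:
            raise ValueError("need 0 <= start <= end <= 65535")

    def contains(self, port: int) -> bool:
        return self.start <= port <= self.end

    def ports(self) -> Iterator[int]:
        return iter(range(self.start, self.end + 1))


@dataclass(frozen=True)
class AlgorithmicPortSet:
    """Algorithmic port set of [RFC7597], Appendix B.

    A 16-bit port is split as | A (a bits) | PSID (k bits) | M (m bits) |
    with m = 16 - a - k.  The set owned by one PSID is every port whose
    middle k bits equal that PSID, with A != 0 when a > 0 (so the default
    a=6 excludes the well-known ports 0..1023 from every set).
    """
    offset: int    # a: PSID offset
    psid_len: int  # k: PSID length
    psid: int      # PSID value assigned to this subscriber

    def __post_init__(self) -> None:
        if self.offset < 0 or self.psid_len < 0 or self.offset + self.psid_len > 16:
            raise ValueError("offset + psid_len must not exceed 16 bits")
        if not 0 <= self.psid < (1 << self.psid_len):
            raise ValueError("psid does not fit in psid_len bits")

    @property
    def m(self) -> int:
        return 16 - self.offset - self.psid_len

    def contains(self, port: int) -> bool:
        if not 0 <= port <= 65535:
            return False
        if self.offset and (port >> (16 - self.offset)) == 0:
            return False                      # excluded low block (A == 0)
        psid_bits = (port >> self.m) & ((1 << self.psid_len) - 1)
        return psid_bits == self.psid

    def ports(self) -> Iterator[int]:
        first_a = 1 if self.offset else 0
        for a_val in range(first_a, 1 << self.offset):
            for m_val in range(1 << self.m):
                yield (a_val << (16 - self.offset)) | (self.psid << self.m) | m_val


class RestrictedPortAllocator:
    """Hands out external ports for new sessions from a restricted set only.

    Ports are issued in ascending order and can be returned; a port outside
    the configured set is never produced, which is the invariant a
    port-restricted NAPT (MAP-E, Lightweight 4over6) must uphold.
    """

    def __init__(self, port_set) -> None:
        self.port_set = port_set
        self._free = deque(sorted(port_set.ports()))
        self._in_use = set()

    def allocate(self) -> int:
        if not self._free:
            raise RuntimeError("restricted port set exhausted")
        port = self._free.popleft()
        self._in_use.add(port)
        return port

    def release(self, port: int) -> None:
        if port not in self._in_use:
            raise ValueError(f"port {port} is not allocated")
        self._in_use.remove(port)
        self._free.append(port)

    def in_use(self) -> int:
        return len(self._in_use)


def disjoint_psids(offset: int, psid_len: int) -> bool:
    """Check the property operators rely on for logging: different PSIDs
    under the same (a, k) never share a port, so a log line can carry the
    PSID instead of each individual port."""
    seen = set()
    for psid in range(1 << psid_len):
        ports = set(AlgorithmicPortSet(offset, psid_len, psid).ports())
        if ports & seen:
            return False
        seen |= ports
    return True
```

   With a=6, k=8 and PSID 0x34, AlgorithmicPortSet(6, 8, 0x34).ports()
   yields 63 blocks of 4 ports (1232-1235, 2256-2259, ... 64720-64723),
   252 ports in all, and contains(208) is False even though 208 carries
   the right PSID bits, because it lies in the excluded A == 0 block.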
2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the

   [skipping to change at page 9, line 39]

   internal-dst-port) <=> (external-src-address, external-src-port)
   (external-dst-address, external-dst-port)

   An ICMP mapping entry maintains an association between the following
   information:

   (internal-src-address, internal-dst-address, internal ICMP/ICMPv6
   identifier) <=> (external-src-address, external-dst-address,
   external ICMP/ICMPv6 identifier)

   As a reminder, all the ICMP Query messages contain an 'Identifier'
   field, which is referred to in this document as the 'ICMP
   Identifier'.

   To cover TCP, UDP, and ICMP, the NAT YANG module assumes the
   following structure of a mapping entry:

   type:  Indicates how the mapping was instantiated.  For example, it
      may indicate whether a mapping is dynamically instantiated by a
      packet or statically configured.

   transport-protocol:  Indicates the transport protocol (e.g., UDP,
      TCP, ICMP) of a given mapping.

   internal-src-address:  Indicates the source IP address/prefix as used
      by an internal host.

   internal-src-port:  Indicates the source port number (or ICMP
      identifier) as used by an internal host.

   external-src-address:  Indicates the source IP address/prefix as
      assigned by the NAT.

   external-src-port:  Indicates the source port number (or ICMP
      identifier) as assigned by the NAT.

   internal-dst-address:  Indicates the destination IP address/prefix as
      used by an internal host when sending a packet to a remote host.

   internal-dst-port:  Indicates the destination port number as used by
      an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   [-07: the address fields were described as an "IP address" only (no
   "/prefix"), and internal-dst-port was mis-described as a destination
   IP address.]

   In order to cover both NAT64 and NAT44 flavors in particular, the NAT
   mapping structure allows to include an IPv4 or an IPv6 address as an
   internal IP address.  Remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2.  This example
   assumes EDM (Endpoint-Dependent Mapping).

   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   | Attribute             |                                           |
   +-----------------------+-------------------------------------------+
   | type                  | dynamic implicit mapping                  |
   | transport-protocol    | 6 (TCP)                                   |
   | internal-src-address  | 2001:db8:aaaa::1                          |
   | internal-src-port     | 25636                                     |
   | external-src-address  | T (an IPv4 address configured on the      |
   |                       | NAT64)                                    |
   | external-src-port     | t (a port number that is chosen by the    |
   |                       | NAT64)                                    |
   | internal-dst-address  | 2001:db8:1234::198.51.100.1               |
   | internal-dst-port     | 8080                                      |
   | external-dst-address  | 198.51.100.1                              |
   | external-dst-port     | 8080                                      |
   +-----------------------+-------------------------------------------+

                 Table 2: Example of an EDM NAT64 Mapping

   The mapping that will be created by a NAT44 upon receipt of an ICMP
   request from source address 198.51.100.1 and ICMP identifier (ID1) to
   destination IP address 198.51.100.11 is depicted in Table 3.  This
   example assumes EIM (Endpoint-Independent Mapping).

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 1 (ICMP)                                   |
   | internal-src-address | 198.51.100.1                               |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT44)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT44)                                 |
   +----------------------+--------------------------------------------+

              Table 3: Example of an EIM NAT44 Mapping Entry

   The mapping that will be created by a NAT64 (EIM mode) upon receipt
   of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
   identifier (ID1) to destination IP address
   2001:db8:1234::198.51.100.1 is shown in Table 4.

   +----------------------+--------------------------------------------+
   | Mapping Entry        | Value                                      |
   | Attribute            |                                            |
   +----------------------+--------------------------------------------+
   | type                 | dynamic implicit mapping                   |
   | transport-protocol   | 58 (ICMPv6)                                |
   | internal-src-address | 2001:db8:aaaa::1                           |
   | internal-src-port    | ID1                                        |
   | external-src-address | T (an IPv4 address configured on the       |
   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

              Table 4: Example of an EIM NAT64 Mapping Entry

   [-07: the three examples were bullet lists with the same values but
   without the EDM/EIM qualification; the -07 NAT64 ICMP example also
   listed internal-dst-address 2001:db8:1234::198.51.100.1 and
   external-dst-address 198.51.100.1, which -08 drops for the EIM case.]
   Note that a mapping table is maintained only for stateful NAT
   functions.  Particularly:

   o  No mapping table is maintained for NPTv6 given that it is
      stateless and transport-agnostic.

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].
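   The following is an added example, not code from the draft or from
   any NAT implementation: a stateless, checksum-neutral NPTv6 prefix
   translation as specified in RFC 6296, showing why the nptv6-prefixes
   list needs no mapping table.  Both directions are pure functions of
   the packet's address and the configured (internal-ipv6-prefix,
   external-ipv6-prefix) pair; the prefixes and host addresses in it are
   constructed for illustration.

```python
import ipaddress


def words(addr):
    """The 128-bit address as eight 16-bit words."""
    b = addr.packed
    return [(b[i] << 8) | b[i + 1] for i in range(0, 16, 2)]


def from_words(ws):
    return ipaddress.IPv6Address(sum(w << (16 * (7 - i)) for i, w in enumerate(ws)))


def ones_sum(ws):
    """One's complement sum of 16-bit words (end-around carry)."""
    s = sum(ws)
    while s > 0xFFFF:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def checksum_sum(addr):
    """The address's contribution to a transport pseudo-header checksum,
    with 0xFFFF folded to 0 because both represent zero in one's complement."""
    s = ones_sum(words(addr))
    return 0 if s == 0xFFFF else s


def translate(addr, from_prefix, to_prefix):
    """Rewrite from_prefix to to_prefix in addr and add the RFC 6296
    adjustment so that the transport checksum does not change.
    A /48 pair adjusts the subnet word (word 3); /49 to /64 pairs adjust
    the first IID word that is not 0xFFFF.  No state is kept: the reverse
    direction is the same function with the prefixes swapped."""
    plen = from_prefix.prefixlen
    if addr not in from_prefix or plen != to_prefix.prefixlen:
        raise ValueError("address not covered by the configured prefix pair")
    if not 48 <= plen <= 64:
        raise ValueError("RFC 6296 covers prefix lengths /48 to /64 only")
    old = words(addr)
    mask = ((1 << plen) - 1) << (128 - plen)
    rewritten = (int(addr) & ~mask) | (int(to_prefix.network_address) & mask)
    new = words(ipaddress.IPv6Address(rewritten))
    # adjustment = sum(before) - sum(after), computed in one's complement
    adj = ones_sum([ones_sum(old), 0xFFFF ^ ones_sum(new)])
    if plen == 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if new[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("an IID of four 0xFFFF words cannot be translated")
    w = ones_sum([new[idx], adj])
    # 0xFFFF is written as 0x0000 (equal in one's complement) so that the
    # reverse direction selects the same word; a /48 subnet field of
    # 0xFFFF therefore does not round-trip and should not be used.
    new[idx] = 0x0000 if w == 0xFFFF else w
    return from_words(new)


def run_demo():
    """Outbound then inbound translation for a /48 pair and a /56 pair
    (constructed prefixes and hosts)."""
    cases = [
        ("fd01:203:405::/48", "2001:db8:1::/48", "fd01:203:405:1::1234"),
        ("fd00:0:0:ab00::/56", "2001:db8:0:cd00::/56", "fd00:0:0:ab01:ffff:0:0:7"),
    ]
    out = []
    for internal, external, host in cases:
        ipfx = ipaddress.IPv6Network(internal)   # nptv6-prefixes/internal-ipv6-prefix
        epfx = ipaddress.IPv6Network(external)   # nptv6-prefixes/external-ipv6-prefix
        inside = ipaddress.IPv6Address(host)
        outside = translate(inside, ipfx, epfx)  # internal -> external
        back = translate(outside, epfx, ipfx)    # external -> internal
        out.append((inside, outside, back))
    return out


if __name__ == "__main__":
    for inside, outside, back in run_demo():
        neutral = checksum_sum(inside) == checksum_sum(outside)
        print(f"{inside} -> {outside} -> {back}  checksum-neutral={neutral}")
```

   Because the adjustment depends only on the two prefixes, a real
   translator computes it once per configured pair; it is recomputed per
   packet here only to keep the derivation visible.  The second case
   also exercises the IID word selection rule: the first IID word is
   0xFFFF, so the next one carries the adjustment, and on the way back
   it lands on exactly 0xFFFF and is written as 0x0000.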
2.9.  Resource Limits

   In order to comply with CGN deployments in particular, the NAT YANG
   module allows limiting the number of external ports per subscriber
   (port-quota) and the amount of state memory allocated per mapping and
   per subscriber (mapping-limits and connection-limits).  According to
   [RFC6888], the model allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds to prevent a single subscriber
      from consuming excessive CPU resources from the NAT (e.g., rate-
      limit the subscriber's creation of new mappings) can be
      configured.

   Table 5 lists the various limits that can be set using the NAT YANG
   module.  Once a limit is reached, packets that would normally trigger
   new port mappings, or that would be translated because they match
   existing mappings, are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber.  It corresponds to the maximum    |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance                    |
   |                   | (limit-subscribers) and the maximum number of |
   |                   | address and/or port mappings that can be      |
   |                   | maintained by a NAT instance                  |
   |                   | (limit-address-mapings and                    |
   |                   | limit-port-mappings).  Limits specific to     |
   |                   | protocols (e.g., TCP, UDP, ICMP) can also be  |
   |                   | specified (limit-per-protocol).               |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified.  Rate-limiting can be       |
   |                   | enforced per subscriber                       |
   |                   | (limit-per-subscriber), per NAT instance      |
   |                   | (limit-per-instance), and/or for each         |
   |                   | supported protocol (limit-per-protocol).      |
   +-------------------+-----------------------------------------------+

                            Table 5: NAT Limits
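   The following is an added example, not code from the draft or from
   any NAT product: a toy EIM NAPT44 data plane that creates mapping
   entries shaped like Table 3 and enforces a per-subscriber port-quota
   together with the instance-wide mapping-limits/limit-port-mappings of
   Table 5, counting the resulting drops the way the module's
   traffic-statistics do.  The configuration is hand-written in the RFC
   7951 JSON encoding of the ietf-nat tree, the packets are constructed,
   ports are kept as single values rather than the module's start/end
   ranges, and treating quota-type 0 as "all protocols" is an assumption
   of this example (the draft only says a quota may apply to all
   protocols or to one).

```python
import json
from collections import Counter
from itertools import count

# Constructed instance data for the ietf-nat tree (RFC 7951 JSON encoding).
CONFIG = json.loads("""{
  "ietf-nat:nat": {"instances": {"instance": [{
    "id": 1, "name": "cgn-1", "enable": true,
    "policy": [{
      "id": 1,
      "external-ip-address-pool": [
        {"pool-id": 1, "external-ip-pool": "192.0.2.1/32"}],
      "port-quota": [{"quota-type": 0, "port-limit": 2}]
    }],
    "mapping-limits": {"limit-port-mappings": 3}
  }]}}
}""")


class Napt44:
    """Endpoint-Independent Mapping: one entry per (protocol, internal
    address, internal port or ICMP identifier), reused for any destination."""

    def __init__(self, instance):
        policy = instance["policy"][0]
        pool = policy["external-ip-address-pool"][0]["external-ip-pool"]
        self.external_ip = pool.split("/")[0]          # single-address pool
        # quota-type 0 = all protocols, otherwise an IP protocol number (assumption)
        self.quota = {q["quota-type"]: q["port-limit"] for q in policy["port-quota"]}
        self.limit_port_mappings = instance["mapping-limits"]["limit-port-mappings"]
        self.mapping_table = []       # dicts keyed like the draft's mapping-entry
        self.next_index = count(1)
        self.next_port = count(1024)  # external port / ICMP ID chooser (constructed)
        self.stats = Counter()        # names follow traffic-statistics where one fits

    def quota_for(self, proto):
        return self.quota.get(proto, self.quota.get(0))

    def lookup(self, proto, src, sport):
        for entry in self.mapping_table:
            if (entry["transport-protocol"], entry["internal-src-address"],
                    entry["internal-src-port"]) == (proto, src, sport):
                return entry
        return None

    def translate(self, proto, src, sport, dst, dport):
        """Return (external-src-address, external-src-port), or None when the
        packet is dropped because a limit is reached (Table 5 semantics)."""
        entry = self.lookup(proto, src, sport)
        if entry is None:
            in_use = sum(1 for e in self.mapping_table if e["internal-src-address"] == src)
            quota = self.quota_for(proto)
            if (quota is not None and in_use >= quota) or \
                    len(self.mapping_table) >= self.limit_port_mappings:
                self.stats["dropped-port-limit-packets"] += 1
                self.stats["dropped-packets"] += 1
                return None
            entry = {
                "index": next(self.next_index),
                "type": "dynamic implicit mapping",
                "transport-protocol": proto,
                "internal-src-address": src,
                "internal-src-port": sport,
                "external-src-address": self.external_ip,
                "external-src-port": next(self.next_port),
            }
            self.mapping_table.append(entry)
        self.stats["sent-packets"] += 1
        return entry["external-src-address"], entry["external-src-port"]


def run_demo():
    """Two subscribers behind the instance configured above (constructed traffic)."""
    nat = Napt44(CONFIG["ietf-nat:nat"]["instances"]["instance"][0])
    a, b = "198.51.100.1", "198.51.100.2"
    results = [
        nat.translate(6, a, 40000, "203.0.113.10", 443),   # new TCP mapping for a
        nat.translate(1, a, 0x1234, "198.51.100.11", 0),   # ICMP echo, ID as port (Table 3)
        nat.translate(6, a, 40000, "203.0.113.11", 80),    # EIM: same mapping, new destination
        nat.translate(6, a, 40001, "203.0.113.10", 443),   # a's port-quota (2) reached: drop
        nat.translate(6, b, 40000, "203.0.113.10", 443),   # third mapping in the instance
        nat.translate(17, b, 5353, "203.0.113.12", 53),    # limit-port-mappings (3) reached: drop
    ]
    return results, nat.stats, nat.mapping_table


if __name__ == "__main__":
    results, stats, table = run_demo()
    for r in results:
        print("dropped" if r is None else f"translated to {r[0]}:{r[1]}")
    print(dict(stats), f"mappings={len(table)}")
```

   The two drop causes are deliberately counted under one name because
   the draft's counters distinguish port limits from address and
   subscriber limits but not a per-subscriber quota from an
   instance-wide one; a device that reports both separately would keep
   two counters.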
   Table 6 describes limits that, once exceeded, will trigger
   notifications to be generated:

   +------------------------+------------------------------------------+
   | Notification Threshold | Description                              |
   +------------------------+------------------------------------------+
   | high-threshold         | Used to notify high address utilization  |
   |                        | of a given pool.  When exceeded, a nat-  |
   |                        | pool-event notification will be          |
   |                        | generated.                               |
   +------------------------+------------------------------------------+
   | low-threshold          | Used to notify low address utilization   |
   |                        | of a given pool.  An administrator is    |
   |                        | supposed to configure low-threshold so   |
   |                        | that it can reflect an abnormal usage of |
   |                        | NAT resources.  When crossed, a nat-     |
   |                        | pool-event notification will be          |
   |                        | generated.                               |
   +------------------------+------------------------------------------+
   | notify-addresses-usage | Used to notify high address utilization  |
   |                        | of all pools configured to a NAT         |
   |                        | instance.  When exceeded, a nat-instance-|
   |                        | event will be generated.                 |
   +------------------------+------------------------------------------+
   | notify-ports-usage     | Used to notify high port allocation      |
   |                        | taking into account all pools configured |
   |                        | to a NAT instance.  When exceeded, a nat-|
   |                        | instance-event notification will be      |
   |                        | generated.                               |
   +------------------------+------------------------------------------+

                     Table 6: Notification Thresholds

   In order to prevent frequent notifications from being generated, the
   NAT YANG module supports the intervals listed in Table 7, which
   control how frequently notifications can be generated.  That is,
   notifications are subject to rate-limiting imposed by these
   intervals.

   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   +-------------------------------------+-----------------------------+
   | notify-pool-usage/notify-interval   | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a given address pool.   |
   +-------------------------------------+-----------------------------+
   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                     Table 7: Notification Intervals
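   The following is an added example, not code from the draft or from
   any implementation of it: evaluating the per-pool thresholds of
   Table 6 against utilization samples and applying the
   notify-pool-usage/notify-interval rate limit of Table 7 before a
   nat-pool-event is produced.  Pool size, samples, thresholds and
   timestamps are constructed; reading high-threshold as "utilization at
   or above" and low-threshold as "utilization at or below" is this
   example's interpretation, and how the event is then delivered
   (NETCONF or RESTCONF notification) is outside it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PoolUsageMonitor:
    """Threshold and rate-limit state for one external-ip-address-pool."""
    instance_id: int
    pool_id: int
    pool_size: int            # addresses in the pool
    high_threshold: int       # percent, notify-pool-usage/high-threshold
    low_threshold: int        # percent, notify-pool-usage/low-threshold
    notify_interval: int      # seconds, notify-pool-usage/notify-interval
    last_notified: Optional[int] = None

    def __post_init__(self):
        if self.pool_size <= 0:
            raise ValueError("pool must contain at least one address")
        if not 0 <= self.low_threshold < self.high_threshold <= 100:
            raise ValueError("thresholds are percentages with low < high")

    def utilization(self, addresses_allocated: int) -> int:
        return round(100 * addresses_allocated / self.pool_size)

    def crossed(self, pct: int) -> Optional[int]:
        """The threshold this utilization crosses, or None."""
        if pct >= self.high_threshold:
            return self.high_threshold
        if pct <= self.low_threshold:
            return self.low_threshold
        return None

    def check(self, addresses_allocated: int, now: int) -> Optional[dict]:
        """Return the nat-pool-event for this sample, or None when no
        threshold is crossed or notify-interval has not elapsed since
        the previous event for this pool."""
        threshold = self.crossed(self.utilization(addresses_allocated))
        if threshold is None:
            return None
        if self.last_notified is not None and now - self.last_notified < self.notify_interval:
            return None                                  # rate-limited (Table 7)
        self.last_notified = now
        return {"id": self.instance_id, "pool-id": self.pool_id,
                "notify-pool-threshold": threshold}


def run_demo():
    """Five constructed (time, addresses-allocated) samples for a /24 pool."""
    mon = PoolUsageMonitor(instance_id=1, pool_id=1, pool_size=256,
                           high_threshold=90, low_threshold=10, notify_interval=60)
    samples = [(0, 128), (10, 240), (20, 250), (80, 255), (200, 5)]
    return [mon.check(allocated, now=t) for t, allocated in samples]


if __name__ == "__main__":
    for event in run_demo():
        print("suppressed" if event is None else event)
```

   The same pattern serves nat-instance-event: aggregate
   addresses-allocated and ports-allocated over all pools of the
   instance, compare them with notify-addresses-usage and
   notify-ports-usage, and rate-limit with
   notification-limits/notify-interval instead of the per-pool interval.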
2.10.  Binding the NAT Function to an External Interface

   The model is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm, but the module is
   extensible so that other choices can be indicated in the future
   (e.g., a Virtual Routing and Forwarding (VRF) instance).

   Distinct external realms can be provided as a function of the NAT
   policy (see for example, Section 4 of [RFC7289]).

   If no external realm is provided, this assumes that the system is
   able to determine the external interface (VRF instance, etc.) on
   which the NAT will be applied.  Typically, the WAN and LAN interfaces
   of a CPE are determined by the CPE.

2.11.  Relationship to NATV2-MIB

   Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that
   the following information is configured on the NAT by some means not
   specified in [RFC7659]:

   o  The set of address realms to which the device connects.

   o  For the CGN case, per-subscriber information including subscriber
      index, address realm, assigned prefix or address, and (possibly)
      policies regarding address pool selection in the various possible
      address realms to which the subscriber may connect.

   o  The set of NAT instances running on the device, identified by NAT
      instance index and name.

   o  The port mapping, filtering, pooling, and fragment behavior for
      each NAT instance.

   o  The set of protocols supported by each NAT instance.

   o  Address pools for each NAT instance, including for each pool the
      pool index, address realm, and minimum and maximum port number.

   o  Static address and port mapping entries.

   All the above parameters can be configured by means of the NAT YANG
   module.

   Unlike the NATV2-MIB, the NAT YANG module allows multiple policies to
   be configured per NAT instance.

2.12.  Tree Structure
   The tree structure of the NAT YANG module is provided below:

   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id                     uint32
              +--rw name?                  string
              +--rw enable?                boolean
              +--ro capabilities
              |  +--ro nat-flavor*                                  identityref
              |  +--ro transport-protocols* [protocol-id]
              |  |  +--ro protocol-id      uint8
              |  |  +--ro protocol-name?   string
              |  +--ro restricted-port-support?                     boolean
              |  +--ro static-mapping-support?                      boolean
              |  +--ro port-randomization-support?                  boolean
              |  +--ro port-range-allocation-support?               boolean
              |  +--ro port-preservation-suport?                    boolean
              |  +--ro port-parity-preservation-support?            boolean
              |  +--ro address-roundrobin-support?                  boolean
              |  +--ro paired-address-pooling-support?              boolean
              |  +--ro endpoint-independent-mapping-support?        boolean
              |  +--ro address-dependent-mapping-support?           boolean
              |  +--ro address-and-port-dependent-mapping-support?  boolean
              |  +--ro endpoint-independent-filtering-support?      boolean
              |  +--ro address-dependent-filtering?                 boolean
              |  +--ro address-and-port-dependent-filtering?        boolean
              |  +--ro fragment-behavior?                           enumeration
              +--rw nat-pass-through* [id] {basic-nat44 or napt44 or dst-nat}?
              |  +--rw id        uint32
              |  +--rw prefix    inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                          uint32
              |  +--rw clat-parameters {clat}?
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
              |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix] {eam}?
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix] {siit or nat64 or clat}?
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?          boolean
              |  +--rw external-ip-address-pool* [pool-id] {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool    inet:ipv4-prefix
              |  +--rw port-set-restrict {napt44 or nat64}?
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?         uint8
              |  |        +--rw psid-len             uint8
              |  |        +--rw psid                 uint16
              |  +--rw dst-nat-enable?             boolean {basic-nat44 or napt44}?
              |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool    inet:ip-prefix
              |  +--rw transport-protocols* [protocol-id] {napt44 or nat64 or dst-nat}?
              |  |  +--rw protocol-id      uint8
              |  |  +--rw protocol-name?   string
              |  +--rw subscriber-mask-v6?         uint8
              |  +--rw subscriber-match* [match-id] {basic-nat44 or napt44 or dst-nat}?
              |  |  +--rw match-id    uint32
              |  |  +--rw subnet      inet:ip-prefix
              |  +--rw address-allocation-type?    enumeration
              |  +--rw port-allocation-type?       enumeration {napt44 or nat64}?
              |  +--rw mapping-type?               enumeration {napt44 or nat64}?
              |  +--rw filtering-type?             enumeration {napt44 or nat64}?
              |  +--rw fragment-behavior?          enumeration {napt44 or nat64}?
              |  +--rw port-quota* [quota-type] {napt44 or nat64}?
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-set {napt44 or nat64}?
              |  |  +--rw port-set-size       uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers {napt44 or nat64}?
              |  |  +--rw udp-timeout?                uint32
              |  |  +--rw tcp-idle-timeout?           uint32
              |  |  +--rw tcp-trans-open-timeout?     uint32
              |  |  +--rw tcp-trans-close-timeout?    uint32
              |  |  +--rw tcp-in-syn-timeout?         uint32
              |  |  +--rw fragment-min-timeout?       uint32
              |  |  +--rw icmp-timeout?               uint32
              |  |  +--rw per-port-timeout* [port-number]
              |  |  |  +--rw port-number    inet:port-number
              |  |  |  +--rw timeout        uint32
              |  |  +--rw hold-down-timeout?          uint32
              |  |  +--rw hold-down-max?              uint32
              |  +--rw fragments-limit?            uint32
              |  +--rw algs* [name]
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw dst-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw src-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?            boolean
              |  +--rw notify-pool-usage {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id?           uint32
              |  |  +--rw high-threshold?    percent
              |  |  +--rw low-threshold?     percent
              |  |  +--rw notify-interval?   uint32
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |           +--rw external-interface?   if:interface-ref
              +--rw mapping-limits {napt44 or nat64}?
              |  +--rw limit-subscribers?        uint32
              |  +--rw limit-address-mapings?    uint32
              |  +--rw limit-port-mappings?      uint32
              |  +--rw limit-per-protocol* [protocol-id] {napt44 or nat64 or dst-nat}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw connection-limits {basic-nat44 or napt44 or nat64}?
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-protocol* [protocol-id] {napt44 or nat64}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw notification-limits
              |  +--rw notify-interval?          uint32 {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-addresses-usage?   percent {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-ports-usage?       percent {napt44 or nat64}?
              +--rw logging-enable?        boolean {basic-nat44 or napt44 or nat64}?
              +--rw mapping-table {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
   skipping to change at page 19, line 39
              |     +--rw internal-dst-address?   inet:ip-prefix
              |     +--rw internal-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro discontinuity-time     yang:date-and-time
                 +--ro traffic-statistics
                 |  +--ro sent-packets?                    yang:zero-based-counter64
                 |  +--ro sent-bytes?                      yang:zero-based-counter64
                 |  +--ro rcvd-packets?                    yang:zero-based-counter64
                 |  +--ro rcvd-bytes?                      yang:zero-based-counter64
                 |  +--ro dropped-packets?                 yang:zero-based-counter64
                 |  +--ro dropped-bytes?                   yang:zero-based-counter64
                 |  +--ro dropped-fragments?               yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-address-limit-packets?   yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-limit-bytes?     yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-packets?         yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-bytes?           yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-port-limit-packets?      yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-limit-bytes?        yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-packets?            yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-bytes?              yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-subscriber-packets?      yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-subscriber-bytes?        yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 +--ro mappings-statistics
                 |  +--ro total-address-mappings?   yang:gauge32 {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                 |  +--ro total-port-mappings?      yang:gauge32 {napt44 or nat64}?
                 |  +--ro total-per-protocol* [protocol-id] {napt44 or nat64}?
                 |     +--ro protocol-id    uint8
                 |     +--ro total?         yang:gauge32
                 +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro ports-stats {napt44 or nat64}?
                    |  +--ro ports-allocated?   yang:gauge32
                    |  +--ro ports-free?        yang:gauge32
                    +--ro per-pool-stats* [pool-id] {basic-nat44 or napt44 or nat64}?
                       +--ro pool-id               uint32
                       +--ro discontinuity-time    yang:date-and-time
                       +--ro pool-stats
                       |  +--ro addresses-allocated?   yang:gauge32
                       |  +--ro addresses-free?        yang:gauge32
                       +--ro port-stats {napt44 or nat64}?
                          +--ro ports-allocated?   yang:gauge32
                          +--ro ports-free?        yang:gauge32

     notifications:
       +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
       |  +--ro id                       -> /nat/instances/instance/id
       |  +--ro policy-id?               -> /nat/instances/instance/policy/id
       |  +--ro pool-id                  -> /nat/instances/instance/policy/external-ip-address-pool/pool-id
       |  +--ro notify-pool-threshold    percent
       +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
          +--ro id                            -> /nat/instances/instance/id
          +--ro notify-addresses-threshold?   percent
          +--ro notify-ports-threshold?       percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-10-30.yang" <CODE BEGINS> file "ietf-nat@2017-11-13.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
import ietf-interfaces { prefix if; } import ietf-interfaces { prefix if; }
organization "IETF OPSAWG (Operations and Management Area Working Group)"; organization
"IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
WG Chair: Ignas Bagdonas WG Chair: Ignas Bagdonas
<mailto:ibagdona@gmail.com> <mailto:ibagdona@gmail.com>
WG Chair: Joe Clarke WG Chair: Joe Clarke
skipping to change at page 15, line 42 skipping to change at page 21, line 33
WG Chair: Tianran Zhou WG Chair: Tianran Zhou
<mailto:zhoutianran@huawei.com> <mailto:zhoutianran@huawei.com>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com> <mailto:mohamed.boucadair@orange.com>
Editor: Senthil Sivakumar Editor: Senthil Sivakumar
<mailto:ssenthil@cisco.com> <mailto:ssenthil@cisco.com>
Editor: Chritsian Jacquenet Editor: Christian Jacquenet
<mailto:christian.jacquenet@orange.com> <mailto:christian.jacquenet@orange.com>
Editor: Suresh Vinapamula Editor: Suresh Vinapamula
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Editor: Qin Wu Editor: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations "This module is a YANG module for NAT implementations
skipping to change at page 16, line 22 skipping to change at page 22, line 11
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-10-30 { revision 2017-11-13 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for Network Address Translation "RFC XXXX: A YANG Data Model for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
description description
"Percentage"; "Percentage";
} }
/* /*
* Identities * Features
*/ */
identity nat-type { feature basic-nat44{
description description
"Base identity for nat type."; "Basic NAT44 translation is limited to IP addresses alone.";
reference
"RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
} }
identity nat44 { feature napt44 {
base nat:nat-type;
description description
"Identity for traditional NAT support."; "Network Address/Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID).";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
identity basic-nat { feature dst-nat {
base nat:nat44; description
"Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices
in front of public servers.";
}
feature nat64 {
description
"NAT64 translation allows IPv6-only clients to contact IPv4
servers using unicast UDP, TCP, or ICMP. One or more
public IPv4 addresses assigned to a NAT64 translator are
shared among several IPv6-only clients.";
reference
"RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers";
}
feature siit {
description
"The Stateless IP/ICMP Translation Algorithm (SIIT), which
translates between IPv4 and IPv6 packet headers (including
ICMP headers).
In the stateless mode, an IP/ICMP translator converts IPv4
addresses to IPv6 and vice versa solely based on the
configuration of the stateless IP/ICMP translator and
information contained within the packet being translated.
The translator must support the stateless address mapping
algorithm defined in RFC6052, which is the default behavior.";
reference
"RFC 7915: IP/ICMP Translation Algorithm";
}
feature clat {
description
"CLAT is customer-side translator that algorithmically
translates 1:1 private IPv4 addresses to global IPv6 addresses,
and vice versa.
When a dedicated /64 prefix is not available for translation
from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4 packets appear
from a single IPv4 address and are then statelessly translated
to one interface IPv6 address that is claimed by the CLAT via
the Neighbor Discovery Protocol (NDP) and defended with
Duplicate Address Detection.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
}
feature eam {
description
"Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 Prefix and an IPv6 Prefix.";
reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation";
}
feature nptv6 {
description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/*
* Identities
*/
identity nat-type {
description
"Base identity for nat type.";
}
identity basic-nat44 {
base nat:nat-type;
description description
"Identity for Basic NAT support."; "Identity for Basic NAT support.";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
identity napt { identity napt44 {
base nat:nat44; base nat:nat-type;
description description
"Identity for NAPT support."; "Identity for NAPT support.";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
identity dst-nat { identity dst-nat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for Destination NAT support."; "Identity for Destination NAT support.";
} }
identity nat64 { identity nat64 {
base nat:nat-type; base nat:nat-type;
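Review bot: renaming identity napt to napt44 and moving its base from nat:nat44 to nat:nat-type is a backward-incompatible change for any -07 configuration, because identityref values are matched by identity name; the revision history should say so, and every remaining use of the removed nat44 identity (in particular any identityref with 'base nat44') has to go with it. A second point in the new feature text: feature siit states that the RFC 6052 algorithmic mapping 'is the default behavior', while feature eam describes an explicit per-prefix mapping that overrides that algorithm; one of the two descriptions should say which takes precedence when both features are enabled on the same instance.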
skipping to change at page 17, line 44 skipping to change at page 25, line 22
identity nat64 { identity nat64 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NAT64 support."; "Identity for NAT64 support.";
reference reference
"RFC 6146: Stateful NAT64: Network Address and Protocol "RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers"; Translation from IPv6 Clients to IPv4 Servers";
} }
identity siit {
base nat:nat-type;
description
"Identity for SIIT support.";
reference
"RFC 7915: IP/ICMP Translation Algorithm";
}
identity clat { identity clat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for CLAT support."; "Identity for CLAT support.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
identity nptv6 { identity nptv6 {
skipping to change at page 18, line 21 skipping to change at page 26, line 7
} }
identity nptv6 { identity nptv6 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for NPTv6 support.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
identity vrf-routing-instance {
description
"This identity represents a VRF routing instance.";
reference
"Section 8.9 of RFC 4026.";
}
/* /*
* Grouping * Grouping
*/ */
grouping port-number { grouping port-number {
description description
"Individual port or a range of ports. "Individual port or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port."; it represents a single port.";
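Review bot: the added identity vrf-routing-instance declares no base, so it is neither derived from nat-type nor usable as the base of an identityref; if it is meant to be the target of a per-instance routing-instance leaf, that leaf needs 'base vrf-routing-instance' and this identity's description should say what it is for. Its reference 'Section 8.9 of RFC 4026.' also does not follow the 'RFC NNNN: Title' form used by every other identity in the module.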
skipping to change at page 20, line 36 skipping to change at page 28, line 15
} }
} }
reference reference
"Section 7597: Mapping of Address and Port with "Section 7597: Mapping of Address and Port with
Encapsulation (MAP-E)"; Encapsulation (MAP-E)";
} }
} }
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry."; "NAT mapping entry.
If an attribute is not stored in the mapping/session table,
this means the corresponding fields of a packet that
matches this entry is not rewritten by the NAT or this
information is not required for NAT filtering purposes.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry."; "A unique identifier of a mapping entry. This identifier can be
automatically assigned by the NAT instance or be explicitly
configured.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum "static" { enum "static" {
description description
"The mapping entry is explicitly configrued "The mapping entry is explicitly configured
(e.g., via command-line interface)."; (e.g., via command-line interface).";
} }
enum "dynamic-implicit" { enum "dynamic-implicit" {
description description
"This mapping is created implicitely as a side effect "This mapping is created implicitly as a side effect
of processing a packet that requires a new mapping."; of processing a packet that requires a new mapping.";
} }
enum "dynamic-explicit" { enum "dynamic-explicit" {
description description
"This mapping is created as a result of an explicit "This mapping is created as a result of an explicit
request, e.g., a PCP message."; request, e.g., a PCP message.";
} }
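Review bot: the reference at the end of the port-set grouping reads 'Section 7597: Mapping of Address and Port with Encapsulation (MAP-E)' in both revisions; that is RFC 7597, not a section. In the new mapping-entry description, 'the corresponding fields of a packet that matches this entry is not rewritten' should read 'are not rewritten', and the sentence would be clearer as two: an absent attribute means the field is not rewritten, and it also means the field is not used for filtering.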
skipping to change at page 21, line 33 skipping to change at page 29, line 18
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry. Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping. mapping or 17 (UDP) for a UDP mapping.
If this leaf is not instantiated, then the mapping If this leaf is not instantiated, then the mapping
applies to any protocol."; applies to any protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal of the packet received on an internal
interface."; interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the "Corresponds to the source port of the packet received
packet received on an internal interface. on an internal interface.
It is used also to indicate the internal It is used also to indicate the internal source ICMP
source ICMP identifier. identifier.
As a reminder, all the ICMP Query messages contain As a reminder, all the ICMP Query messages contain
an 'Identifier' field, which is referred to in this an 'Identifier' field, which is referred to in this
document as the 'ICMP Identifier'."; document as the 'ICMP Identifier'.";
uses port-number; uses port-number;
} }
leaf external-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Source IP address/prefix of the packet sent "Source IP address/prefix of the packet sent on an
on an external interface of the NAT."; external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent "Source port of the packet sent on an external
on an external interafce of the NAT. interface of the NAT.
It is used also to indicate the external It is used also to indicate the external source ICMP
source ICMP identifier."; identifier.";
uses port-number; uses port-number;
} }
leaf internal-dst-address { leaf internal-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
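Review bot: the transport-protocol leaf (uint8) says only 'Values are taken from the IANA protocol registry.' while the protocol-id leaves added later in this revision cite the registry URL; use the same wording and URL here, and put the three uint8 protocol leaves on one shared typedef so they cannot drift apart. 'If this leaf is not instantiated, then the mapping applies to any protocol' is a wildcard with filtering consequences; the description should say whether such a mapping is still constrained by the protocols the instance advertises in capabilities.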
skipping to change at page 23, line 39 skipping to change at page 31, line 26
fully-formed (e.g., once the three-way handshake fully-formed (e.g., once the three-way handshake
TCP is completed) or the duration for maintaining TCP is completed) or the duration for maintaining
an explicit mapping alive. The mapping entry will be an explicit mapping alive. The mapping entry will be
removed by the NAT instance once this lifetime is expired. removed by the NAT instance once this lifetime is expired.
When reported in a get operation, the lifetime indicates When reported in a get operation, the lifetime indicates
the remaining validity lifetime. the remaining validity lifetime.
Static mappings may not be associated with a Static mappings may not be associated with a
lifetime. If no lifetime is associated with a lifetime. If no lifetime is associated with a
static mapping, an explicit action is requried to static mapping, an explicit action is required to
remove that mapping."; remove that mapping.";
} }
} }
/* /*
* NAT Module * NAT Module
*/ */
container nat { container nat {
description description
"NAT module"; "NAT module";
container instances { container instances {
description description
"NAT instances"; "NAT instances";
list instance { list instance {
key "id"; key "id";
description description
"A NAT instance."; "A NAT instance. This identifier can be automatically assigned
or explicitly configured.";
leaf id { leaf id {
type uint32; type uint32;
must ". >= 1";
description description
"NAT instance identifier."; "NAT instance identifier.
The identifier must be greater than zero as per RFC 7659.";
reference reference
"RFC 7659."; "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
reference
"RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"Status of the the NAT instance."; "Status of the the NAT instance.";
} }
container capabilities { container capabilities {
config false;
description description
"NAT capabilities"; "NAT capabilities";
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
} }
description description
"Type of NAT."; "Type of NAT.";
} }
leaf-list nat44-flavor { list transport-protocols {
when "../nat-flavor = 'nat44'"; key protocol-id;
type identityref {
base nat44;
}
description description
"Type of NAT44: Basic NAT or NAPT."; "List of supported protocols.";
leaf protocol-id {
type uint8;
mandatory true;
description
"Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping.";
}
leaf protocol-name {
type string;
description
"The name of the Upper-layer protocol associated
with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, TCP, UDP, DCCP, and SCTP.";
}
} }
leaf restricted-port-support { leaf restricted-port-support {
type boolean; type boolean;
description description
"Indicates source port NAT restriction "Indicates source port NAT restriction support.";
support.";
reference reference
"RFC 7596: Lightweight 4over6: An Extension to "RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture."; the Dual-Stack Lite Architecture.";
} }
leaf static-mapping-support { leaf static-mapping-support {
type boolean; type boolean;
description description
"Indicates whether static mappings are supported."; "Indicates whether static mappings are supported.";
} }
leaf port-randomization-support { leaf port-randomization-support {
type boolean; type boolean;
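Review bot: the transport-protocols list added under capabilities (now config false) reuses the mapping-entry wording 'Upper-layer protocol associated with this mapping', but there is no mapping in this context; it should read 'a transport protocol supported by the NAT instance'. Also in this hunk: 'Status of the the NAT instance.' (double 'the') survives unchanged; 'must ". >= 1";' on id carries no error-message, and 'type uint32 { range "1..max"; }' would express the RFC 7659 constraint more directly; and the sentence 'This identifier can be automatically assigned or explicitly configured' belongs in the description of the id leaf, not of the list.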
skipping to change at page 25, line 50 skipping to change at page 34, line 22
type boolean; type boolean;
description description
"Indicates whether port preservation is supported."; "Indicates whether port preservation is supported.";
reference reference
"Section 4.2.1. of RFC 4787."; "Section 4.2.1. of RFC 4787.";
} }
leaf port-parity-preservation-support { leaf port-parity-preservation-support {
type boolean; type boolean;
description description
"Indicates whether port parity preservation is supported."; "Indicates whether port parity preservation is
supported.";
reference reference
"Section 8 of RFC 7857."; "Section 8 of RFC 7857.";
} }
leaf address-roundrobin-support { leaf address-roundrobin-support {
type boolean; type boolean;
description description
"Indicates whether address allocation round robin is supported."; "Indicates whether address allocation round robin is
supported.";
} }
leaf paired-address-pooling-support { leaf paired-address-pooling-support {
type boolean; type boolean;
description description
"Indicates whether paired-address-pooling is supported"; "Indicates whether paired-address-pooling is
supported";
reference reference
"REQ-2 of RFC 4787."; "REQ-2 of RFC 4787.";
} }
leaf endpoint-independent-mapping-support { leaf endpoint-independent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent- "Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is mapping in Section 4 of RFC 4787 is
supported."; supported.";
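Review bot: 'Indicates whether paired-address-pooling is supported' lacks the closing period its siblings have, and 'Section 4.2.1. of RFC 4787.' has a stray period after the section number; the reference statements in this container mix 'Section N of RFC X.', 'REQ-N of RFC X.' and 'RFC X: Title' forms, so pick one.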
skipping to change at page 26, line 29 skipping to change at page 35, line 4
} }
leaf endpoint-independent-mapping-support { leaf endpoint-independent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent- "Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is mapping in Section 4 of RFC 4787 is
supported."; supported.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
leaf address-dependent-mapping-support { leaf address-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address-dependent-mapping is supported."; "Indicates whether address-dependent-mapping is
supported.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
leaf address-and-port-dependent-mapping-support { leaf address-and-port-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address-and-port-dependent-mapping is supported."; "Indicates whether address-and-port-dependent-mapping is
supported.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
leaf endpoint-independent-filtering-support { leaf endpoint-independent-filtering-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent-filtering is supported."; "Indicates whether endpoint-independent-filtering is
supported.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
leaf address-dependent-filtering { leaf address-dependent-filtering {
type boolean; type boolean;
description description
"Indicates whether address-dependent-filtering is supported."; "Indicates whether address-dependent-filtering is
supported.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
leaf address-and-port-dependent-filtering { leaf address-and-port-dependent-filtering {
type boolean; type boolean;
description description
"Indicates whether address-and-port-dependent is supported."; "Indicates whether address-and-port-dependent is
supported.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
leaf fragment-behavior {
type enumeration {
enum "unsupported" {
description
"No capability to translate incoming fragments.
All received fragments are dropped.";
}
enum "in-order" {
description
"The NAT instance is able to translate fragments only if
they are received in order. That is, in particular the
header is in the first packet. Fragments received
out of order are dropped. ";
}
enum "out-of-order" {
description
"The NAT instance is able to translate a fragment even
if it is received out of order.
This behavior is the one recommended in RFC4787.";
reference
"REQ-14 of RFC 4787";
}
}
description
"The fragment behavior is the NAT instance's capability to
translate fragments received on the external interface of
the NAT.";
}
} }
list nat-pass-through { list nat-pass-through {
if-feature "basic-nat44 or napt44 or dst-nat";
key id; key id;
description description
"IP prefix NAT pass through."; "IP prefix NAT pass through.";
leaf id { leaf id {
type uint32; type uint32;
description description
"An identifier of the IP prefix pass "An identifier of the IP prefix pass through.";
through.";
} }
leaf prefix { leaf prefix {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true;
description description
"The IP addresses that match "The IP addresses that match should not be translated.
should not be translated. According to
REQ#6 of RFC6888, it must be possible According to REQ#6 of RFC6888, it must be possible to
to administratively turn off translation administratively turn off translation for specific
for specific destination addresses destination addresses and/or ports.";
and/or ports.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC6888.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
description description
"According to REQ#6 of RFC6888, it must "According to REQ#6 of RFC6888, it must be possible to
be possible to administratively turn off administratively turn off translation for specific
translation for specific destination addresses destination addresses and/or ports.
and/or ports.
If no prefix is defined, the NAT pass through If no prefix is defined, the NAT pass through bound
bound to a given port applies for any destination to a given port applies for any destination address.";
address.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC6888.";
} }
} }
list policy { list policy {
key id; key id;
description description
"NAT parameters for a given instance"; "NAT parameters for a given instance";
leaf id { leaf id {
type uint32; type uint32;
description description
"An identifier of the NAT policy."; "An identifier of the NAT policy.
it must be unique within the NAT instance.";
} }
container clat-parameters { container clat-parameters {
if-feature clat;
description description
"CLAT parameters."; "CLAT parameters.";
list clat-ipv6-prefixes { list clat-ipv6-prefixes {
when "../../../capabilities/nat-flavor = 'clat' ";
key ipv6-prefix; key ipv6-prefix;
description description
"464XLAT double translation treatment is "464XLAT double translation treatment is stateless when a
stateless when a dedicated /64 is available dedicated /64 is available for translation on the CLAT.
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless Otherwise, the CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to since it requires NAT44 from the LAN to a single IPv4
a single IPv4 address and then stateless address and then stateless translation to a single
translation to a single IPv6 address."; IPv6 address.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
leaf ipv6-prefix { leaf ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used for CLAT."; "An IPv6 prefix used for CLAT.";
} }
} }
list ipv4-prefixes { list ipv4-prefixes {
when "../../../capabilities/nat-flavor = 'clat'";
key ipv4-prefix; key ipv4-prefix;
description description
"Pool of IPv4 addresses used for CLAT. "Pool of IPv4 addresses used for CLAT.
192.0.0.0/29 is the IPv4 service continuity 192.0.0.0/29 is the IPv4 service continuity prefix.";
prefix.";
reference reference
"RFC 7335: IPv4 Service Continuity Prefix"; "RFC 7335: IPv4 Service Continuity Prefix";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"464XLAT double translation treatment is "464XLAT double translation treatment is
stateless when a dedicated /64 is available stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless CLAT will have both stateful and stateless
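Review bot: nat-pass-through now marks prefix as 'mandatory true;', yet the port leaf still says 'If no prefix is defined, the NAT pass through bound to a given port applies for any destination address.' Both cannot be right; either drop the mandatory statement (a port-only exemption is exactly what REQ#6 of RFC 6888 asks for) or delete the sentence. Replacing the 'when "../../../capabilities/nat-flavor = 'clat'"' guards with if-feature is the right fix, since those expressions compared an identityref against an unqualified string and referenced a subtree that is now config false. Remaining nits: address-dependent-filtering and address-and-port-dependent-filtering lack the '-support' suffix their siblings use; 'Indicates whether address-and-port-dependent is supported.' is missing the word 'filtering'; the fragment-behavior text calls out-of-order handling 'recommended in RFC4787' although REQ-14 of RFC 4787 makes it a MUST, so the 'unsupported' and 'in-order' values describe non-compliant behaviour and should say so; and 'it must be unique within the NAT instance' on policy id starts with a lowercase letter and is already guaranteed by id being the list key.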
skipping to change at page 29, line 43 skipping to change at page 39, line 4
the CLAT. the CLAT.
An IPv4 address from this pool is also An IPv4 address from this pool is also
provided to an application that makes provided to an application that makes
use of literals."; use of literals.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
} }
} }
list nptv6-prefixes { list nptv6-prefixes {
when "../../capabilities/nat-flavor = 'nptv6' "; if-feature nptv6;
key translation-id; key internal-ipv6-prefix ;
description description
"Provides one or a list of (internal IPv6 prefix, "Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6. external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link links, one of which is an 'internal' network link
attached to a leaf network within a single attached to a leaf network within a single
administrative domain and the other of which is an administrative domain and the other of which is an
'external' network with connectivity to the global 'external' network with connectivity to the global
Internet."; Internet.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf translation-id {
type uint32;
description
"An identifier of the NPTv6 prefixes.";
}
leaf internal-ipv6-prefix { leaf internal-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
mandatory true;
description description
"An IPv6 prefix used by an internal interface "An IPv6 prefix used by an internal interface of NPTv6.";
of NPTv6.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
leaf external-ipv6-prefix { leaf external-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
mandatory true;
description description
"An IPv6 prefix used by the external interface "An IPv6 prefix used by the external interface of NPTv6.";
of NPTv6.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
} }
list eam { list eam {
when "../../capabilities/nat-flavor = 'eam' "; if-feature eam;
key ipv4-prefix; key ipv4-prefix;
description description
"The Explicit Address Mapping Table, a conceptual "The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM. table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6 Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses."; prefixes/addresses.";
reference reference
"Section 3.1 of RFC 7757."; "Section 3.1 of RFC 7757.";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
mandatory true;
description description
"The IPv4 prefix of an EAM."; "The IPv4 prefix of an EAM.";
reference reference
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
} }
leaf ipv6-prefix { leaf ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
mandatory true;
description description
"The IPv6 prefix of an EAM."; "The IPv6 prefix of an EAM.";
reference reference
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
} }
} }
list nat64-prefixes { list nat64-prefixes {
when "../../capabilities/nat-flavor = 'nat64' " + if-feature "siit or nat64 or clat";
" or ../../capabilities/nat-flavor = 'clat'";
key nat64-prefix; key nat64-prefix;
description description
"Provides one or a list of NAT64 prefixes "Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes. with or without a list of destination IPv4 prefixes.
Destination-based Pref64::/n is discussed in Destination-based Pref64::/n is discussed in
Section 5.1 of [RFC7050]). For example: Section 5.1 of [RFC7050]). For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48."; 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference reference
"Section 5.1 of RFC7050."; "Section 5.1 of RFC7050.";
leaf nat64-prefix { leaf nat64-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
mandatory true;
description description
"A NAT64 prefix. Can be NSP or a Well-Known "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
Prefix (WKP). Well-Known Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 Organizations deploying stateless IPv4/IPv6 translation
translation should assign a Network-Specific should assign a Network-Specific Prefix to their
Prefix to their IPv4/IPv6 translation service. IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6 For stateless NAT64, IPv4-translatable IPv6 addresses
addresses must use the selected Network-Specific must use the selected Network-Specific Prefix.
Prefix. Both IPv4-translatable IPv6 addresses
and IPv4-converted IPv6 addresses should use Both IPv4-translatable IPv6 addresses and IPv4-converted
the same prefix."; IPv6 addresses should use the same prefix.";
reference reference
"Sections 3.3 and 3.4 of RFC 6052."; "Sections 3.3 and 3.4 of RFC 6052.";
} }
list destination-ipv4-prefix { list destination-ipv4-prefix {
key ipv4-prefix; key ipv4-prefix;
description description
"An IPv4 prefix/address."; "An IPv4 prefix/address.";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "An IPv4 address/prefix.";
} }
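Review bot: three lists in this hunk use a prefix leaf as key and also add 'mandatory true;' to that same leaf (internal-ipv6-prefix in nptv6-prefixes, ipv4-prefix in eam, nat64-prefix in nat64-prefixes). A list key is implicitly mandatory, so the statement is redundant at best; run the module through pyang or yanglint to confirm it is accepted. Changing the nptv6-prefixes key from translation-id to internal-ipv6-prefix also changes the instance identifiers of existing configuration and means one internal prefix can no longer be mapped to two external prefixes; if that restriction is intended, say so in the description. Nit: 'Section 5.1 of [RFC7050]).' has an unmatched closing parenthesis.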
skipping to change at page 32, line 18 skipping to change at page 41, line 25
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "An IPv4 address/prefix.";
} }
} }
leaf stateless-enable { leaf stateless-enable {
type boolean; type boolean;
default false;
description description
"Enable explicitly statless NAT64."; "Enable explicitly stateless NAT64.";
} }
} }
list external-ip-address-pool { list external-ip-address-pool {
if-feature "basic-nat44 or napt44 or nat64";
key pool-id; key pool-id;
description description
"Pool of external IP addresses used to "Pool of external IP addresses used to service internal
service internal hosts. hosts.
A pool is a set of IP prefixes."; A pool is a set of IP prefixes.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
must ". >= 1";
description description
"An identifier of the address pool."; "An identifier that uniquely identifies the address pool
within a NAT instance.
The identifier must be greater than zero as per
RFC 7659.";
reference
"RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
} }
leaf external-ip-pool { leaf external-ip-pool {
type inet:ipv4-prefix; type inet:ipv4-prefix;
mandatory true;
description description
"An IPv4 prefix used for NAT purposes."; "An IPv4 prefix used for NAT purposes.";
} }
} }
container port-set-restrict { container port-set-restrict {
when "../../capabilities/restricted-port-support = 'true'"; if-feature "napt44 or nat64";
description description
"Configures contiguous and non-contiguous port ranges."; "Configures contiguous and non-contiguous port ranges.
uses port-set; The port set is used to restrict the external source
port numbers used by the translator.";
uses port-set;
} }
leaf dst-nat-enable { leaf dst-nat-enable {
if-feature "basic-nat44 or napt44";
type boolean; type boolean;
default false; default false;
description description
"Enable/Disable destination NAT. "Enable/Disable destination NAT.
A NAT44 may be configured to enable
Destination NAT, too."; A NAT44 may be configured to enable Destination
NAT, too.";
} }
list dst-ip-address-pool { list dst-ip-address-pool {
when "../../capabilities/nat-flavor = 'dst-nat' "; if-feature dst-nat;
key pool-id; key pool-id;
description description
"Pool of IP addresses used for destination NAT."; "Pool of IP addresses used for destination NAT.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf dst-in-ip-pool { leaf dst-in-ip-pool {
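Review bot: dst-nat-enable is guarded by 'if-feature "basic-nat44 or napt44"' while the pool it needs, dst-ip-address-pool, is guarded by 'if-feature dst-nat'; on an implementation with NAT44 but without dst-nat, the leaf can be set to true with nothing to configure. Either guard dst-nat-enable with dst-nat as well or state in its description that it is only meaningful when the dst-nat feature is supported. Also, pool-id in external-ip-address-pool gained 'must ". >= 1";' and the RFC 7659 text, but pool-id in dst-ip-address-pool did not; the two should match. Dropping the 'when "../../capabilities/restricted-port-support = 'true'"' guard on port-set-restrict is correct now that capabilities is config false.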
skipping to change at page 33, line 33 skipping to change at page 42, line 52
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf dst-in-ip-pool { leaf dst-in-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Internal IP prefix/address"; "Is used to identify an internal IP prefix/address
to be translated.";
} }
leaf dst-out-ip-pool { leaf dst-out-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true;
description description
"IP address/prefix used for destination NAT."; "IP address/prefix used for destination NAT.";
} }
} }
list supported-transport-protocols { list transport-protocols {
key transport-protocol-id; if-feature "napt44 or nat64 or dst-nat";
key protocol-id;
description description
"Supported transport protocols. "Configure the transport protocols to be handled by
the translator.
TCP and UDP are supported by default."; TCP and UDP are supported by default.";
leaf transport-protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping."; mapping or 17 (UDP) for a UDP mapping.";
} }
leaf transport-protocol-name { leaf protocol-name {
type string; type string;
description description
"For example, TCP, UDP, DCCP, and SCTP."; "The name of the Upper-layer protocol associated
with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, TCP, UDP, DCCP, and SCTP.";
} }
} }
leaf subscriber-mask-v6 { leaf subscriber-mask-v6 {
type uint8 { type uint8 {
range "0 .. 128"; range "0 .. 128";
} }
description description
"The subscriber-mask is an integer that indicates "The subscriber-mask is an integer that indicates
the length of significant bits to be applied on the length of significant bits to be applied on
the source IPv6 address (internal side) to the source IPv6 address (internal side) to
unambiguously identify a CPE. unambiguously identify a CPE.
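Review bot: 'TCP and UDP are supported by default.' on the configurable transport-protocols list describes a default that YANG cannot attach to a list; state what an empty list means (TCP and UDP only, or every protocol the instance advertises in capabilities), otherwise implementations will diverge and a translator that silently handles ICMP, SCTP or DCCP when the operator configured nothing is a policy surprise. The protocol-id and protocol-name descriptions again say 'associated with this mapping' although this is a per-policy list; move the two protocol lists onto one grouping instead of duplicating the text. Lastly, dst-out-ip-pool is now mandatory while dst-in-ip-pool, 'used to identify an internal IP prefix/address to be translated', is not; if an entry without dst-in-ip-pool is meaningful, say what it matches.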
skipping to change at page 34, line 48 skipping to change at page 44, line 34
is assigned to a NAT64 serviced CPE. Suppose also is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the by the client that resides in that CPE. When the
NAT64 receives a packet from this client, NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on it applies the subscriber-mask (e.g., 56) on
the source IPv6 address to compute the associated the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56). prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address."; source IPv6 address.";
} }
list subscriber-match { list subscriber-match {
key sub-match-id; if-feature "basic-nat44 or napt44 or dst-nat";
key match-id;
description description
"IP prefix match."; "IP prefix match.
A subscriber is identified by a subnet.";
leaf sub-match-id { leaf match-id {
type uint32; type uint32;
description description
"An identifier of the subscriber mask."; "An identifier of the subscriber match.";
} }
leaf sub-mask { leaf subnet {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"The IP address subnets that match "The IP address subnets that match
should be translated. E.g., all addresses should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must that belong to the 192.0.2.0/24 prefix must
be processed by the NAT."; be processed by the NAT.";
} }
} }
leaf paired-address-pooling { leaf address-allocation-type {
type boolean; type enumeration {
default true; enum "arbitrary" {
if-feature "basic-nat44 or napt44 or nat64";
description
"Arbitrary pooling behavior means that the NAT
instance may create the new port mapping using any
address in the pool that has a free port for the
protocol concerned.";
}
enum "roundrobin" {
if-feature "basic-nat44 or napt44 or nat64";
description
"Round robin allocation.";
}
enum "paired" {
if-feature "napt44 or nat64";
description
"Paired address pooling informs the NAT
that all the flows from an internal IP
address must be assigned the same external
address. This is the recommended behavior for
NAPT/NAT64.";
reference
"RFC 4787: Network Address Translation (NAT)
Behavioral Requirements for Unicast UDP";
}
}
description description
"Paired address pooling informs the NAT "Specifies how external IP addresses are allocated.";
that all the flows from an internal IP }
address must be assigned the same external
address.";
reference leaf port-allocation-type {
"RFC 4787: Network Address Translation (NAT) Behavioral Requirements if-feature "napt44 or nat64";
for Unicast UDP"; type enumeration {
enum "random" {
description
"Port randomization is enabled. A NAT port allocation
scheme should make it hard for attackers to guess
port numbers";
reference
"REQ-15 of RFC 6888";
}
enum "port-preservation" {
description
"Indicates whether the NAT should preserve the internal
port number.";
}
enum "port-parity-preservation" {
description
"Indicates whether the NAT should preserve the port
parity of the internal port number.";
}
enum "port-range-allocation" {
description
"Indicates whether the NAT assigns a range of ports
for an internal host. This scheme allows to minimize
log volume.";
reference
"REQ-14 of RFC 6888";
}
}
description
"Indicates the type of port allocation.";
} }
leaf mapping-type { leaf mapping-type {
if-feature "napt44 or nat64";
type enumeration { type enumeration {
enum "eim" { enum "eim" {
description description
"endpoint-independent-mapping."; "endpoint-independent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
enum "adm" { enum "adm" {
description description
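Review bot: the new `address-allocation-type` enumeration replaces the -07 boolean `paired-address-pooling`, which carried `default true`, but has no `default` of its own, so the "paired" behaviour that the enum's description calls the recommended one for NAPT/NAT64 is no longer the implicit setting; either add a default (noting that a default of "paired" would need the leaf's own `if-feature` to match the enum's "napt44 or nat64" condition) or state in the leaf description what an absent leaf means. Minor: every enum of `address-allocation-type` carries an `if-feature` while the leaf itself has none, so consider hoisting the shared "basic-nat44 or napt44 or nat64" condition to the leaf, and the "random" description under `port-allocation-type` ("...hard for attackers to guess port numbers") is missing its terminating period.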
skipping to change at page 36, line 21 skipping to change at page 47, line 16
"address-and-port-dependent-mapping."; "address-and-port-dependent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
} }
description description
"Indicates the type of a NAT mapping."; "Indicates the type of a NAT mapping.";
} }
leaf filtering-type { leaf filtering-type {
if-feature "napt44 or nat64";
type enumeration { type enumeration {
enum "eif" { enum "eif" {
description description
"endpoint-independent-filtering."; "endpoint-independent-filtering.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
enum "adf" { enum "adf" {
description description
skipping to change at page 36, line 47 skipping to change at page 47, line 43
description description
"address-and-port-dependent-filtering"; "address-and-port-dependent-filtering";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
} }
description description
"Indicates the type of a NAT filtering."; "Indicates the type of a NAT filtering.";
} }
list port-quota { leaf fragment-behavior {
when "../../capabilities/nat44-flavor = "+ if-feature "napt44 or nat64";
"'napt' or "+ type enumeration {
"../../capabilities/nat-flavor = "+ enum "drop-all" {
"'nat64'"; description
"All received fragments are dropped.";
}
enum "in-order" {
description
"Translate fragments only if they are received
in order.";
}
enum "out-of-order" {
description
"Translate a fragment even if it is received out
of order.
This behavior is the recommended behavior.";
reference
"REQ-14 of RFC 4787";
}
}
description
"The fragment behavior instructs the NAT about the
behavior to follow to translate fragments received
on the external interface of the NAT.";
}
list port-quota {
if-feature "napt44 or nat64";
key quota-type; key quota-type;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per subscriber.
subscriber. It corresponds to the maximum It corresponds to the maximum number of ports to be
number of ports to be used by a subscriber."; used by a subscriber.";
leaf port-limit { leaf port-limit {
type uint16; type uint16;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per subscriber.
subscriber. It corresponds to the maximum It corresponds to the maximum number of ports to be
number of ports to be used by a subscriber."; used by a subscriber.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
leaf quota-type { leaf quota-type {
type uint8; type uint8;
description description
"Indicates whether the port quota applies to "Indicates whether the port quota applies to
all protocols (0) or to a specific transport."; all protocols (0) or to a specific protocol.";
} }
} }
leaf port-allocation-type { container port-set {
type enumeration { when "../port-allocation-type = 'port-range-allocation'";
enum "random" {
description
"Port randomization is enabled.";
}
enum "port-preservation" {
description
"Indicates whether the NAT should
preserve the internal port number.";
}
enum "port-parity-preservation" {
description
"Indicates whether the NAT should
preserve the port parity of the
internal port number.";
}
enum "port-range-allocation" {
description
"Indicates whether the NAT assigns a
range of ports for an internal host.";
}
}
description
"Indicates the type of a port allocation.";
}
leaf address-roundrobin-enable { if-feature "napt44 or nat64";
type boolean; description
"Manages port-set assignments.";
leaf port-set-size {
type uint16;
mandatory true;
description description
"Enable/disable address allocation "Indicates the size of assigned port sets.";
round robin.";
} }
container port-set { leaf port-set-timeout {
when "../port-allocation-type='port-range-allocation'"; type uint32;
units "seconds";
description description
"Manages port-set assignments."; "inactivity timeout for port sets.";
leaf port-set-size {
type uint16;
description
"Indicates the size of assigned port
sets.";
}
leaf port-set-timeout {
type uint32;
units "seconds";
description
"Inactivty timeout for port sets.";
}
} }
}
container timers { container timers {
description if-feature "napt44 or nat64";
"Configure values of various timeouts."; description
"Configure values of various timeouts.";
leaf udp-timeout { leaf udp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 300; default 300;
description description
"UDP inactivity timeout. That is the time a mapping "UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT."; will stay active without packets traversing the NAT.";
reference reference
"RFC 4787: Network Address Translation (NAT) Behavioral "RFC 4787: Network Address Translation (NAT)
Requirements for Unicast UDP"; Behavioral Requirements for Unicast UDP";
} }
leaf tcp-idle-timeout { leaf tcp-idle-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 7440; default 7440;
description description
"TCP Idle timeout should be "TCP Idle timeout should be 2 hours and 4 minutes.";
2 hours and 4 minutes.";
reference reference
"RFC 5382: NAT Behavioral Requirements for TCP"; "RFC 5382: NAT Behavioral Requirements for TCP";
} }
leaf tcp-trans-open-timeout { leaf tcp-trans-open-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default 240;
description description
"The value of the transitory open connection "The value of the transitory open connection
idle-timeout. idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable should provide different configurable
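Review bot: `quota-type` in `port-quota` is a `uint8` described as "all protocols (0) or to a specific protocol" without saying where the non-zero values come from; the `protocol-id` leaves later in this module point to the IANA protocol-numbers registry, and the same reference belongs here so that, for example, 6 (TCP) is unambiguous. Minor: the `port-set-timeout` description starts lowercase ("inactivity timeout for port sets."), and in `fragment-behavior` only the "out-of-order" enum carries a reference (REQ-14 of RFC 4787) while "drop-all" and "in-order" have none.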
skipping to change at page 40, line 30 skipping to change at page 51, line 14
after the packet is received. If during after the packet is received. If during
this interval the NAT receives and translates this interval the NAT receives and translates
an outbound SYN for the connection the NAT an outbound SYN for the connection the NAT
must silently drop the original unsolicited must silently drop the original unsolicited
inbound SYN packet."; inbound SYN packet.";
reference reference
"RFC 5382 NAT Behavioral Requirements for TCP"; "RFC 5382 NAT Behavioral Requirements for TCP";
} }
leaf fragment-min-timeout { leaf fragment-min-timeout {
when "../../fragment-behavior='out-of-order'";
type uint32; type uint32;
units "seconds"; units "seconds";
default 2; default 2;
description description
"As long as the NAT has available resources, "As long as the NAT has available resources,
the NAT allows the fragments to arrive the NAT allows the fragments to arrive
over fragment-min-timeout interval. over fragment-min-timeout interval.
The default value is inspired from RFC6146."; The default value is inspired from RFC6146.";
} }
skipping to change at page 41, line 17 skipping to change at page 52, line 4
"Some NATs are configurable with short timeouts "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts port 53 (DNS) and NTP (123) and longer timeouts
on other ports."; on other ports.";
leaf port-number { leaf port-number {
type inet:port-number; type inet:port-number;
description description
"A port number."; "A port number.";
} }
leaf timeout {
leaf port-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
mandatory true; mandatory true;
description description
"Timeout for this port"; "Timeout for this port number";
} }
} }
leaf hold-down-timeout { leaf hold-down-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 120; default 120;
description description
"Hold down timer. "Hold down timer.
Ports in the hold down pool are not reassigned Ports in the hold down pool are not reassigned until
until hold-down-timeout expires. hold-down-timeout expires.
The length of time and the maximum The length of time and the maximum number of ports in
number of ports in this state must be this state must be configurable by the administrator.
configurable by the administrator.
This is necessary in order This is necessary in order to prevent collisions
to prevent collisions between old between old and new mappings and sessions. It ensures
and new mappings and sessions. It ensures that all established sessions are broken instead of
that all established sessions are broken redirected to a different peer.";
instead of redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
leaf hold-down-max { leaf hold-down-max {
type uint32; type uint32;
description description
"Maximum ports in the Hold down timer pool. "Maximum ports in the Hold down timer pool.
Ports in the hold down pool are not reassigned Ports in the hold down pool are not reassigned
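Review bot: the `hold-down-timeout` description repeats in full the REQ#8 rationale that `hold-down-max` also carries ("The length of time and the maximum number of ports in this state must be configurable by the administrator. This is necessary in order to prevent collisions..."); state it once and have the other leaf point to it. Also, the list's `port-number` leaf is described only as "A port number."; say that it is the port to which `port-timeout` (renamed from `timeout` in -07) applies.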
skipping to change at page 42, line 19 skipping to change at page 53, line 4
The length of time and the maximum The length of time and the maximum
number of ports in this state must be number of ports in this state must be
configurable by the administrator. configurable by the administrator.
This is necessary in order This is necessary in order
to prevent collisions between old to prevent collisions between old
and new mappings and sessions. It ensures and new mappings and sessions. It ensures
that all established sessions are broken that all established sessions are broken
instead of redirected to a different peer."; instead of redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
} }
leaf fragments-limit{
when "../fragment-behavior='out-of-order'";
type uint32;
description
"Limits the number of out of order fragments that can
be handled.";
reference
"Section 11 of RFC 4787.";
}
list algs { list algs {
key name; key name;
description description
"ALG-related features."; "ALG-related features.";
leaf name { leaf name {
type string; type string;
description description
"The name of the ALG"; "The name of the ALG.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint32; type uint32;
description description
"The transport protocol used by the ALG."; "The transport protocol used by the ALG
(e.g., TCP, UDP).";
} }
leaf transport-port { container dst-transport-port {
type inet:port-number; uses port-number;
description description
"The port number used by the ALG."; "The destination port number(s) used by the ALG.
For example,
- 21 for the FTP ALG
- 53 for the DNS ALG.";
}
container src-transport-port {
uses port-number;
description
"The source port number(s) used by the ALG.";
} }
leaf status { leaf status {
type boolean; type boolean;
description description
"Enable/disable the ALG."; "Enable/disable the ALG.";
} }
} }
leaf all-algs-enable { leaf all-algs-enable {
type boolean; type boolean;
description description
"Enable/disable all ALGs. "Enable/disable all ALGs.
When specified, this parameter overrides the one When specified, this parameter overrides the one
that may be indicated, eventually, by the 'status' that may be indicated, eventually, by the 'status'
of an individual ALG."; of an individual ALG.";
} }
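Review bot: `transport-protocol` in `algs` is `type uint32` while the `protocol-id` leaves in this module use `type uint8` for the same IANA protocol number; use `uint8` here too, and cite the protocol-numbers registry as those leaves do, so a value such as 6 (TCP) is validated consistently. Style: `leaf fragments-limit{` is missing the space before the brace used everywhere else in the module.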
skipping to change at page 43, line 15 skipping to change at page 54, line 20
type boolean; type boolean;
description description
"Enable/disable all ALGs. "Enable/disable all ALGs.
When specified, this parameter overrides the one When specified, this parameter overrides the one
that may be indicated, eventually, by the 'status' that may be indicated, eventually, by the 'status'
of an individual ALG."; of an individual ALG.";
} }
container notify-pool-usage { container notify-pool-usage {
if-feature "basic-nat44 or napt44 or nat64";
description description
"Notification of pool usage when certain criteria "Notification of pool usage when certain criteria
are met."; are met.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Pool-ID for which the notification "Pool-ID for which the notification criteria
criteria is defined"; is defined";
} }
leaf high-threshold { leaf high-threshold {
type percent; type percent;
mandatory true;
description description
"Notification must be generated when the "Notification must be generated when the defined high
defined high threshold is reached. threshold is reached.
For example, if a notification is For example, if a notification is required when the
required when the pool utilization reaches pool utilization reaches 90%, this configuration
90%, this configuration parameter must parameter must be set to 90.
be set to 90%.";
0% indicates that no high threshold is enabled.";
} }
leaf low-threshold { leaf low-threshold {
type percent; type percent;
must ". >= ../high-threshold" {
error-message
"The upper port number must be greater than or
equal to lower port number.";
}
description description
"Notification must be generated when the defined "Notification must be generated when the defined low
low threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when the
the pool utilization reaches below 10%, pool utilization reaches below 10%, this
this configuration parameter must be set to configuration parameter must be set to 10";
10%."; }
leaf notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
default '20';
description
"Minimum number of seconds between successive
notifications for this pool.";
reference
"RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
} }
} }
container external-realm { container external-realm {
description description
"Identifies the external realm of the NAT."; "Identifies the external realm of the NAT instance.";
choice realm-type { choice realm-type {
description description
"Interface or VRF."; "Can be an interface, VRF instance, etc.";
case interface { case interface {
description description
"External interface."; "External interface.";
leaf external-interface { leaf external-interface {
type if:interface-ref; type if:interface-ref;
description description
"Name of an external interface."; "Name of the external interface.";
}
}
case vrf {
description
"External VRF instance.";
leaf external-vrf-instance {
type identityref {
base vrf-routing-instance;
}
description
"A VRF instance.";
} }
} }
} }
} }
} }
container mapping-limit { container mapping-limits {
if-feature "napt44 or nat64";
description description
"Information about the configuration parameters that "Information about the configuration parameters that
limits the mappings based upon various criteria."; limits the mappings based upon various criteria.";
leaf limit-per-subscriber { leaf limit-subscribers {
type uint32; type uint32;
description description
"Maximum number of NAT mappings per subscriber. "Maximum number of subscribers that can be serviced
by a NAT instance.
A subscriber is identifier by a given prefix."; A subscriber is identified by a given prefix.";
} reference
leaf limit-per-vrf { "RFC 7659: Definitions of Managed Objects for
type uint32; Network Address Translators (NATs)";
description
"Maximum number of NAT mappings per VLAN/VRF.";
} }
leaf limit-per-instance { leaf limit-address-mapings {
type uint32; type uint32;
mandatory true;
description description
"Maximum number of NAT mappings per instance."; "Maximum number of address mappings that can be
} handled by a NAT instance.
leaf limit-per-udp { When this limit is reached, packets that would
type uint32; normally trigger translation, will be dropped.";
mandatory true; reference
description "RFC 7659: Definitions of Managed Objects
"Maximum number of UDP NAT mappings per subscriber."; for Network Address Translators
(NATs)";
} }
leaf limit-per-tcp { leaf limit-port-mappings {
type uint32; type uint32;
mandatory true;
description description
"Maximum number of TCP NAT mappings per subscriber."; "Maximum number of port mappings that can be handled
by a NAT instance.
When this limit is reached, packets that would
normally trigger translation, will be dropped.";
reference
"RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
} }
leaf limit-per-icmp { list limit-per-protocol {
type uint32; if-feature "napt44 or nat64 or dst-nat";
mandatory true; key protocol-id;
description description
"Maximum number of ICMP NAT mappings per subscriber."; "Configure limits per transport protocol";
leaf protocol-id {
type uint8;
mandatory true;
description
"Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping.";
}
leaf limit {
type uint32;
description
"Maximum number of protocol-specific NAT mappings
per instance.";
}
} }
} }
container connection-limit { container connection-limits {
if-feature "basic-nat44 or napt44 or nat64";
description description
"Information about the configuration parameters that "Information about the configuration parameters that
rate limit the translation based upon various rate limit the translation based upon various criteria.";
criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings "Rate-limit the number of new mappings and sessions
and sessions per subscriber."; per subscriber.";
} }
leaf limit-per-vrf {
type uint32;
units "bits/second";
description
"Rate-limit the number of new mappings
and sessions per VLAN/VRF.";
}
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
units "bits/second"; units "bits/second";
mandatory true; mandatory true;
description description
"Rate-limit the number of new mappings "Rate-limit the number of new mappings and sessions
and sessions per instance."; per instance.";
} }
list limit-per-protocol {
leaf limit-per-udp { if-feature "napt44 or nat64";
type uint32; key protocol-id;
units "bits/second";
mandatory true;
description description
"Rate-limit the number of new UDP mappings "Configure limits per transport protocol";
and sessions per subscriber.";
}
leaf limit-per-tcp { leaf protocol-id {
type uint32; type uint8;
units "bits/second"; mandatory true;
mandatory true; description
description "Upper-layer protocol associated with this mapping.
"Rate-limit the number of new TCP mappings
and sessions per subscriber.";
}
leaf limit-per-icmp { Values are taken from the IANA protocol registry:
type uint32; https://www.iana.org/assignments/protocol-numbers/
units "bits/second"; protocol-numbers.xhtml
mandatory true;
description For example, this field contains 6 (TCP) for a TCP
"Rate-limit the number of new ICMP mappings mapping or 17 (UDP) for a UDP mapping.";
and sessions per subscriber."; }
leaf limit {
type uint32;
description
"Rate-limit the number of protocol-specific mappings
and sessions per instance.";
}
} }
} }
container logging-info { container notification-limits {
description description "Sets notification limits.";
"Information about logging NAT events";
leaf logging-enable { leaf notify-interval {
type boolean; if-feature "basic-nat44 or napt44 or nat64";
type uint32 {
range "1 .. 3600";
}
units "seconds";
default '10';
description description
"Enable logging features."; "Minimum number of seconds between successive
notifications for this NAT instance.";
reference reference
"Section 2.3 of RFC 6908."; "RFC 7659: Definitions of Managed Objects
} for Network Address Translators (NATs)";
}
leaf destination-address { leaf notify-addresses-usage {
type inet:ip-prefix; if-feature "basic-nat44 or napt44 or nat64";
mandatory true; type percent;
description description
"Address of the collector that receives "Notification of address mappings usage over
the logs"; the whole NAT instance.
}
leaf destination-port { Notification must be generated when the defined
type inet:port-number; threshold is reached.
mandatory true;
description
"Destination port of the collector.";
}
choice protocol { For example, if a notification is required when
the address mappings utilization reaches 90%,
this configuration parameter must be set
to 90.";
}
leaf notify-ports-usage {
if-feature "napt44 or nat64";
type percent;
description description
"Enable the protocol to be used for "Notification of port mappings usage over the
the retrieval of logging entries."; whole NAT instance.
case syslog { Notification must be generated when the defined
leaf syslog { threshold is reached.
type boolean;
description
"If SYSLOG is in use.";
}
}
case ipfix { For example, if a notification is required when
leaf ipfix { the port mappings utilization reaches 90%, this
type boolean; configuration parameter must be set to 90.";
description }
"If IPFIX is in use."; }
}
}
case ftp { leaf logging-enable {
leaf ftp { if-feature "basic-nat44 or napt44 or nat64";
type boolean; type boolean;
description description
"If FTP is in use."; "Enable logging features.";
} reference
} "Section 2.3 of RFC 6908 and REQ-12 of RFC6888.";
}
} }
container mapping-table { container mapping-table {
when "../capabilities/nat-flavor = "+ if-feature "basic-nat44 or napt44 " +
"'nat44' or "+ "or nat64 or clat or dst-nat";
"../capabilities/nat-flavor = "+
"'nat64'or "+
"../capabilities/nat-flavor = "+
"'clat'or "+
"../capabilities/nat-flavor = 'dst-nat'";
description description
"NAT mapping table. Applicable for functions "NAT mapping table. Applicable for functions which maintain
which maintains static and/or dynamic mappings, static and/or dynamic mappings, such as NAT44, Destination
such as NAT44, Destination NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description description "NAT mapping entry.";
"NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
} }
container statistics { container statistics {
config false; config false;
description description
"Statistics related to the NAT instance."; "Statistics related to the NAT instance.";
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which the NAT
instance suffered a discontinuity. This must be
initialized when the NAT instance is configured
or rebooted.";
}
container traffic-statistics { container traffic-statistics {
description description
"Generic traffic statistics."; "Generic traffic statistics.";
leaf sent-packets { leaf sent-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Number of packets sent.";
} }
leaf sent-bytes { leaf sent-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes';
description description
"Counter for sent traffic in bytes."; "Counter for sent traffic in bytes.";
} }
leaf rcvd-packets { leaf rcvd-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of received packets."; "Number of received packets.";
} }
leaf rcvd-bytes { leaf rcvd-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes';
description description
"Counter for received traffic "Counter for received traffic in bytes.";
in bytes.";
} }
leaf dropped-packets { leaf dropped-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Number of dropped packets.";
} }
leaf dropped-bytes { leaf dropped-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes';
description description
"Counter for dropped traffic in "Counter for dropped traffic in bytes.";
bytes.";
} }
}
container mapping-statistics { leaf dropped-fragments {
when "../../capabilities/nat-flavor = "+ if-feature "napt44 or nat64";
"'nat44' or "+ type yang:zero-based-counter64;
"../../capabilities/nat-flavor = "+ description
"'nat64'or "+ "Number of dropped fragments on the external realm.";
"../../capabilities/nat-flavor = 'dst-nat'"; }
description leaf dropped-address-limit-packets {
"Mapping statistics."; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
description
"Number of dropped packets because an address limit
is reached.";
}
leaf total-mappings { leaf dropped-address-limit-bytes {
type yang:gauge32; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
units 'bytes';
description description
"Total number of NAT mappings present "Counter of dropped packets because an address limit
at a given time. This variable includes is reached, in bytes.";
all the static and dynamic mappings.";
} }
leaf total-tcp-mappings {
type yang:gauge32; leaf dropped-address-packets {
if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
description description
"Total number of TCP mappings present "Number of dropped packets because no address is
at a given time."; available for allocation.";
} }
leaf total-udp-mappings { leaf dropped-address-bytes {
type yang:gauge32; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
units 'bytes';
description description
"Total number of UDP mappings present "Counter of dropped packets because no address is
at a given time."; available for allocation, in bytes.";
} }
leaf total-icmp-mappings { leaf dropped-port-limit-packets {
type yang:gauge32; if-feature "napt44 or nat64";
type yang:zero-based-counter64;
description description
"Total number of ICMP mappings present "Number of dropped packets because a port limit
at a given time."; is reached.";
} }
}
container pool-stats { leaf dropped-port-limit-bytes {
if-feature "napt44 or nat64";
type yang:zero-based-counter64;
units 'bytes';
description
"Counter of dropped packets because a port limit
is reached, in bytes.";
}
when "../../capabilities/nat-flavor = "+ leaf dropped-port-packets {
"'nat44' or "+ if-feature "napt44 or nat64";
"../../capabilities/nat-flavor = "+ type yang:zero-based-counter64;
"'nat64'"; description
"Number of dropped packets because no port is
available for allocation.";
}
description leaf dropped-port-bytes {
"Statistics related to address/prefix if-feature "napt44 or nat64";
pool usage"; type yang:zero-based-counter64;
units 'bytes';
description
"Counter of dropped packets because no port is
available for allocation, in bytes.";
}
leaf pool-id { leaf dropped-subscriber-packets {
type uint32; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
description description
"Unique Identifier that represents "Number of dropped packets because the subscriber
a pool of addresses/prefixes."; limit per instance is reached.";
}
leaf dropped-subscriber-bytes {
if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64;
units 'bytes';
description
"Counter of dropped packets because the subscriber
limit per instance is reached, in bytes.";
}
}
container mappings-statistics {
description
"Mappings statistics.";
leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat";
type yang:gauge32;
description
"Total number of address mappings present at a given
time. It includes both static and dynamic mappings.";
reference
"Section 3.3.8 of RFC 7659";
}
leaf total-port-mappings {
if-feature "napt44 or nat64";
type yang:gauge32;
description
"Total number of NAT port mappings present at
a given time. It includes both static and dynamic
mappings.";
reference
"Section 3.3.9 of RFC 7659";
}
list total-per-protocol {
if-feature "napt44 or nat64";
key protocol-id;
description
"Total mappings for each enabled/supported protocol.";
leaf protocol-id {
type uint8;
mandatory true;
description
"Upper-layer protocol associated with this mapping.
For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping.";
}
leaf total {
type yang:gauge32;
description
"Total number of a protocol-specific mappings present
at a given time. The protocol is identified by
protocol-id.";
}
} }
}
container pools-stats {
if-feature "basic-nat44 or napt44 or nat64";
description
"Statistics related to address/prefix pools
usage";
leaf addresses-allocated { leaf addresses-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated addresses in "Number of all allocated addresses.";
the pool";
} }
leaf addresses-free { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses in "Number of unallocated addresses of all pools at
the pool at a given time.The sum of a given time. The sum of unallocated and allocated
unallocated and allocated addresses is the total number of addresses of
addresses is the total number of the pools.";
addresses of the pool.";
} }
container port-stats { container ports-stats {
if-feature "napt44 or nat64";
description description
"Statistics related to port "Statistics related to port numbers usage.";
usage.";
leaf ports-allocated { leaf ports-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports "Number of allocated ports from all pools.";
in the pool.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated ports "Number of unallocated ports from all pools.";
in the pool."; }
}
list per-pool-stats {
if-feature "basic-nat44 or napt44 or nat64";
key "pool-id";
description
"Statistics related to address/prefix pool usage";
leaf pool-id {
type uint32;
description
"Unique Identifier that represents a pool of
addresses/prefixes.";
}
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which this
pool's counters suffered a discontinuity. This must
be initialized when the address pool is
configured.";
}
container pool-stats {
description
"Statistics related to address/prefix pool usage";
leaf addresses-allocated {
type yang:gauge32;
description
"Number of allocated addresses from this pool.";
}
leaf addresses-free {
type yang:gauge32;
description
"Number of unallocated addresses in this pool.";
}
}
container port-stats {
if-feature "napt44 or nat64";
description
"Statistics related to port numbers usage.";
leaf ports-allocated {
type yang:gauge32;
description
"Number of allocated ports from this pool.";
}
leaf ports-free {
type yang:gauge32;
description
"Number of unallocated ports from this pool.";
} }
} }
} }
} }
} }
} }
} }
}
/* /*
* Notifications * Notifications
*/ */
notification nat-event { notification nat-pool-event {
if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when the defined "Notifications must be generated when the defined high/low
high/low threshold is reached. Related threshold is reached. Related configuration parameters
configuration parameters must be provided to must be provided to trigger the notifications.";
trigger the notifications.";
leaf id { leaf id {
type leafref { type leafref {
path path "/nat/instances/instance/id";
"/nat/instances/" }
+ "instance/id"; mandatory true;
}
description description
"NAT instance ID."; "NAT instance Identifier.";
} }
leaf policy-id { leaf policy-id {
type leafref { type leafref {
path path "/nat/instances/instance/policy/id";
"/nat/instances/"
+ "instance/policy/id";
} }
description description
"Policy ID."; "Policy Identifier.";
} }
leaf pool-id { leaf pool-id {
type leafref { type leafref {
path path
"/nat/instances/" "/nat/instances/instance/policy/"
+ "instance/policy/"
+ "external-ip-address-pool/pool-id"; + "external-ip-address-pool/pool-id";
} }
mandatory true;
description description
"Pool ID."; "Pool Identifier.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"A treshhold has been fired."; "A threshold (high-threshold or low-threshold) has
been fired.";
}
}
notification nat-instance-event {
if-feature "basic-nat44 or napt44 or nat64";
description
"Notifications must be generated when the notify-addresses-usage
and/or notify-ports-usage threshold is reached.";
leaf id {
type leafref {
path "/nat/instances/instance/id";
}
mandatory true;
description
"NAT instance Identifier.";
}
leaf notify-addresses-threshold {
type percent;
description
"The notify-addresses-usage threshold has been fired.";
}
leaf notify-ports-threshold {
type percent;
description
"The notify-ports-usage threshold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. Security Considerations 4. Security Considerations
Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and
[RFC6296].
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS [RFC5246]. mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF access control model [RFC6536] provides the means to The NETCONF access control model [RFC6536] provides the means to
restrict access for particular NETCONF or RESTCONF users to a restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default). modified and deleted (i.e., config true, which is the default) are
These data nodes are considered sensitive. Write operations (e.g., considered sensitive. Write operations (e.g., edit-config) applied
edit-config) applied to these data nodes without proper protection to these data nodes without proper protection can negatively affect
can negatively affect network operations. network operations. The NAT YANG module allows setting parameters to
prevent a user from aggressively using NAT resources (port-quota),
rate-limit connections as a guard against Denial-of-Service, or to
enable notifications so that appropriate measures are enforced to
anticipate traffic drops. Nevertheless, an attacker who is able to
access the NAT can undertake various attacks, such as:
Security considerations related to address and prefix translation are o Set a high or low resource limit to cause a DoS attack:
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and
[RFC6296]. * /nat/instances/instance/policy/port-quota
* /nat/instances/instance/policy/fragments-limit
* /nat/instances/instance/mapping-limits
* /nat/instances/instance/connection-limits
o Set a low notification threshold to cause useless notifications to
be generated:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses-
usage
* /nat/instances/instance/notification-limits/notify-ports-usage
o Set an arbitrarily high threshold, which may lead to the
deactivation of notifications:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses-
usage
* /nat/instances/instance/notification-limits/notify-ports-usage
o Set a low notification interval and a low notification threshold
to induce useless notifications to be generated:
* /nat/instances/instance/policy/notify-pool-usage/notify-
interval
* /nat/instances/instance/notification-limits/notify-interval
o Access to privacy data maintained in the mapping table. Such data
can be misused to track the activity of a host:
* /nat/instances/instance/mapping-table
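The threshold-driven notifications defined above (nat-pool-event) and the abuses listed in this section, as an added example that is not part of this draft or of any implementation: a Python monitor that derives pool usage from the pools-stats gauges (addresses-allocated, addresses-free), emits a nat-pool-event record when the notify-pool-usage high-threshold or low-threshold is reached, spaces events by notify-interval, and audits a threshold configuration for the flood-inducing and notification-disabling settings an attacker with write access would choose. The dict layout of the event, the "fire while usage is at or beyond the threshold, at most once per notify-interval seconds" semantics, the 50% and 60 s audit bounds and the usage trace are assumptions of this example, not definitions taken from the module.

```python
"""nat-pool-event generation from pools-stats with notify-interval limiting.

Added example for draft-ietf-opsawg-nat-yang; not code from the draft or
from any NAT implementation.  Threshold semantics and audit bounds below are
this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PoolThresholds:
    """Mirrors notify-pool-usage: high-threshold and low-threshold are
    percentages of the pool in use, notify-interval is in seconds."""
    high_threshold: int
    low_threshold: int
    notify_interval: int


def usage_percent(addresses_allocated: int, addresses_free: int) -> int:
    """Pool usage from the pools-stats gauges: allocated / (allocated + free).
    A pool with no addresses at all is reported as fully used."""
    total = addresses_allocated + addresses_free
    if total == 0:
        return 100
    return (100 * addresses_allocated) // total


class PoolMonitor:
    """Emits a nat-pool-event (a dict of the notification's leaves) for each
    observation at or beyond a threshold, at most once per notify-interval."""

    def __init__(self, instance_id: int, policy_id: int, pool_id: int,
                 thresholds: PoolThresholds) -> None:
        self.instance_id, self.policy_id, self.pool_id = instance_id, policy_id, pool_id
        self.t = thresholds
        self.last_sent: Optional[float] = None
        self.suppressed = 0  # events withheld because of notify-interval

    def observe(self, now: float, allocated: int, free: int) -> Optional[dict]:
        usage = usage_percent(allocated, free)
        if usage >= self.t.high_threshold:
            fired = self.t.high_threshold
        elif usage <= self.t.low_threshold:
            fired = self.t.low_threshold
        else:
            return None
        if self.last_sent is not None and now - self.last_sent < self.t.notify_interval:
            self.suppressed += 1
            return None
        self.last_sent = now
        return {"id": self.instance_id, "policy-id": self.policy_id,
                "pool-id": self.pool_id, "notify-pool-threshold": fired,
                "usage-percent": usage}


def audit_thresholds(t: PoolThresholds) -> List[str]:
    """Flag the settings named in Security Considerations: thresholds that
    flood the collector, or that cannot fire before the pool is exhausted.
    The 50% and 60 s bounds are assumptions of this example."""
    problems = []
    if not 0 <= t.low_threshold < t.high_threshold <= 100:
        problems.append("thresholds must satisfy 0 <= low < high <= 100")
    elif t.high_threshold >= 100:
        problems.append("high-threshold 100 only fires once the pool is exhausted")
    elif t.high_threshold <= 50:
        problems.append("high-threshold %d fires during normal operation" % t.high_threshold)
    if t.notify_interval < 60:
        problems.append("notify-interval %ds permits a notification flood" % t.notify_interval)
    return problems


def run_trace(thresholds: PoolThresholds,
              trace: List[Tuple[float, int, int]]) -> Tuple[List[dict], int]:
    """Replay (time, addresses-allocated, addresses-free) samples through one
    monitor; return the events emitted and the number suppressed."""
    mon = PoolMonitor(instance_id=1, policy_id=1, pool_id=1, thresholds=thresholds)
    events = [ev for ev in (mon.observe(*sample) for sample in trace) if ev]
    return events, mon.suppressed


# Constructed trace: a 256-address pool polled every 60 s while it fills up.
TRACE = [(0, 20, 236), (60, 100, 156), (120, 200, 56),
         (180, 240, 16), (240, 250, 6), (300, 256, 0)]
SANE = PoolThresholds(high_threshold=90, low_threshold=5, notify_interval=300)
FLOOD = PoolThresholds(high_threshold=1, low_threshold=0, notify_interval=0)    # useless notifications
NEVER = PoolThresholds(high_threshold=100, low_threshold=0, notify_interval=300)  # effectively disabled

if __name__ == "__main__":
    for name, cfg in (("sane", SANE), ("flood", FLOOD), ("never", NEVER)):
        events, dropped = run_trace(cfg, TRACE)
        print(name, len(events), "events,", dropped, "suppressed,", audit_thresholds(cfg))
```

With the sane settings the trace produces one event at 93% usage and the two later samples are held back by notify-interval; the 1%/0 s settings produce an event for every sample, and the 100% setting only fires once the last address is gone, which is the deactivation effect described above.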
5. IANA Considerations 5. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-nat URI: urn:ietf:params:xml:ns:yang:ietf-nat
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
skipping to change at page 54, line 39 skipping to change at page 71, line 10
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, DOI 10.17487/RFC5382, October 2008, RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5382>. <https://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508, Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009, DOI 10.17487/RFC5508, April 2009,
<https://www.rfc-editor.org/info/rfc5508>. <https://www.rfc-editor.org/info/rfc5508>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
DOI 10.17487/RFC6052, October 2010,
<https://www.rfc-editor.org/info/rfc6052>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>. April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>. <https://www.rfc-editor.org/info/rfc6536>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation", Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013, RFC 6877, DOI 10.17487/RFC6877, April 2013,
<https://www.rfc-editor.org/info/rfc6877>. <https://www.rfc-editor.org/info/rfc6877>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015,
<https://www.rfc-editor.org/info/rfc7597>.
[RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address
Mappings for Stateless IP/ICMP Translation", RFC 7757, Mappings for Stateless IP/ICMP Translation", RFC 7757,
DOI 10.17487/RFC7757, February 2016, DOI 10.17487/RFC7757, February 2016,
<https://www.rfc-editor.org/info/rfc7757>. <https://www.rfc-editor.org/info/rfc7757>.
[RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
S., and K. Naito, "Updates to Network Address Translation S., and K. Naito, "Updates to Network Address Translation
(NAT) Behavioral Requirements", BCP 127, RFC 7857, (NAT) Behavioral Requirements", BCP 127, RFC 7857,
DOI 10.17487/RFC7857, April 2016, DOI 10.17487/RFC7857, April 2016,
<https://www.rfc-editor.org/info/rfc7857>. <https://www.rfc-editor.org/info/rfc7857>.
[RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
"IP/ICMP Translation Algorithm", RFC 7915,
DOI 10.17487/RFC7915, June 2016,
<https://www.rfc-editor.org/info/rfc7915>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-behave-ipfix-nat-logging]
Sivakumar, S. and R. Penno, "IPFIX Information Elements
for logging NAT Events", draft-ietf-behave-ipfix-nat-
logging-13 (work in progress), January 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
Modules for the DS-Lite", draft-ietf-softwire-dslite- Modules for the DS-Lite", draft-ietf-softwire-dslite-
yang-07 (work in progress), October 2017. yang-07 (work in progress), October 2017.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
skipping to change at page 56, line 32 skipping to change at page 73, line 21
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT)
Behavioral Requirements for the Datagram Congestion Behavioral Requirements for the Datagram Congestion
Control Protocol", BCP 150, RFC 5597, Control Protocol", BCP 150, RFC 5597,
DOI 10.17487/RFC5597, September 2009, DOI 10.17487/RFC5597, September 2009,
<https://www.rfc-editor.org/info/rfc5597>. <https://www.rfc-editor.org/info/rfc5597>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6052, October 2010, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6052>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6302] Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
"Logging Recommendations for Internet-Facing Servers",
BCP 162, RFC 6302, DOI 10.17487/RFC6302, June 2011,
<https://www.rfc-editor.org/info/rfc6302>.
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
(CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
DOI 10.17487/RFC7289, June 2014, DOI 10.17487/RFC7289, June 2014,
<https://www.rfc-editor.org/info/rfc7289>. <https://www.rfc-editor.org/info/rfc7289>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
DOI 10.17487/RFC7335, August 2014, DOI 10.17487/RFC7335, August 2014,
<https://www.rfc-editor.org/info/rfc7335>. <https://www.rfc-editor.org/info/rfc7335>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015,
<https://www.rfc-editor.org/info/rfc7597>.
[RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
"Definitions of Managed Objects for Network Address "Definitions of Managed Objects for Network Address
Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659, Translators (NATs)", RFC 7659, DOI 10.17487/RFC7659,
October 2015, <https://www.rfc-editor.org/info/rfc7659>. October 2015, <https://www.rfc-editor.org/info/rfc7659>.
[RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
and S. Perreault, "Port Control Protocol (PCP) Extension and S. Perreault, "Port Control Protocol (PCP) Extension
for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
February 2016, <https://www.rfc-editor.org/info/rfc7753>. February 2016, <https://www.rfc-editor.org/info/rfc7753>.
skipping to change at page 58, line 37 skipping to change at page 75, line 4
.... ....
<mapping-table> <mapping-table>
.... ....
<external-src-address> <external-src-address>
192.0.2.1 192.0.2.1
</external-src-address> </external-src-address>
.... ....
</mapping-table> </mapping-table>
</instance> </instance>
</instances> </instances>
The following shows the XML excerpt depicting a dynamic UDP mapping The following shows the XML excerpt depicting a dynamic UDP mapping
entry maintained by a traditional NAT44. In reference to this entry maintained by a traditional NAPT44. In reference to this
example, the UDP packet received with a source IPv4 address example, the UDP packet received with a source IPv4 address
(192.0.2.1) and source port number (1568) is translated into a UDP (192.0.2.1) and source port number (1568) is translated into a UDP
packet having a source IPv4 address (198.51.100.1) and source port packet having a source IPv4 address (198.51.100.1) and source port
(15000). The lifetime of this mapping is 300 seconds. (15000). The remaining lifetime of this mapping is 300 seconds.
<mapping-entry> <mapping-entry>
<index>15</index> <index>15</index>
<type> <type>
dynamic-explicit dynamic-explicit
</type> </type>
<transport-protocol> <transport-protocol>
17 17
</transport-protocol> </transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
1568 1568
</start-port-number> </start-port-number>
</internal-dst-port> </internal-src-port>
<external-dst-address> <external-src-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-src-address>
<external-dst-port> <external-src-port>
<start-port-number> <start-port-number>
15000 15000
</start-port-number> </start-port-number>
</external-dst-port> </external-src-port>
<lifetime> <lifetime>
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. CGN A.2. Carrier Grade NAT (CGN)
The following XML snippet shows the example of the capabilities The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF. supported by a CGN as retrieved using NETCONF.
<capabilities> <capabilities>
<nat-flavor> <nat-flavor>
nat44 napt44
</nat44-flavor> </nat-flavor>
<restricted-port-support> <restricted-port-support>
false false
</restricted-port-support> </restricted-port-support>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
skipping to change at page 63, line 28 skipping to change at page 79, line 28
2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
The XML snippet to configure the NAT64 prefix in such case is The XML snippet to configure the NAT64 prefix in such case is
depicted below: depicted below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A NAT64 can be instructed to behave in the stateless mode by
providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4- translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).
<nat64-prefixes>
<nat64-prefix>
2001:db8:122:300::/56
</nat64-prefix>
<stateless-enable>
true
</stateless-enable>
</nat64-prefixes>
Let's now consider the example of a NAT64 that should use Let's now consider the example of a NAT64 that should use
2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
the destination address matches 198.51.100.0/24. The XML snippet to the destination address matches 198.51.100.0/24. The XML snippet to
configure the NAT64 prefix in such case is shown below: configure the NAT64 prefix in such case is shown below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122::/48 2001:db8:122::/48
</nat64-prefix> </nat64-prefix>
<destination-ipv4-prefix> <destination-ipv4-prefix>
<ipv4-prefix> <ipv4-prefix>
198.51.100.0/24 198.51.100.0/24
</ipv4-prefix> </ipv4-prefix>
</destination-ipv4-prefix> </destination-ipv4-prefix>
</nat64-prefixes> </nat64-prefixes>
A.5. Explicit Address Mappings for Stateless IP/ICMP Translation A.5. Stateless IP/ICMP Translation (SIIT)
Let's consider the example of a stateless translator that is
configured with 2001:db8:100::/40 to perform IPv6 address synthesis
[RFC6052]. Similar to the NAT64 case, the XML snippet to configure
the NAT64 prefix in such case is depicted below:
<nat64-prefixes>
<nat64-prefix>
2001:db8:100::/40
</nat64-prefix>
</nat64-prefixes>
When the translator receives an IPv6 packet, for example, with a
source address (2001:db8:1c0:2:21::) and destination address
(2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
following the [RFC6052] rules, with 2001:db8:100::/40 as the Network-Specific Prefix (NSP):
o 192.0.2.33 is extracted from 2001:db8:1c0:2:21::
o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2::
The translator transforms the IPv6 header into an IPv4 header using
the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will
include 192.0.2.33 as the source address and 198.51.100.2 as the
destination address.
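The RFC 6052 extraction just described, as an added example (not code from this draft or from any translator): a Python implementation of IPv4-embedded IPv6 address synthesis and extraction for every prefix length RFC 6052 allows, checked against the two extractions above with 2001:db8:100::/40 as the NSP and against the RFC 6052 example table, plus selection among nat64-prefixes entries that carry a destination-ipv4-prefix, as in the NAT64 examples earlier in this appendix. The list-of-tuples representation of nat64-prefixes is this example's assumption.

```python
"""RFC 6052 IPv4-embedded IPv6 synthesis/extraction and nat64-prefix selection.

Added example for draft-ietf-opsawg-nat-yang; not code from the draft or
from any translator.  The nat64-prefixes representation (a list of
(prefix, destination-ipv4-prefix list or None)) is this example's own.
"""
import ipaddress
from typing import List, Optional, Tuple

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _layout(prefixlen: int) -> Tuple[int, int]:
    """IPv4 bits placed between the prefix and bit 64 ('hi') and after the
    zero 'u' octet at bits 64-71 ('lo'); RFC 6052, Section 2.2."""
    if prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (RFC6052_PREFIX_LENGTHS,))
    if prefixlen == 96:
        return 0, 32  # no 'u' octet: the IPv4 address is the low 32 bits
    hi = 64 - prefixlen
    return hi, 32 - hi


def embed(nat64_prefix: str, ipv4: str) -> str:
    """Synthesize the IPv4-embedded IPv6 address of ipv4 under nat64_prefix."""
    net = ipaddress.IPv6Network(nat64_prefix)
    a = int(ipaddress.IPv4Address(ipv4))
    hi_bits, lo_bits = _layout(net.prefixlen)
    addr = int(net.network_address)
    if net.prefixlen == 96:
        return str(ipaddress.IPv6Address(addr | a))
    addr |= (a >> lo_bits) << 64                           # bits prefixlen..63
    addr |= (a & ((1 << lo_bits) - 1)) << (56 - lo_bits)  # bits 72.., u octet stays zero
    return str(ipaddress.IPv6Address(addr))


def extract(nat64_prefix: str, ipv6: str) -> Optional[str]:
    """Recover the embedded IPv4 address, or None when ipv6 lies outside the
    prefix or its 'u' octet is not zero (not a well-formed embedded address)."""
    net = ipaddress.IPv6Network(nat64_prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    addr = int(v6)
    hi_bits, lo_bits = _layout(net.prefixlen)
    if net.prefixlen == 96:
        return str(ipaddress.IPv4Address(addr & 0xFFFFFFFF))
    if (addr >> 56) & 0xFF:  # bits 64..71 must be zero
        return None
    hi = (addr >> 64) & ((1 << hi_bits) - 1)
    lo = (addr >> (56 - lo_bits)) & ((1 << lo_bits) - 1)
    return str(ipaddress.IPv4Address((hi << lo_bits) | lo))


def synthesize(dst_ipv4: str,
               nat64_prefixes: List[Tuple[str, Optional[List[str]]]]) -> Optional[str]:
    """Use the first nat64-prefix whose destination-ipv4-prefix list (None
    means unrestricted) covers dst_ipv4; None when no entry applies."""
    a = ipaddress.IPv4Address(dst_ipv4)
    for prefix, dst_filters in nat64_prefixes:
        if dst_filters is None or any(a in ipaddress.IPv4Network(f) for f in dst_filters):
            return embed(prefix, str(a))
    return None


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses regardless of zero compression."""
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


# Constructed to mirror the nat64-prefixes examples of this appendix.
NAT64_PREFIXES = [("2001:db8:122::/48", ["198.51.100.0/24"]),
                  ("2001:db8:122:300::/56", None)]

if __name__ == "__main__":
    for v6 in ("2001:db8:1c0:2:21::", "2001:db8:1c6:3364:2::"):
        print(v6, "->", extract("2001:db8:100::/40", v6))
    print(synthesize("198.51.100.7", NAT64_PREFIXES), synthesize("203.0.113.9", NAT64_PREFIXES))
```

A translator that accepts packets whose 'u' octet is non-zero, or whose source lies outside the configured NSP, is accepting addresses it did not synthesize; extract() returns None in both cases so the caller can drop the packet rather than translate it.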
Also, a NAT64 can be instructed to behave in the stateless mode by
providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4-translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).
<nat64-prefixes>
<nat64-prefix>
2001:db8:122:300::/56
</nat64-prefix>
<stateless-enable>
true
</stateless-enable>
</nat64-prefixes>
A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
SIIT)
As specified in [RFC7757], an EAM consists of an IPv4 prefix and an As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
IPv6 prefix. Let's consider the set of EAM examples in Figure 2. IPv6 prefix. Let's consider the set of EAM examples in Figure 2.
+---+----------------+----------------------+ +----------------+----------------------+
| # | IPv4 Prefix | IPv6 Prefix | | IPv4 Prefix | IPv6 Prefix |
+---+----------------+----------------------+ +----------------+----------------------+
| 1 | 192.0.2.1 | 2001:db8:aaaa:: | | 192.0.2.1 | 2001:db8:aaaa:: |
| 2 | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | | 192.0.2.2/32 | 2001:db8:bbbb::b/128 |
| 3 | 192.0.2.16/28 | 2001:db8:cccc::/124 | | 192.0.2.16/28 | 2001:db8:cccc::/124 |
| 4 | 192.0.2.128/26 | 2001:db8:dddd::/64 | | 192.0.2.128/26 | 2001:db8:dddd::/64 |
| 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 6 | 192.0.2.224/31 | 64:ff9b::/127 | | 192.0.2.224/31 | 64:ff9b::/127 |
+---+----------------+----------------------+ +----------------+----------------------+
Figure 2: EAM Examples (RFC7757) Figure 2: EAM Examples (RFC7757)
The following XML excerpt illustrates how these EAMs can be The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module: configured using the YANG NAT module:
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.1 192.0.2.1
</ipv4-prefix> </ipv4-prefix>
skipping to change at page 66, line 5 skipping to change at page 83, line 5
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.224/31 192.0.2.224/31
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
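The EAM translation that these entries configure, as an added example (not code from this draft or from any translator): a Python implementation of RFC 7757 address mapping in both directions over the table of Figure 2. Assumptions of this example: a prefix written without a length is a host entry (/32 or /128); when several EAMs cover an address, the one with the longest prefix is used; the IPv4 suffix bits are copied immediately after the IPv6 prefix, so any further IPv6 suffix bits are zero when synthesizing and are ignored when translating back to IPv4; an EAM whose IPv6 suffix is shorter than its IPv4 suffix is rejected.

```python
"""RFC 7757 Explicit Address Mapping (EAM) translation over Figure 2's table.

Added example for draft-ietf-opsawg-nat-yang; not code from the draft or
from any translator.  Longest-match selection, suffix placement directly
after the IPv6 prefix and the suffix-length check are this example's own
reading of RFC 7757.
"""
import ipaddress
from typing import List, Optional, Tuple

EAM = Tuple[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed from Figure 2 (the RFC 7757 examples).
EAM_TABLE = [
    ("192.0.2.1", "2001:db8:aaaa::"),
    ("192.0.2.2/32", "2001:db8:bbbb::b/128"),
    ("192.0.2.16/28", "2001:db8:cccc::/124"),
    ("192.0.2.128/26", "2001:db8:dddd::/64"),
    ("192.0.2.192/29", "2001:db8:eeee:8::/62"),
    ("192.0.2.224/31", "64:ff9b::/127"),
]


def load_eams(table) -> List[EAM]:
    """Parse (ipv4-prefix, ipv6-prefix) pairs.  An IPv6 suffix shorter than
    the IPv4 suffix could not represent every host of the IPv4 prefix."""
    eams = []
    for v4, v6 in table:
        p4, p6 = ipaddress.IPv4Network(v4), ipaddress.IPv6Network(v6)
        if 32 - p4.prefixlen > 128 - p6.prefixlen:
            raise ValueError("EAM %s <-> %s: IPv4 suffix longer than IPv6 suffix" % (v4, v6))
        eams.append((p4, p6))
    return eams


def _suffix_lengths(eam: EAM) -> Tuple[int, int]:
    p4, p6 = eam
    return 32 - p4.prefixlen, 128 - p6.prefixlen


def eam_v4_to_v6(ipv4: str, eams: List[EAM]) -> Optional[str]:
    """IPv4 -> IPv6.  None when no EAM covers ipv4, so the caller can fall
    back to an RFC 6052 prefix (EAMs may coexist with NAT64, see above)."""
    a = ipaddress.IPv4Address(ipv4)
    match = max((e for e in eams if a in e[0]), key=lambda e: e[0].prefixlen, default=None)
    if match is None:
        return None
    s4, s6 = _suffix_lengths(match)
    suffix = int(a) & ((1 << s4) - 1)                       # IPv4 suffix bits
    v6 = int(match[1].network_address) | (suffix << (s6 - s4))  # right after the IPv6 prefix
    return str(ipaddress.IPv6Address(v6))


def eam_v6_to_v4(ipv6: str, eams: List[EAM]) -> Optional[str]:
    """IPv6 -> IPv4: the first s4 bits after the IPv6 prefix become the IPv4
    suffix; any remaining IPv6 suffix bits are discarded."""
    a = ipaddress.IPv6Address(ipv6)
    match = max((e for e in eams if a in e[1]), key=lambda e: e[1].prefixlen, default=None)
    if match is None:
        return None
    s4, s6 = _suffix_lengths(match)
    suffix = (int(a) >> (s6 - s4)) & ((1 << s4) - 1)
    return str(ipaddress.IPv4Address(int(match[0].network_address) | suffix))


if __name__ == "__main__":
    eams = load_eams(EAM_TABLE)
    for v4 in ("192.0.2.1", "192.0.2.17", "192.0.2.170", "192.0.2.195", "192.0.2.225", "192.0.2.3"):
        v6 = eam_v4_to_v6(v4, eams)
        print(v4, "->", v6, "->", eam_v6_to_v4(v6, eams) if v6 else "(no EAM)")
```

Note that the /26 to /64 entry maps 2^58 IPv6 addresses onto each IPv4 address; logging or policy keyed on the IPv4 side alone cannot distinguish those IPv6 hosts, which is a point to weigh before enabling an EAM with a much longer IPv6 suffix.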
EAMs may be enabled jointly with stateful NAT64. This example shows EAMs may be enabled jointly with stateful NAT64. This example shows
a NAT64 fucntion that supports static mappings: a NAT64 function that supports static mappings:
<capabilities> <capabilities>
<nat-flavor> <nat-flavor>
nat64 nat64
</nat-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
skipping to change at page 67, line 5 skipping to change at page 84, line 5
true true
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering> <address-dependent-filtering>
false false
</address-dependent-filtering> </address-dependent-filtering>
<address-and-port-dependent-filtering> <address-and-port-dependent-filtering>
false false
</address-and-port-dependent-filtering> </address-and-port-dependent-filtering>
</capabilities> </capabilities>
A.6. Static Mappings with Port Ranges A.7. Static Mappings with Port Ranges
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1 and with source ports in the translate packets issued from 192.0.2.1 and with source ports in the
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-src-address>
<internal-dst-port> <internal-src-port>
<start-port-number> <start-port-number>
100 100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
500 500
</end-port-number> </end-port-number>
</internal-dst-port> </internal-src-port>
<external-src-address> <external-src-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-src-address>
<external-src-port> <external-src-port>
<start-port-number> <start-port-number>
1100 1100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
1500 1500
</end-port-number> </end-port-number>
</external-dst-port> </external-src-port>
... ...
</mapping-entry> </mapping-entry>
A.7. Static Mappings with IP Prefixes A.8. Static Mappings with IP Prefixes
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1/24 to 198.51.100.1/24. translate TCP packets issued from 192.0.2.1/24 to 198.51.100.1/24.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1/24 192.0.2.1/24
</internal-dst-address> </internal-src-address>
<external-src-address> <external-src-address>
198.51.100.1/24 198.51.100.1/24
</external-dst-address> </external-src-address>
... ...
</mapping-entry> </mapping-entry>
A.8. Destination NAT A.9. Destination NAT
The following XML snippet shows an example a destination NAT that is The following XML snippet shows an example of a destination NAT that
instructed to translate packets having 192.0.2.1 as a destination IP is instructed to translate all packets having 192.0.2.1 as a
address to 198.51.100.1. destination IP address to 198.51.100.1.
<dst-ip-address-pool> <dst-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<dst-in-ip-pool> <dst-in-ip-pool>
192.0.2.1 192.0.2.1
</dst-in-ip-pool> </dst-in-ip-pool>
<dst-out-ip-pool> <dst-out-ip-pool>
198.51.100.1 198.51.100.1
</dst-out-ip-pool> </dst-out-ip-pool>
</dst-ip-address-pool> </dst-ip-address-pool>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
192.0.2.1:80 to 198.51.100.1:8080, the following XML snippet shows '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
the static mapping to be configured on the NAT: shows the static mapping to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number>80</start-port-number> <start-port-number>80</start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<start-port-number>8080</start-port-number> <start-port-number>8080</start-port-number>
</external-dst-port> </external-dst-port>
</mapping-entry> </mapping-entry>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
192.0.2.1:80 (http traffic) to 198.51.100.1 and 192.0.2.1:22 (ssh '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
traffic) to 198.51.100.2, the following XML snippet shows the static traffic) to 198.51.100.2, the following XML snippet shows the static
mappings to be configured on the NAT: mappings to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1
</internal-dst-address> </internal-dst-address>
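Review bot: The direction of the translation in the two destination NAT examples should be stated explicitly. Because 192.0.2.1 is carried in internal-dst-address and 198.51.100.1 in external-dst-address, the packets being rewritten originate on the internal side and leave towards the external side, which is the opposite of the inbound port-forwarding usually associated with "destination NAT"; one sentence such as "packets received on the internal interface and destined to 192.0.2.1:80 are forwarded to 198.51.100.1:8080" would remove the ambiguity. As a style point, the new text quotes '192.0.2.1:80' and '192.0.2.1:22' but leaves 198.51.100.1 and 198.51.100.2 unquoted in the same sentence, and "http"/"ssh" should be written HTTP/SSH.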
skipping to change at page 71, line 16 skipping to change at page 88, line 16
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
Instead of providing an external IP address to share, the NAT may be Instead of providing an external IP address to share, the NAT may be
configured with static mapping entries that modifies the internal IP configured with static mapping entries that modifies the internal IP
address and/or port number. address and/or port number.
A.9. CLAT A.10. Customer-side Translator (CLAT)
The following XML snippet shows the example of a CLAT that is The following XML snippet shows the example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
<clat-ipv6-prefixes> <clat-ipv6-prefixes>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa::/96 2001:db8:aaaa::/96
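Review bot: The sentence "Instead of providing an external IP address to share" does not match the preceding snippet, which configures a whole /24 (198.51.100.0/24) in external-ip-pool; "an external address pool to share" would be accurate. In the same sentence, "static mapping entries that modifies" should read "static mapping entries that modify".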
skipping to change at page 71, line 40 skipping to change at page 88, line 40
<ipv4-prefix> <ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</ipv4-prefix> </ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:1234::/96 2001:db8:1234::/96
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A.10. NPTv6 A.11. IPv6 Network Prefix Translation (NPTv6)
Let's consider the example of a NPTv6 translator that should rewrite Let's consider the example of a NPTv6 translator that should rewrite
packets with the source prefix (fd01:203:405:/48) with the external packets with the source prefix (fd01:203:405:/48) with the external
prefix (2001:db8:1:/48). The internal interface is "eth0" while the prefix (2001:db8:1:/48). The internal interface is "eth0" while the
external interface is "eth1". external interface is "eth1".
External Network: Prefix = 2001:db8:1:/48 External Network: Prefix = 2001:db8:1:/48
-------------------------------------- --------------------------------------
| |
|eth1 |eth1
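Review bot: The IPv6 prefixes written as fd01:203:405:/48 and 2001:db8:1:/48 in the NPTv6 introduction and in the figure are not syntactically valid IPv6 prefixes: the address part must contain a "::" (or the remaining zero groups) before the length, so they will not match the ipv6-prefix pattern of RFC 6991 when copied into the XML examples that follow. They should be fd01:203:405::/48 and 2001:db8:1::/48; the same correction applies to fd01:4444:5555::/48 and 2001:db8:6666::/48 used later in this section. Also, "a NPTv6 translator" should be "an NPTv6 translator".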
skipping to change at page 72, line 24 skipping to change at page 89, line 24
| |
-------------------------------------- --------------------------------------
Internal Network: Prefix = fd01:203:405:/48 Internal Network: Prefix = fd01:203:405:/48
Example of NPTv6 (RFC6296) Example of NPTv6 (RFC6296)
The XML snippet to configure NPTv6 prefixes in such case is depicted The XML snippet to configure NPTv6 prefixes in such case is depicted
below: below:
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
... ...
<external-interfaces> <external-realm>
<external-interface> <external-interface>
eth1 eth1
</external-interface> </external-interface>
</external-interfaces> </external-realm>
Figure 3 shows an example of an NPTv6 that interconnects two internal Figure 3 shows an example of an NPTv6 that interconnects two internal
networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is
translated using a dedicated prefix (2001:db8:1:/48 and translated using a dedicated prefix (2001:db8:1:/48 and
2001:db8:6666:/48, respectively). 2001:db8:6666:/48, respectively).
Internal Prefix = fd01:4444:5555:/48 Internal Prefix = fd01:4444:5555:/48
-------------------------------------- --------------------------------------
V | External Prefix V | External Prefix
V |eth1 2001:db8:1:/48 V |eth1 2001:db8:1:/48
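Review bot: The introductory text names "eth0" as the internal interface, but the configuration snippet ending with external-realm only shows external-interface eth1; either show how the internal side is identified in the model or drop the mention of eth0 from the prose, otherwise readers will look for an internal-interface leaf that the example never configures. Note also that the nptv6-prefixes entry in the snippet still carries the prefix values without "::" discussed above.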
skipping to change at page 73, line 25 skipping to change at page 91, line 8
-------------------------------------- --------------------------------------
Internal Prefix = fd01:203:405:/48 Internal Prefix = fd01:203:405:/48
Figure 3: Connecting two Peer Networks (RFC6296) Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6: To that aim, the following configuration is provided to the NPTv6:
<policy> <policy>
<id>1</id> <id>1</id>
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405:/48 fd01:203:405:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1:/48 2001:db8:1:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-realm>
<external-interface> <external-interface>
eth1 eth1
</external-interface> </external-interface>
</external-realm>
</policy> </policy>
<policy> <policy>
<id>2</id> <id>2</id>
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>2</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:4444:5555:/48 fd01:4444:5555:/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:6666:/48 2001:db8:6666:/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-interface> <external-realm>
<external-interface>
eth0 eth0
</external-interface> </external-interface>
</external-realm>
</policy> </policy>
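Review bot: Policy 2 declares eth0 as its external interface while the first NPTv6 example states that eth0 is the internal interface; this is correct for Figure 3, where each peer network is external with respect to the other, but a sentence saying that the internal/external roles are assigned per policy (policy 1 translates fd01:203:405::/48 towards eth1, policy 2 translates fd01:4444:5555::/48 towards eth0) would prevent the two examples from appearing to contradict each other. Stating whether translation-id must be unique across policies or only within one policy would also help, since the example uses 1 and 2 without explanation.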
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
 End of changes. 341 change blocks. 
816 lines changed or deleted 1611 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/