draft-ietf-opsawg-nat-yang-08.txt   draft-ietf-opsawg-nat-yang-09.txt 
Network Working Group                                        M. Boucadair
Internet-Draft                                                     Orange
Intended status: Standards Track                             S. Sivakumar
Expires: May 19, 2018                                       Cisco Systems
                                                             C. Jacquenet
                                                                   Orange
                                                            S. Vinapamula
                                                         Juniper Networks
                                                                    Q. Wu
                                                                   Huawei
                                                        November 15, 2017
     A YANG Data Model for Network Address Translation (NAT) and Network
                        Prefix Translation (NPT)
                     draft-ietf-opsawg-nat-yang-09

Abstract
   For the sake of network automation and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/
   skipping to change at page 2, line 15
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Overview of the NAT YANG Data Model . . . . . . . . . . . . .   5
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Various Translation Flavors . . . . . . . . . . . . . . .   6
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements  . . . . . . . .   7
     2.4.  Other Transport Protocols . . . . . . . . . . . . . . . .   7
     2.5.  IP Addresses Used for Translation . . . . . . . . . . . .   8
     2.6.  Port Set Assignment . . . . . . . . . . . . . . . . . . .   8
     2.7.  Port-Restricted IP Addresses  . . . . . . . . . . . . . .   8
     2.8.  NAT Mapping Entries . . . . . . . . . . . . . . . . . . .   8
     2.9.  Resource Limits . . . . . . . . . . . . . . . . . . . . .  12
     2.10. Binding the NAT Function to an External Interface . . . .  15
     2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . .  15
     2.12. Tree Structure  . . . . . . . . . . . . . . . . . . . . .  16
   3.  NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . .  22
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  72
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  73
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  74
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  74
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  74
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  76
   Appendix A.  Sample Examples  . . . . . . . . . . . . . . . . . .  78
     A.1.  Traditional NAT44 . . . . . . . . . . . . . . . . . . . .  78
     A.2.  Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . .  80
     A.3.  CGN Pass-Through  . . . . . . . . . . . . . . . . . . . .  83
     A.4.  NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . .  84
     A.5.  Stateless IP/ICMP Translation (SIIT)  . . . . . . . . . .  84
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT)  . . . . . . . . . . . . . . . . .  85
     A.7.  Static Mappings with Port Ranges  . . . . . . . . . . . .  89
     A.8.  Static Mappings with IP Prefixes  . . . . . . . . . . . .  89
     A.9.  Destination NAT . . . . . . . . . . . . . . . . . . . . .  90
     A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . .  93
     A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . .  93
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  96
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) and Network Prefix Translation (NPT) capabilities using the
   YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   skipping to change at page 4, line 8
1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022].  A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: is a translation that acts on the destination IP
      address and/or destination port number.  This flavor is usually
      deployed in load balancers or at devices in front of public
      servers.

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].
   skipping to change at page 5, line 8
   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The usage of the term NAT in this document refers to any translation
   flavor (NAT44, NAT64, etc.) without distinction.

   This document uses the term "session" as defined in [RFC2663] and
   [RFC6146] for NAT64.
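   The two terminology points that matter most operationally are the
   extra identifier that lets a NAPT keep colliding five-tuples apart
   and the non-overlapping port sets of port-restricted addresses.  The
   following is an added example, not code from this draft: it derives a
   subscriber's port set from the psid-offset / psid-len / psid triple
   the module exposes under port-set-restrict using the Generalized
   Modular Algorithm of RFC 7597, and keys bindings on an assumed
   subscriber_id in the spirit of RFC 6619.  The external address,
   internal addresses and ports are constructed sample data.

```python
"""NAPT bindings on port-restricted IPv4 addresses (added example).

Port sets come from RFC 7597's Generalized Modular Algorithm, driven by
the same psid-offset / psid-len / psid values the NAT YANG module carries.
`subscriber_id` is an assumed extra identifier (cf. RFC 6619) used to keep
apart bindings whose transport five-tuples collide, as happens when
several subscribers reuse the same RFC 1918 space behind one CGN.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (subscriber_id, internal_ip, internal_port, protocol)
BindingKey = Tuple[int, str, int, int]


def port_set(psid_offset: int, psid_len: int, psid: int) -> List[int]:
    """Ports owned by `psid` under RFC 7597's Generalized Modular Algorithm.

    A 16-bit port is read as A (psid_offset high bits), K (psid_len bits)
    and M (the remaining low bits).  Every port whose K field equals `psid`
    belongs to the set.  When psid_offset > 0 the A == 0 block is excluded,
    so the lowest 2^(16-psid_offset) ports (the system ports) belong to nobody.
    """
    if not (0 <= psid_offset <= 16 and psid_len >= 0 and psid_offset + psid_len <= 16):
        raise ValueError("psid-offset + psid-len must fit in 16 bits")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid-len bits")
    m_bits = 16 - psid_offset - psid_len
    first_a = 1 if psid_offset > 0 else 0
    ports: List[int] = []
    for a in range(first_a, 1 << psid_offset):
        for m in range(1 << m_bits):
            ports.append((a << (16 - psid_offset)) | (psid << m_bits) | m)
    return ports


def port_sets_disjoint(psid_offset: int, psid_len: int) -> bool:
    """The property port-restricted sharing relies on: no two PSIDs on the
    same external address may ever be handed the same port."""
    seen: set = set()
    for psid in range(1 << psid_len):
        ps = set(port_set(psid_offset, psid_len, psid))
        if ps & seen:
            return False
        seen |= ps
    return True


@dataclass
class Subscriber:
    psid: int
    free_ports: List[int]   # lowest port kept at the end so pop() is O(1)


class NaptTable:
    """Minimal NAPT binding table for one shared external IPv4 address."""

    def __init__(self, external_ip: str, psid_offset: int, psid_len: int) -> None:
        self.external_ip = external_ip
        self.psid_offset = psid_offset
        self.psid_len = psid_len
        self.subscribers: Dict[int, Subscriber] = {}
        self.bindings: Dict[BindingKey, Tuple[str, int]] = {}
        # (external_ip, external_port, protocol) -> key, for inbound lookups
        self.reverse: Dict[Tuple[str, int, int], BindingKey] = {}

    def add_subscriber(self, subscriber_id: int, psid: int) -> None:
        ports = port_set(self.psid_offset, self.psid_len, psid)
        self.subscribers[subscriber_id] = Subscriber(psid, list(reversed(ports)))

    def bind(self, subscriber_id: int, internal_ip: str, internal_port: int,
             protocol: int) -> Tuple[str, int]:
        """External (ip, port) for an outbound flow; allocates from the
        subscriber's own port set when no binding exists yet."""
        key: BindingKey = (subscriber_id, internal_ip, internal_port, protocol)
        if key in self.bindings:
            return self.bindings[key]
        sub = self.subscribers[subscriber_id]
        if not sub.free_ports:
            # Quota exhausted: refuse rather than borrow from another set.
            raise RuntimeError(f"subscriber {subscriber_id}: port set exhausted")
        ext_port = sub.free_ports.pop()
        self.bindings[key] = (self.external_ip, ext_port)
        self.reverse[(self.external_ip, ext_port, protocol)] = key
        return self.bindings[key]

    def lookup_inbound(self, external_ip: str, external_port: int,
                       protocol: int) -> Optional[BindingKey]:
        """Map a packet arriving on the external side back to its subscriber."""
        return self.reverse.get((external_ip, external_port, protocol))


if __name__ == "__main__":
    table = NaptTable("192.0.2.1", psid_offset=6, psid_len=4)
    table.add_subscriber(1, psid=0)
    table.add_subscriber(2, psid=1)
    # Same RFC 1918 source, same port, same protocol: the five-tuples
    # collide and only subscriber_id keeps the two bindings apart.
    print(table.bind(1, "10.0.0.5", 12345, 6))
    print(table.bind(2, "10.0.0.5", 12345, 6))
    print(table.lookup_inbound("192.0.2.1", 1088, 6))
```

   With psid-offset 6 and psid-len 4 each PSID owns 4032 ports and ports
   0-1023 are in nobody's set, so a subscriber can never be handed a
   system port; the inbound lookup shows why the external port alone is
   enough to route a reply to the right subscriber even though two
   subscribers share the same internal address and port.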
   The meaning of the symbols in tree diagrams is defined in
   [I-D.ietf-netmod-yang-tree-diagrams].
2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings.  The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang].  Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   skipping to change at page 14, line 5
   |                   | subscriber), per NAT instance (limit-per-     |
   |                   | instance), and/or be specified for each       |
   |                   | supported protocol (limit-per-protocol).      |
   +-------------------+-----------------------------------------------+

                            Table 5: NAT Limits
   Table 6 describes limits that, once exceeded, will trigger
   notifications to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool.  When     |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool.  An administrator is  |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources.  When exceeded, a    |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance.  When exceeded, a nat- |
   |                          | instance-event will be generated.      |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance.  When    |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance.  When exceeded, a nat-       |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                    Table 6: Notification Thresholds
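   The thresholds of Table 6, together with the notify-interval the
   module carries under notify-pool-usage and notification-limits, are
   easiest to understand as a small evaluation loop.  The following is an
   added example, not code from this draft: it runs constructed
   utilization samples against per-pool and per-instance thresholds and
   suppresses repeats of the same notification for notify-interval
   seconds.  The crossing semantics (">=" for the high-side thresholds,
   "<=" for low-threshold) and every sample value are assumptions made
   for the example.

```python
"""Threshold notifications with notify-interval rate-limiting (added example).

Evaluates Table 6 style thresholds: high-threshold / low-threshold per pool
(nat-pool-event) and notify-addresses-usage / notify-ports-usage /
notify-subscribers-limit per instance (nat-instance-event).  Crossing
semantics and sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PoolThresholds:
    pool_id: int
    high_threshold: int    # percent of the pool's addresses allocated
    low_threshold: int     # percent; usage at or below this is abnormal
    notify_interval: int   # seconds between repeats of a nat-pool-event


@dataclass
class InstanceThresholds:
    notify_addresses_usage: int    # percent over all pools of the instance
    notify_ports_usage: int        # percent over all pools of the instance
    notify_subscribers_limit: int  # absolute count of active subscribers
    notify_interval: int           # seconds between repeats of a nat-instance-event


@dataclass
class Notification:
    time: int
    kind: str     # "nat-pool-event" or "nat-instance-event"
    reason: str   # which threshold fired
    value: int    # observed usage percent or subscriber count


class NatNotifier:
    def __init__(self, pools: List[PoolThresholds], instance: InstanceThresholds) -> None:
        self.pools = {p.pool_id: p for p in pools}
        self.instance = instance
        self._last_sent: Dict[Tuple[str, int, str], int] = {}
        self.sent: List[Notification] = []

    def _emit(self, kind: str, scope: int, reason: str, now: int,
              value: int) -> Optional[Notification]:
        """Record a notification unless the same one fired within notify-interval."""
        interval = (self.pools[scope].notify_interval if kind == "nat-pool-event"
                    else self.instance.notify_interval)
        key = (kind, scope, reason)
        last = self._last_sent.get(key)
        if last is not None and now - last < interval:
            return None   # still over threshold, but already reported recently
        self._last_sent[key] = now
        note = Notification(now, kind, reason, value)
        self.sent.append(note)
        return note

    def pool_sample(self, now: int, pool_id: int, allocated: int,
                    total: int) -> Optional[Notification]:
        """Evaluate one address-utilization sample of a pool."""
        usage = 100 * allocated // total
        t = self.pools[pool_id]
        if usage >= t.high_threshold:
            return self._emit("nat-pool-event", pool_id, "high-threshold", now, usage)
        if usage <= t.low_threshold:
            return self._emit("nat-pool-event", pool_id, "low-threshold", now, usage)
        return None

    def instance_sample(self, now: int, address_usage: int, port_usage: int,
                        active_subscribers: int) -> List[Notification]:
        """Evaluate the instance-wide thresholds; several may fire at once."""
        t = self.instance
        checks = [
            ("notify-addresses-usage", address_usage,
             address_usage >= t.notify_addresses_usage),
            ("notify-ports-usage", port_usage, port_usage >= t.notify_ports_usage),
            ("notify-subscribers-limit", active_subscribers,
             active_subscribers >= t.notify_subscribers_limit),
        ]
        fired = []
        for reason, value, crossed in checks:
            if crossed:
                note = self._emit("nat-instance-event", 0, reason, now, value)
                if note is not None:
                    fired.append(note)
        return fired


def run_demo() -> List[Tuple[int, str, str]]:
    """Feed constructed samples through the notifier; returns (time, kind, reason)."""
    pool = PoolThresholds(pool_id=1, high_threshold=90, low_threshold=5, notify_interval=60)
    inst = InstanceThresholds(notify_addresses_usage=85, notify_ports_usage=80,
                              notify_subscribers_limit=1000, notify_interval=120)
    n = NatNotifier([pool], inst)
    # pool 1 (100 addresses): sustained high usage, then a sudden collapse
    for now, allocated in [(0, 91), (10, 95), (70, 96), (100, 2)]:
        n.pool_sample(now, 1, allocated, 100)
    # instance level: (time, address %, port %, active subscribers)
    for now, addr, ports, subs in [(0, 86, 50, 1200), (30, 90, 85, 1200), (130, 90, 85, 900)]:
        n.instance_sample(now, addr, ports, subs)
    return [(x.time, x.kind, x.reason) for x in n.sent]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

   The sample at t=10 is dropped because the pool's high-threshold was
   reported at t=0 and the 60-second interval has not elapsed, while the
   drop to 2% at t=100 is reported immediately because low-threshold has
   its own suppression state; the rate limit is per threshold, not per
   pool, so a genuinely different condition is never masked by a
   recently sent notification of another kind.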
   In order to prevent frequent notifications from being generated, the
   NAT YANG module supports the following limits (Table 7) used to
   control how frequently notifications can be generated.  That is,
   notifications are subject to rate-limiting imposed by these
   intervals.

   +-------------------------------------+-----------------------------+
   | Interval                            | Description                 |
   skipping to change at page 16, line 29
   multiple policies per NAT instance.

2.12.  Tree Structure

   The tree structure of the NAT YANG module is provided below:
   module: ietf-nat
     +--rw nat
        +--rw instances
           +--rw instance* [id]
              +--rw id                      uint32
              +--rw name?                   string
              +--rw enable?                 boolean
              +--ro capabilities
              |  +--ro nat-flavor*                                   identityref
              |  +--ro per-interface-binding*                        enumeration
              |  +--ro transport-protocols* [protocol-id]
              |  |  +--ro protocol-id      uint8
              |  |  +--ro protocol-name?   string
              |  +--ro restricted-port-support?                      boolean
              |  +--ro static-mapping-support?                       boolean
              |  +--ro port-randomization-support?                   boolean
              |  +--ro port-range-allocation-support?                boolean
              |  +--ro port-preservation-suport?                     boolean
              |  +--ro port-parity-preservation-support?             boolean
              |  +--ro address-roundrobin-support?                   boolean
              |  +--ro paired-address-pooling-support?               boolean
              |  +--ro endpoint-independent-mapping-support?         boolean
              |  +--ro address-dependent-mapping-support?            boolean
              |  +--ro address-and-port-dependent-mapping-support?   boolean
              |  +--ro endpoint-independent-filtering-support?       boolean
              |  +--ro address-dependent-filtering?                  boolean
              |  +--ro address-and-port-dependent-filtering?         boolean
              |  +--ro fragment-behavior?                            enumeration
              +--rw type?                   identityref
              +--rw per-interface-binding?  enumeration
              +--rw nat-pass-through* [id] {basic-nat44 or napt44 or dst-nat}?
              |  +--rw id        uint32
              |  +--rw prefix    inet:ip-prefix
              |  +--rw port?     inet:port-number
              +--rw policy* [id]
              |  +--rw id                           uint32
              |  +--rw clat-parameters {clat}?
              |  |  +--rw clat-ipv6-prefixes* [ipv6-prefix]
              |  |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw ipv4-prefixes* [ipv4-prefix]
              |  |     +--rw ipv4-prefix    inet:ipv4-prefix
              |  +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
              |  |  +--rw internal-ipv6-prefix    inet:ipv6-prefix
              |  |  +--rw external-ipv6-prefix    inet:ipv6-prefix
              |  +--rw eam* [ipv4-prefix] {eam}?
              |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw ipv6-prefix    inet:ipv6-prefix
              |  +--rw nat64-prefixes* [nat64-prefix] {siit or nat64 or clat}?
              |  |  +--rw nat64-prefix               inet:ipv6-prefix
              |  |  +--rw destination-ipv4-prefix* [ipv4-prefix]
              |  |  |  +--rw ipv4-prefix    inet:ipv4-prefix
              |  |  +--rw stateless-enable?          boolean
              |  +--rw external-ip-address-pool* [pool-id] {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id             uint32
              |  |  +--rw external-ip-pool    inet:ipv4-prefix
              |  +--rw port-set-restrict {napt44 or nat64}?
              |  |  +--rw (port-type)?
              |  |     +--:(port-range)
              |  |     |  +--rw start-port-number?   inet:port-number
              |  |     |  +--rw end-port-number?     inet:port-number
              |  |     +--:(port-set-algo)
              |  |        +--rw psid-offset?         uint8
              |  |        +--rw psid-len             uint8
              |  |        +--rw psid                 uint16
              |  +--rw dst-nat-enable?              boolean {basic-nat44 or napt44}?
              |  +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
              |  |  +--rw pool-id            uint32
              |  |  +--rw dst-in-ip-pool?    inet:ip-prefix
              |  |  +--rw dst-out-ip-pool    inet:ip-prefix
              |  +--rw transport-protocols* [protocol-id] {napt44 or nat64 or dst-nat}?
              |  |  +--rw protocol-id      uint8
              |  |  +--rw protocol-name?   string
              |  +--rw subscriber-mask-v6?          uint8
              |  +--rw subscriber-match* [match-id] {basic-nat44 or napt44 or dst-nat}?
              |  |  +--rw match-id    uint32
              |  |  +--rw subnet      inet:ip-prefix
              |  +--rw address-allocation-type?     enumeration
              |  +--rw port-allocation-type?        enumeration {napt44 or nat64}?
              |  +--rw mapping-type?                enumeration {napt44 or nat64}?
              |  +--rw filtering-type?              enumeration {napt44 or nat64}?
              |  +--rw fragment-behavior?           enumeration {napt44 or nat64}?
              |  +--rw port-quota* [quota-type] {napt44 or nat64}?
              |  |  +--rw port-limit?   uint16
              |  |  +--rw quota-type    uint8
              |  +--rw port-set {napt44 or nat64}?
              |  |  +--rw port-set-size       uint16
              |  |  +--rw port-set-timeout?   uint32
              |  +--rw timers {napt44 or nat64}?
              |  |  +--rw udp-timeout?              uint32
              |  |  +--rw tcp-idle-timeout?         uint32
              |  |  +--rw tcp-trans-open-timeout?   uint32
   skipping to change at page 19, line 19
              |  |  +--rw name                  string
              |  |  +--rw transport-protocol?   uint32
              |  |  +--rw dst-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw src-transport-port
              |  |  |  +--rw start-port-number?   inet:port-number
              |  |  |  +--rw end-port-number?     inet:port-number
              |  |  +--rw status?               boolean
              |  +--rw all-algs-enable?             boolean
              |  +--rw notify-pool-usage {basic-nat44 or napt44 or nat64}?
              |  |  +--rw pool-id?           uint32
              |  |  +--rw high-threshold?    percent
              |  |  +--rw low-threshold?     percent
              |  |  +--rw notify-interval?   uint32
              |  +--rw external-realm
              |     +--rw (realm-type)?
              |        +--:(interface)
              |           +--rw external-interface?   if:interface-ref
              +--rw mapping-limits {napt44 or nat64}?
              |  +--rw limit-subscribers?        uint32
              |  +--rw limit-address-mapings?    uint32
              |  +--rw limit-port-mappings?      uint32
              |  +--rw limit-per-protocol* [protocol-id] {napt44 or nat64 or dst-nat}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw connection-limits {basic-nat44 or napt44 or nat64}?
              |  +--rw limit-per-subscriber?   uint32
              |  +--rw limit-per-instance      uint32
              |  +--rw limit-per-protocol* [protocol-id] {napt44 or nat64}?
              |     +--rw protocol-id    uint8
              |     +--rw limit?         uint32
              +--rw notification-limits
              |  +--rw notify-interval?            uint32 {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-addresses-usage?     percent {basic-nat44 or napt44 or nat64}?
              |  +--rw notify-ports-usage?         percent {napt44 or nat64}?
              |  +--rw notify-subscribers-limit?   uint32 {basic-nat44 or napt44 or nat64}?
              +--rw logging-enable?         boolean {basic-nat44 or napt44 or nat64}?
              +--rw mapping-table {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
              |  +--rw mapping-entry* [index]
              |     +--rw index                   uint32
              |     +--rw type?                   enumeration
              |     +--rw transport-protocol?     uint8
              |     +--rw internal-src-address?   inet:ip-prefix
              |     +--rw internal-src-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-src-address?   inet:ip-prefix
              |     +--rw external-src-port
   skipping to change at page 20, line 34
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw external-dst-address?   inet:ip-prefix
              |     +--rw external-dst-port
              |     |  +--rw start-port-number?   inet:port-number
              |     |  +--rw end-port-number?     inet:port-number
              |     +--rw lifetime?               uint32
              +--ro statistics
                 +--ro discontinuity-time    yang:date-and-time
                 +--ro traffic-statistics
                 |  +--ro sent-packets?                       yang:zero-based-counter64
                 |  +--ro sent-bytes?                         yang:zero-based-counter64
                 |  +--ro rcvd-packets?                       yang:zero-based-counter64
                 |  +--ro rcvd-bytes?                         yang:zero-based-counter64
                 |  +--ro dropped-packets?                    yang:zero-based-counter64
                 |  +--ro dropped-bytes?                      yang:zero-based-counter64
                 |  +--ro dropped-fragments?                  yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-address-limit-packets?      yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-limit-bytes?        yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-packets?            yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-address-bytes?              yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-port-limit-packets?         yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-limit-bytes?           yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-packets?               yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-port-bytes?                 yang:zero-based-counter64 {napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-packets?   yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 |  +--ro dropped-subscriber-limit-bytes?     yang:zero-based-counter64 {basic-nat44 or napt44 or nat64}?
                 +--ro mappings-statistics
                 |  +--ro total-active-subscribers?   yang:gauge32 {basic-nat44 or napt44 or nat64}?
                 |  +--ro total-address-mappings?     yang:gauge32 {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
                 |  +--ro total-port-mappings?        yang:gauge32 {napt44 or nat64}?
                 |  +--ro total-per-protocol* [protocol-id] {napt44 or nat64}?
                 |     +--ro protocol-id    uint8
                 |     +--ro total?         yang:gauge32
                 +--ro pools-stats {basic-nat44 or napt44 or nat64}?
                    +--ro addresses-allocated?   yang:gauge32
                    +--ro addresses-free?        yang:gauge32
                    +--ro ports-stats {napt44 or nat64}?
                    |  +--ro ports-allocated?   yang:gauge32
                    |  +--ro ports-free?        yang:gauge32
                    +--ro per-pool-stats* [pool-id] {basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32 +--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time +--ro discontinuity-time yang:date-and-time
+--ro pool-stats +--ro pool-stats
| +--ro addresses-allocated? yang:gauge32 | +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32 | +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}? +--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32 +--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32 +--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-pool-event {basic-nat44 or napt44 or nat64}? +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
| +--ro id -> /nat/instances/instance/id | +--ro id -> /nat/instances/instance/id
| +--ro policy-id? -> /nat/instances/instance/policy/id | +--ro policy-id?
| +--ro pool-id -> /nat/instances/instance/policy/external-ip-address-pool/pool-id | | -> /nat/instances/instance/policy/id
| +--ro pool-id leafref
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id -> /nat/instances/instance/id +--ro id
+--ro notify-addresses-threshold? percent | -> /nat/instances/instance/id
+--ro notify-ports-threshold? percent +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent
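Review bot: in the nat-instance-event notification at the bottom of the tree, the new notify-subscribers-threshold leaf is typed uint32 while its siblings notify-addresses-threshold and notify-ports-threshold are percent, so nothing in the tree says what the number is; the configuration leaf it mirrors (notify-subscribers-limit) is an absolute count of active subscribers, and the leaf description should say so. Note also that dropped-subscriber-packets and dropped-subscriber-bytes are renamed to dropped-subscriber-limit-packets and dropped-subscriber-limit-bytes rather than kept alongside the new names; any monitoring built against the -08 names will silently lose those drop counters, which is worth calling out to implementers.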
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-11-13.yang" <CODE BEGINS> file "ietf-nat@2017-11-16.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
import ietf-interfaces { prefix if; } import ietf-interfaces { prefix if; }
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
WG Chair: Ignas Bagdonas
<mailto:ibagdona@gmail.com>
WG Chair: Joe Clarke
<mailto:jclarke@cisco.com>
WG Chair: Tianran Zhou
<mailto:zhoutianran@huawei.com>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com> <mailto:mohamed.boucadair@orange.com>
Editor: Senthil Sivakumar Editor: Senthil Sivakumar
<mailto:ssenthil@cisco.com> <mailto:ssenthil@cisco.com>
Editor: Christian Jacquenet Editor: Christian Jacquenet
<mailto:christian.jacquenet@orange.com> <mailto:christian.jacquenet@orange.com>
Editor: Suresh Vinapamula Editor: Suresh Vinapamula
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Editor: Qin Wu Editor: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations "This module is a YANG module for NAT implementations.
(including NAT44 and NAT64 flavors).
NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network
Prefix Translation (NPTv6) are covered.
Copyright (c) 2017 IETF Trust and the persons identified as Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-11-13 { revision 2017-11-16 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for Network Address Translation "RFC XXXX: A YANG Data Model for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
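Review bot: the comment '//namespace to be assigned by IANA' right after the namespace statement is stale, since the statement already carries urn:ietf:params:xml:ns:yang:ietf-nat and the IANA Considerations section registers exactly that URI; drop the comment before publication. The reworded module description now opens with 'This module is a YANG module for NAT implementations.' and then lists the covered flavors as a separate sentence; joining them ('... for NAT implementations, covering NAT44, NAT64, CLAT, SIIT, SIIT EAM, and NPTv6.') reads more naturally.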
skipping to change at page 22, line 47 skipping to change at page 24, line 26
"Basic NAT44 translation is limited to IP addresses alone."; "Basic NAT44 translation is limited to IP addresses alone.";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature napt44 { feature napt44 {
description description
"Network Address/Port Translator (NAPT): translation is "Network Address/Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID)."; (such as a TCP/UDP port or ICMP query ID).
If the internal IP address is not sufficient to uniquely
disambiguate NAPT44 mappings, an additional attribute is
required. For example, that additional attribute may
be an IPv6 address (a.k.a., DS-Lite (RFC 6333)) or
a Layer 2 identifier (a.k.a., Per-Interface NAT
(RFC 6619))";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature dst-nat { feature dst-nat {
description description
"Destination NAT is a translation that acts on the destination "Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices usually deployed in load balancers or at devices
in front of public servers."; in front of public servers.";
} }
feature nat64 { feature nat64 {
description description
"NAT64 translation allows IPv6-only clients to contact IPv4 "NAT64 translation allows IPv6-only clients to contact IPv4
skipping to change at page 31, line 43 skipping to change at page 33, line 28
*/ */
container nat { container nat {
description description
"NAT module"; "NAT module";
container instances { container instances {
description description
"NAT instances"; "NAT instances";
list instance { list instance {
key "id"; key "id";
description
"A NAT instance. This identifier can be automatically assigned
or explicitly configured.";
leaf id {
type uint32;
must ". >= 1";
description description
"NAT instance identifier. "A NAT instance. This identifier can be automatically assigned
or explicitly configured.";
The identifier must be greater than zero as per RFC 7659."; leaf id {
reference type uint32;
"RFC 7659: Definitions of Managed Objects for Network must ". >= 1";
description
"NAT instance identifier.
The identifier must be greater than zero as per RFC 7659.";
reference
"RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"Status of the the NAT instance."; "Status of the NAT instance.";
} }
container capabilities { container capabilities {
config false; config false;
description description
"NAT capabilities"; "NAT capabilities";
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
}
description
"Supported translation type(s).";
}
leaf-list per-interface-binding {
type enumeration {
enum "unsupported" {
description
"No capability to associate a NAT binding with
an extra identifier.";
}
enum "layer-2" {
description
"The NAT instance is able to associate a mapping with
a layer-2 identifier.";
}
enum "dslite" {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
} }
description description
"Type of NAT."; "Indicates the capability of a NAT to associate a particular
NAT session not only with the five tuples used for the
transport connection on both sides of the NAT but also with
the internal interface on which the user device is
connected to the NAT.";
reference
"Section 4 of RFC 6619";
} }
list transport-protocols { list transport-protocols {
key protocol-id; key protocol-id;
description description
"List of supported protocols."; "List of supported protocols.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
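Review bot: the new capabilities/per-interface-binding node is a leaf-list whose enumeration mixes a negative value ('unsupported') with positive ones ('layer-2', 'dslite'), so a server could legally report both 'unsupported' and 'layer-2' at the same time; either add a must statement that rejects 'unsupported' when any other entry is present, or drop 'unsupported' and let an empty leaf-list mean no capability. Its description also repeats the definition of per-interface binding ('Indicates the capability of a NAT to associate a particular NAT session ...') rather than saying what the list enumerates, namely which extra identifiers the instance can bind a mapping to.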
skipping to change at page 33, line 48 skipping to change at page 36, line 15
type boolean; type boolean;
description description
"Indicates whether static mappings are supported."; "Indicates whether static mappings are supported.";
} }
leaf port-randomization-support { leaf port-randomization-support {
type boolean; type boolean;
description description
"Indicates whether port randomization is supported."; "Indicates whether port randomization is supported.";
reference reference
"Section 4.2.1. of RFC 4787."; "Section 4.2.1 of RFC 4787.";
} }
leaf port-range-allocation-support { leaf port-range-allocation-support {
type boolean; type boolean;
description description
"Indicates whether port range allocation is supported."; "Indicates whether port range allocation is supported.";
reference reference
"Section 1.1 of RFC 7753."; "Section 1.1 of RFC 7753.";
} }
leaf port-preservation-suport { leaf port-preservation-suport {
type boolean; type boolean;
description description
"Indicates whether port preservation is supported."; "Indicates whether port preservation is supported.";
reference reference
"Section 4.2.1. of RFC 4787."; "Section 4.2.1 of RFC 4787.";
} }
leaf port-parity-preservation-support { leaf port-parity-preservation-support {
type boolean; type boolean;
description description
"Indicates whether port parity preservation is "Indicates whether port parity preservation is
supported."; supported.";
reference reference
"Section 8 of RFC 7857."; "Section 8 of RFC 7857.";
} }
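Review bot: the leaf name port-preservation-suport (missing 'p') is left untouched by this hunk; a leaf name is part of the published schema and cannot be corrected later without a backwards-incompatible change, so fix it to port-preservation-support now while the module is still a draft.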
skipping to change at page 36, line 34 skipping to change at page 38, line 49
This behavior is the one recommended in RFC4787."; This behavior is the one recommended in RFC4787.";
reference reference
"REQ-14 of RFC 4787"; "REQ-14 of RFC 4787";
} }
} }
description description
"The fragment behavior is the NAT instance's capability to "The fragment behavior is the NAT instance's capability to
translate fragments received on the external interface of translate fragments received on the external interface of
the NAT."; the NAT.";
} }
}
leaf type {
type identityref {
base nat-type;
}
description
"Specify the translation type. Particularly useful when
multiple translation flavors are supported.
If one type is supported by a NAT, this parameter is by
default set to that type.";
}
leaf per-interface-binding {
type enumeration {
enum "disabled" {
description
"Disable the capability to associate an extra identifier
with NAT mappings.";
}
enum "layer-2" {
description
"The NAT instance is able to associate a mapping with
a layer-2 identifier.";
}
enum "dslite" {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
}
description
"A NAT that associates a particular NAT session not only with
the five tuples used for the transport connection on both
sides of the NAT but also with the internal interface on
which the user device is connected to the NAT.
If supported, this mode of operation should be configurable,
and it should be disabled by default in general-purpose NAT
devices.
If one single per-interface binding behavior is supported by
a NAT, this parameter is by default set to that behavior.";
reference
"Section 4 of RFC 6619";
} }
list nat-pass-through { list nat-pass-through {
if-feature "basic-nat44 or napt44 or dst-nat"; if-feature "basic-nat44 or napt44 or dst-nat";
key id; key id;
description description
"IP prefix NAT pass through."; "IP prefix NAT pass through.";
leaf id { leaf id {
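Review bot: the new config leaf per-interface-binding has no default statement although its description says the mode 'should be disabled by default in general-purpose NAT devices'; add default "disabled"; so the schema enforces what the prose promises. The same description then says 'If one single per-interface binding behavior is supported by a NAT, this parameter is by default set to that behavior', which contradicts a disabled default and is not something a YANG default statement can express; either drop that sentence or reword it as guidance to the server on what value to report. The sibling leaf type carries the same implicit-default sentence and should be treated the same way.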
skipping to change at page 37, line 38 skipping to change at page 41, line 4
} }
list policy { list policy {
key id; key id;
description description
"NAT parameters for a given instance"; "NAT parameters for a given instance";
leaf id { leaf id {
type uint32; type uint32;
description description
"An identifier of the NAT policy. "An identifier of the NAT policy. It must be unique
it must be unique within the NAT instance."; within the NAT instance.";
} }
container clat-parameters { container clat-parameters {
if-feature clat; if-feature clat;
description description
"CLAT parameters."; "CLAT parameters.";
list clat-ipv6-prefixes { list clat-ipv6-prefixes {
key ipv6-prefix; key ipv6-prefix;
description description
skipping to change at page 44, line 4 skipping to change at page 47, line 17
"The name of the Upper-layer protocol associated "The name of the Upper-layer protocol associated
with this mapping. with this mapping.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/ https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml protocol-numbers.xhtml
For example, TCP, UDP, DCCP, and SCTP."; For example, TCP, UDP, DCCP, and SCTP.";
} }
} }
leaf subscriber-mask-v6 { leaf subscriber-mask-v6 {
type uint8 { type uint8 {
range "0 .. 128"; range "0 .. 128";
} }
description description
"The subscriber-mask is an integer that indicates "The subscriber mask is an integer that indicates
the length of significant bits to be applied on the length of significant bits to be applied on
the source IPv6 address (internal side) to the source IPv6 address (internal side) to
unambiguously identify a CPE. unambiguously identify a user device (e.g., CPE).
Subscriber-mask is a system-wide configuration Subscriber mask is a system-wide configuration
parameter that is used to enforce generic parameter that is used to enforce generic
per-subscriber policies (e.g., port-quota). per-subscriber policies (e.g., port-quota).
The enforcement of these generic policies does not The enforcement of these generic policies does not
require the configuration of every subscriber's require the configuration of every subscriber's
prefix. prefix.
Example: suppose the 2001:db8:100:100::/56 prefix Example: suppose the 2001:db8:100:100::/56 prefix
is assigned to a NAT64 serviced CPE. Suppose also is assigned to a NAT64 serviced CPE. Suppose also
that 2001:db8:100:100::1 is the IPv6 address used that 2001:db8:100:100::1 is the IPv6 address used
by the client that resides in that CPE. When the by the client that resides in that CPE. When the
NAT64 receives a packet from this client, NAT64 receives a packet from this client,
it applies the subscriber-mask (e.g., 56) on it applies the subscriber-mask-v6 (e.g., 56) on
the source IPv6 address to compute the associated the source IPv6 address to compute the associated
prefix for this client (2001:db8:100:100::/56). prefix for this client (2001:db8:100:100::/56).
Then, the NAT64 enforces policies based on that Then, the NAT64 enforces policies based on that
prefix (2001:db8:100:100::/56), not on the exact prefix (2001:db8:100:100::/56), not on the exact
source IPv6 address."; source IPv6 address.";
} }
list subscriber-match { list subscriber-match {
if-feature "basic-nat44 or napt44 or dst-nat"; if-feature "basic-nat44 or napt44 or dst-nat";
key match-id; key match-id;
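Review bot: subscriber-mask-v6 accepts range 0 .. 128 with no default, and both ends are degenerate: 0 maps every internal IPv6 source to the same /0 prefix, so any per-subscriber policy enforced through it (the port-quota example in the description) silently collapses into one instance-wide bucket, while 128 makes each address its own subscriber. Tighten the range or at least warn about those values in the description. The worked example is otherwise consistent: applying 56 to 2001:db8:100:100::1 does yield 2001:db8:100:100::/56.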
skipping to change at page 51, line 37 skipping to change at page 55, line 4
units "seconds"; units "seconds";
default 60; default 60;
description description
"An ICMP Query session timer must not expire "An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended in less than 60 seconds. It is recommended
that the ICMP Query session timer be made that the ICMP Query session timer be made
configurable"; configurable";
reference reference
"RFC 5508: NAT Behavioral Requirements for ICMP"; "RFC 5508: NAT Behavioral Requirements for ICMP";
} }
list per-port-timeout { list per-port-timeout {
key port-number; key port-number;
description description
"Some NATs are configurable with short timeouts "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts port 53 (DNS) and 123 (NTP) and longer timeouts
on other ports."; on other ports.";
leaf port-number { leaf port-number {
type inet:port-number; type inet:port-number;
description description
"A port number."; "A port number.";
} }
leaf timeout { leaf timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
mandatory true; mandatory true;
description description
"Timeout for this port number"; "Timeout for this port number";
} }
} }
leaf hold-down-timeout { leaf hold-down-timeout {
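Review bot: the ICMP query timer leaf (default 60) says in its description that the timer 'must not expire in less than 60 seconds', but its type carries no range or must statement, so a client can set it to 1; add must ". >= 60" (or a range on the type) so the RFC 5508 minimum is enforced by the schema rather than by prose. The per-port-timeout/timeout leaf is a bare uint32 with mandatory true, so 0 is accepted without a stated meaning; say whether 0 is rejected or means the protocol default applies.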
skipping to change at page 59, line 33 skipping to change at page 62, line 47
"Notification of port mappings usage over the "Notification of port mappings usage over the
whole NAT instance. whole NAT instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the port mappings utilization reaches 90%, this the port mappings utilization reaches 90%, this
configuration parameter must be set to 90."; configuration parameter must be set to 90.";
} }
leaf notify-subscribers-limit {
if-feature "basic-nat44 or napt44 or nat64";
type uint32;
description
"Notification of active subscribers per NAT
instance.
Notification must be generated when the defined
threshold is reached.";
}
} }
leaf logging-enable { leaf logging-enable {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type boolean; type boolean;
description description
"Enable logging features."; "Enable logging features.";
reference reference
"Section 2.3 of RFC 6908 and REQ-12 of RFC6888."; "Section 2.3 of RFC 6908 and REQ-12 of RFC6888.";
} }
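Review bot: the new notify-subscribers-limit leaf is a bare uint32 with no units statement, and its description only says a notification fires 'when the defined threshold is reached'; unlike the percent-typed siblings, whose text gives the 90% example, it does not state that the value is an absolute number of active subscribers nor which counter it is compared against (presumably the total-active-subscribers gauge added in this revision). Spell both out; an operator who assumes a percentage here will set something like 90 and be notified far too early.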
skipping to change at page 62, line 50 skipping to change at page 66, line 26
leaf dropped-port-bytes { leaf dropped-port-bytes {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units 'bytes';
description description
"Counter of dropped packets because no port is "Counter of dropped packets because no port is
available for allocation, in bytes."; available for allocation, in bytes.";
} }
leaf dropped-subscriber-packets { leaf dropped-subscriber-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because the subscriber "Number of dropped packets because the subscriber
limit per instance is reached."; limit per instance is reached.";
} }
leaf dropped-subscriber-bytes { leaf dropped-subscriber-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units 'bytes';
description description
"Counter of dropped packets because the subscriber "Counter of dropped packets because the subscriber
limit per instance is reached, in bytes."; limit per instance is reached, in bytes.";
} }
} }
container mappings-statistics { container mappings-statistics {
description description
"Mappings statistics."; "Mappings statistics.";
leaf total-address-mappings { leaf total-active-subscribers {
if-feature "basic-nat44 or napt44 or nat64";
type yang:gauge32;
description
"Total number of active subscribers (that is, subscribers
for which the NAT maintains active mappings.
A subscriber is identified by a subnet, subscriber-mask,
etc.";
}
leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat"; "or nat64 or clat or dst-nat";
type yang:gauge32; type yang:gauge32;
description description
"Total number of address mappings present at a given "Total number of address mappings present at a given
time. It includes both static and dynamic mappings."; time. It includes both static and dynamic mappings.";
reference reference
"Section 3.3.8 of RFC 7659"; "Section 3.3.8 of RFC 7659";
} }
leaf total-port-mappings { leaf total-port-mappings {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of NAT port mappings present at "Total number of NAT port mappings present at
a given time. It includes both static and dynamic a given time. It includes both static and dynamic
mappings."; mappings.";
reference reference
"Section 3.3.9 of RFC 7659"; "Section 3.3.9 of RFC 7659";
} }
list total-per-protocol { list total-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key protocol-id;
description description
"Total mappings for each enabled/supported protocol."; "Total mappings for each enabled/supported protocol.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping."; mapping or 17 (UDP) for a UDP mapping.";
} }
leaf total { leaf total {
type yang:gauge32; type yang:gauge32;
description description
"Total number of a protocol-specific mappings present "Total number of a protocol-specific mappings present
at a given time. The protocol is identified by at a given time. The protocol is identified by
protocol-id."; protocol-id.";
} }
} }
} }
container pools-stats { container pools-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Statistics related to address/prefix pools "Statistics related to address/prefix pools
usage"; usage";
leaf addresses-allocated { leaf addresses-allocated {
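Review bot: the description of the new total-active-subscribers leaf has an unclosed parenthesis ('(that is, subscribers for which the NAT maintains active mappings.') and its second sentence 'A subscriber is identified by a subnet, subscriber-mask, etc.' should name the actual nodes that define the counting unit (subscriber-mask-v6 and the subscriber-match list) instead of trailing off in 'etc.', since a consumer of this gauge needs to know exactly what one subscriber is.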
skipping to change at page 65, line 14 skipping to change at page 68, line 50
"Number of allocated ports from all pools."; "Number of allocated ports from all pools.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses from all pools."; "Number of unallocated addresses from all pools.";
} }
} }
list per-pool-stats { list per-pool-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
key "pool-id"; key "pool-id";
description
"Statistics related to address/prefix pool usage";
leaf pool-id {
type uint32;
description
"Unique Identifier that represents a pool of
addresses/prefixes.";
}
leaf discontinuity-time {
type yang:date-and-time;
mandatory true;
description
"The time on the most recent occasion at which this
pool counters suffered a discontinuity. This must
be initialized when the address pool is
configured.";
}
container pool-stats {
description description
"Statistics related to address/prefix pool usage"; "Statistics related to address/prefix pool usage";
leaf addresses-allocated { leaf pool-id {
type yang:gauge32; type uint32;
description description
"Number of allocated addresses from this pool."; "Unique Identifier that represents a pool of
addresses/prefixes.";
} }
leaf addresses-free { leaf discontinuity-time {
type yang:gauge32; type yang:date-and-time;
mandatory true;
description description
"Number of unallocated addresses in this pool."; "The time on the most recent occasion at which this
pool counters suffered a discontinuity. This must
be initialized when the address pool is
configured.";
} }
} container pool-stats {
description
"Statistics related to address/prefix pool usage";
container port-stats { leaf addresses-allocated {
if-feature "napt44 or nat64"; type yang:gauge32;
description description
"Statistics related to port numbers usage."; "Number of allocated addresses from this pool.";
}
leaf ports-allocated { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports from this pool."; "Number of unallocated addresses in this pool.";
}
} }
leaf ports-free { container port-stats {
type yang:gauge32; if-feature "napt44 or nat64";
description description
"Number of unallocated addresses from this pool."; "Statistics related to port numbers usage.";
leaf ports-allocated {
type yang:gauge32;
description
"Number of allocated ports from this pool.";
}
leaf ports-free {
type yang:gauge32;
description
"Number of unallocated addresses from this pool.";
}
} }
} }
} }
} }
} }
} }
} }
}
/* /*
* Notifications * Notifications
*/ */
notification nat-pool-event { notification nat-pool-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when the defined high/low "Notifications must be generated when the defined high/low
threshold is reached. Related configuration parameters threshold is reached. Related configuration parameters
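Review bot: ports-free under pools-stats is described as 'Number of unallocated addresses from all pools.' and the per-pool port-stats/ports-free as 'Number of unallocated addresses from this pool.'; both should say ports, as the neighbouring ports-allocated leaves do. The remainder of this hunk only re-indents the per-pool-stats list; if whitespace is the only intended change, say so in the change summary so reviewers are not searching for a semantic difference.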
skipping to change at page 67, line 35 skipping to change at page 71, line 22
description description
"A threshold (high-threshold or low-threshold) has "A threshold (high-threshold or low-threshold) has
been fired."; been fired.";
} }
} }
notification nat-instance-event { notification nat-instance-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when notify-addresses-usage "Notifications must be generated when notify-addresses-usage
and/or notify-ports-usagethreshold are reached."; and/or notify-ports-usage threshold are reached.";
leaf id { leaf id {
type leafref { type leafref {
path "/nat/instances/instance/id"; path "/nat/instances/instance/id";
} }
mandatory true; mandatory true;
description description
"NAT instance Identifier."; "NAT instance Identifier.";
} }
leaf notify-subscribers-threshold {
type uint32;
description
"The notify-subscribers-limit threshold has been fired.";
}
leaf notify-addresses-threshold { leaf notify-addresses-threshold {
type percent; type percent;
description description
"The notify-addresses-usage threshold has been fired."; "The notify-addresses-usage threshold has been fired.";
} }
leaf notify-ports-threshold { leaf notify-ports-threshold {
type percent; type percent;
description description
"The notify-ports-usage threshold has been fired."; "The notify-ports-usage threshold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
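Review bot: nat-instance-event's description still says notifications are generated when 'notify-addresses-usage and/or notify-ports-usage threshold are reached', yet this hunk adds a notify-subscribers-threshold leaf tied to notify-subscribers-limit; list the third trigger in the description. The new leaf's own description ('The notify-subscribers-limit threshold has been fired.') does not say what the uint32 carries, the configured limit or the subscriber count at the moment it fired; the percent siblings share that ambiguity, but for a count the difference matters to whoever correlates the event with total-active-subscribers.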
4. Security Considerations 4. Security Considerations
skipping to change at page 69, line 15 skipping to change at page 73, line 7
o Set a low notification threshold to cause useless notifications to o Set a low notification threshold to cause useless notifications to
be generated: be generated:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold * /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses- * /nat/instances/instance/notification-limits/notify-addresses-
usage usage
* /nat/instances/instance/notification-limits/notify-ports-usage * /nat/instances/instance/notification-limits/notify-ports-usage
* /nat/instances/instance/notification-limits/notify-subscribers-
limit
o Set an arbitrarily high threshold, which may lead to the o Set an arbitrarily high threshold, which may lead to the
deactivation of notifications: deactivation of notifications:
* /nat/instances/instance/policy/notify-pool-usage/high-threshold * /nat/instances/instance/policy/notify-pool-usage/high-threshold
* /nat/instances/instance/notification-limits/notify-addresses- * /nat/instances/instance/notification-limits/notify-addresses-
usage usage
* /nat/instances/instance/notification-limits/notify-ports-usage * /nat/instances/instance/notification-limits/notify-ports-usage
* /nat/instances/instance/notification-limits/notify-subscribers-
limit
o Set a low notification interval and a low notification threshold o Set a low notification interval and a low notification threshold
to induce useless notifications to be generated: to induce useless notifications to be generated:
* /nat/instances/instance/policy/notify-pool-usage/notify- * /nat/instances/instance/policy/notify-pool-usage/notify-
interval interval
* /nat/instances/instance/notification-limits/notify-interval * /nat/instances/instance/notification-limits/notify-interval
o Access to privacy data maintained in the mapping table. Such data o Access to privacy data maintained in the mapping table. Such data
can be misused to track the activity of a host: can be misused to track the activity of a host:
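Review bot: adding /nat/instances/instance/notification-limits/notify-subscribers-limit under both the 'low threshold' and 'arbitrarily high threshold' items is consistent with the other threshold leaves, but because this leaf is an absolute count rather than a percentage, the 'high' case should say that a value above the number of subscribers the instance can ever hold effectively disables the notification. Both misuse cases come down to write access to notification-limits, so the section could state the mitigation that its NETCONF Access Control Model citation (RFC 6536) already implies: confine write access to that container to the operations role.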
skipping to change at page 70, line 15 skipping to change at page 74, line 10
name: ietf-nat name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing and Tianran Zhou for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of an earlier version of
this module. this module.
Rajiv Asati suggested to clarify how the module applies for both Rajiv Asati suggested to clarify how the module applies for both
skipping to change at page 71, line 38 skipping to change at page 75, line 38
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>. <https://www.rfc-editor.org/info/rfc6296>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>. <https://www.rfc-editor.org/info/rfc6536>.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface
Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012,
<https://www.rfc-editor.org/info/rfc6619>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation", Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013, RFC 6877, DOI 10.17487/RFC6877, April 2013,
<https://www.rfc-editor.org/info/rfc6877>. <https://www.rfc-editor.org/info/rfc6877>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
skipping to change at page 72, line 43 skipping to change at page 76, line 48
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-02 (work in progress),
October 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
Modules for the DS-Lite", draft-ietf-softwire-dslite- Modules for Dual-Stack Lite (DS-Lite)", draft-ietf-
yang-07 (work in progress), October 2017. softwire-dslite-yang-09 (work in progress), November 2017.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
skipping to change at page 80, line 25 skipping to change at page 85, line 25
o 192.0.2.33 is extracted from 2001:db8:1c0:2:21:: o 192.0.2.33 is extracted from 2001:db8:1c0:2:21::
o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2:: o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2::
The translator transforms the IPv6 header into an IPv4 header using The translator transforms the IPv6 header into an IPv4 header using
the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will
include 192.0.2.33 as the source address and 198.51.100.2 as the include 192.0.2.33 as the source address and 198.51.100.2 as the
destination address. destination address.
Alos, a NAT64 can be instructed to behave in the stateless mode by Also, a NAT64 can be instructed to behave in the stateless mode by
providing the following configuration. The same NAT64 prefix is used providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4-translatable IPv6 addresses and for constructing both IPv4-translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]). IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
<stateless-enable> <stateless-enable>
true true
skipping to change at page 83, line 10 skipping to change at page 88, line 10
<ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
EAMs may be enabled jointly with statefull NAT64. This example shows EAMs may be enabled jointly with statefull NAT64. This example shows
a NAT64 function that supports static mappings: a NAT64 function that supports static mappings:
<capabilities <capabilities
<nat-flavor> <nat-flavor>
nat64 nat64
</nat44-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
true true
</port-range-allocation-support> </port-range-allocation-support>
<port-preservation-suport> <port-preservation-suport>
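Review bot: the closing-tag fix from </nat44-flavor> to </nat-flavor> is correct, but the same example still carries two visible defects that should go in the same pass: the opening <capabilities element on the first line of the example is missing its closing ">", so the XML fragment is not well-formed, and <port-preservation-suport> misspells the node name (presumably port-preservation-support, matching the other *-support leaves in the example). The sentence introducing the example also spells "stateful" as "statefull".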