draft-ietf-opsawg-nat-yang-11.txt   draft-ietf-opsawg-nat-yang-12.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: August 10, 2018 Cisco Systems Expires: August 11, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
February 6, 2018 February 7, 2018
A YANG Module for Network Address Translation (NAT) A YANG Module for Network Address Translation (NAT)
draft-ietf-opsawg-nat-yang-11 draft-ietf-opsawg-nat-yang-12
Abstract Abstract
For the sake of network automation and the need for programming For the sake of network automation and the need for programming
Network Address Translation (NAT) function in particular, a data Network Address Translation (NAT) function in particular, a data
model for configuring and managing the NAT is essential. This model for configuring and managing the NAT is essential. This
document defines a YANG module for the NAT function. document defines a YANG module for the NAT function.
NAT44, Network Address and Protocol Translation from IPv6 Clients to NAT44, Network Address and Protocol Translation from IPv6 Clients to
IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/
skipping to change at page 2, line 12 skipping to change at page 2, line 12
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 10, 2018. This Internet-Draft will expire on August 11, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 49 skipping to change at page 3, line 49
1.1. Terminology 1.1. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o Basic NAT44: translation is limited to IP addresses alone o Basic NAT44: translation is limited to IP addresses alone
(Section 2.1 of [RFC3022]). (Section 2.1 of [RFC3022]).
o Network Address/Port Translator (NAPT): translation in NAPT is o Network Address/Port Translator (NAPT): translation in NAPT is
extended to include IP addresses and transport identifiers (such extended to include IP addresses and transport identifiers (such
as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
[RFC3022]. A NAPT my use an extra identifier, in addition to the [RFC3022]. A NAPT may use an extra identifier, in addition to the
five transport tuple, to disambiguate bindings [RFC6619]. five transport tuple, to disambiguate bindings [RFC6619].
o Destination NAT: is a translation that acts on the destination IP o Destination NAT: is a translation that acts on the destination IP
address and/or destination port number. This flavor is usually address and/or destination port number. This flavor is usually
deployed in load balancers or at devices in front of public deployed in load balancers or at devices in front of public
servers. servers.
o Port-restricted IPv4 address: An IPv4 address with a restricted o Port-restricted IPv4 address: An IPv4 address with a restricted
port set. Multiple hosts may share the same IPv4 address; port set. Multiple hosts may share the same IPv4 address;
however, their port sets must not overlap [RFC7596]. however, their port sets must not overlap [RFC7596].
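Review bot: the "my" to "may" fix in the NAPT bullet is correct, but the same sentence still reads "in addition to the five transport tuple", which is awkward since it is the tuple that has five elements, not the transport; suggest "in addition to the transport 5-tuple".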
skipping to change at page 5, line 40 skipping to change at page 5, line 40
multiple NAT policies (/nat/instances/instance/policy). The document multiple NAT policies (/nat/instances/instance/policy). The document
does not make any assumption about how flows are associated with a does not make any assumption about how flows are associated with a
given NAT policy of a given NAT instance. Classification filters are given NAT policy of a given NAT instance. Classification filters are
out of scope. out of scope.
Defining multiple NAT instances or configuring multiple NAT policies Defining multiple NAT instances or configuring multiple NAT policies
within one single NAT instance is implementation- and deployment- within one single NAT instance is implementation- and deployment-
specific. specific.
This YANG module allows to instruct a NAT function to enable the This YANG module allows to instruct a NAT function to enable the
logging feature. Nevertheless, configuration parameters specific to logging feature (Section 2.3 of [RFC6908] and REQ-12 of [RFC6888]).
logging protocols are out of the scope of this document. Nevertheless, configuration parameters specific to logging protocols
are out of the scope of this document.
2.2. Various Translation Flavors 2.2. Various Translation Flavors
The following translation modes are supported: The following translation modes are supported:
o Basic NAT44 o Basic NAT44
o NAPT o NAPT
o Destination NAT o Destination NAT
o Port-restricted NAT o Port-restricted NAT
o Stateful NAT64 o Stateful NAT64 (including with destination-based Pref64::/n
[RFC7050])
o SIIT o SIIT
o CLAT o CLAT
o EAM o EAM
o Combination of Basic NAT/NAPT and Destination NAT o Combination of Basic NAT/NAPT and Destination NAT
o Combination of port-restricted and Destination NAT o Combination of port-restricted and Destination NAT
o Combination of NAT64 and EAM o Combination of NAT64 and EAM
o Stateful and Stateless NAT64 o Stateful and Stateless NAT64
[I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
YANG module to support DS-Lite. YANG module to support DS-Lite.
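Review bot: "This YANG module allows to instruct a NAT function to enable the logging feature" is ungrammatical in both columns; suggest "This YANG module allows a NAT function to be instructed to enable the logging feature (Section 2.3 of [RFC6908] and REQ-12 of [RFC6888])". The new bracketed citations here and the "[RFC7050]" added to the Stateful NAT64 bullet line up with the reference statements on the logging-enable and nat64-prefixes nodes later in the module, so the prose and the YANG now point at the same sources.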
skipping to change at page 23, line 24 skipping to change at page 23, line 24
feature napt44 { feature napt44 {
description description
"Network Address/Port Translator (NAPT): translation is "Network Address/Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID). (such as a TCP/UDP port or ICMP query ID).
If the internal IP address is not sufficient to uniquely If the internal IP address is not sufficient to uniquely
disambiguate NAPT44 mappings, an additional attribute is disambiguate NAPT44 mappings, an additional attribute is
required. For example, that additional attribute may required. For example, that additional attribute may
be an IPv6 address (a.k.a., DS-Lite (RFC 6333)) or be an IPv6 address (a.k.a., DS-Lite) or
a Layer 2 identifier (a.k.a., Per-Interface NAT a Layer 2 identifier (a.k.a., Per-Interface NAT)";
(RFC 6619))";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature dst-nat { feature dst-nat {
description description
"Destination NAT is a translation that acts on the destination "Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices usually deployed in load balancers or at devices
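Review bot: dropping "(RFC 6333)" and "(RFC 6619)" from the napt44 description string leaves the DS-Lite and Per-Interface NAT examples without any pointer, because the feature's reference statement still cites only RFC 3022. If the intent is to keep RFC numbers out of description strings (as done for the other nodes in this revision), add RFC 6333 and RFC 6619 to the reference statement of this feature so the pointers survive.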
skipping to change at page 32, line 18 skipping to change at page 32, line 18
description description
"A NAT instance. This identifier can be automatically assigned "A NAT instance. This identifier can be automatically assigned
or explicitly configured."; or explicitly configured.";
leaf id { leaf id {
type uint32; type uint32;
must ". >= 1"; must ". >= 1";
description description
"NAT instance identifier. "NAT instance identifier.
The identifier must be greater than zero as per RFC 7659."; The identifier must be greater than zero.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
reference reference
skipping to change at page 35, line 40 skipping to change at page 35, line 40
"Indicates whether paired-address-pooling is "Indicates whether paired-address-pooling is
supported"; supported";
reference reference
"REQ-2 of RFC 4787."; "REQ-2 of RFC 4787.";
} }
leaf endpoint-independent-mapping-support { leaf endpoint-independent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent- "Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is mapping is supported.";
supported.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
leaf address-dependent-mapping-support { leaf address-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address-dependent-mapping is "Indicates whether address-dependent-mapping is
supported."; supported.";
reference reference
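Review bot: the paired-address-pooling description at the top of this hunk ends "supported" with no terminal period, while the sibling descriptions in the same container end with one ("...mapping is supported."); suggest adding the period for consistency.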
skipping to change at page 37, line 16 skipping to change at page 37, line 15
they are received in order. That is, in particular the they are received in order. That is, in particular the
header is in the first packet. Fragments received header is in the first packet. Fragments received
out of order are dropped. "; out of order are dropped. ";
} }
enum "out-of-order" { enum "out-of-order" {
description description
"The NAT instance is able to translate a fragment even "The NAT instance is able to translate a fragment even
if it is received out of order. if it is received out of order.
This behavior is the one recommended in RFC4787."; This behavior is recommended.";
reference reference
"REQ-14 of RFC 4787"; "REQ-14 of RFC 4787";
} }
} }
description description
"The fragment behavior is the NAT instance's capability to "The fragment behavior is the NAT instance's capability to
translate fragments received on the external interface of translate fragments received on the external interface of
the NAT."; the NAT.";
} }
} }
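Review bot: the unchanged "in-order" enum description carries a stray space before the closing quote ("out of order are dropped. ";), and "That is, in particular the header is in the first packet" needs a comma after "in particular"; suggest "That is, in particular, the header is in the first fragment". Simplifying the out-of-order text to "This behavior is recommended." is fine because the reference statement keeps "REQ-14 of RFC 4787".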
skipping to change at page 38, line 48 skipping to change at page 38, line 45
description description
"An identifier of the IP prefix pass through."; "An identifier of the IP prefix pass through.";
} }
leaf prefix { leaf prefix {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"The IP addresses that match should not be translated. "The IP addresses that match should not be translated.
According to REQ#6 of RFC6888, it must be possible to It must be possible to administratively turn
administratively turn off translation for specific off translation for specific destination addresses
destination addresses and/or ports."; and/or ports.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC 6888.";
} }
leaf port { leaf port {
type inet:port-number; type inet:port-number;
description description
"According to REQ#6 of RFC6888, it must be possible to "It must be possible to administratively turn off
administratively turn off translation for specific translation for specific destination addresses
destination addresses and/or ports. and/or ports.
If no prefix is defined, the NAT pass through bound If no prefix is defined, the NAT pass through bound
to a given port applies for any destination address."; to a given port applies for any destination address.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC 6888.";
} }
} }
list policy { list policy {
key id; key id;
description description
"NAT parameters for a given instance"; "NAT parameters for a given instance";
leaf id { leaf id {
type uint32; type uint32;
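Review bot: the port leaf's description states "If no prefix is defined, the NAT pass through bound to a given port applies for any destination address", but the prefix leaf in the same list is "mandatory true", so an entry with a port and no prefix can never be configured. Either relax the prefix leaf (drop "mandatory true" and add a "must" requiring at least one of prefix or port to be set) or remove that sentence from the port description; as written, the module and its description contradict each other.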
skipping to change at page 41, line 35 skipping to change at page 41, line 33
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
} }
} }
list nat64-prefixes { list nat64-prefixes {
if-feature "siit or nat64 or clat"; if-feature "siit or nat64 or clat";
key nat64-prefix; key nat64-prefix;
description description
"Provides one or a list of NAT64 prefixes "Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes. with or without a list of destination IPv4 prefixes.
It allows mapping IPv4 address ranges to IPv6 prefixes.
Destination-based Pref64::/n is discussed in For example:
Section 5.1 of [RFC7050]). For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48."; 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference reference
"Section 5.1 of RFC7050."; "Section 5.1 of RFC 7050.";
leaf nat64-prefix { leaf nat64-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
mandatory true; mandatory true;
description description
"A NAT64 prefix. Can be Network-Specific Prefix (NSP) or "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
Well-Known Prefix (WKP). Well-Known Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 translation Organizations deploying stateless IPv4/IPv6 translation
should assign a Network-Specific Prefix to their should assign a Network-Specific Prefix to their
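Review bot: removing "It allows mapping IPv4 address ranges to IPv6 prefixes." leaves "For example:" attached directly to "with or without a list of destination IPv4 prefixes", so the reader no longer knows what the two mappings that follow illustrate. Suggest keeping one sentence of context before the example, e.g. "Each NAT64 prefix may be associated with the IPv4 prefixes it is used for. For example:". Moving the [RFC7050] citation out of the description string is fine since the reference statement already names Section 5.1 of RFC 7050.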
skipping to change at page 42, line 51 skipping to change at page 42, line 49
A pool is a set of IP prefixes."; A pool is a set of IP prefixes.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
must ". >= 1"; must ". >= 1";
description description
"An identifier that uniquely identifies the address pool "An identifier that uniquely identifies the address pool
within a NAT instance. within a NAT instance.
The identifier must be greater than zero as per The identifier must be greater than zero.";
RFC 7659.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
leaf external-ip-pool { leaf external-ip-pool {
type inet:ipv4-prefix; type inet:ipv4-prefix;
mandatory true; mandatory true;
description description
"An IPv4 prefix used for NAT purposes."; "An IPv4 prefix used for NAT purposes.";
skipping to change at page 49, line 19 skipping to change at page 49, line 18
description description
"Translate fragments only if they are received "Translate fragments only if they are received
in order."; in order.";
} }
enum "out-of-order" { enum "out-of-order" {
description description
"Translate a fragment even if it is received out "Translate a fragment even if it is received out
of order. of order.
This behavior is the recommended behavior."; This behavior is recommended.";
reference reference
"REQ-14 of RFC 4787"; "REQ-14 of RFC 4787";
} }
} }
description description
"The fragment behavior instructs the NAT about the "The fragment behavior instructs the NAT about the
behavior to follow to translate fragments received behavior to follow to translate fragments received
on the external interface of the NAT."; on the external interface of the NAT.";
} }
skipping to change at page 51, line 18 skipping to change at page 51, line 17
} }
leaf tcp-trans-open-timeout { leaf tcp-trans-open-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default 240;
description description
"The value of the transitory open connection "The value of the transitory open connection
idle-timeout. idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT A NAT should provide different configurable
should provide different configurable
parameters for configuring the open and parameters for configuring the open and
closing idle timeouts. closing idle timeouts.
To accommodate deployments that consider To accommodate deployments that consider
a partially open timeout of 4 minutes as being a partially open timeout of 4 minutes as being
excessive from a security standpoint, a NAT may excessive from a security standpoint, a NAT may
allow the configured timeout to be less than allow the configured timeout to be less than
4 minutes. 4 minutes.
However, a minimum default transitory connection However, a minimum default transitory connection
skipping to change at page 51, line 43 skipping to change at page 51, line 41
} }
leaf tcp-trans-close-timeout { leaf tcp-trans-close-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default 240;
description description
"The value of the transitory close connection "The value of the transitory close connection
idle-timeout. idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT A NAT should provide different configurable
should provide different configurable
parameters for configuring the open and parameters for configuring the open and
closing idle timeouts."; closing idle timeouts.";
reference reference
"Section 2.1 of RFC 7857."; "Section 2.1 of RFC 7857.";
} }
leaf tcp-in-syn-timeout { leaf tcp-in-syn-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 6; default 6;
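Review bot: "different configurable parameters for configuring the open and closing idle timeouts" is redundant in both the tcp-trans-open-timeout and tcp-trans-close-timeout descriptions; suggest "separate configurable idle timeouts for the open and closing transitory states". Also, now that the bracketed [RFC7857] citation has been removed from both description strings, make sure an [RFC7857] citation still appears in the document body outside the module; the plain "RFC 7857" inside a YANG reference statement may not be recognised as a citation by idnits and the entry could be flagged as unused.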
skipping to change at page 61, line 4 skipping to change at page 60, line 45
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type uint32; type uint32;
description description
"Notification of active subscribers per NAT "Notification of active subscribers per NAT
instance. instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached."; threshold is reached.";
} }
} }
leaf logging-enable { leaf logging-enable {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type boolean; type boolean;
description description
"Enable logging features."; "Enable logging features.";
reference reference
"Section 2.3 of RFC 6908 and REQ-12 of RFC6888."; "Section 2.3 of RFC 6908 and REQ-12 of RFC 6888.";
} }
container mapping-table { container mapping-table {
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions which maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
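Review bot: logging-enable is a boolean configuration leaf with no "default" statement, so the behaviour when the leaf is absent is left to the implementation. Suggest adding "default false;" so that logging is off unless explicitly enabled, which matches Section 2.1's wording that the module is used to instruct the NAT to enable logging. The "RFC6888" to "RFC 6888" spacing fix in the reference statement is good and consistent with the other reference statements in this revision.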
skipping to change at page 71, line 44 skipping to change at page 71, line 37
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950].
name: ietf-nat name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing, Tianran Zhou, and Tom Petch for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Tim Chown proposed to publish Kristian Poscic for the CGN review. Tim Chown proposed to publish
the NPTv6 part of the YANG module as a separate document to avoid the the NPTv6 part of the YANG module as a separate document to avoid the
conflict between the intended status of this document and the one of conflict between the intended status of this document and the one of
skipping to change at page 75, line 42 skipping to change at page 75, line 36
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M.
Boucadair, "Deployment Considerations for Dual-Stack
Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013,
<https://www.rfc-editor.org/info/rfc6908>.
[RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
the IPv6 Prefix Used for IPv6 Address Synthesis",
RFC 7050, DOI 10.17487/RFC7050, November 2013,
<https://www.rfc-editor.org/info/rfc7050>.
[RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
(CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
DOI 10.17487/RFC7289, June 2014, DOI 10.17487/RFC7289, June 2014,
<https://www.rfc-editor.org/info/rfc7289>. <https://www.rfc-editor.org/info/rfc7289>.
[RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335,
DOI 10.17487/RFC7335, August 2014, DOI 10.17487/RFC7335, August 2014,
<https://www.rfc-editor.org/info/rfc7335>. <https://www.rfc-editor.org/info/rfc7335>.
[RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor, [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
 End of changes. 28 change blocks. 
39 lines changed or deleted 43 lines changed or added
