draft-ietf-opsawg-nat-yang-12.txt   draft-ietf-opsawg-nat-yang-13.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair, Ed.
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: August 11, 2018 Cisco Systems Expires: August 26, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
February 7, 2018 February 22, 2018
A YANG Module for Network Address Translation (NAT) A YANG Module for Network Address Translation (NAT) and Network Prefix
draft-ietf-opsawg-nat-yang-12 Translation (NPT)
draft-ietf-opsawg-nat-yang-13
Abstract Abstract
For the sake of network automation and the need for programming For the sake of network automation and the need for programming
Network Address Translation (NAT) function in particular, a data Network Address Translation (NAT) function in particular, a data
model for configuring and managing the NAT is essential. This model for configuring and managing the NAT is essential. This
document defines a YANG module for the NAT function. document defines a YANG module for the NAT function.
NAT44, Network Address and Protocol Translation from IPv6 Clients to NAT44, Network Address and Protocol Translation from IPv6 Clients to
IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/
ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/
ICMP Translation (SIIT EAM), and Destination NAT are covered in this ICMP Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6),
document. and Destination NAT are covered in this document.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Please update these statements with the RFC number to be assigned to Please update these statements with the RFC number to be assigned to
this document: this document:
"This version of this YANG module is part of RFC XXXX;" "This version of this YANG module is part of RFC XXXX;"
"RFC XXXX: A YANG Module for Network Address Translation (NAT)"; "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
Network Prefix Translation (NPT)"
"reference: RFC XXXX" "reference: RFC XXXX"
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 11, 2018. This Internet-Draft will expire on August 26, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Various Translation Flavors . . . . . . . . . . . . . . . 5 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6
2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 7 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 11 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12
2.10. Binding the NAT Function to an External Interface . . . . 14 2.10. Binding the NAT Function to an External Interface . . . . 15
2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 14 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15
2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 15 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 21 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22
4. Security Considerations . . . . . . . . . . . . . . . . . . . 69 4. Security Considerations . . . . . . . . . . . . . . . . . . . 72
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 71 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 71 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 72 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.1. Normative References . . . . . . . . . . . . . . . . . . 72 7.1. Normative References . . . . . . . . . . . . . . . . . . 74
7.2. Informative References . . . . . . . . . . . . . . . . . 74 7.2. Informative References . . . . . . . . . . . . . . . . . 76
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 76 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 76 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 78
A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 78 A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 81 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 82 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84
A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 82 A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84
A.6. Explicit Address Mappings for Stateless IP/ICMP A.6. Explicit Address Mappings for Stateless IP/ICMP
Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 83 Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85
A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 87 A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88
A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 87 A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89
A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 88 A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90
A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 91 A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 93
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96
1. Introduction 1. Introduction
This document defines a data model for Network Address Translation This document defines a data model for Network Address Translation
(NAT) capabilities using the YANG data modeling language [RFC7950]. (NAT) and Network Prefix Translation (NPT) capabilities using the
YANG data modeling language [RFC7950].
Traditional NAT is defined in [RFC2663], while Carrier Grade NAT Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
(CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
used to optimize the usage of global IP address space at the scale of used to optimize the usage of global IP address space at the scale of
a domain: a CGN is not managed by end users, but by service providers a domain: a CGN is not managed by end users, but by service providers
instead. This document covers both traditional NATs and CGNs. instead. This document covers both traditional NATs and CGNs.
This document also covers NAT64 [RFC6146], customer-side translator This document also covers NAT64 [RFC6146], customer-side translator
(CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915], (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
Explicit Address Mappings for Stateless IP/ICMP Translation (EAM) Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
[RFC7757], and Destination NAT. The full set of translation schemes [RFC7757], IPv6 Network Prefix Translation (NPTv6) [RFC6296], and
that are in scope is included in Section 2.2. Destination NAT. The full set of translation schemes that are in
scope is included in Section 2.2.
Sample examples are provided in Appendix A. These examples are not Sample examples are provided in Appendix A. These examples are not
intended to be exhaustive. intended to be exhaustive.
1.1. Terminology 1.1. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o Basic NAT44: translation is limited to IP addresses alone o Basic NAT44: translation is limited to IP addresses alone
(Section 2.1 of [RFC3022]). (Section 2.1 of [RFC3022]).
o Basic NAT44 o Basic NAT44
o NAPT o NAPT
o Destination NAT o Destination NAT
o Port-restricted NAT o Port-restricted NAT
o Stateful NAT64 (including with destination-based Pref64::/n o Stateful NAT64 (including with destination-based Pref64::/n
[RFC7050]) [RFC7050])
o SIIT o SIIT
o CLAT o CLAT
o EAM o EAM
o NPTv6
o Combination of Basic NAT/NAPT and Destination NAT o Combination of Basic NAT/NAPT and Destination NAT
o Combination of port-restricted and Destination NAT o Combination of port-restricted and Destination NAT
o Combination of NAT64 and EAM o Combination of NAT64 and EAM
o Stateful and Stateless NAT64 o Stateful and Stateless NAT64
[I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
YANG module to support DS-Lite. YANG module to support DS-Lite.
The YANG "feature" statement is used to indicate which of the The YANG "feature" statement is used to indicate which of the
different translation modes is relevant for a specific data node. different translation modes is relevant for a specific data node.
+---------------------------------+--------------+ +---------------------------------+--------------+
| Translation Mode | YANG Feature | | Translation Mode | YANG Feature |
+---------------------------------+--------------+ +---------------------------------+--------------+
| Basic NAT44 | basic-nat44 | | Basic NAT44 | basic-nat44 |
| NAPT | napt44 | | NAPT | napt44 |
| Destination NAT | dst-nat | | Destination NAT | dst-nat |
| Stateful NAT64 | nat64 | | Stateful NAT64 | nat64 |
| Stateless IPv4/IPv6 translation | siit | | Stateless IPv4/IPv6 translation | siit |
| CLAT | clat | | CLAT | clat |
| EAM | eam | | EAM | eam |
| NPTv6 | nptv6 |
+---------------------------------+--------------+ +---------------------------------+--------------+
Table 1: YANG NAT Features Table 1: YANG NAT Features
The following translation modes do not require defining dedicated The following translation modes do not require defining dedicated
features: features:
o Port-restricted NAT: This mode corresponds to supplying port o Port-restricted NAT: This mode corresponds to supplying port
restriction policies to a NAPT or NAT64 (port-set-restrict). restriction policies to a NAPT or NAT64 (port-set-restrict).
o Combination of Basic NAT/NAPT and Destination NAT: This mode o Combination of Basic NAT/NAPT and Destination NAT: This mode
| | NAT64) | | | NAT64) |
| external-src-port | ID2 (an ICMP identifier that is chosen by | | external-src-port | ID2 (an ICMP identifier that is chosen by |
| | the NAT64) | | | the NAT64) |
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
Table 4: Example of an EIM NAT64 Mapping Entry Table 4: Example of an EIM NAT64 Mapping Entry
Note that a mapping table is maintained only for stateful NAT Note that a mapping table is maintained only for stateful NAT
functions. Particularly: functions. Particularly:
o No mapping table is maintained for NPTv6 given that it is
stateless and transport-agnostic.
o The double translations are stateless in CLAT if a dedicated IPv6 o The double translations are stateless in CLAT if a dedicated IPv6
prefix is provided for CLAT. If not, a stateful NAT44 will be prefix is provided for CLAT. If not, a stateful NAT44 will be
required. required.
o No per-flow mapping is maintained for EAM [RFC7757]. o No per-flow mapping is maintained for EAM [RFC7757].
o No mapping table is maintained for Stateless IPv4/IPv6 o No mapping table is maintained for Stateless IPv4/IPv6
translation. As a reminder, in such deployments internal IPv6 translation. As a reminder, in such deployments internal IPv6
nodes are addressed using IPv4-translatable IPv6 addresses, which nodes are addressed using IPv4-translatable IPv6 addresses, which
enable them to be accessed by IPv4 nodes [RFC6052]. enable them to be accessed by IPv4 nodes [RFC6052].
2.9. Resource Limits 2.9. Resource Limits
In order to comply with CGN deployments in particular, the NAT YANG In order to comply with CGN deployments in particular, the NAT YANG
module allows limiting the number of external ports per subscriber module allows limiting the number of external ports per subscriber
(port-quota) and the amount of state memory allocated per mapping and (port-quota) and the amount of state memory allocated per mapping and
per subscriber (mapping-limits and connection-limits). According to per subscriber (mapping-limits and connection-limits). According to
[RFC6888], the module allows for the following: [RFC6888], the module is designed to allow for the following:
o Per-subscriber limits are configurable by the NAT administrator. o Per-subscriber limits are configurable by the NAT administrator.
o Per-subscriber limits are configurable independently per transport o Per-subscriber limits are configurable independently per transport
protocol. protocol.
o Administrator-adjustable thresholds to prevent a single subscriber o Administrator-adjustable thresholds to prevent a single subscriber
from consuming excessive CPU resources from the NAT (e.g., rate- from consuming excessive CPU resources from the NAT (e.g., rate-
limit the subscriber's creation of new mappings) can be limit the subscriber's creation of new mappings) can be
configured. configured.
Table 5 lists the various limits that can be set using the NAT YANG Table 5 lists the various limits that can be set using the NAT YANG
module. Once a limit is reached, packets that would normally trigger module. Once a limit is reached, packets that would normally trigger
new port mappings or be translated because they match existing new port mappings or be translated because they match existing
mappings, are dropped by the translator. mappings, are dropped by the translator.
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| Limit | Description | | Limit | Description |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| port-quota | Specifies a port quota to be assigned per | | port-quota | Specifies a port quota to be assigned per |
| | subscriber. It corresponds to the maximum | | | subscriber. It corresponds to the |
| | number of ports to be used by a subscriber. | | | maximum number of ports to be used by a |
| | The port quota can be configured to apply to | | | subscriber. The port quota can be configured |
| | all protocols or to a specific protocol. | | | to apply to all protocols or to a |
| | Distinct port quota may be configured per | | | specific protocol. Distinct port quota may be |
| | protocol. | | | configured per protocol. |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| fragments-limit | In order to prevent denial of service attacks | | fragments-limit | In order to prevent denial of service attacks |
| | that can be caused by fragments, this | | | that can be caused by fragments, |
| | parameter is used to limit the number of out- | | | this parameter is used to limit the number of |
| | of-order fragments that can be handled by a | | | out-of-order fragments that can be handled by |
| | translator. | | | a translator. |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| mapping-limits | This parameter can be used to control the | | mapping-limits | This parameter can be used to control the |
| | maximum number of subscribers that can be | | | maximum number of subscribers that |
| | serviced by a NAT instance (limit-subscriber) | | | can be serviced by a NAT instance |
| | and the maximum number of address and/or port | | | (limit-subscriber) and the maximum number of |
| | mappings that can be maintained by a NAT | | | address and/or port mappings that |
| | instance (limit-address-mapings and limit- | | | can be maintained by a NAT instance |
| | port-mappings). Also, limits specific to | | | (limit-address-mappings and limit-port- |
| | mappings). Also, limits specific to |
| | protocols (e.g., TCP, UDP, ICMP) can also be | | | protocols (e.g., TCP, UDP, ICMP) can also be |
| | specified (limit-per-protocol). | | | specified (limit-per-protocol). |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| connection-limits | In order to prevent exhausting the resources | | connection-limits | In order to prevent exhausting the resources |
| | of a NAT implementation and to ensure | | | of a NAT implementation and to |
| | fairness usage among subscribers, various | | | ensure fairness usage among subscribers, |
| | rate-limits can be specified. Rate-limiting | | | various rate-limits can be specified. Rate- |
| | can be enforced per subscriber ((limit- | | | limiting can be enforced per |
| | subscriber), per NAT instance (limit-per- | | | subscriber ((limit-subscriber), per NAT |
| | instance), and/or be specified for each | | | instance (limit-per-instance), |
| | supported protocol (limit-per-protocol). | | | and/or be specified for each supported |
| | protocol (limit-per-protocol). |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
Table 5: NAT Limits Table 5: NAT Limits
Table 6 describes limits, that once exceeded, will trigger Table 6 describes limits, that once exceeded, will trigger
notifications to be generated: notifications to be generated:
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| Notification Threshold | Description | | Notification Threshold | Description |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| high-threshold | Used to notify high address | | high-threshold | Used to notify high address |
| | utilization of a given pool. When | | | utilization of a given pool. When |
| | exceeded, a nat-pool-event | | | exceeded, a nat-pool-event |
| | notification will be generated. | | | notification will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| low-threshold | Used to notify low address utilization | | low-threshold | Used to notify low address utilization |
| | of a given pool. An administrator is | | | of a given pool. An |
| | supposed to configure low-threshold so | | | administrator is supposed to configure |
| | that it can reflect an abnormal usage | | | low-threshold so that it can |
| | of NAT resources. When exceeded, a | | | reflect an abnormal usage of NAT |
| | resources. When exceeded, a |
| | nat-pool-event notification will be | | | nat-pool-event notification will be |
| | generated. | | | generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-addresses-usage | Used to notify high address | | notify-addresses-usage | Used to notify high address |
| | utilization of all pools configured to | | | utilization of all pools configured |
| | a NAT instance. When exceeded, a nat- | | | to a NAT instance. When exceeded, a |
| | instance-event will be generated. | | | nat-instance-event will be |
| | generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-ports-usage | Used to notify high port allocation | | notify-ports-usage | Used to notify high port allocation |
| | taking into account all pools | | | taking into account all pools |
| | configured to a NAT instance. When | | | configured to a NAT instance. When |
| | exceeded, a nat-instance-event | | | exceeded, a nat-instance-event |
| | notification will be generated. | | | notification will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-subscribers-limit | Used to notify a high number of active | | notify-subscribers-limit | Used to notify a high number of active |
| | subscribers that are serviced by a NAT | | | subscribers that are |
| | instance. When exceeded, a nat- | | | serviced by a NAT instance. When |
| | instance-event notification will be | | | exceeded, a nat-instance-event |
| | generated. | | | notification will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
Table 6: Notification Thresholds Table 6: Notification Thresholds
In order to prevent from generating frequent notifications, the NAT In order to prevent from generating frequent notifications, the NAT
YANG module supports the following limits (Table 7) used to control YANG module supports the following limits (Table 7) used to control
how frequent notifications can be generated. That is, notifications how frequent notifications can be generated. That is, notifications
are subject to rate-limiting imposed by these intervals. are subject to rate-limiting imposed by these intervals.
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| Interval | Description | | Interval | Description |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| notify-pool-usage/notify-interval | Indicates the minimum | | notify-pool-usage/notify-interval | Indicates the minimum |
| | number of seconds between | | | number of seconds between |
| | successive notifications | | | successive |
| | for a given address pool. | | | notifications for a given |
| | address pool. |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| notification-limits/notify-interval | Indicates the minimum | | notification-limits/notify-interval | Indicates the minimum |
| | number of seconds between | | | number of seconds between |
| | successive notifications | | | successive |
| | for a NAT instance. | | | notifications for a NAT |
| | instance. |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
Table 7: Notification Intervals Table 7: Notification Intervals
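As an added illustration, not code from the draft or from any YANG implementation, the following Python sketch applies the admission limits of Table 5 (port-quota per quota-type, limit-subscriber, limit-port-mappings) and the high-threshold/low-threshold and notify-interval logic of Tables 6 and 7 to a constructed packet sequence. The class names, the pool addresses, the packet sequence and the reading of low-threshold as "utilization fell below" are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class NatLimits:
    """Limits taken from Tables 5-7; field names mirror the draft's leaves."""
    port_quota: dict            # quota-type -> port-limit; quota-type 0 = all protocols
    limit_subscriber: int       # mapping-limits/limit-subscriber
    limit_port_mappings: int    # mapping-limits/limit-port-mappings
    high_threshold: int         # percent of pool addresses in use
    low_threshold: int          # percent of pool addresses in use
    notify_interval: int        # notify-pool-usage/notify-interval, in seconds


class NatInstance:
    """Toy stateful NAPT44 instance (hypothetical; not the draft's code)."""

    def __init__(self, limits, pool_addresses):
        self.limits = limits
        self.pool = list(pool_addresses)
        self.mappings = {}        # (subscriber, proto, int_port) -> (ext_addr, ext_port)
        self.ports_used = {}      # (subscriber, proto) -> external ports held
        self.sub_addr = {}        # subscriber -> external address (paired pooling)
        self.next_port = 1024
        self.events = []          # (time, notification, detail)
        self.last_notify = None

    def _quota(self, proto):
        # A protocol-specific quota overrides the all-protocols (quota-type 0) quota.
        return self.limits.port_quota.get(proto, self.limits.port_quota.get(0))

    def handle_packet(self, subscriber, proto, int_port, now):
        """Returns 'translated', 'created' or 'dropped' for an outbound packet."""
        key = (subscriber, proto, int_port)
        if key in self.mappings:
            return "translated"
        # No mapping yet: apply the admission limits of Table 5 before creating one.
        new_sub = subscriber not in self.sub_addr
        if new_sub and len(self.sub_addr) >= self.limits.limit_subscriber:
            return "dropped"
        if len(self.mappings) >= self.limits.limit_port_mappings:
            return "dropped"
        quota = self._quota(proto)
        held = self.ports_used.get((subscriber, proto), 0)
        if quota is not None and held >= quota:
            return "dropped"
        if new_sub:
            # Round-robin the subscriber onto a pool address and keep it there.
            self.sub_addr[subscriber] = self.pool[len(self.sub_addr) % len(self.pool)]
        self.mappings[key] = (self.sub_addr[subscriber], self.next_port)
        self.next_port += 1
        self.ports_used[(subscriber, proto)] = held + 1
        self._check_pool_usage(now)
        return "created"

    def address_utilization(self):
        """Percentage of pool addresses currently carrying at least one subscriber."""
        return 100 * len(set(self.sub_addr.values())) // len(self.pool)

    def _check_pool_usage(self, now):
        usage = self.address_utilization()
        if usage > self.limits.high_threshold:
            detail = "high"
        elif usage < self.limits.low_threshold:   # assumption: "exceeded" = fell below
            detail = "low"
        else:
            return
        # Table 7: at least notify-interval seconds between successive notifications.
        if self.last_notify is not None and now - self.last_notify < self.limits.notify_interval:
            return
        self.last_notify = now
        self.events.append((now, "nat-pool-event", detail))


def demo():
    """Constructed walk-through; returns the per-packet decisions and notifications."""
    limits = NatLimits(port_quota={0: 2, 17: 1}, limit_subscriber=2,
                       limit_port_mappings=5, high_threshold=50, low_threshold=10,
                       notify_interval=60)
    nat = NatInstance(limits, ["192.0.2.1", "192.0.2.2"])   # constructed pool
    decisions = [
        nat.handle_packet("subA", 6, 40000, now=0),    # created (TCP port 1 of 2)
        nat.handle_packet("subA", 6, 40000, now=1),    # translated (mapping exists)
        nat.handle_packet("subA", 6, 40001, now=2),    # created (TCP port 2 of 2)
        nat.handle_packet("subA", 6, 40002, now=3),    # dropped: TCP quota reached
        nat.handle_packet("subA", 17, 5000, now=4),    # created (UDP quota is 1)
        nat.handle_packet("subA", 17, 5001, now=5),    # dropped: UDP quota reached
        nat.handle_packet("subB", 6, 40000, now=6),    # created; pool usage 100% > 50%
        nat.handle_packet("subC", 6, 40000, now=7),    # dropped: limit-subscriber
        nat.handle_packet("subB", 6, 40001, now=8),    # created; event suppressed
    ]
    return decisions, nat.events
```

The second nat-pool-event that pool usage would trigger at now=8 is suppressed because fewer than notify-interval seconds have passed since the one emitted at now=6.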
2.10. Binding the NAT Function to an External Interface 2.10. Binding the NAT Function to an External Interface
The module is designed to specify an external realm on which the NAT The module is designed to specify an external realm on which the NAT
function must be applied (external-realm). The module supports function must be applied (external-realm). The module supports
indicating an interface as an external realm, but the module is indicating an interface as an external realm, but the module is
extensible so that other choices can be indicated in the future extensible so that other choices can be indicated in the future
All the above parameters can be configured by means of the NAT YANG All the above parameters can be configured by means of the NAT YANG
module. module.
Unlike the NATV2-MIB, the NAT YANG module allows to configure Unlike the NATV2-MIB, the NAT YANG module allows to configure
multiple policies per NAT instance. multiple policies per NAT instance.
2.12. Tree Structure 2.12. Tree Structure
The tree structure of the NAT YANG module is provided below: The tree structure of the NAT YANG module is provided below:
module: ietf-nat module: ietf-nat
+--rw nat +--rw nat
+--rw instances +--rw instances
+--rw instance* [id] +--rw instance* [id]
+--rw id uint32 +--rw id uint32
+--rw name? string +--rw name? string
+--rw enable? boolean +--rw enable? boolean
+--ro capabilities +--ro capabilities
| +--ro nat-flavor* | +--ro nat-flavor*
| | identityref | | identityref
| +--ro per-interface-binding* | +--ro per-interface-binding*
| | enumeration | | enumeration
| +--ro transport-protocols* [protocol-id] | +--ro transport-protocols* [protocol-id]
| | +--ro protocol-id uint8 | | +--ro protocol-id uint8
| | +--ro protocol-name? string | | +--ro protocol-name? string
| +--ro restricted-port-support? | +--ro restricted-port-support?
| | boolean | | boolean
| +--ro static-mapping-support? | +--ro static-mapping-support?
| | boolean | | boolean
| +--ro port-randomization-support? | +--ro port-randomization-support?
| | boolean | | boolean
| +--ro port-range-allocation-support? | +--ro port-range-allocation-support?
| | boolean | | boolean
| +--ro port-preservation-suport? | +--ro port-preservation-suport?
| | boolean | | boolean
| +--ro port-parity-preservation-support? | +--ro port-parity-preservation-support?
| | boolean | | boolean
| +--ro address-roundrobin-support? | +--ro address-roundrobin-support?
| | boolean | | boolean
| +--ro paired-address-pooling-support? | +--ro paired-address-pooling-support?
| | boolean | | boolean
| +--ro endpoint-independent-mapping-support? | +--ro endpoint-independent-mapping-support?
| | boolean | | boolean
| +--ro address-dependent-mapping-support? | +--ro address-dependent-mapping-support?
| | boolean | | boolean
| +--ro address-and-port-dependent-mapping-support? | +--ro address-and-port-dependent-mapping-support?
| | boolean | | boolean
| +--ro endpoint-independent-filtering-support? | +--ro endpoint-independent-filtering-support?
| | boolean | | boolean
| +--ro address-dependent-filtering? | +--ro address-dependent-filtering?
| | boolean | | boolean
| +--ro address-and-port-dependent-filtering? | +--ro address-and-port-dependent-filtering?
| | boolean | | boolean
| +--ro fragment-behavior? | +--ro fragment-behavior?
| enumeration | enumeration
+--rw type? identityref +--rw type? identityref
+--rw per-interface-binding? enumeration +--rw per-interface-binding? enumeration
+--rw nat-pass-through* [id] +--rw nat-pass-through* [id]
| {basic-nat44 or napt44 or dst-nat}? | {basic-nat44 or napt44 or dst-nat}?
| +--rw id uint32 | +--rw id uint32
| +--rw prefix inet:ip-prefix | +--rw prefix inet:ip-prefix
| +--rw port? inet:port-number | +--rw port? inet:port-number
+--rw policy* [id] +--rw policy* [id]
| +--rw id uint32 | +--rw id uint32
| +--rw clat-parameters {clat}? | +--rw clat-parameters {clat}?
| | +--rw clat-ipv6-prefixes* [ipv6-prefix] | | +--rw clat-ipv6-prefixes* [ipv6-prefix]
| | | +--rw ipv6-prefix inet:ipv6-prefix | | | +--rw ipv6-prefix inet:ipv6-prefix
| | +--rw ipv4-prefixes* [ipv4-prefix] | | +--rw ipv4-prefixes* [ipv4-prefix]
| | +--rw ipv4-prefix inet:ipv4-prefix | | +--rw ipv4-prefix inet:ipv4-prefix
| +--rw eam* [ipv4-prefix] {eam}? | +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}?
| | +--rw ipv4-prefix inet:ipv4-prefix | | +--rw internal-ipv6-prefix inet:ipv6-prefix
| | +--rw ipv6-prefix inet:ipv6-prefix | | +--rw external-ipv6-prefix inet:ipv6-prefix
| +--rw nat64-prefixes* [nat64-prefix] | +--rw eam* [ipv4-prefix] {eam}?
| | {siit or nat64 or clat}? | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw nat64-prefix inet:ipv6-prefix | | +--rw ipv6-prefix inet:ipv6-prefix
| | +--rw destination-ipv4-prefix* [ipv4-prefix] | +--rw nat64-prefixes* [nat64-prefix]
| | | +--rw ipv4-prefix inet:ipv4-prefix | | {siit or nat64 or clat}?
| | +--rw stateless-enable? boolean | | +--rw nat64-prefix inet:ipv6-prefix
| +--rw external-ip-address-pool* [pool-id] | | +--rw destination-ipv4-prefix* [ipv4-prefix]
| | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw stateless-enable? boolean
| +--rw external-ip-address-pool* [pool-id]
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id uint32
| | +--rw external-ip-pool inet:ipv4-prefix
| +--rw port-set-restrict {napt44 or nat64}?
| | +--rw (port-type)?
| | +--:(port-range)
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--:(port-set-algo)
| | +--rw psid-offset? uint8
| | +--rw psid-len uint8
| | +--rw psid uint16
| +--rw dst-nat-enable? boolean
| | {basic-nat44 or napt44}?
| +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
| | +--rw pool-id uint32
| | +--rw dst-in-ip-pool? inet:ip-prefix
| | +--rw dst-out-ip-pool inet:ip-prefix
| +--rw transport-protocols* [protocol-id]
| | {napt44 or nat64 or dst-nat}?
| | +--rw protocol-id uint8
| | +--rw protocol-name? string
| +--rw subscriber-mask-v6? uint8
| +--rw subscriber-match* [match-id]
| | {basic-nat44 or napt44 or dst-nat}?
| | +--rw match-id uint32
| | +--rw subnet inet:ip-prefix
| +--rw address-allocation-type? enumeration
| +--rw port-allocation-type? enumeration
| | {napt44 or nat64}?
| +--rw mapping-type? enumeration
| | {napt44 or nat64}?
| +--rw filtering-type? enumeration
| | {napt44 or nat64}?
| +--rw fragment-behavior? enumeration
| | {napt44 or nat64}?
| +--rw port-quota* [quota-type] {napt44 or nat64}?
| | +--rw port-limit? uint16
| | +--rw quota-type uint8
| +--rw port-set {napt44 or nat64}?
| | +--rw port-set-size uint16
| | +--rw port-set-timeout? uint32
| +--rw timers {napt44 or nat64}?
| | +--rw udp-timeout? uint32
| | +--rw tcp-idle-timeout? uint32
| | +--rw tcp-trans-open-timeout? uint32
| | +--rw tcp-trans-close-timeout? uint32
| | +--rw tcp-in-syn-timeout? uint32
| | +--rw fragment-min-timeout? uint32
| | +--rw icmp-timeout? uint32
| | +--rw per-port-timeout* [port-number]
| | | +--rw port-number inet:port-number
| | | +--rw timeout uint32
| | +--rw hold-down-timeout? uint32
| | +--rw hold-down-max? uint32
| +--rw fragments-limit? uint32
| +--rw algs* [name]
| | +--rw name string
| | +--rw transport-protocol? uint32
| | +--rw dst-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw src-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw status? boolean
| +--rw all-algs-enable? boolean
| +--rw notify-pool-usage
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id? uint32
| | +--rw high-threshold? percent
| | +--rw low-threshold? percent
| | +--rw notify-interval? uint32
| +--rw external-realm
| +--rw (realm-type)?
| +--:(interface)
| +--rw external-interface? if:interface-ref
+--rw mapping-limits {napt44 or nat64}?
| +--rw limit-subscribers? uint32
| +--rw limit-address-mappings? uint32
| +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64 or dst-nat}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw connection-limits
| {basic-nat44 or napt44 or nat64}?
| +--rw limit-per-subscriber? uint32
| +--rw limit-per-instance uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw notification-limits
| +--rw notify-interval? uint32
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-addresses-usage? percent
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-ports-usage? percent
| | {napt44 or nat64}?
| +--rw notify-subscribers-limit? uint32
| {basic-nat44 or napt44 or nat64}?
+--rw logging-enable? boolean
| {basic-nat44 or napt44 or nat64}?
+--rw mapping-table
| |{basic-nat44 or napt44 or nat64 or clat or dst-nat}?
| +--rw mapping-entry* [index]
| +--rw index uint32
| +--rw type? enumeration
| +--rw transport-protocol? uint8
| +--rw internal-src-address? inet:ip-prefix
| +--rw internal-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-src-address? inet:ip-prefix
| +--rw external-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw internal-dst-address? inet:ip-prefix
| +--rw internal-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-dst-address? inet:ip-prefix
| +--rw external-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw lifetime? uint32
+--ro statistics
+--ro discontinuity-time yang:date-and-time
+--ro traffic-statistics
| +--ro sent-packets?
| | yang:zero-based-counter64
| +--ro sent-bytes?
| | yang:zero-based-counter64
| +--ro rcvd-packets?
| | yang:zero-based-counter64
| +--ro rcvd-bytes?
| | yang:zero-based-counter64
| +--ro dropped-packets?
| | yang:zero-based-counter64
| +--ro dropped-bytes?
| | yang:zero-based-counter64
| +--ro dropped-fragments?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-address-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id uint32 | +--ro dropped-address-limit-bytes?
| | +--rw external-ip-pool inet:ipv4-prefix | | yang:zero-based-counter64
| +--rw port-set-restrict {napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| | +--rw (port-type)? | +--ro dropped-address-packets?
| | +--:(port-range) | | yang:zero-based-counter64
| | | +--rw start-port-number? inet:port-number | | {basic-nat44 or napt44 or nat64}?
| | | +--rw end-port-number? inet:port-number | +--ro dropped-address-bytes?
| | +--:(port-set-algo) | | yang:zero-based-counter64
| | +--rw psid-offset? uint8 | | {basic-nat44 or napt44 or nat64}?
| | +--rw psid-len uint8 | +--ro dropped-port-limit-packets?
| | +--rw psid uint16 | | yang:zero-based-counter64
| +--rw dst-nat-enable? boolean
| | {basic-nat44 or napt44}?
| +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
| | +--rw pool-id uint32
| | +--rw dst-in-ip-pool? inet:ip-prefix
| | +--rw dst-out-ip-pool inet:ip-prefix
| +--rw transport-protocols* [protocol-id]
| | {napt44 or nat64 or dst-nat}?
| | +--rw protocol-id uint8
| | +--rw protocol-name? string
| +--rw subscriber-mask-v6? uint8
| +--rw subscriber-match* [match-id]
| | {basic-nat44 or napt44 or dst-nat}?
| | +--rw match-id uint32
| | +--rw subnet inet:ip-prefix
| +--rw address-allocation-type? enumeration
| +--rw port-allocation-type? enumeration
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw mapping-type? enumeration | +--ro dropped-port-limit-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw filtering-type? enumeration | +--ro dropped-port-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw fragment-behavior? enumeration | +--ro dropped-port-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw port-quota* [quota-type] {napt44 or nat64}? | +--ro dropped-subscriber-limit-packets?
| | +--rw port-limit? uint16 | | yang:zero-based-counter64
| | +--rw quota-type uint8
| +--rw port-set {napt44 or nat64}?
| | +--rw port-set-size uint16
| | +--rw port-set-timeout? uint32
| +--rw timers {napt44 or nat64}?
| | +--rw udp-timeout? uint32
| | +--rw tcp-idle-timeout? uint32
| | +--rw tcp-trans-open-timeout? uint32
| | +--rw tcp-trans-close-timeout? uint32
| | +--rw tcp-in-syn-timeout? uint32
| | +--rw fragment-min-timeout? uint32
| | +--rw icmp-timeout? uint32
| | +--rw per-port-timeout* [port-number]
| | | +--rw port-number inet:port-number
| | | +--rw timeout uint32
| | +--rw hold-down-timeout? uint32
| | +--rw hold-down-max? uint32
| +--rw fragments-limit? uint32
| +--rw algs* [name]
| | +--rw name string
| | +--rw transport-protocol? uint32
| | +--rw dst-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw src-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw status? boolean
| +--rw all-algs-enable? boolean
| +--rw notify-pool-usage
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id? uint32
| | +--rw high-threshold? percent
| | +--rw low-threshold? percent
| | +--rw notify-interval? uint32
| +--rw external-realm
| +--rw (realm-type)?
| +--:(interface)
| +--rw external-interface? if:interface-ref
+--rw mapping-limits {napt44 or nat64}?
| +--rw limit-subscribers? uint32
| +--rw limit-address-mapings? uint32
| +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64 or dst-nat}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw connection-limits
| {basic-nat44 or napt44 or nat64}?
| +--rw limit-per-subscriber? uint32
| +--rw limit-per-instance uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw notification-limits
| +--rw notify-interval? uint32
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| +--rw notify-addresses-usage? percent | +--ro dropped-subscriber-limit-bytes?
| yang:zero-based-counter64
| {basic-nat44 or napt44 or nat64}?
+--ro mappings-statistics
| +--ro total-active-subscribers? yang:gauge32
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| +--rw notify-ports-usage? percent | +--ro total-address-mappings? yang:gauge32
| |{basic-nat44 or napt44 or nat64 or clat or dst-nat}?
| +--ro total-port-mappings? yang:gauge32
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw notify-subscribers-limit? uint32 | +--ro total-per-protocol* [protocol-id]
| {basic-nat44 or napt44 or nat64}? | {napt44 or nat64}?
+--rw logging-enable? boolean | +--ro protocol-id uint8
| {basic-nat44 or napt44 or nat64}? | +--ro total? yang:gauge32
+--rw mapping-table +--ro pools-stats {basic-nat44 or napt44 or nat64}?
| +--rw mapping-entry* [index] +--ro addresses-allocated? yang:gauge32
| +--rw index uint32 +--ro addresses-free? yang:gauge32
| +--rw type? enumeration +--ro ports-stats {napt44 or nat64}?
| +--rw transport-protocol? uint8 | +--ro ports-allocated? yang:gauge32
| +--rw internal-src-address? inet:ip-prefix | +--ro ports-free? yang:gauge32
| +--rw internal-src-port +--ro per-pool-stats* [pool-id]
| | +--rw start-port-number? inet:port-number {basic-nat44 or napt44 or nat64}?
| | +--rw end-port-number? inet:port-number +--ro pool-id uint32
| +--rw external-src-address? inet:ip-prefix +--ro discontinuity-time yang:date-and-time
| +--rw external-src-port +--ro pool-stats
| | +--rw start-port-number? inet:port-number | +--ro addresses-allocated? yang:gauge32
| | +--rw end-port-number? inet:port-number | +--ro addresses-free? yang:gauge32
| +--rw internal-dst-address? inet:ip-prefix +--ro port-stats {napt44 or nat64}?
| +--rw internal-dst-port +--ro ports-allocated? yang:gauge32
| | +--rw start-port-number? inet:port-number +--ro ports-free? yang:gauge32
| | +--rw end-port-number? inet:port-number
| +--rw external-dst-address? inet:ip-prefix
| +--rw external-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw lifetime? uint32
+--ro statistics
+--ro discontinuity-time yang:date-and-time
+--ro traffic-statistics
| +--ro sent-packets?
| | yang:zero-based-counter64
| +--ro sent-bytes?
| | yang:zero-based-counter64
| +--ro rcvd-packets?
| | yang:zero-based-counter64
| +--ro rcvd-bytes?
| | yang:zero-based-counter64
| +--ro dropped-packets?
| | yang:zero-based-counter64
| +--ro dropped-bytes?
| | yang:zero-based-counter64
| +--ro dropped-fragments?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-address-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-limit-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-port-limit-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-limit-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-subscriber-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-subscriber-limit-bytes?
| yang:zero-based-counter64
| {basic-nat44 or napt44 or nat64}?
+--ro mappings-statistics
| +--ro total-active-subscribers? yang:gauge32
| | {basic-nat44 or napt44 or nat64}?
| +--ro total-address-mappings? yang:gauge32
| +--ro total-port-mappings? yang:gauge32
| | {napt44 or nat64}?
| +--ro total-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--ro protocol-id uint8
| +--ro total? yang:gauge32
+--ro pools-stats {basic-nat44 or napt44 or nat64}?
+--ro addresses-allocated? yang:gauge32
+--ro addresses-free? yang:gauge32
+--ro ports-stats {napt44 or nat64}?
| +--ro ports-allocated? yang:gauge32
| +--ro ports-free? yang:gauge32
+--ro per-pool-stats* [pool-id]
{basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time
+--ro pool-stats
| +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-pool-event {basic-nat44 or napt44 or nat64}? +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
| +--ro id -> /nat/instances/instance/id | +--ro id -> /nat/instances/instance/id
| +--ro policy-id? | +--ro policy-id?
| | -> /nat/instances/instance/policy/id | | -> /nat/instances/instance/policy/id
| +--ro pool-id leafref | +--ro pool-id leafref
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id +--ro id
| -> /nat/instances/instance/id | -> /nat/instances/instance/id
+--ro notify-subscribers-threshold? uint32 +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent +--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent +--ro notify-ports-threshold? percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2018-02-06.yang" <CODE BEGINS> file "ietf-nat@2018-02-23.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
import ietf-interfaces { prefix if; } import ietf-interfaces { prefix if; }
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
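Review bot: in the -13 tree, the if-feature continuation lines under mapping-table and under total-address-mappings read `|{basic-nat44 or napt44 or nat64 or clat or dst-nat}?` with no space after the bar, unlike every other continuation line in the diagram (compare `| {basic-nat44 or napt44 or dst-nat}?` under nat-pass-through). Regenerate the diagram rather than hand-editing it; if the expression overflows the 72-column limit, wrap it over two lines the way the other long if-feature expressions are wrapped.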
skipping to change at page 22, line 16 skipping to change at page 23, line 22
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Editor: Qin Wu Editor: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations. "This module is a YANG module for NAT implementations.
NAT44, Network Address and Protocol Translation from IPv6 NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
Stateless IP/ICMP Translation (SIIT), and Explicit Address Mappings Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
for Stateless IP/ICMP Translation (SIIT EAM) are covered. for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network
Prefix Translation (NPTv6), and Destination NAT are covered.
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-02-06 { revision 2018-02-23 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for Network Address Translation "RFC XXXX: A YANG Module for Network Address Translation
(NAT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
skipping to change at page 24, line 45 skipping to change at page 26, line 4
} }
feature eam { feature eam {
description description
"Explicit Address Mapping (EAM) is a bidirectional coupling "Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 Prefix and an IPv6 Prefix."; between an IPv4 Prefix and an IPv6 Prefix.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
feature nptv6 {
description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/* /*
* Identities * Identities
*/ */
identity nat-type { identity nat-type {
description description
"Base identity for nat type."; "Base identity for nat type.";
} }
skipping to change at page 26, line 19 skipping to change at page 27, line 33
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
identity nptv6 {
base nat:nat-type;
description
"Identity for NPTv6 support.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/* /*
* Grouping * Grouping
*/ */
grouping port-number { grouping port-number {
description description
"Individual port or a range of ports. "Individual port or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port."; it represents a single port number.";
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"Begining of the port range."; "Beginning of the port range.";
reference reference
"Section 3.2.9 of RFC 8045."; "Section 3.2.9 of RFC 8045.";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
must ". >= ../start-port-number" must ". >= ../start-port-number"
{ {
error-message error-message
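Review bot: the `must ". >= ../start-port-number"` on end-port-number rejects an entry that sets end-port-number without start-port-number, because an XPath comparison against an empty node-set evaluates to false, yet both leaves are optional (`?` in the tree) and the grouping description only covers the start-only case. Either make start-port-number mandatory, or say in the description that end-port-number is valid only together with start-port-number, so that the error-message explains the rejection instead of surprising the operator.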
skipping to change at page 40, line 44 skipping to change at page 42, line 17
provided to an application that makes provided to an application that makes
use of literals."; use of literals.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
} }
} }
list nptv6-prefixes {
if-feature nptv6;
key internal-ipv6-prefix ;
description
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by an internal interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
leaf external-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by the external interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
}
list eam { list eam {
if-feature eam; if-feature eam;
key ipv4-prefix; key ipv4-prefix;
description description
"The Explicit Address Mapping Table, a conceptual "The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM. table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6 Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses."; prefixes/addresses.";
reference reference
"Section 3.1 of RFC 7757."; "Section 3.1 of RFC 7757.";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
mandatory true; mandatory true;
description description
"The IPv4 prefix of an EAM."; "The IPv4 prefix of an EAM.";
reference reference
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
skipping to change at page 57, line 22 skipping to change at page 59, line 31
description description
"Maximum number of subscribers that can be serviced "Maximum number of subscribers that can be serviced
by a NAT instance. by a NAT instance.
A subscriber is identified by a given prefix."; A subscriber is identified by a given prefix.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
leaf limit-address-mapings { leaf limit-address-mappings {
type uint32; type uint32;
description description
"Maximum number of address mappings that can be "Maximum number of address mappings that can be
handled by a NAT instance. handled by a NAT instance.
When this limit is reached, packets that would When this limit is reached, packets that would
normally trigger translation, will be dropped."; normally trigger translation, will be dropped.";
reference reference
"RFC 7659: Definitions of Managed Objects "RFC 7659: Definitions of Managed Objects
for Network Address Translators for Network Address Translators
skipping to change at page 61, line 8 skipping to change at page 63, line 20
leaf logging-enable { leaf logging-enable {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type boolean; type boolean;
description description
"Enable logging features."; "Enable logging features.";
reference reference
"Section 2.3 of RFC 6908 and REQ-12 of RFC 6888."; "Section 2.3 of RFC 6908 and REQ-12 of RFC 6888.";
} }
container mapping-table { container mapping-table {
if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat";
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions which maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description "NAT mapping entry."; description "NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
skipping to change at page 64, line 44 skipping to change at page 67, line 8
description description
"Total number of active subscribers (that is, "Total number of active subscribers (that is,
subscribers for which the NAT maintains active subscribers for which the NAT maintains active
mappings. mappings.
A subscriber is identified by a subnet, A subscriber is identified by a subnet,
subscriber-mask, etc."; subscriber-mask, etc.";
} }
leaf total-address-mappings { leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat";
type yang:gauge32; type yang:gauge32;
description description
"Total number of address mappings present at a given "Total number of address mappings present at a given
time. It includes both static and dynamic mappings."; time. It includes both static and dynamic mappings.";
reference reference
"Section 3.3.8 of RFC 7659"; "Section 3.3.8 of RFC 7659";
} }
leaf total-port-mappings { leaf total-port-mappings {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of NAT port mappings present at "Total number of NAT port mappings present at
a given time. It includes both static and dynamic a given time. It includes both static and dynamic
mappings."; mappings.";
reference reference
"Section 3.3.9 of RFC 7659"; "Section 3.3.9 of RFC 7659";
} }
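Review bot: the description of total-active-subscribers opens a parenthesis at "(that is," that is never closed; close it after "mappings". The if-feature added to total-address-mappings matches the one added to mapping-table, which is right: a counter of mappings should be gated by exactly the features that enable the table it counts.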
skipping to change at page 69, line 35 skipping to change at page 72, line 4
} }
leaf notify-ports-threshold { leaf notify-ports-threshold {
type percent; type percent;
description description
"The notify-ports-usage threshold has been fired."; "The notify-ports-usage threshold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. Security Considerations 4. Security Considerations
Security considerations related to address and prefix translation are Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], and [RFC7757]. discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and
[RFC7757].
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS [RFC5246]. mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF access control model [RFC6536] provides the means to The NETCONF access control model [RFC6536] provides the means to
restrict access for particular NETCONF or RESTCONF users to a restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default) are modified and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
network operations. The NAT YANG module allows to set parameters to network operations. The NAT YANG module allows to set parameters to
prevent a user from aggressively using NAT resources (port-quota), prevent a user from aggressively using NAT resources (port-quota),
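Review bot: the Security Considerations now cite [RFC6296], but the sensitive-nodes paragraph still names only the resource-limiting leaves (port-quota and the like); following the YANG security guidelines template, also list the translation-defining subtrees that -13 makes writable, in particular nptv6-prefixes, eam, nat64-prefixes, external-ip-address-pool and mapping-table, and state the risk plainly: an unauthorized change to any of them misdirects or breaks the translated traffic of every subscriber behind the instance, so they warrant NACM rules at least as strict as those protecting the quota leaves. While editing the paragraph, "allows to set parameters" should read "allows setting parameters".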
skipping to change at page 71, line 45 skipping to change at page 74, line 15
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing, Tianran Zhou, and Tom Petch for the review. Many thanks to Dan Wing, Tianran Zhou, and Tom Petch for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Tim Chown proposed to publish Kristian Poscic for the CGN review.
the NPTv6 part of the YANG module as a separate document to avoid the
conflict between the intended status of this document and the one of
the NPTv6 specification (Experimental).
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of an earlier version of
this module. this module.
Rajiv Asati suggested to clarify how the module applies for both Rajiv Asati suggested to clarify how the module applies for both
stateless and stateful NAT64. stateless and stateful NAT64.
Juergen Schoenwaelder provided an early yandgoctors review. Many Juergen Schoenwaelder provided an early yandgoctors review. Many
thanks to him. thanks to him.
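Review bot: "yandgoctors" in the last paragraph is a typo for "yangdoctors" (the YANG Doctors review team) and survives in both columns; fix it in -13. Dropping the Tim Chown sentence is consistent with -13 folding NPTv6 into the module, but the status conflict that sentence described does not go away: -13 adds [RFC6296] (Experimental) to the normative references of a Standards Track document, which is a downward reference under RFC 3967 and must be called out explicitly in the IETF Last Call, or the reference moved to the informative list if the module's NPTv6 text can stand without it.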
skipping to change at page 73, line 19 skipping to change at page 75, line 29
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>. <https://www.rfc-editor.org/info/rfc6536>.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface Operation of Address Translators with Per-Interface
Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012,
<https://www.rfc-editor.org/info/rfc6619>. <https://www.rfc-editor.org/info/rfc6619>.
skipping to change at page 74, line 39 skipping to change at page 76, line 50
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-netmod-yang-tree-diagrams] [I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft- Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-05 (work in progress), ietf-netmod-yang-tree-diagrams-06 (work in progress),
January 2018. February 2018.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf-
softwire-dslite-yang-14 (work in progress), January 2018. softwire-dslite-yang-14 (work in progress), January 2018.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
skipping to change at page 77, line 5 skipping to change at page 79, line 5
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
same IPv4 address among hosts that are owned by the same subscriber. same IPv4 address among hosts that are owned by the same subscriber.
This is typically the NAT that is embedded in CPE devices. This is typically the NAT that is embedded in CPE devices.
This NAT is usually provided with one single external IPv4 address; This NAT is usually provided with one single external IPv4 address;
disambiguating connections is achieved by rewriting the source port disambiguating connections is achieved by rewriting the source port
number. The XML snippet to configure the external IPv4 address in number. The XML snippet to configure the external IPv4 address in
such case together with a mapping entry is depicted below: such case together with a mapping entry is depicted below:
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>NAT_Subscriber_A</name> <name>NAT_Subscriber_A</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.1/32 198.51.100.1/32
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
....
<mapping-table>
....
<external-src-address>
198.51.100.1/32
</external-src-address>
.... ....
<mapping-table> </mapping-table>
.... </instance>
<external-src-address> </instances>
198.51.100.1/32
</external-src-address>
....
</mapping-table>
</instance>
</instances>
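Review bot: the `<mapping-table>` in this snippet places `<external-src-address>` directly under an elided `....`, whereas every later example (A.7 to A.9) shows the entry wrapped in `<mapping-entry>` with an `<index>` and a `<type>`; showing that wrapper here, e.g. `<mapping-table>` / `<mapping-entry>` / `<index>1</index>` before `<external-src-address>`, would make the first example consistent with the rest. Also, "in such case" in the lead-in sentence should read "in such a case".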
The following shows the XML excerpt depicting a dynamic UDP mapping The following shows the XML excerpt depicting a dynamic UDP mapping
entry maintained by a traditional NAPT44. In reference to this entry maintained by a traditional NAPT44. In reference to this
example, the UDP packet received with a source IPv4 address example, the UDP packet received with a source IPv4 address
(192.0.2.1) and source port number (1568) is translated into a UDP (192.0.2.1) and source port number (1568) is translated into a UDP
packet having a source IPv4 address (198.51.100.1) and source port packet having a source IPv4 address (198.51.100.1) and source port
(15000). The remaining lifetime of this mapping is 300 seconds. (15000). The remaining lifetime of this mapping is 300 seconds.
<mapping-entry> <mapping-entry>
<index>15</index> <index>15</index>
skipping to change at page 79, line 6 skipping to change at page 80, line 40
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. Carrier Grade NAT (CGN) A.2. Carrier Grade NAT (CGN)
The following XML snippet shows the example of the capabilities The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF. supported by a CGN as retrieved using NETCONF.
<capabilities <capabilities
<nat-flavor> <nat-flavor>napt44</nat-flavor>
napt44 <transport-protocols>
</nat-flavor> <protocol-id>1</protocol-id>
</transport-protocols>
<transport-protocols>
<protocol-id>6</protocol-id>
</transport-protocols>
<transport-protocols>
<protocol-id>17</protocol-id>
</transport-protocols>
<restricted-port-support> <restricted-port-support>
false false
</restricted-port-support> </restricted-port-support>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
true true
</port-range-allocation-support> </port-range-allocation-support>
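Review bot: the opening tag on the first line of this snippet, `<capabilities`, lacks its closing `>` in both columns, so the excerpt is not well-formed XML; it should be `<capabilities>`. The `<transport-protocols>` list added in -13 (`<protocol-id>` 1, 6 and 17) is a useful addition, but nothing on the page says what those numbers are; a short parenthetical in the lead-in sentence (ICMP, TCP and UDP) would help readers who do not have the protocol-number registry at hand.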
skipping to change at page 79, line 37 skipping to change at page 81, line 29
<address-roundrobin-support> <address-roundrobin-support>
true true
</address-roundrobin-support> </address-roundrobin-support>
<paired-address-pooling-support> <paired-address-pooling-support>
true true
</paired-address-pooling-support> </paired-address-pooling-support>
<endpoint-independent-mapping-support> <endpoint-independent-mapping-support>
true true
</endpoint-independent-mapping-support> </endpoint-independent-mapping-support>
<address-dependent-mapping-support> <address-dependent-mapping-support>
false true
</address-dependent-mapping-support> </address-dependent-mapping-support>
<address-and-port-dependent-mapping-support> <address-and-port-dependent-mapping-support>
false true
</address-and-port-dependent-mapping-support> </address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support> <endpoint-independent-filtering-support>
true true
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering> <address-dependent-filtering>
false true
</address-dependent-filtering> </address-dependent-filtering>
<address-and-port-dependent-filtering> <address-and-port-dependent-filtering>
false true
</address-and-port-dependent-filtering> </address-and-port-dependent-filtering>
</capabilities> </capabilities>
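Review bot: the two filtering leaves `<address-dependent-filtering>` and `<address-and-port-dependent-filtering>` lack the `-support` suffix that every other leaf in this snippet carries (`<endpoint-independent-filtering-support>`, `<address-dependent-mapping-support>`, and so on); if the module really names them this way the asymmetry should be fixed in the module, otherwise the example should use the `-support` form. Flipping the four mapping/filtering values from `false` to `true` is fine for an example CGN that lets the operator select any behaviour, but the lead-in sentence should say that this is the intent, since the previous version advertised endpoint-independent behaviour only.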
The following XML snippet shows the example of a CGN that is The following XML snippet shows the example of a CGN that is
provisioned with one contiguous pool of external IPv4 addresses provisioned with one contiguous pool of external IPv4 addresses
(198.51.100.0/24). Further, the CGN is instructed to limit the (198.51.100.0/24). Further, the CGN is instructed to limit the
number of allocated ports per subscriber to 1024. Ports can be number of allocated ports per subscriber to 1024. Ports can be
allocated by the CGN by assigning ranges of 256 ports (that is, a allocated by the CGN by assigning ranges of 256 ports (that is, a
subscriber can be allocated up to four port ranges of 256 ports subscriber can be allocated up to four port ranges of 256 ports
each). each).
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>myCGN</name> <name>myCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
<port-limit> <port-limit>
1024 1024
</port-limit> </port-limit>
<quota-type > <quota-type >
all all
</quota-type > </quota-type >
</port-quota> </port-quota>
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
256 256
</port-set-size> </port-set-size>
</port-set> </port-set>
.... ....
</instance> </instance>
</instances> </instances>
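Review bot: `<quota-type >` and `</quota-type >` carry a stray space before `>` in both columns; this is still well-formed XML, but no other tag on the page is written that way, so drop the space. The lead-in also does not say what the value `all` of `<quota-type>` means, while it does explain `<port-limit>` and `<port-set-size>`; one clause on that would make the example self-contained. The arithmetic itself is consistent: a `<port-limit>` of 1024 with a `<port-set-size>` of 256 gives the four ranges the text describes.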
An administrator may decide to allocate one single port range per An administrator may decide to allocate one single port range per
subscriber (port range of 1024 ports) as shown below: subscriber (e.g., port range of 1024 ports) as shown below:
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>myotherCGN</name> <name>myCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
<port-limit> <port-limit>
1024 1024
</port-limit> </port-limit>
<quota-type > <quota-type >
all all
</quota-type > </quota-type >
</port-quota> </port-quota>
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
1024 1024
</port-set-size> </port-set-size>
.... </port-set>
</port-set> ....
.... </instance>
</instance> </instances>
</instances>
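Review bot: the new "e.g." in the lead-in ("e.g., port range of 1024 ports") is misleading: with `<port-limit>` 1024 and `<port-set-size>` 1024 the single range is necessarily 1024 ports, so "i.e." (or simply dropping the parenthetical) is the right wording. Renaming the instance from `myotherCGN` to `myCGN` while keeping `<id>1</id>` makes this read as a reconfiguration of the same instance shown in the previous snippet, which fits "an administrator may decide"; that is fine as long as it is the intent.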
A.3. CGN Pass-Through A.3. CGN Pass-Through
Figure 1 illustrates an example of the CGN pass-through feature. Figure 1 illustrates an example of the CGN pass-through feature.
X1:x1 X1':x1' X2:x2 X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+ +---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S | | C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r | | i | | G | | r |
skipping to change at page 85, line 7 skipping to change at page 87, line 7
| 192.0.2.224/31 | 64:ff9b::/127 | | 192.0.2.224/31 | 64:ff9b::/127 |
+----------------+----------------------+ +----------------+----------------------+
Table 8: EAM Examples (RFC7757) Table 8: EAM Examples (RFC7757)
The following XML excerpt illustrates how these EAMs can be The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module: configured using the YANG NAT module:
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.1 192.0.2.1/32
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa:: 2001:db8:aaaa::/128
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.2/32 192.0.2.2/32
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:bbbb::b/128 2001:db8:bbbb::b/128
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
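Review bot: adding the prefix lengths (`192.0.2.1/32`, `2001:db8:aaaa::/128`) to the first EAM entry is a correctness fix rather than a cosmetic one: if `ipv4-prefix` and `ipv6-prefix` are typed as `inet:ipv4-prefix` and `inet:ipv6-prefix`, as their names suggest, a value without `/len` fails pattern validation. The entry now matches the second EAM (`192.0.2.2/32` / `2001:db8:bbbb::b/128`) and the Table 8 row visible above (`192.0.2.224/31` / `64:ff9b::/127`), both of which already carried lengths.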
skipping to change at page 86, line 23 skipping to change at page 88, line 23
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
true true
</port-range-allocation-support> </port-range-allocation-support>
<port-preservation-suport> <port-preservation-suport>
true true
</port-preservation-suport> </port-preservation-suport>
<port-parity-preservation-support>
false
</port-parity-preservation-support>
<address-roundrobin-support> <address-roundrobin-support>
true true
</address-roundrobin-support> </address-roundrobin-support>
<paired-address-pooling-support> <paired-address-pooling-support>
true true
</paired-address-pooling-support> </paired-address-pooling-support>
<endpoint-independent-mapping-support> <endpoint-independent-mapping-support>
true true
</endpoint-independent-mapping-support> </endpoint-independent-mapping-support>
<address-dependent-mapping-support>
false
</address-dependent-mapping-support>
<address-and-port-dependent-mapping-support>
false
</address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support> <endpoint-independent-filtering-support>
true true
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering>
false
</address-dependent-filtering>
<address-and-port-dependent-filtering>
false
</address-and-port-dependent-filtering>
</capabilities> </capabilities>
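Review bot: `<port-preservation-suport>` and `</port-preservation-suport>` are misspelled (missing "p" in "support") in both columns; since this must match the module's leaf name, fix the example to `port-preservation-support` and check the module for the same typo. The five leaves added in -13 (`port-parity-preservation-support`, the two `*-mapping-support` leaves and the two `*-filtering` leaves) bring this snippet in line with the CGN capabilities example in A.2, which is good; the two filtering leaves again lack the `-support` suffix the other leaves carry.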
A.7. Static Mappings with Port Ranges A.7. Static Mappings with Port Ranges
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1 and with source ports in the translate packets issued from 192.0.2.1 and with source ports in the
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>
<transport-protocol>6</transport-protocol> static
</type>
<transport-protocol>
6
</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1/32 192.0.2.1/32
</internal-src-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
100 100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
500 500
</end-port-number> </end-port-number>
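Review bot: the lead-in says "translate packets issued from 192.0.2.1", but the entry sets `<transport-protocol>` to 6, so it only matches TCP; say "TCP packets", as A.8 does for its 192.0.2.0/24 example, so that the prose and the XML agree. Splitting `<type>static</type>` and `<transport-protocol>6</transport-protocol>` over three lines each is only a layout change, but the page should settle on one style for all mapping-entry examples.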
skipping to change at page 88, line 7 skipping to change at page 90, line 7
... ...
</mapping-entry> </mapping-entry>
A.8. Static Mappings with IP Prefixes A.8. Static Mappings with IP Prefixes
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24. translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>
<transport-protocol>6</transport-protocol> static
</type>
<transport-protocol>
6
</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.0/24 192.0.2.0/24
</internal-src-address> </internal-src-address>
<external-src-address> <external-src-address>
198.51.100.0/24 198.51.100.0/24
</external-src-address> </external-src-address>
... ...
</mapping-entry> </mapping-entry>
A.9. Destination NAT A.9. Destination NAT
skipping to change at page 88, line 36 skipping to change at page 90, line 40
<dst-in-ip-pool> <dst-in-ip-pool>
192.0.2.1/32 192.0.2.1/32
</dst-in-ip-pool> </dst-in-ip-pool>
<dst-out-ip-pool> <dst-out-ip-pool>
198.51.100.1/32 198.51.100.1/32
</dst-out-ip-pool> </dst-out-ip-pool>
</dst-ip-address-pool> </dst-ip-address-pool>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
'192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
shows the static mapping to be configured on the NAT: shows the static mapping configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1568</index>
<type>static</type> <type>
<transport-protocol>6</transport-protocol> static
</type>
<transport-protocol>
6
</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1/32 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number>80</start-port-number> <start-port-number>
80
</start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1/32 198.51.100.1/32
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<start-port-number>8080</start-port-number> <start-port-number>
8080
</start-port-number>
</external-dst-port> </external-dst-port>
</mapping-entry> </mapping-entry>
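Review bot: the new `<index>1568</index>` reuses the number that A.1 uses as a source port ("source port number (1568)"), which invites confusion between a mapping index and a port value in a section that is entirely about ports; a neutral index would be clearer. Both ports in this entry are given as `<start-port-number>` alone, whereas A.7 shows `<start-port-number>` together with `<end-port-number>`; one sentence in the lead-in saying that a single port is expressed by the start port only would save the reader from wondering whether the end port was elided. Changing "the static mapping to be configured" to "the static mapping configured" is fine.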
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
'192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
traffic) to 198.51.100.2, the following XML snippet shows the static traffic) to 198.51.100.2, the following XML snippet shows the static
mappings to be configured on the NAT: mappings configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>123</index>
<type>static</type> <type>
<transport-protocol>6</transport-protocol> static
</type>
<transport-protocol>
6
</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1/32 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number> <start-port-number>
80 80
</start-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1/32 198.51.100.1/32
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
<mapping-entry> <mapping-entry>
<index>2</index> <index>1236</index>
<type>static</type> <type>
static
</type>
<transport-protocol> <transport-protocol>
6 6
</transport-protocol> </transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1/32 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number> <start-port-number>
22 22
</start-port-number> </start-port-number>
skipping to change at page 91, line 13 skipping to change at page 93, line 15
provided hereafter: provided hereafter:
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
Instead of providing an external IP address to share, the NAT may be Instead of providing an external IP address to share, the NAT may be
configured with static mapping entries that modifies the internal IP configured with static mapping entries that modify the internal IP
address and/or port number. address and/or port number.
A.10. Customer-side Translator (CLAT) A.10. Customer-side Translator (CLAT)
The following XML snippet shows the example of a CLAT that is The following XML snippet shows the example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
skipping to change at page 91, line 40 skipping to change at page 93, line 42
<ipv4-prefix> <ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</ipv4-prefix> </ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:1234::/96 2001:db8:1234::/96
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A.11. IPv6 Network Prefix Translation (NPTv6)
Let's consider the example of an NPTv6 translator that should rewrite
packets with the source prefix (fd03:c03a:ecab::/48) with the
external prefix (2001:db8:1::/48). The internal interface is "eth0"
while the external interface is "eth1" (Figure 2).
External Network: Prefix = 2001:db8:1::/48
--------------------------------------
|
|eth1
+-------------+
eth4| NPTv6 |eth2
...-----| |------...
+-------------+
|eth0
|
--------------------------------------
Internal Network: Prefix = fd03:c03a:ecab::/48
Figure 2: Example of NPTv6
The XML snippet to configure NPTv6 prefixes in such case is depicted
below:
<nptv6-prefixes>
<internal-ipv6-prefix>
fd03:c03a:ecab::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:1::/48
</external-ipv6-prefix>
</nptv6-prefixes>
...
<external-realm>
<external-interface>
eth1
</external-interface>
</external-realm>
Figure 3 shows an example of an NPTv6 translator that interconnects
two internal networks (fd03:c03a:ecab::/48 and fda8:d5cb:14f3::/48);
each is translated using a dedicated prefix (2001:db8:1::/48 and
2001:db8:6666::/48, respectively).
Internal Prefix = fda8:d5cb:14f3::/48
--------------------------------------
V | External Prefix
V |eth1 2001:db8:1::/48
V +---------+ ^
V | NPTv6 | ^
V | | ^
V +---------+ ^
External Prefix |eth0 ^
2001:db8:6666::/48 | ^
--------------------------------------
Internal Prefix = fd03:c03a:ecab::/48
Figure 3: Connecting two Peer Networks
To that aim, the following configuration is provided to the NPTv6
translator:
<policy>
<id>1</id>
<nptv6-prefixes>
<internal-ipv6-prefix>
fd03:c03a:ecab::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:1::/48
</external-ipv6-prefix>
</nptv6-prefixes>
<external-realm>
<external-interface>
eth1
</external-interface>
</external-realm>
</policy>
<policy>
<id>2</id>
<nptv6-prefixes>
<internal-ipv6-prefix>
fda8:d5cb:14f3::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:6666::/48
</external-ipv6-prefix>
</nptv6-prefixes>
<external-realm>
<external-interface>
eth0
</external-interface>
</external-realm>
</policy>
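Review bot: Figure 2 shows two interfaces, `eth4` and `eth2`, that the text never mentions (only `eth0` and `eth1` are described, and the first snippet names only `eth1` as the external interface); either drop them or say what they attach to. That first snippet also lists `<nptv6-prefixes>` and `<external-realm>` as loose siblings separated by `...`, whereas the two-network example wraps the same elements in `<policy>` with an `<id>`; wrapping the first example the same way would make the two consistent. The lead-in describes only source-prefix rewriting ("rewrite packets with the source prefix ... with the external prefix"); NPTv6 [RFC6296] is a two-way stateless mapping, so a sentence noting that inbound packets have their destination prefix `2001:db8:1::/48` mapped back to `fd03:c03a:ecab::/48` would complete the description. In the Figure 3 configuration each policy's `<external-interface>` is the interface facing the other network (`eth1` for policy 1, `eth0` for policy 2), which matches the figure but is worth stating explicitly, since "external" is relative here.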
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair (editor)
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Senthil Sivakumar Senthil Sivakumar
Cisco Systems Cisco Systems
7100-8 Kit Creek Road 7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
 End of changes. 87 change blocks. 
496 lines changed or deleted 680 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/