draft-ietf-opsawg-nat-yang-13.txt   draft-ietf-opsawg-nat-yang-14.txt 
Network Working Group                                   M. Boucadair, Ed.
Internet-Draft                                                     Orange
Intended status: Standards Track                             S. Sivakumar
Expires: September 24, 2018                                 Cisco Systems
                                                             C. Jacquenet
                                                                   Orange
                                                            S. Vinapamula
                                                         Juniper Networks
                                                                    Q. Wu
                                                                   Huawei
                                                           March 23, 2018

   A YANG Module for Network Address Translation (NAT) and Network Prefix
                             Translation (NPT)
                     draft-ietf-opsawg-nat-yang-14
Abstract

   For the sake of network automation, and the need for programming the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential. This
   document defines a YANG module for the NAT function.

   Network Address Translation from IPv4 to IPv4 (NAT44), Network
   Address and Protocol Translation from IPv6 Clients to IPv4 Servers
   (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
   Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
   Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and
   Destination NAT are covered in this document.
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
   Network Prefix Translation (NPT)"

   "reference: RFC XXXX"

   Please update the "revision" date of the YANG module.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 24, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Overview of the NAT YANG Data Model  . . . . . . . . . . . .   5
     2.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Various Translation Flavors  . . . . . . . . . . . . . .   6
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . .   8
     2.4.  Other Transport Protocols  . . . . . . . . . . . . . . .   8
     2.5.  IP Addresses Used for Translation  . . . . . . . . . . .   8
     2.6.  Port Set Assignment  . . . . . . . . . . . . . . . . . .   8
     2.7.  Port-Restricted IP Addresses . . . . . . . . . . . . . .   9
     2.8.  NAT Mapping Entries  . . . . . . . . . . . . . . . . . .   9
     2.9.  Resource Limits  . . . . . . . . . . . . . . . . . . . .  12
     2.10. Binding the NAT Function to an External Interface  . . .  15
     2.11. Relationship to NATV2-MIB  . . . . . . . . . . . . . . .  15
     2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . .  16
   3.  NAT YANG Module  . . . . . . . . . . . . . . . . . . . . . .  22
   4.  Security Considerations  . . . . . . . . . . . . . . . . . .  72
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .  73
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  74
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . .  74
     7.1.  Normative References . . . . . . . . . . . . . . . . . .  74
     7.2.  Informative References . . . . . . . . . . . . . . . . .  77
   Appendix A.  Sample Examples . . . . . . . . . . . . . . . . . .  78
     A.1.  Traditional NAT44  . . . . . . . . . . . . . . . . . . .  79
     A.2.  Carrier Grade NAT (CGN)  . . . . . . . . . . . . . . . .  80
     A.3.  CGN Pass-Through . . . . . . . . . . . . . . . . . . . .  83
     A.4.  NAT64  . . . . . . . . . . . . . . . . . . . . . . . . .  84
     A.5.  Stateless IP/ICMP Translation (SIIT) . . . . . . . . . .  84
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT) . . . . . . . . . . . . . . . . .  85
     A.7.  Static Mappings with Port Ranges . . . . . . . . . . . .  88
     A.8.  Static Mappings with IP Prefixes . . . . . . . . . . . .  89
     A.9.  Destination NAT  . . . . . . . . . . . . . . . . . . . .  90
     A.10. Customer-side Translator (CLAT)  . . . . . . . . . . . .  93
   [...]
   Destination NAT. The full set of translation schemes that are in
   scope is included in Section 2.2.

   Sample examples are provided in Appendix A. These examples are not
   intended to be exhaustive.
1.1.  Terminology

   This document makes use of the following terms:

   o  Basic Network Address Translation from IPv4 to IPv4 (NAT44):
      translation is limited to IP addresses alone (Section 2.1 of
      [RFC3022]).

   o  Network Address/Port Translator (NAPT): translation in NAPT is
      extended to include IP addresses and transport identifiers (such
      as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of
      [RFC3022]. A NAPT may use an extra identifier, in addition to the
      transport five-tuple, to disambiguate bindings [RFC6619].

   o  Destination NAT: is a translation that acts on the destination IP
      address and/or destination port number. This flavor is usually
      deployed in load balancers or at devices in front of public
   [...]
   o  Static explicit mapping: is created using, e.g., a CLI interface.
      This mapping is likely to be maintained by the NAT function until
      an explicit action is executed to remove it.

   The usage of the term NAT in this document refers to any translation
   flavor (NAT44, NAT64, etc.) indifferently.

   This document uses the term "session" as defined in [RFC2663] and,
   for NAT64, in [RFC6146].

   This document follows the guidelines of [RFC6087], uses the common
   YANG types defined in [RFC6991], and adopts the Network Management
   Datastore Architecture (NMDA). The meaning of the symbols in tree
   diagrams is defined in [RFC8340].
2.  Overview of the NAT YANG Data Model

2.1.  Overview

   The NAT YANG module is designed to cover dynamic implicit mappings
   and static explicit mappings. The required functionality to instruct
   dynamic explicit mappings is defined in separate documents such as
   [I-D.boucadair-pcp-yang]. Considerations about instructing explicit
   dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
   [...]
   The NAT YANG module allows for a NAT instance to be provided with
   multiple NAT policies (/nat/instances/instance/policy). The document
   does not make any assumption about how flows are associated with a
   given NAT policy of a given NAT instance. Classification filters are
   out of scope.

   Defining multiple NAT instances or configuring multiple NAT policies
   within one single NAT instance is implementation- and deployment-
   specific.

   This YANG module provides a method to instruct a NAT function to
   enable the logging feature (Section 2.3 of [RFC6908] and REQ-12 of
   [RFC6888]). Nevertheless, configuration parameters specific to
   logging protocols are out of the scope of this document.
2.2.  Various Translation Flavors

   The following translation modes are supported:

   o  Basic NAT44

   o  NAPT

   o  Destination NAT

   o  Port-restricted NAT

   o  Stateful NAT64 (including with destination-based Pref64::/n
   [...]
   o  Combination of NAT64 and EAM: This mode corresponds to configuring
      static mappings for NAT64.

   o  Stateful and stateless NAT64: A NAT64 implementation can be
      instructed to behave in the stateless mode for a given prefix by
      setting the parameter (nat64-prefixes/stateless-enable). A NAT64
      implementation may behave in both stateful and stateless modes if,
      in addition to appropriately setting the parameter (nat64-
      prefixes/stateless-enable), an external IPv4 address pool is
      configured.

   The NAT YANG module provides a method to retrieve the capabilities of
   a NAT instance (including the list of supported translation modes,
   the list of supported protocols, port restriction support status,
   supported NAT mapping types, supported NAT filtering types, port
   range allocation support status, port parity preservation support
   status, port preservation support status, and the behavior for
   handling fragments (all, out-of-order, in-order)).
2.3.  TCP/UDP/ICMP NAT Behavioral Requirements

   This document assumes NAT behavioral recommendations for UDP
   [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default.
   Furthermore, the NAT YANG module relies upon the recommendations
   detailed in [RFC6888] and [RFC7857].
2.4.  Other Transport Protocols

   The module is structured to support protocols other than UDP, TCP,
   and ICMP. The mapping table is designed so that it can indicate any
   transport protocol. For example, this module may be used to manage a
   DCCP-capable NAT that adheres to [RFC5597].

   Future extensions may be needed to cover NAT-related considerations
   that are specific to other transport protocols such as SCTP
   [I-D.ietf-tsvwg-natsupp]. Typically, the mapping entry can be
   extended to record two optional SCTP-specific parameters: Internal
   Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).
   Also, the module allows the operator to enable translation for these
   protocols when required (/nat/instances/instance/policy/transport-
   protocols).
2.5.  IP Addresses Used for Translation

   The NAT YANG module assumes that blocks of external IP addresses
   (external-ip-address-pool) can be provisioned to the NAT function.
   These blocks may be contiguous or not.

   This behavior is aligned with [RFC6888], which specifies that a NAT
   function should not have any limitations on the size or the
   contiguity of the external address pool. In particular, the NAT
   [...]
   external IPv4 address ranges. To accommodate traditional NAT, the
   module allows for a single IP address to be configured for external-
   ip-address-pool.

   Likewise, one or multiple IP address pools may be configured for
   Destination NAT (dst-ip-address-pool).
2.6.  Port Set Assignment

   Port numbers can be assigned by a NAT individually (that is, a single
   port is assigned on a per session basis), but this port allocation
   scheme may not be optimal for logging purposes (Section 12 of
   [RFC6269]). A NAT function should be able to assign port sets (e.g.,
   [RFC7753]) to optimize the volume of the logging data (REQ-14 of
   [RFC6888]). Both allocation schemes are supported in the NAT YANG
   module.

   When port set assignment is activated (i.e., port-allocation-
   type==port-range-allocation), the NAT can be provided with the size
   of the port set to be assigned (port-set-size).
2.7.  Port-Restricted IP Addresses

   Some NATs restrict the source port numbers (e.g., Lightweight 4over6
   [RFC7596], MAP-E [RFC7597]). Two schemes of port set assignments
   (port-set-restrict) are supported in this document:

   o  Simple port range: is defined by two port values, the start and
      the end of the port range [RFC8045].

   o  Algorithmic: an algorithm is defined in [RFC7597] to characterize
      the set of ports that can be used.
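   The two port-set schemes above, worked as an added example that is
   not part of the draft or its YANG module. The function and parameter
   names are this example's own; the bit layout of the algorithmic
   scheme follows Section 5.1 of RFC 7597 (port = A | PSID | M, with the
   default 6-bit offset excluding the system ports), and the inverse
   function is what a NAT or a log consumer would use to attribute a
   source port seen on the wire back to a PSID.

```python
"""Port-set computation for port-restricted NAT (Section 2.7): the simple
start/end range of RFC 8045 and the algorithmic PSID scheme of RFC 7597.
Added example; not code from the draft. Names are this example's own."""


def map_port_set(psid, psid_len, offset=6):
    """Sorted list of ports owned by `psid` under RFC 7597 Section 5.1.

    A 16-bit port is laid out as | A (offset bits) | PSID (psid_len bits) | M |
    with m = 16 - offset - psid_len contiguous ports per A value.  When
    offset > 0 the value A = 0 is excluded, so the system ports
    0 .. 2**(16-offset) - 1 are never assigned to any subscriber.
    """
    if not 0 <= offset <= 16 or not 0 <= psid_len <= 16 - offset:
        raise ValueError("offset and psid_len must fit in 16 bits")
    if psid >= 1 << psid_len:
        raise ValueError("psid does not fit in psid_len bits")
    m = 16 - offset - psid_len
    first_a = 1 if offset > 0 else 0
    ports = []
    for a in range(first_a, 1 << offset):
        base = (a << (psid_len + m)) | (psid << m)
        ports.extend(range(base, base + (1 << m)))
    return ports


def psid_of_port(port, psid_len, offset=6):
    """Inverse of map_port_set: the PSID a port belongs to, or None for an
    excluded system port.  Useful for attributing logged ports to a CE."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    if offset > 0 and port < (1 << (16 - offset)):
        return None
    m = 16 - offset - psid_len
    return (port >> m) & ((1 << psid_len) - 1)


def in_simple_range(port, start, end):
    """Membership test for the 'simple port range' scheme (inclusive)."""
    if not 0 <= start <= end <= 0xFFFF:
        raise ValueError("invalid port range")
    return start <= port <= end


if __name__ == "__main__":
    # 4-bit PSID, default offset: 16 subscribers share one IPv4 address,
    # each holding 63 runs of 64 ports (4032 ports), none below 1024.
    ports = map_port_set(3, 4)
    print(len(ports), ports[0], ports[-1], psid_of_port(ports[0], 4))
```

   With a 4-bit PSID and the default offset each of the 16 subscribers
   sharing an address receives 4032 ports spread over 63 disjoint runs
   of 64, so a logging system only needs the (address, PSID) pair rather
   than one record per port; the `psid_of_port` direction is the one an
   abuse-handling desk runs against a logged source port.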
2.8.  NAT Mapping Entries

   A TCP/UDP mapping entry maintains an association between the
   [...]
   an internal host when sending a packet to a remote host.

   external-dst-address:  Indicates the destination IP address/prefix
      used by a NAT when processing a packet issued by an internal host
      towards a remote host.

   external-dst-port:  Indicates the destination port number used by a
      NAT when processing a packet issued by an internal host towards a
      remote host.

   In order to cover both NAT64 and NAT44 flavors, the NAT mapping
   structure allows for the inclusion of an IPv4 or an IPv6 address as
   an internal IP address. Remaining fields are common to both NAT
   schemes.

   For example, the mapping that will be created by a NAT64 upon receipt
   of a TCP SYN from source address 2001:db8:aaaa::1 and source port
   number 25636 to destination IP address 2001:db8:1234::198.51.100.1
   and destination port number 8080 is shown in Table 2. This example
   assumes EDM (Endpoint-Dependent Mapping).
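   The NAT64 mapping creation described above, as an added example that
   is not the draft's code. The external IPv4 pool address, the port
   allocator and the record field names other than external-dst-address
   and external-dst-port are assumptions of this example; the IPv4
   extraction follows RFC 6052 for a /96 Pref64::/n. The example also
   shows why the EDM assumption matters for the mapping table: under
   Endpoint-Independent Mapping a second flow from the same internal
   source port would reuse the first entry instead of creating its own.

```python
"""NAT64 mapping entry creation for the Section 2.8 example, under EDM.
Added example, not the draft's code.  Assumed: the Pref64::/96, the single
external IPv4 address, the sequential port allocator, and the field names
other than external-dst-address / external-dst-port."""
import ipaddress

PREF64 = ipaddress.IPv6Network("2001:db8:1234::/96")  # assumed NAT64 prefix
EXTERNAL_POOL = [ipaddress.IPv4Address("192.0.2.1")]  # assumed, constructed


def extract_ipv4(v6):
    """RFC 6052 address extraction for a /96 prefix: the embedded IPv4
    address is the low 32 bits.  Rejects destinations outside Pref64."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in PREF64:
        raise ValueError(f"{v6} is not inside {PREF64}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


class Nat64:
    def __init__(self, edm=True):
        self.edm = edm          # EDM: key includes the remote endpoint
        self.table = {}         # mapping key -> mapping entry
        self._next_port = 1024  # assumed allocator: first non-system port up

    def _key(self, proto, src, sport, dst, dport):
        if self.edm:
            return (proto, src, sport, dst, dport)
        return (proto, src, sport)  # EIM: one external port per internal endpoint

    def outbound(self, proto, src, sport, dst, dport):
        """Return the mapping used for an internal -> external packet,
        creating it (as a NAT64 would on a TCP SYN) when none exists."""
        key = self._key(proto, src, sport, dst, dport)
        if key not in self.table:
            ext_port = self._next_port
            self._next_port += 1
            self.table[key] = {
                "transport-protocol": proto,
                "internal-src-address": ipaddress.IPv6Address(src),
                "internal-src-port": sport,
                "internal-dst-address": ipaddress.IPv6Address(dst),
                "internal-dst-port": dport,
                "external-src-address": EXTERNAL_POOL[0],
                "external-src-port": ext_port,
                "external-dst-address": extract_ipv4(dst),  # 198.51.100.1
                "external-dst-port": dport,
            }
        return self.table[key]


if __name__ == "__main__":
    nat = Nat64()
    entry = nat.outbound(6, "2001:db8:aaaa::1", 25636,
                         "2001:db8:1234::198.51.100.1", 8080)
    for field, value in entry.items():
        print(f"{field:22} {value}")
```

   Run stand-alone, the block prints one line per mapping field for the
   draft's example flow; the external-dst-address line shows the IPv4
   address recovered from the Pref64-embedded destination.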
   +-----------------------+-------------------------------------------+
   | Mapping Entry         | Value                                     |
   [...]
   Table 5 lists the various limits that can be set using the NAT YANG
   module. Once a limit is reached, packets that would normally trigger
   new port mappings, or that would be translated because they match
   existing mappings, are dropped by the translator.

   +-------------------+-----------------------------------------------+
   | Limit             | Description                                   |
   +-------------------+-----------------------------------------------+
   | port-quota        | Specifies a port quota to be assigned per     |
   |                   | subscriber. It corresponds to the maximum     |
   |                   | number of ports to be used by a subscriber.   |
   |                   | The port quota can be configured to apply to  |
   |                   | all protocols or to a specific protocol.      |
   |                   | Distinct port quotas may be configured per    |
   |                   | protocol.                                     |
   +-------------------+-----------------------------------------------+
   | fragments-limit   | In order to prevent denial of service attacks |
   |                   | that can be caused by fragments, this         |
   |                   | parameter is used to limit the number of out- |
   |                   | of-order fragments that can be handled by a   |
   |                   | translator.                                   |
   +-------------------+-----------------------------------------------+
   | mapping-limits    | This parameter can be used to control the     |
   |                   | maximum number of subscribers that can be     |
   |                   | serviced by a NAT instance (limit-subscriber) |
   |                   | and the maximum number of address and/or port |
   |                   | mappings that can be maintained by a NAT      |
   |                   | instance (limit-address-mappings and limit-   |
   |                   | port-mappings). Limits specific to protocols  |
   |                   | (e.g., TCP, UDP, ICMP) can also be specified  |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+
   | connection-limits | In order to prevent exhausting the resources  |
   |                   | of a NAT implementation and to ensure fair    |
   |                   | usage among subscribers, various rate-limits  |
   |                   | can be specified. Rate-limiting can be        |
   |                   | enforced per subscriber (limit-subscriber),   |
   |                   | per NAT instance (limit-per-instance), and/or |
   |                   | be specified for each supported protocol      |
   |                   | (limit-per-protocol).                         |
   +-------------------+-----------------------------------------------+

                           Table 5: NAT Limits
   Table 6 describes limits that, once crossed, will trigger
   notifications to be generated:

   +--------------------------+----------------------------------------+
   | Notification Threshold   | Description                            |
   +--------------------------+----------------------------------------+
   | high-threshold           | Used to notify high address            |
   |                          | utilization of a given pool. When      |
   |                          | exceeded, a nat-pool-event             |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | low-threshold            | Used to notify low address utilization |
   |                          | of a given pool. An administrator is   |
   |                          | supposed to configure low-threshold so |
   |                          | that it can reflect an abnormal usage  |
   |                          | of NAT resources. When crossed, a      |
   |                          | nat-pool-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-addresses-usage   | Used to notify high address            |
   |                          | utilization of all pools configured to |
   |                          | a NAT instance. When exceeded, a nat-  |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+
   | notify-ports-usage       | Used to notify high port allocation    |
   |                          | taking into account all pools          |
   |                          | configured to a NAT instance. When     |
   |                          | exceeded, a nat-instance-event         |
   |                          | notification will be generated.        |
   +--------------------------+----------------------------------------+
   | notify-subscribers-limit | Used to notify a high number of active |
   |                          | subscribers that are serviced by a NAT |
   |                          | instance. When exceeded, a nat-        |
   |                          | instance-event notification will be    |
   |                          | generated.                             |
   +--------------------------+----------------------------------------+

                     Table 6: Notification Thresholds
In order to prevent from generating frequent notifications, the NAT In order to prevent a NAT implementation from generating frequent
YANG module supports the following limits (Table 7) used to control notifications, the NAT YANG module supports the following limits
how frequent notifications can be generated. That is, notifications (Table 7) used to control how frequent notifications can be
are subject to rate-limiting imposed by these intervals. generated. That is, notifications are subject to rate-limiting
imposed by these intervals.
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| Interval | Description | | Interval | Description |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| notify-pool-usage/notify-interval | Indicates the minimum | | notify-pool-usage/notify-interval | Indicates the minimum |
| | number of seconds between | | | number of seconds between |
| | successive | | | successive notifications |
| | notifications for a given | | | for a given address pool. |
| | address pool. |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
| notification-limits/notify-interval | Indicates the minimum | | notification-limits/notify-interval | Indicates the minimum |
| | number of seconds between | | | number of seconds between |
| | successive | | | successive notifications |
| | notifications for a NAT | | | for a NAT instance. |
| | instance. |
+-------------------------------------+-----------------------------+ +-------------------------------------+-----------------------------+
Table 7: Notification Intervals Table 7: Notification Intervals
2.10. Binding the NAT Function to an External Interface 2.10. Binding the NAT Function to an External Interface
The module is designed to specify an external realm on which the NAT The module is designed to specify an external realm on which the NAT
function must be applied (external-realm). The module supports function must be applied (external-realm). The module supports
indicating an interface as an external realm, but the module is indicating an interface as an external realm [RFC8343], but the
extensible so that other choices can be indicated in the future module is extensible so that other choices can be indicated in the
(e.g., Virtual Routing and Forwarding (VRF) instance). future (e.g., Virtual Routing and Forwarding (VRF) instance).
Distinct external realms can be provided as a function of the NAT Distinct external realms can be provided as a function of the NAT
policy (see for example, Section 4 of [RFC7289]). policy (see for example, Section 4 of [RFC7289]).
If no external realm is provided, this assumes that the system is If no external realm is provided, this assumes that the system is
able to determine the external interface (VRF instance, etc.) on able to determine the external interface (VRF instance, etc.) on
which the NAT will be applied. Typically, the WAN and LAN interfaces which the NAT will be applied. Typically, the WAN and LAN interfaces
of a CPE are determined by the CPE. of a CPE are determined by the CPE.
2.11. Relationship to NATV2-MIB 2.11. Relationship to NATV2-MIB
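Review bot: In the low-threshold row of Table 6, both columns keep "When exceeded, a nat-pool-event notification will be generated", which is ambiguous for a low-watermark threshold; for a lower bound the event should fire when pool utilization drops below the configured value, so suggest wording such as "When utilization falls below this threshold, a nat-pool-event notification will be generated" to avoid implementations triggering on the wrong crossing direction. For Table 7, the text states that notifications "are subject to rate-limiting imposed by these intervals" but does not say what applies when no notify-interval is configured; stating the default (no rate-limiting, or a default minimum interval) would make the behaviour under a misconfigured or unset interval unambiguous.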
skipping to change at page 22, line 37 skipping to change at page 22, line 34
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2018-02-23.yang" <CODE BEGINS> file "ietf-nat@2018-02-23.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types {
import ietf-yang-types { prefix yang; } prefix inet;
import ietf-interfaces { prefix if; } reference
"Section 4 of RFC 6991";
}
import ietf-yang-types {
prefix yang;
reference
"Section 3 of RFC 6991";
}
import ietf-interfaces {
prefix if;
reference
"RFC 8343: A YANG Data Model for Interface Management";
}
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com> <mailto:mohamed.boucadair@orange.com>
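Review bot: The module text changes in this hunk (reference substatements added to all three import statements) while the file name in the CODE BEGINS line stays "ietf-nat@2018-02-23.yang" in both columns; the date in a YANG file name is the module's latest revision date, so confirm that the revision statement in the module body was bumped to match this revision and that the file name is updated accordingly, otherwise two different module contents will carry the same revision identifier.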
skipping to change at page 72, line 17 skipping to change at page 72, line 23
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and
[RFC7757]. [RFC7757].
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS [RFC5246]. mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF access control model [RFC6536] provides the means to The NETCONF access control model [RFC8341] provides the means to
restrict access for particular NETCONF or RESTCONF users to a restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content. operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default) are modified and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
network operations. The NAT YANG module allows to set parameters to network operations. The NAT YANG module provides a method to set
prevent a user from aggressively using NAT resources (port-quota), parameters to prevent a user from aggressively using NAT resources
rate-limit connections as a guard against Denial-of-Service, or to (port-quota), rate-limit connections as a guard against Denial-of-
enable notifications so that appropriate measures are enforced to Service, or to enable notifications so that appropriate measures are
anticipate traffic drops. Nevertheless, an attacker who is able to enforced to anticipate traffic drops. Nevertheless, an attacker who
access to the NAT can undertake various attacks, such as: is able to access the NAT can undertake various attacks, such as:
o Set a high or low resource limit to cause a DoS attack: o Set a high or low resource limit to cause a DoS attack:
* /nat/instances/instance/policy/port-quota * /nat/instances/instance/policy/port-quota
* /nat/instances/instance/policy/fragments-limit * /nat/instances/instance/policy/fragments-limit
* /nat/instances/instance/mapping-limits * /nat/instances/instance/mapping-limits
* /nat/instances/instance/connection-limits * /nat/instances/instance/connection-limits
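Review bot: The NACM paragraph correctly moves to [RFC8341] (which obsoletes RFC 6536), but the list of nodes whose misuse causes a DoS (port-quota, fragments-limit, mapping-limits, connection-limits) is not tied back to that access control model; suggest adding a sentence that write access to these nodes should be restricted by NACM rules to administrator roles, and that operators should rely on the notifications described earlier in the document to detect an unexpected change in the configured limits.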
skipping to change at page 74, line 7 skipping to change at page 74, line 12
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950].
name: ietf-nat name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing, Tianran Zhou, and Tom Petch for the review. Many thanks to Dan Wing, Tianran Zhou, Tom Petch, and Warren Kumari
for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
skipping to change at page 75, line 33 skipping to change at page 75, line 38
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>. <https://www.rfc-editor.org/info/rfc6296>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface Operation of Address Translators with Per-Interface
Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012,
<https://www.rfc-editor.org/info/rfc6619>. <https://www.rfc-editor.org/info/rfc6619>.
[RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT: [RFC6877] Mawatari, M., Kawashima, M., and C. Byrne, "464XLAT:
Combination of Stateful and Stateless Translation", Combination of Stateful and Stateless Translation",
RFC 6877, DOI 10.17487/RFC6877, April 2013, RFC 6877, DOI 10.17487/RFC6877, April 2013,
<https://www.rfc-editor.org/info/rfc6877>. <https://www.rfc-editor.org/info/rfc6877>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I.
Farrer, "Lightweight 4over6: An Extension to the Dual- Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>. July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597, Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015, DOI 10.17487/RFC7597, July 2015,
<https://www.rfc-editor.org/info/rfc7597>. <https://www.rfc-editor.org/info/rfc7597>.
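Review bot: Dropping [RFC6536] from the normative references and adding [RFC6991] is consistent with the replacement by [RFC8341] in the Security Considerations and with the new "reference" substatements on the ietf-inet-types and ietf-yang-types imports; suggest a final check that no remaining body text still cites [RFC6536], since that would leave a dangling citation after this removal.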
skipping to change at page 76, line 40 skipping to change at page 76, line 44
<https://www.rfc-editor.org/info/rfc7915>. <https://www.rfc-editor.org/info/rfc7915>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>. <https://www.rfc-editor.org/info/rfc8040>.
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8343] Bjorklund, M., "A YANG Data Model for Interface
Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
<https://www.rfc-editor.org/info/rfc8343>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-06 (work in progress),
February 2018.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf-
softwire-dslite-yang-14 (work in progress), January 2018. softwire-dslite-yang-15 (work in progress), February 2018.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
skipping to change at page 77, line 32 skipping to change at page 77, line 40
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT)
Behavioral Requirements for the Datagram Congestion Behavioral Requirements for the Datagram Congestion
Control Protocol", BCP 150, RFC 5597, Control Protocol", BCP 150, RFC 5597,
DOI 10.17487/RFC5597, September 2009, DOI 10.17487/RFC5597, September 2009,
<https://www.rfc-editor.org/info/rfc5597>. <https://www.rfc-editor.org/info/rfc5597>.
[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
January 2011, <https://www.rfc-editor.org/info/rfc6087>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
skipping to change at page 78, line 34 skipping to change at page 78, line 44
[RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T., [RFC7753] Sun, Q., Boucadair, M., Sivakumar, S., Zhou, C., Tsou, T.,
and S. Perreault, "Port Control Protocol (PCP) Extension and S. Perreault, "Port Control Protocol (PCP) Extension
for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753, for Port-Set Allocation", RFC 7753, DOI 10.17487/RFC7753,
February 2016, <https://www.rfc-editor.org/info/rfc7753>. February 2016, <https://www.rfc-editor.org/info/rfc7753>.
[RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
"RADIUS Extensions for IP Port Configuration and "RADIUS Extensions for IP Port Configuration and
Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017,
<https://www.rfc-editor.org/info/rfc8045>. <https://www.rfc-editor.org/info/rfc8045>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
Appendix A. Sample Examples Appendix A. Sample Examples
This section provides a non-exhaustive set of examples to illustrate This section provides a non-exhaustive set of examples to illustrate
the use of the NAT YANG module. the use of the NAT YANG module.
A.1. Traditional NAT44 A.1. Traditional NAT44
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
same IPv4 address among hosts that are owned by the same subscriber. same IPv4 address among hosts that are owned by the same subscriber.
This is typically the NAT that is embedded in CPE devices. This is typically the NAT that is embedded in CPE devices.
 End of changes. 45 change blocks. 
120 lines changed or deleted 148 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/