draft-ietf-opsawg-nat-yang-14.txt   draft-ietf-opsawg-nat-yang-15.txt 
Network Working Group M. Boucadair, Ed. Network Working Group M. Boucadair, Ed.
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: September 24, 2018 Cisco Systems Expires: December 29, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
March 23, 2018 June 27, 2018
A YANG Module for Network Address Translation (NAT) and Network Prefix A YANG Module for Network Address Translation (NAT) and Network Prefix
Translation (NPT) Translation (NPT)
draft-ietf-opsawg-nat-yang-14 draft-ietf-opsawg-nat-yang-15
Abstract Abstract
For the sake of network automation and the need for programming This document defines a YANG module for the Network Address
Network Address Translation (NAT) function in particular, a data Translation (NAT) function.
model for configuring and managing the NAT is essential. This
document defines a YANG module for the NAT function.
Network Address Translation from IPv4 to IPv4 (NAT44), Network Network Address Translation from IPv4 to IPv4 (NAT44), Network
Address and Protocol Translation from IPv6 Clients to IPv4 Servers Address and Protocol Translation from IPv6 Clients to IPv4 Servers
(NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and
Destination NAT are covered in this document. Destination NAT are covered in this document.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Please update these statements with the RFC number to be assigned to Please update these statements within the document with the RFC
this document: number to be assigned to this document:
"This version of this YANG module is part of RFC XXXX;" "This version of this YANG module is part of RFC XXXX;"
"RFC XXXX: A YANG Module for Network Address Translation (NAT) and "RFC XXXX: A YANG Module for Network Address Translation (NAT) and
Network Prefix Translation (NPT)" Network Prefix Translation (NPT)"
"reference: RFC XXXX" "reference: RFC XXXX"
Please update the "revision" date of the YANG module. Please update the "revision" date of the YANG module.
skipping to change at page 2, line 20 skipping to change at page 2, line 15
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 24, 2018. This Internet-Draft will expire on December 29, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6
2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 8 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 8 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 9 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 9 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12
2.10. Binding the NAT Function to an External Interface . . . . 15 2.10. Binding the NAT Function to an External Interface . . . . 15
2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15
2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22
4. Security Considerations . . . . . . . . . . . . . . . . . . . 72 4. Security Considerations . . . . . . . . . . . . . . . . . . . 71
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 73
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.1. Normative References . . . . . . . . . . . . . . . . . . 74 7.1. Normative References . . . . . . . . . . . . . . . . . . 74
7.2. Informative References . . . . . . . . . . . . . . . . . 77 7.2. Informative References . . . . . . . . . . . . . . . . . 76
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 79 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 78
A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80 A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84
A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84 A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84
A.6. Explicit Address Mappings for Stateless IP/ICMP A.6. Explicit Address Mappings for Stateless IP/ICMP
Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85 Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85
A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88 A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88
A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89 A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89
A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90 A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90
A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93 A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93
skipping to change at page 6, line 9 skipping to change at page 5, line 47
The NAT YANG module allows for a NAT instance to be provided with The NAT YANG module allows for a NAT instance to be provided with
multiple NAT policies (/nat/instances/instance/policy). The document multiple NAT policies (/nat/instances/instance/policy). The document
does not make any assumption about how flows are associated with a does not make any assumption about how flows are associated with a
given NAT policy of a given NAT instance. Classification filters are given NAT policy of a given NAT instance. Classification filters are
out of scope. out of scope.
Defining multiple NAT instances or configuring multiple NAT policies Defining multiple NAT instances or configuring multiple NAT policies
within one single NAT instance is implementation- and deployment- within one single NAT instance is implementation- and deployment-
specific. specific.
This YANG module provides a method to instruct a NAT function to This YANG module does not provide any method to instruct a NAT
enable the logging feature (Section 2.3 of [RFC6908] and REQ-12 of function to enable the logging feature or to specify the information
[RFC6888]). Nevertheless, configuration parameters specific to to be logged for administrative or regulatory reasons (Section 2.3 of
logging protocols are out of the scope of this document. [RFC6908] and REQ-12 of [RFC6888]). Those considerations are out of
the scope of this document.
2.2. Various Translation Flavors 2.2. Various Translation Flavors
The following translation modes are supported: The following translation modes are supported:
o Basic NAT44 o Basic NAT44
o NAPT o NAPT
o Destination NAT o Destination NAT
o Port-restricted NAT o Port-restricted NAT
o Stateful NAT64 (including with destination-based Pref64::/n o Stateful NAT64 (including with destination-based Pref64::/n
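Review bot: The rewritten logging paragraph in Section 2.1 (right column: "This YANG module does not provide any method to instruct a NAT function to enable the logging feature ...") inverts the -14 statement, so every other place that described a logging knob must be changed in the same revision; otherwise readers of the tree diagram or the module body will look for a leaf that no longer exists. Keeping the pointers to Section 2.3 of [RFC6908] and REQ-12 of [RFC6888], as this text does, is the right call: operators still need to know that logging is a CGN requirement that has to be configured through means outside this module.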
skipping to change at page 19, line 40 skipping to change at page 19, line 40
| +--rw limit-subscribers? uint32 | +--rw limit-subscribers? uint32
| +--rw limit-address-mappings? uint32 | +--rw limit-address-mappings? uint32
| +--rw limit-port-mappings? uint32 | +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id] | +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64 or dst-nat}? | {napt44 or nat64 or dst-nat}?
| +--rw protocol-id uint8 | +--rw protocol-id uint8
| +--rw limit? uint32 | +--rw limit? uint32
+--rw connection-limits +--rw connection-limits
| {basic-nat44 or napt44 or nat64}? | {basic-nat44 or napt44 or nat64}?
| +--rw limit-per-subscriber? uint32 | +--rw limit-per-subscriber? uint32
| +--rw limit-per-instance uint32 | +--rw limit-per-instance? uint32
| +--rw limit-per-protocol* [protocol-id] | +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64}? | {napt44 or nat64}?
| +--rw protocol-id uint8 | +--rw protocol-id uint8
| +--rw limit? uint32 | +--rw limit? uint32
+--rw notification-limits +--rw notification-limits
| +--rw notify-interval? uint32 | +--rw notify-interval? uint32
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| +--rw notify-addresses-usage? percent | +--rw notify-addresses-usage? percent
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| +--rw notify-ports-usage? percent | +--rw notify-ports-usage? percent
| | {napt44 or nat64}? | | {napt44 or nat64}?
| +--rw notify-subscribers-limit? uint32 | +--rw notify-subscribers-limit? uint32
| {basic-nat44 or napt44 or nat64}? | {basic-nat44 or napt44 or nat64}?
+--rw logging-enable? boolean
| {basic-nat44 or napt44 or nat64}?
+--rw mapping-table +--rw mapping-table
| |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}?
| +--rw mapping-entry* [index] | +--rw mapping-entry* [index]
| +--rw index uint32 | +--rw index uint32
| +--rw type? enumeration | +--rw type? enumeration
| +--rw transport-protocol? uint8 | +--rw transport-protocol? uint8
| +--rw internal-src-address? inet:ip-prefix | +--rw internal-src-address? inet:ip-prefix
| +--rw internal-src-port | +--rw internal-src-port
| | +--rw start-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number | | +--rw end-port-number? inet:port-number
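Review bot: In the connection-limits subtree, limit-per-instance changes from mandatory to optional ("+--rw limit-per-instance? uint32"), but nothing in the diagram says what a NAT instance does when the leaf is absent; since an absent limit is the permissive choice, the leaf's description in the module body should state explicitly that no instance-wide rate limit is enforced in that case. Dropping the logging-enable leaf from the tree is consistent with the new Section 2.1 text.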
skipping to change at page 22, line 27 skipping to change at page 22, line 25
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id +--ro id
| -> /nat/instances/instance/id | -> /nat/instances/instance/id
+--ro notify-subscribers-threshold? uint32 +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent +--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent +--ro notify-ports-threshold? percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2018-02-23.yang" <CODE BEGINS> file "ietf-nat@2018-06-28.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
prefix "nat"; prefix "nat";
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
skipping to change at page 23, line 49 skipping to change at page 23, line 48
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-02-23 { revision 2018-06-28 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for Network Address Translation "RFC XXXX: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
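Review bot: Nit on the revision statement: the new revision date 2018-06-28 (and the matching file name "ietf-nat@2018-06-28.yang") postdates the draft's own date of June 27, 2018 in the header. The file name and the revision statement agree with each other, so only the date itself needs attention when the RFC Editor updates it as the Editorial Note already requests.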
skipping to change at page 61, line 18 skipping to change at page 61, line 16
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per subscriber."; per subscriber.";
} }
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
units "bits/second"; units "bits/second";
mandatory true;
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per instance."; per instance.";
} }
list limit-per-protocol { list limit-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key protocol-id;
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
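Review bot: The units statement "bits/second" on both limit-per-subscriber and limit-per-instance does not match their descriptions, which rate-limit "the number of new mappings and sessions"; a count of mappings per unit time is not a bit rate, so the units should be something like "mappings/second" (or the description should change if a bit rate is really intended). Removing "mandatory true;" from limit-per-instance is fine, but the description should then say that an absent leaf means no instance-wide rate limit is applied.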
skipping to change at page 63, line 17 skipping to change at page 63, line 14
type uint32; type uint32;
description description
"Notification of active subscribers per NAT "Notification of active subscribers per NAT
instance. instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached."; threshold is reached.";
} }
} }
leaf logging-enable {
if-feature "basic-nat44 or napt44 or nat64";
type boolean;
description
"Enable logging features.";
reference
"Section 2.3 of RFC 6908 and REQ-12 of RFC 6888.";
}
container mapping-table { container mapping-table {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat"; "or nat64 or clat or dst-nat";
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions which maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
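Review bot: Removing the logging-enable leaf here matches the new Section 2.1 statement that the module provides no logging control, but the removed leaf carried the only in-module reference to Section 2.3 of RFC 6908 and REQ-12 of RFC 6888; please verify that the Security Considerations and any other text that mentioned logging-enable were updated in the same revision, and that both RFCs are still cited somewhere so they remain valid entries in the References.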
skipping to change at page 74, line 24 skipping to change at page 74, line 14
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of this module
this module. (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).
Rajiv Asati suggested to clarify how the module applies for both Rajiv Asati suggested to clarify how the module applies for both
stateless and stateful NAT64. stateless and stateful NAT64.
Juergen Schoenwaelder provided an early yandgoctors review. Many Juergen Schoenwaelder provided an early yandgoctors review. Many
thanks to him. thanks to him.
Thanks to Roni Even, Mach Chen, and Tim Chown for the directorates Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrel for the
review. Igor Ryzhov identified a nit in one example. directorates review. Igor Ryzhov identified a nit in one example.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
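Review bot: Two spelling nits in the Acknowledgements survive into -15: "yandgoctors review" should read "yangdoctors review", and the newly added "Stephen Farrel" is missing an "l" (Stephen Farrell).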
skipping to change at page 77, line 15 skipping to change at page 77, line 7
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf-
softwire-dslite-yang-15 (work in progress), February 2018. softwire-dslite-yang-17 (work in progress), May 2018.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
July 2017. July 2017.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
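Review bot: The [I-D.ietf-softwire-dslite-yang] entry is refreshed to -17 (May 2018) and its title corrected to "Data Model", but [I-D.ietf-tsvwg-natsupp] is still cited as -11 from July 2017 and [I-D.boucadair-pcp-yang] as -05 from October 2017; please check whether newer versions of those drafts exist before publication so that the informative references are current.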
 End of changes. 24 change blocks. 
45 lines changed or deleted 31 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/