draft-ietf-opsawg-nat-yang-16.txt   draft-ietf-opsawg-nat-yang-17.txt 
Network Working Group M. Boucadair, Ed. Network Working Group M. Boucadair, Ed.
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: March 28, 2019 Cisco Systems Expires: March 31, 2019 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
September 24, 2018 September 27, 2018
A YANG Module for Network Address Translation (NAT) and Network Prefix A YANG Module for Network Address Translation (NAT) and Network Prefix
Translation (NPT) Translation (NPT)
draft-ietf-opsawg-nat-yang-16 draft-ietf-opsawg-nat-yang-17
Abstract Abstract
This document defines a YANG module for the Network Address This document defines a YANG module for the Network Address
Translation (NAT) function. Translation (NAT) function.
Network Address Translation from IPv4 to IPv4 (NAT44), Network Network Address Translation from IPv4 to IPv4 (NAT44), Network
Address and Protocol Translation from IPv6 Clients to IPv4 Servers Address and Protocol Translation from IPv6 Clients to IPv4 Servers
(NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP
Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 28, 2019. This Internet-Draft will expire on March 31, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 50 skipping to change at page 2, line 50
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 9 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 9
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12
2.10. Binding the NAT Function to an External Interface . . . . 15 2.10. Binding the NAT Function to an External Interface . . . . 15
2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15
2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22
4. Security Considerations . . . . . . . . . . . . . . . . . . . 72 4. Security Considerations . . . . . . . . . . . . . . . . . . . 71
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 73
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74
7.1. Normative References . . . . . . . . . . . . . . . . . . 75 7.1. Normative References . . . . . . . . . . . . . . . . . . 74
7.2. Informative References . . . . . . . . . . . . . . . . . 77 7.2. Informative References . . . . . . . . . . . . . . . . . 77
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 79 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 79 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 79
A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 81 A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 84 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 85 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84
A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 85 A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84
A.6. Explicit Address Mappings for Stateless IP/ICMP A.6. Explicit Address Mappings for Stateless IP/ICMP
Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 86 Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85
A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 89 A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88
A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 90 A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89
A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 91 A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90
A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 94 A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93
A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 94 A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 93
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96
1. Introduction 1. Introduction
This document defines a data model for Network Address Translation This document defines a data model for Network Address Translation
(NAT) and Network Prefix Translation (NPT) capabilities using the (NAT) and Network Prefix Translation (NPT) capabilities using the
YANG data modeling language [RFC7950]. YANG data modeling language [RFC7950].
Traditional NAT is defined in [RFC2663], while Carrier Grade NAT Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
(CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
used to optimize the usage of global IP address space at the scale of used to optimize the usage of global IP address space at the scale of
skipping to change at page 5, line 20 skipping to change at page 5, line 20
Datastore Architecture (NMDA). The meaning of the symbols in tree Datastore Architecture (NMDA). The meaning of the symbols in tree
diagrams is defined in [RFC8340]. diagrams is defined in [RFC8340].
2. Overview of the NAT YANG Data Model 2. Overview of the NAT YANG Data Model
2.1. Overview 2.1. Overview
The NAT YANG module is designed to cover dynamic implicit mappings The NAT YANG module is designed to cover dynamic implicit mappings
and static explicit mappings. The required functionality to instruct and static explicit mappings. The required functionality to instruct
dynamic explicit mappings is defined in separate documents such as dynamic explicit mappings is defined in separate documents such as
[I-D.boucadair-pcp-yang]. Considerations about instructing explicit [I-D.boucadair-pcp-yang]. Considerations about instructing by
dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are
scope. As a reminder, REQ-9 of [RFC6888] requires that a CGN must out of scope. As a reminder, REQ-9 of [RFC6888] requires that a CGN
implement a protocol giving subscribers explicit control over NAT must implement a protocol giving subscribers explicit control over
mappings; that protocol should be the Port Control Protocol NAT mappings; that protocol should be the Port Control Protocol
[RFC6887]. [RFC6887].
A single NAT device can have multiple NAT instances; each of these A single NAT device can have multiple NAT instances; each of these
instances can be provided with its own policies (e.g., be responsible instances can be provided with its own policies (e.g., be responsible
for serving a group of hosts). This document does not make any for serving a group of hosts). This document does not make any
assumption about how internal hosts or flows are associated with a assumption about how internal hosts or flows are associated with a
given NAT instance. given NAT instance.
The NAT YANG module assumes that each NAT instance can be enabled/ The NAT YANG module assumes that each NAT instance can be enabled/
disabled, be provisioned with a specific set of configuration data, disabled, be provisioned with a specific set of configuration data,
skipping to change at page 19, line 23 skipping to change at page 19, line 23
| | | +--rw start-port-number? inet:port-number | | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number | | | +--rw end-port-number? inet:port-number
| | +--rw src-transport-port | | +--rw src-transport-port
| | | +--rw start-port-number? inet:port-number | | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number | | | +--rw end-port-number? inet:port-number
| | +--rw status? boolean | | +--rw status? boolean
| +--rw all-algs-enable? boolean | +--rw all-algs-enable? boolean
| +--rw notify-pool-usage | +--rw notify-pool-usage
| | {basic-nat44 or napt44 or nat64}? | | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id? uint32 | | +--rw pool-id? uint32
| | +--rw high-threshold? percent | | +--rw low-threshold? percent
| | +--rw low-threshold? percent | | +--rw high-threshold? percent
| | +--rw notify-interval? uint32 | | +--rw notify-interval? uint32
| +--rw external-realm | +--rw external-realm
| +--rw (realm-type)? | +--rw (realm-type)?
| +--:(interface) | +--:(interface)
| +--rw external-interface? if:interface-ref | +--rw external-interface? if:interface-ref
+--rw mapping-limits {napt44 or nat64}? +--rw mapping-limits {napt44 or nat64}?
| +--rw limit-subscribers? uint32 | +--rw limit-subscribers? uint32
| +--rw limit-address-mappings? uint32 | +--rw limit-address-mappings? uint32
| +--rw limit-port-mappings? uint32 | +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id] | +--rw limit-per-protocol* [protocol-id]
skipping to change at page 21, line 48 skipping to change at page 21, line 48
| {napt44 or nat64}? | {napt44 or nat64}?
| +--ro protocol-id uint8 | +--ro protocol-id uint8
| +--ro total? yang:gauge32 | +--ro total? yang:gauge32
+--ro pools-stats {basic-nat44 or napt44 or nat64}? +--ro pools-stats {basic-nat44 or napt44 or nat64}?
+--ro addresses-allocated? yang:gauge32 +--ro addresses-allocated? yang:gauge32
+--ro addresses-free? yang:gauge32 +--ro addresses-free? yang:gauge32
+--ro ports-stats {napt44 or nat64}? +--ro ports-stats {napt44 or nat64}?
| +--ro ports-allocated? yang:gauge32 | +--ro ports-allocated? yang:gauge32
| +--ro ports-free? yang:gauge32 | +--ro ports-free? yang:gauge32
+--ro per-pool-stats* [pool-id] +--ro per-pool-stats* [pool-id]
{basic-nat44 or napt44 or nat64}? | {basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32 +--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time +--ro discontinuity-time yang:date-and-time
+--ro pool-stats +--ro pool-stats
| +--ro addresses-allocated? yang:gauge32 | +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32 | +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}? +--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32 +--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32 +--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-pool-event {basic-nat44 or napt44 or nat64}? +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
| +--ro id -> /nat/instances/instance/id | +--ro id -> /nat/instances/instance/id
| +--ro policy-id? | +--ro policy-id?
| | -> /nat/instances/instance/policy/id | | -> /nat/instances/instance/policy/id
| +--ro pool-id leafref | +--ro pool-id
| | -> /nat/instances/instance/policy/
| | external-ip-address-pool/pool-id
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id +--ro id
| -> /nat/instances/instance/id | -> /nat/instances/instance/id
+--ro notify-subscribers-threshold? uint32 +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent +--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent +--ro notify-ports-threshold? percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2018-06-28.yang" <CODE BEGINS> file "ietf-nat@2018-09-27.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
prefix "nat"; prefix "nat";
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
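Review bot: in the `nat-pool-event` tree entry, the right column now shows `+--ro pool-id` with no type and no target, while the left column's continuation lines `-> /nat/instances/instance/policy/` and `external-ip-address-pool/pool-id` have no counterpart on the right; either the leafref target moved onto lines this diff does not display, or the tree was not regenerated after the type change. Please confirm the rendered tree still shows the leafref target for `pool-id` the way the `id` and `policy-id` entries above it do. The file name `ietf-nat@2018-09-27.yang` does match the updated `revision 2018-09-27` statement, which is correct.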
skipping to change at page 23, line 49 skipping to change at page 23, line 52
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-06-28 { revision 2018-09-27 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for Network Address Translation "RFC XXXX: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
skipping to change at page 25, line 12 skipping to change at page 25, line 14
description description
"Destination NAT is a translation that acts on the destination "Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices usually deployed in load balancers or at devices
in front of public servers."; in front of public servers.";
} }
feature nat64 { feature nat64 {
description description
"NAT64 translation allows IPv6-only clients to contact IPv4 "NAT64 translation allows IPv6-only clients to contact IPv4
servers using, e.g., UDP, TCP, or ICMP. One or more servers using, e.g., UDP, TCP, or ICMP. One or more
public IPv4 addresses assigned to a NAT64 translator are public IPv4 addresses assigned to a NAT64 translator are
shared among several IPv6-only clients."; shared among several IPv6-only clients.";
reference reference
"RFC 6146: Stateful NAT64: Network Address and Protocol "RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers"; Translation from IPv6 Clients to IPv4 Servers";
} }
feature siit { feature siit {
description description
"The Stateless IP/ICMP Translation Algorithm (SIIT), which "The Stateless IP/ICMP Translation Algorithm (SIIT), which
skipping to change at page 28, line 11 skipping to change at page 28, line 11
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
/* /*
* Grouping * Grouping
*/ */
grouping port-number { grouping port-number {
description description
"Individual port or a range of ports. "An individual port number or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port number."; it represents a single port number.";
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"Beginning of the port range."; "Beginning of the port range.";
reference reference
"Section 3.2.9 of RFC 8045."; "Section 3.2.9 of RFC 8045.";
} }
skipping to change at page 28, line 41 skipping to change at page 28, line 41
} }
description description
"End of the port range."; "End of the port range.";
reference reference
"Section 3.2.10 of RFC 8045."; "Section 3.2.10 of RFC 8045.";
} }
} }
grouping port-set { grouping port-set {
description description
"Indicates a set of ports. "Indicates a set of port numbers.
It may be a simple port range, or use the Port Set ID (PSID) It may be a simple port range, or use the Port Set ID (PSID)
algorithm to represent a range of transport layer algorithm to represent a range of transport layer
ports which will be used by a NAPT."; port numbers which will be used by a NAPT.";
choice port-type { choice port-type {
default port-range; default port-range;
description description
"Port type: port-range or port-set-algo."; "Port type: port-range or port-set-algo.";
case port-range { case port-range {
uses port-number; uses port-number;
} }
skipping to change at page 29, line 19 skipping to change at page 29, line 19
type uint8 { type uint8 {
range 0..15; range 0..15;
} }
description description
"The number of offset bits (a.k.a., 'a' bits). "The number of offset bits (a.k.a., 'a' bits).
Specifies the numeric value for the excluded port Specifies the numeric value for the excluded port
range/offset bits. range/offset bits.
Allowed values are between 0 and 15 "; Allowed values are between 0 and 15.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
leaf psid-len { leaf psid-len {
type uint8 { type uint8 {
range 0..15; range 0..15;
} }
mandatory true; mandatory true;
skipping to change at page 30, line 14 skipping to change at page 30, line 14
"Section 7597: Mapping of Address and Port with "Section 7597: Mapping of Address and Port with
Encapsulation (MAP-E)"; Encapsulation (MAP-E)";
} }
} }
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry. "NAT mapping entry.
If an attribute is not stored in the mapping/session table, If an attribute is not stored in the mapping/session table,
this means the corresponding fields of a packet that this means the corresponding field of a packet that
matches this entry is not rewritten by the NAT or this matches this entry is not rewritten by the NAT or this
information is not required for NAT filtering purposes."; information is not required for NAT filtering purposes.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry. This identifier can be "A unique identifier of a mapping entry. This identifier can be
automatically assigned by the NAT instance or be explicitly automatically assigned by the NAT instance or be explicitly
configured."; configured.";
} }
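Review bot: the reference under the PSID grouping reads `"Section 7597: Mapping of Address and Port with Encapsulation (MAP-E)"`, which is unchanged in both columns but malformed: 7597 is the RFC number, not a section. It should read `"RFC 7597: Mapping of Address and Port with Encapsulation (MAP-E)"`, ideally naming the section that defines the PSID algorithm, as the neighbouring `psid-offset` leaf does with `"Section 5.1 of RFC 7597"`.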
skipping to change at page 30, line 50 skipping to change at page 30, line 50
enum "dynamic-explicit" { enum "dynamic-explicit" {
description description
"This mapping is created as a result of an explicit "This mapping is created as a result of an explicit
request, e.g., a PCP message."; request, e.g., a PCP message.";
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic a mapping can be: static, implicit dynamic,
or explicit dynamic."; or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry. Values are taken from the IANA protocol registry::
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP. 17 for UDP, 33 for DCCP, or 132 for SCTP.
If this leaf is not instantiated, then the mapping If this leaf is not instantiated, then the mapping
applies to any protocol."; applies to any protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal of the packet received on an internal interface.";
interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the packet received "Corresponds to the source port of the packet received
on an internal interface. on an internal interface.
It is used also to indicate the internal source ICMP It is used also to indicate the internal source ICMP
identifier. identifier.
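Review bot: the `transport-protocol` description in the right column introduces a double colon, `Values are taken from the IANA protocol registry::`, and is the only place in this revision that still carries the registry URL; every other occurrence of the same sentence in this diff (`protocol-id`, `protocol-name`, `protocol`) drops the URL and ends with a period. Fix the typo and either keep the URL in all of them or remove it here too, so that the repeated text is identical across the module.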
skipping to change at page 32, line 21 skipping to change at page 32, line 22
leaf internal-dst-address { leaf internal-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and ports, sometimes referred to addresses and port numbers, sometimes referred to
as 'Twice NAT'."; as 'Twice NAT'.";
} }
container internal-dst-port { container internal-dst-port {
description description
"Corresponds to the destination port of the "Corresponds to the destination port of the
IP packet received on the internal interface. IP packet received on the internal interface.
It is used also to include the internal It is used also to include the internal
destination ICMP identifier."; destination ICMP identifier.";
skipping to change at page 35, line 32 skipping to change at page 35, line 35
description description
"List of supported protocols."; "List of supported protocols.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol associated with a mapping. "Upper-layer protocol associated with a mapping.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry.
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf protocol-name { leaf protocol-name {
type string; type string;
description description
"The name of the Upper-layer protocol associated "The name of the Upper-layer protocol associated
with this mapping. with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, TCP, UDP, DCCP, and SCTP."; For example, TCP, UDP, DCCP, and SCTP.";
} }
} }
leaf restricted-port-support { leaf restricted-port-support {
type boolean; type boolean;
description description
"Indicates source port NAT restriction support."; "Indicates source port NAT restriction support.";
reference reference
"RFC 7596: Lightweight 4over6: An Extension to "RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture."; the Dual-Stack Lite Architecture.";
} }
skipping to change at page 46, line 52 skipping to change at page 46, line 50
the translator. the translator.
TCP and UDP are supported by default."; TCP and UDP are supported by default.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry.
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf protocol-name { leaf protocol-name {
type string; type string;
description description
"The name of the Upper-layer protocol associated "The name of the Upper-layer protocol associated
with this mapping. with this mapping.
Values are taken from the IANA protocol registry:
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, TCP, UDP, DCCP, and SCTP."; For example, TCP, UDP, DCCP, and SCTP.";
} }
} }
leaf subscriber-mask-v6 { leaf subscriber-mask-v6 {
type uint8 { type uint8 {
range "0 .. 128"; range "0 .. 128";
} }
description description
skipping to change at page 55, line 29 skipping to change at page 55, line 23
type inet:port-number; type inet:port-number;
description description
"A port number."; "A port number.";
} }
leaf protocol { leaf protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this port. "Upper-layer protocol associated with this port.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry.
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml.
If no protocol is indicated, this means 'any If no protocol is indicated, this means 'any
protocol'."; protocol'.";
} }
leaf timeout { leaf timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
mandatory true; mandatory true;
description description
skipping to change at page 56, line 22 skipping to change at page 56, line 14
between old and new mappings and sessions. It ensures between old and new mappings and sessions. It ensures
that all established sessions are broken instead of that all established sessions are broken instead of
redirected to a different peer."; redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
leaf hold-down-max { leaf hold-down-max {
type uint32; type uint32;
description description
"Maximum ports in the Hold down timer pool. "Maximum ports in the hold down port pool.";
Ports in the hold down pool are not reassigned
until hold-down-timeout expires.
The length of time and the maximum
number of ports in this state must be
configurable by the administrator.
This is necessary in order
to prevent collisions between old
and new mappings and sessions. It ensures
that all established sessions are broken
instead of redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
} }
leaf fragments-limit{ leaf fragments-limit{
when "../fragment-behavior='out-of-order'"; when "../fragment-behavior='out-of-order'";
type uint32; type uint32;
description description
"Limits the number of out of order fragments that can "Limits the number of out of order fragments that can
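Review bot: the shortened `hold-down-max` description, `"Maximum ports in the hold down port pool."`, removes the one sentence that explained what the pool is for: that ports in it are not reassigned until `hold-down-timeout` expires. Dropping the text duplicated from `hold-down-timeout` is fine, but keep a sentence tying the two leaves together, e.g. `"Maximum number of ports in the hold-down pool. Ports in this pool are not reassigned until hold-down-timeout expires."`, and hyphenate 'hold-down' to match the leaf names `hold-down-timeout` and `hold-down-max`. Style nit in the same hunk: `leaf fragments-limit{` is missing the space before the brace that is used everywhere else in the module.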
skipping to change at page 57, line 44 skipping to change at page 57, line 26
leaf status { leaf status {
type boolean; type boolean;
description description
"Enable/disable the ALG."; "Enable/disable the ALG.";
} }
} }
leaf all-algs-enable { leaf all-algs-enable {
type boolean; type boolean;
description description
"Enable/disable all ALGs. "Disable/enable all ALGs.
When specified, this parameter overrides the one When specified, this parameter overrides the one
that may be indicated, eventually, by the 'status' that may be indicated, eventually, by the 'status'
of an individual ALG."; of an individual ALG.";
} }
container notify-pool-usage { container notify-pool-usage {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notification of pool usage when certain criteria "Notification of pool usage when certain criteria
are met."; are met.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Pool-ID for which the notification criteria "Pool-ID for which the notification criteria
is defined"; is defined";
} }
leaf high-threshold { leaf low-threshold {
type percent; type percent;
description description
"Notification must be generated when the defined high "Notification must be generated when the defined low
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches 90%, this configuration pool utilization reaches below 10%, this
parameter must be set to 90. configuration parameter must be set to 10.
0% indicates that no high threshold is enabled."; 0% indicates that low-threshold notification is
disabled.";
} }
leaf low-threshold { leaf high-threshold {
type percent; type percent;
must ". >= ../high-threshold" { must ". >= ../low-threshold" {
error-message error-message
"The upper port number must be greater than or "The high threshold must be greater than or equal
equal to lower port number."; to the low threshold.";
} }
description description
"Notification must be generated when the defined low "Notification must be generated when the defined high
threshold is reached. threshold is reached.
For example, if a notification is required when the For example, if a notification is required when the
pool utilization reaches below 10%, this pool utilization reaches 90%, this configuration
configuration parameter must be set to 10"; parameter must be set to 90.
Setting the same value as low-threshold is equivalent
to disabling high-threshold notification.";
} }
leaf notify-interval { leaf notify-interval {
type uint32 { type uint32 {
range "1 .. 3600"; range "1 .. 3600";
} }
units "seconds"; units "seconds";
default '20'; default '20';
description description
"Minimum number of seconds between successive "Minimum number of seconds between successive
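Review bot: the `must ". >= ../low-threshold"` now attached to high-threshold has no guard for the case where low-threshold is not configured, and neither leaf carries a `default`; in XPath a comparison against an empty node-set evaluates to false, so a configuration that sets only high-threshold would fail validation even though the new low-threshold description says 0% (i.e. absent/unset) simply means "disabled". Either add `default "0";` to low-threshold or relax the constraint to `not(../low-threshold) or . >= ../low-threshold`. Moving the constraint from low-threshold to high-threshold and replacing the copy-pasted "upper port number" error-message with text that describes the threshold comparison is otherwise the right fix.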
skipping to change at page 60, line 44 skipping to change at page 60, line 30
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "Upper-layer protocol.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry.
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Maximum number of protocol-specific NAT mappings "Maximum number of protocol-specific NAT mappings
per instance."; per instance.";
} }
} }
} }
container connection-limits { container connection-limits {
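Review bot: dropping the IANA URL from the protocol-id description leaves "IANA protocol registry" with no pointer to which registry is meant; rather than embedding a URL in `description` (and fighting the line-length wrapping that presumably motivated the removal), keep the citation as a `reference` substatement on the leaf, e.g. `reference "IANA Protocol Numbers registry";`, which is the conventional place for it in YANG. The example values (6, 17, 33, 132) and `type uint8` remain consistent with that registry's 0-255 range.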
skipping to change at page 61, line 47 skipping to change at page 61, line 31
key protocol-id; key protocol-id;
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "Upper-layer protocol.
Values are taken from the IANA protocol registry: Values are taken from the IANA protocol registry.
https://www.iana.org/assignments/protocol-numbers/
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Rate-limit the number of protocol-specific mappings "Limit the number of protocol-specific mappings
and sessions per instance."; and sessions per instance.";
} }
} }
} }
container notification-limits { container notification-limits {
description "Sets notification limits."; description "Sets notification limits.";
leaf notify-interval { leaf notify-interval {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
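Review bot: the reworded `limit` description ("Limit the number of protocol-specific mappings and sessions per instance") reads as an instruction rather than a definition of what the leaf's value is; the sibling list a few lines earlier says "Maximum number of protocol-specific NAT mappings per instance", and the same "Maximum number of ..." phrasing here would keep the two lists consistent and make clear the value is a ceiling, not a rate (removing "Rate-limit" was correct, since a bare `uint32` with no `units` cannot express a rate). As in the other list, the removed IANA URL for protocol-id would be better retained as a `reference` substatement than dropped entirely.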
skipping to change at page 74, line 19 skipping to change at page 73, line 47
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
the "YANG Module Names" registry [RFC7950]. the "YANG Module Names" registry [RFC7950].
name: ietf-nat name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC XXXX
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing, Tianran Zhou, Tom Petch, and Warren Kumari Many thanks to Dan Wing, Tianran Zhou, Tom Petch, Warren Kumari, and
for the review. Benjamin Kaduk for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
skipping to change at page 89, line 4 skipping to change at page 88, line 4
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.224/31 192.0.2.224/31
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
EAMs may be enabled jointly with statefull NAT64. This example shows EAMs may be enabled jointly with stateful NAT64. This example shows
a NAT64 function that supports static mappings: a NAT64 function that supports static mappings:
<capabilities <capabilities
<nat-flavor> <nat-flavor>
nat64 nat64
</nat-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
 End of changes. 51 change blocks. 
98 lines changed or deleted 73 lines changed or added