draft-ietf-opsawg-nat-yang-17.txt   rfc8512.txt 
Internet Engineering Task Force (IETF)                    M. Boucadair, Ed.
Request for Comments: 8512                                           Orange
Category: Standards Track                                      S. Sivakumar
ISSN: 2070-1721                                               Cisco Systems
                                                               C. Jacquenet
                                                                     Orange
                                                              S. Vinapamula
                                                           Juniper Networks
                                                                      Q. Wu
                                                                     Huawei
                                                               January 2019

A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)
Abstract

This document defines a YANG module for the Network Address Translation (NAT) function.

Network Address Translation from IPv4 to IPv4 (NAT44), Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), customer-side translator (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings (EAM) for SIIT, IPv6-to-IPv6 Network Prefix Translation (NPTv6), and Destination NAT are covered in this document.
Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8512.
Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
1.1. Terminology
2. Overview of the NAT YANG Data Model
2.1. Overview
2.2. Various Translation Flavors
2.3. TCP/UDP/ICMP NAT Behavioral Requirements
2.4. Other Transport Protocols
2.5. IP Addresses Used for Translation
2.6. Port-Set Assignment
2.7. Port-Restricted IP Addresses
2.8. NAT Mapping Entries
2.9. Resource Limits
2.10. Binding the NAT Function to an External Interface
2.11. Relationship to NATV2-MIB
2.12. Tree Structure
3. NAT YANG Module
4. Security Considerations
5. IANA Considerations
6. References
6.1. Normative References
6.2. Informative References
Appendix A. Some Examples
A.1. Traditional NAT44
A.2. Carrier Grade NAT (CGN)
A.3. CGN Pass-Through
A.4. NAT64
A.5. Stateless IP/ICMP Translation (SIIT)
A.6. Explicit Address Mappings (EAM) for Stateless IP/ICMP Translation (SIIT)
A.7. Static Mappings with Port Ranges
A.8. Static Mappings with IP Prefixes
A.9. Destination NAT
A.10. Customer-Side Translator (CLAT)
A.11. IPv6 Network Prefix Translation (NPTv6)
Acknowledgements
Authors' Addresses
1. Introduction

This document defines a data model for Network Address Translation (NAT) and Network Prefix Translation (NPT) capabilities using the YANG data modeling language [RFC7950].

Traditional NAT is defined in [RFC2663], while Carrier Grade NAT (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is used to optimize the usage of global IP address space at the scale of a domain: a CGN is not managed by end users but by service providers instead. This document covers both traditional NATs and CGNs.

This document also covers NAT64 [RFC6146], customer-side translator (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915], Explicit Address Mappings (EAM) for SIIT [RFC7757], IPv6 Network Prefix Translation (NPTv6) [RFC6296], and Destination NAT. The full set of translation schemes that are in scope is included in Section 2.2.

Some examples are provided in Appendix A. These examples are not intended to be exhaustive.
1.1. Terminology

This document makes use of the following terms:

o Basic Network Address Translation from IPv4 to IPv4 (NAT44): translation is limited to IP addresses alone (Section 2.1 of [RFC3022]).

o Network Address Port Translator (NAPT): translation in NAPT is extended to include IP addresses and transport identifiers (such as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of [RFC3022]. A NAPT may use an extra identifier, in addition to the transport five-tuple, to disambiguate bindings [RFC6619].

o Destination NAT: is a translation that acts on the destination IP address and/or destination port number. This flavor is usually deployed in load balancers or at devices in front of public servers.

o Port-restricted IPv4 address: an IPv4 address with a restricted port set. Multiple hosts may share the same IPv4 address; however, their port sets must not overlap [RFC7596].

o Restricted port set: a non-overlapping range of allowed external ports to use for NAT operation. Source ports of IPv4 packets translated by a NAT must belong to the assigned port set. The port set is used for all port-aware IP protocols [RFC7596].

o Internal host: a host that may need to use a translation capability to send to and receive traffic from the Internet.

o Internal address/prefix: the IP address/prefix of an internal host.

o External address: the IP address/prefix assigned by a translator to an internal host; this is the address that will be seen by a remote host on the Internet.

o Mapping: denotes a state at the translator that is necessary for network address and/or port translation.

o Dynamic implicit mapping: is created implicitly as a side effect of processing a packet (e.g., an initial TCP SYN packet) that requires a new mapping. A validity lifetime is associated with this mapping.

o Dynamic explicit mapping: is created as a result of an explicit request, e.g., a Port Control Protocol (PCP) message [RFC6887]. A validity lifetime is associated with this mapping.

o Static explicit mapping: is created using, e.g., a command-line interface (CLI). This mapping is likely to be maintained by the NAT function till an explicit action is executed to remove it.

The usage of the term NAT in this document refers to any translation flavor (NAT44, NAT64, etc.) indifferently.

This document uses the term "session" as defined in [RFC2663] and [RFC6146] for NAT64.

This document follows the guidelines of [RFC8407], uses the common YANG types defined in [RFC6991], and adopts the Network Management Datastore Architecture (NMDA). The meaning of the symbols in tree diagrams is defined in [RFC8340].
2. Overview of the NAT YANG Data Model

2.1. Overview

The NAT YANG module is designed to cover dynamic implicit mappings and static explicit mappings. The required functionality to instruct dynamic explicit mappings is defined in separate documents such as [YANG-PCP]. Considerations about instructing by explicit dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of scope. As a reminder, REQ-9 of [RFC6888] requires that a CGN must implement a protocol giving subscribers explicit control over NAT mappings; that protocol should be the Port Control Protocol [RFC6887].

A single NAT device can have multiple NAT instances; each of these instances can be provided with its own policies (e.g., be responsible for serving a group of hosts). This document does not make any assumption about how internal hosts or flows are associated with a given NAT instance.

The NAT YANG module assumes that each NAT instance can be enabled/disabled, be provisioned with a specific set of configuration data, and maintain its own mapping tables.

The NAT YANG module allows for a NAT instance to be provided with multiple NAT policies (/nat/instances/instance/policy). The document does not make any assumption about how flows are associated with a given NAT policy of a given NAT instance. Classification filters are out of scope.

Defining multiple NAT instances or configuring multiple NAT policies within one single NAT instance is implementation and deployment specific.

This YANG module does not provide any method to instruct a NAT function to enable the logging feature or to specify the information to be logged for administrative or regulatory reasons (Section 2.3 of [RFC6908] and REQ-12 of [RFC6888]). Those considerations are out of the scope of this document.
2.2. Various Translation Flavors

[...]

[RFC7050])

o SIIT

o CLAT

o EAM

o NPTv6

o Combination of Basic NAT/NAPT and Destination NAT

o Combination of port-restricted and Destination NAT

o Combination of NAT64 and EAM

o Stateful and Stateless NAT64

[RFC8513] specifies an extension to the NAT YANG module to support Dual-Stack Lite (DS-Lite).
The YANG "feature" statement is used to indicate which of the different translation modes is relevant for a specific data node. Table 1 lists defined features:

+---------------------------------+--------------+
| Translation Mode                | YANG Feature |
+---------------------------------+--------------+
| Basic NAT44                     | basic-nat44  |
| NAPT                            | napt44       |
| Destination NAT                 | dst-nat      |
| Stateful NAT64                  | nat64        |
| Stateless IPv4/IPv6 Translation | siit         |
| CLAT                            | clat         |
| EAM                             | eam          |
| NPTv6                           | nptv6        |
+---------------------------------+--------------+

Table 1: NAT YANG Features

The following translation modes do not require that dedicated features be defined:

o Port-restricted NAT: This mode corresponds to supplying port-restriction policies to a NAPT or NAT64 (port-set-restrict).

o Combination of Basic NAT/NAPT and Destination NAT: This mode corresponds to setting 'dst-nat-enable' for Basic NAT44 or NAPT.

o Combination of port-restricted and Destination NAT: This mode can be achieved by configuring a NAPT with port restriction policies (port-set-restrict) together with a destination IP address pool (dst-ip-address-pool).

o Combination of NAT64 and EAM: This mode corresponds to configuring static mappings for NAT64.

o Stateful and stateless NAT64: A NAT64 implementation can be instructed to behave in the stateless mode for a given prefix by setting the parameter (nat64-prefixes/stateless-enable). A NAT64 implementation may behave in both stateful and stateless modes if, in addition to appropriately setting the parameter (nat64-prefixes/stateless-enable), an external IPv4 address pool is configured.

The NAT YANG module provides a method to retrieve the capabilities of a NAT instance (including a list of supported translation modes, a list of supported protocols, the supported NAT mapping types, the supported NAT filtering types, the behavior for handling fragments (all, out-of-order, in-order), and the support statuses for the following: port restriction, port range allocation, port parity preservation, and port preservation).
2.3. TCP/UDP/ICMP NAT Behavioral Requirements

This document assumes NAT behavioral recommendations for UDP [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default. Furthermore, the NAT YANG module relies upon the recommendations detailed in [RFC6888] and [RFC7857].
2.4. Other Transport Protocols

The module is structured to support protocols other than UDP, TCP, and ICMP. Concretely, the module allows the operator to enable translation for other transport protocols when required (/nat/instances/instance/policy/transport-protocols). Moreover, the mapping table is designed so that it can indicate any transport protocol. For example, this module may be used to manage a NAT capable of the Datagram Congestion Control Protocol (DCCP) that adheres to [RFC5597].

Future extensions may be needed to cover NAT-related considerations that are specific to other transport protocols such as the Stream Control Transmission Protocol (SCTP) [NAT-SUPP]. Typically, the mapping entry can be extended to record two optional SCTP-specific parameters: the Internal Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag).

This document only specifies transport-protocol-specific timers for UDP, TCP, and ICMP. While some timers could potentially be generalized for other connection-oriented protocols, this document does not follow such an approach because there is no standard document specifying such generic behavior. Future documents may be edited to clarify how to reuse TCP-specific timers when needed.
2.5. IP Addresses Used for Translation

The NAT YANG module assumes that blocks of IP external addresses (external-ip-address-pool) can be provisioned to the NAT function. These blocks may be contiguous or not.

This behavior is aligned with [RFC6888], which specifies that a NAT function should not have any limitations on the size or the contiguity of the external address pool. In particular, the NAT function must be configurable with contiguous or non-contiguous external IPv4 address ranges. To accommodate traditional NAT, the module allows for a single IP address to be configured for external-ip-address-pool.

Likewise, one or multiple IP address pools may be configured for Destination NAT (dst-ip-address-pool).
2.6. Port-Set Assignment

Port numbers can be assigned by a NAT individually (that is, a single port is assigned on a per-session basis), but this port allocation scheme may not be optimal for logging purposes (Section 12 of [RFC6269]). A NAT function should be able to assign port sets (e.g., [RFC7753]) to optimize the volume of the logging data (REQ-14 of [RFC6888]). Both allocation schemes are supported in the NAT YANG module.

When port-set assignment is activated (i.e., port-allocation-type==port-range-allocation), the NAT can be provided with the size of the port set to be assigned (port-set-size).
2.7. Port-Restricted IP Addresses

Some NATs restrict the source port numbers (e.g., Lightweight 4over6 [RFC7596] and Mapping of Address and Port with Encapsulation (MAP-E) [RFC7597]). Two schemes of port-set assignments (port-set-restrict) are supported in this document:

o Simple port range: is defined by two port values, the start and the end of the port range [RFC8045].

o Algorithmic: an algorithm is defined in [RFC7597] to characterize the set of ports that can be used.
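The two port-set schemes above, together with the two rules the Terminology states for them (a translated source port must belong to the assigned set; port sets sharing one external IPv4 address must not overlap), as an added example that is not code from RFC 8512. The algorithmic scheme is the port-mapping algorithm of RFC 7597, Section 5.1; the PSID values and the port range used as input are constructed.

```python
"""Port-set checks for port-restricted NAT (Sections 2.6 and 2.7).

Added example, not code from RFC 8512. Algorithmic port sets follow
RFC 7597, Section 5.1: with a offset bits, a PSID of k bits and
m = 16 - a - k contiguous bits,
    port = A * 2^(16-a) + PSID * 2^m + M,  A in 1..2^a-1, M in 0..2^m-1.
A = 0 is excluded, so the first 2^(16-a) ports (0..1023 for a = 6)
are never assigned to any subscriber.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class SimplePortRange:
    """Simple port range: start and end port, both inclusive."""
    start: int
    end: int

    def ports(self) -> frozenset:
        if not 0 <= self.start <= self.end <= 65535:
            raise ValueError("invalid port range")
        return frozenset(range(self.start, self.end + 1))


@dataclass(frozen=True)
class AlgorithmicPortSet:
    """RFC 7597 port set identified by (PSID, PSID length, offset)."""
    psid: int
    psid_len: int
    offset: int = 6  # RFC 7597 default value of 'a'

    def ports(self) -> frozenset:
        a, k = self.offset, self.psid_len
        m = 16 - a - k
        if a < 0 or k < 0 or m < 0 or not 0 <= self.psid < (1 << k):
            raise ValueError("inconsistent PSID parameters")
        first_a = 1 if a > 0 else 0          # skip A = 0 when offset bits exist
        result = set()
        for big_a in range(first_a, 1 << a):
            base = (big_a << (16 - a)) | (self.psid << m)
            result.update(base | small_m for small_m in range(1 << m))
        return frozenset(result)


def source_port_permitted(port_set, port: int) -> bool:
    """Rule 1: a translated source port must lie in the assigned set."""
    return port in port_set.ports()


def overlapping(port_sets) -> bool:
    """Rule 2: sets sharing an external IPv4 address must be disjoint."""
    return any(x.ports() & y.ports() for x, y in combinations(port_sets, 2))


if __name__ == "__main__":
    # Constructed sample: two subscribers sharing one address, k = 8, a = 6
    sub_a = AlgorithmicPortSet(psid=0x34, psid_len=8)
    sub_b = AlgorithmicPortSet(psid=0x35, psid_len=8)
    print(len(sub_a.ports()), "ports for A, lowest", min(sub_a.ports()))
    print("port 1232 permitted for A:", source_port_permitted(sub_a, 1232))
    print("A and B overlap:", overlapping([sub_a, sub_b]))
    print("A and range 1200-1300 overlap:",
          overlapping([sub_a, SimplePortRange(1200, 1300)]))
```

With a = 6 and k = 8 each subscriber receives 63 * 4 = 252 ports, and a port-range policy that is configured by hand can be checked against the algorithmic sets already in use before it is committed.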
2.8. NAT Mapping Entries

A TCP/UDP mapping entry maintains an association between the [...] Identifier'.

To cover TCP, UDP, and ICMP, the NAT YANG module assumes the following structure of a mapping entry:

type: Indicates how the mapping was instantiated. For example, it may indicate whether a mapping is dynamically instantiated by a packet or statically configured.

transport-protocol: Indicates the transport protocol (e.g., UDP, TCP, and ICMP) of a given mapping.

internal-src-address: Indicates the source IP address/prefix as used by an internal host.

internal-src-port: Indicates the source port number (or ICMP identifier) as used by an internal host.

external-src-address: Indicates the source IP address/prefix as assigned by the NAT.
skipping to change at page 10, line 22 skipping to change at page 11, line 25
In order to cover both NAT64 and NAT44 flavors, the NAT mapping In order to cover both NAT64 and NAT44 flavors, the NAT mapping
structure allows for the inclusion of an IPv4 or an IPv6 address as structure allows for the inclusion of an IPv4 or an IPv6 address as
an internal IP address. Remaining fields are common to both NAT an internal IP address. Remaining fields are common to both NAT
schemes. schemes.
For example, the mapping that will be created by a NAT64 upon receipt For example, the mapping that will be created by a NAT64 upon receipt
of a TCP SYN from source address 2001:db8:aaaa::1 and source port of a TCP SYN from source address 2001:db8:aaaa::1 and source port
number 25636 to destination IP address 2001:db8:1234::198.51.100.1 number 25636 to destination IP address 2001:db8:1234::198.51.100.1
and destination port number 8080 is shown in Table 2. This example and destination port number 8080 is shown in Table 2. This example
assumes EDM (Endpoint-Dependent Mapping). assumes Endpoint-Dependent Mapping (EDM).
+-----------------------+-------------------------------------------+ +-----------------------+-------------------------------------------+
| Mapping Entry | Value | | Mapping Entry | Value |
| Attribute | | | Attribute | |
+-----------------------+-------------------------------------------+ +-----------------------+-------------------------------------------+
| type | dynamic implicit mapping | | type | dynamic implicit mapping |
| transport-protocol | 6 (TCP) | | transport-protocol | 6 (TCP) |
| internal-src-address | 2001:db8:aaaa::1 | | internal-src-address | 2001:db8:aaaa::1 |
| internal-src-port | 25636 | | internal-src-port | 25636 |
| external-src-address | T (an IPv4 address configured on the | | external-src-address | T (an IPv4 address configured on the |
skipping to change at page 10, line 47 skipping to change at page 12, line 8
| internal-dst-port | 8080 | | internal-dst-port | 8080 |
| external-dst-address | 198.51.100.1 | | external-dst-address | 198.51.100.1 |
| external-dst-port | 8080 | | external-dst-port | 8080 |
+-----------------------+-------------------------------------------+ +-----------------------+-------------------------------------------+
Table 2: Example of an EDM NAT64 Mapping Table 2: Example of an EDM NAT64 Mapping
The mappings that will be created by a NAT44 upon receipt of an ICMP The mappings that will be created by a NAT44 upon receipt of an ICMP
request from source address 198.51.100.1 and ICMP identifier (ID1) to request from source address 198.51.100.1 and ICMP identifier (ID1) to
destination IP address 198.51.100.11 is depicted in Table 3. This destination IP address 198.51.100.11 is depicted in Table 3. This
example assumes EIM (Endpoint-Independent Mapping). example assumes Endpoint-Independent Mapping (EIM).
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
| Mapping Entry | Value | | Mapping-Entry | Value |
| Attribute | | | Attribute | |
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
| type | dynamic implicit mapping | | type | dynamic implicit mapping |
| transport-protocol | 1 (ICMP) | | transport-protocol | 1 (ICMP) |
| internal-src-address | 198.51.100.1 | | internal-src-address | 198.51.100.1 |
| internal-src-port | ID1 | | internal-src-port | ID1 |
| external-src-address | T (an IPv4 address configured on the | | external-src-address | T (an IPv4 address configured on the |
| | NAT44) | | | NAT44) |
| external-src-port | ID2 (an ICMP identifier that is chosen by | | external-src-port | ID2 (an ICMP identifier that is chosen by |
| | the NAT44) | | | the NAT44) |
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
Table 3: Example of an EIM NAT44 Mapping Entry Table 3: Example of an EIM NAT44 Mapping Entry
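The mapping-entry structure of Section 2.8 and the EDM/EIM distinction behind Tables 2 and 3, as an added example that is not part of the draft or RFC 8512. A MappingTable keys entries on the internal source tuple alone (EIM) or on source plus destination (EDM); the NAT address T is constructed as 192.0.2.1, the external port allocation is a constructed sequential policy, and the NAT64 destination extraction assumes a /96 IPv4-embedded prefix (RFC 6052).

```python
"""Mapping entries shaped as in Section 2.8, with EIM and EDM lookup keys
(added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, ICMP, ICMPV6 = 6, 1, 58      # transport-protocol values used in Tables 2-4
DYNAMIC_IMPLICIT = "dynamic implicit mapping"


@dataclass(frozen=True)
class MappingEntry:
    type: str
    transport_protocol: int
    internal_src_address: str
    internal_src_port: int             # port number or ICMP identifier
    external_src_address: str
    external_src_port: int
    # Destination fields are only kept for endpoint-dependent mappings.
    internal_dst_address: Optional[str] = None
    internal_dst_port: Optional[int] = None
    external_dst_address: Optional[str] = None
    external_dst_port: Optional[int] = None


def embedded_ipv4(address: str) -> str:
    """Destination address as seen on the external side. For a NAT64 the
    internal destination is an IPv4-embedded IPv6 address; assuming a /96
    prefix (RFC 6052), the IPv4 address is its low 32 bits. A plain IPv4
    destination (NAT44) is returned unchanged."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


class MappingTable:
    def __init__(self, external_address: str, endpoint_dependent: bool,
                 first_port: int = 1024):
        self.external_address = external_address      # "T" in the tables
        self.endpoint_dependent = endpoint_dependent  # True: EDM, False: EIM
        self.entries: Dict[Tuple, MappingEntry] = {}
        self._next_port = first_port                  # constructed: sequential ports

    def _allocate_external_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def lookup_or_create(self, proto: int, src: str, src_port: int,
                         dst: str, dst_port: Optional[int]) -> MappingEntry:
        """Return the mapping an outbound packet matches, creating a
        dynamic implicit mapping when none exists."""
        key: Tuple = (proto, src, src_port)
        if self.endpoint_dependent:
            key += (dst, dst_port)
        entry = self.entries.get(key)
        if entry is None:
            ext_port = self._allocate_external_port()
            if self.endpoint_dependent:
                entry = MappingEntry(DYNAMIC_IMPLICIT, proto, src, src_port,
                                     self.external_address, ext_port,
                                     dst, dst_port, embedded_ipv4(dst), dst_port)
            else:
                entry = MappingEntry(DYNAMIC_IMPLICIT, proto, src, src_port,
                                     self.external_address, ext_port)
            self.entries[key] = entry
        return entry


def table2_mapping() -> MappingEntry:
    """The NAT64 EDM mapping of Table 2 (TCP SYN from 2001:db8:aaaa::1,
    port 25636, to 2001:db8:1234::198.51.100.1 port 8080)."""
    nat64 = MappingTable("192.0.2.1", endpoint_dependent=True)
    return nat64.lookup_or_create(TCP, "2001:db8:aaaa::1", 25636,
                                  "2001:db8:1234::198.51.100.1", 8080)


def reuses_external_port(endpoint_dependent: bool) -> bool:
    """Does one internal (address, port) keep a single external port when
    it talks to two destinations? True under EIM, False under EDM."""
    table = MappingTable("192.0.2.1", endpoint_dependent)
    e1 = table.lookup_or_create(TCP, "2001:db8:aaaa::1", 25636,
                                "2001:db8:1234::198.51.100.1", 8080)
    e2 = table.lookup_or_create(TCP, "2001:db8:aaaa::1", 25636,
                                "2001:db8:1234::198.51.100.2", 443)
    return e1.external_src_port == e2.external_src_port
```

The difference matters operationally: under EIM a single external (address, port) is reachable from any remote endpoint, so filtering behaviour decides what inbound traffic is accepted, whereas under EDM each destination costs a new mapping and therefore a new port against the subscriber's quota.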
The mapping that will be created by a NAT64 (EIM mode) upon receipt The mapping that will be created by a NAT64 (EIM mode) upon receipt
of an ICMP request from source address 2001:db8:aaaa::1 and ICMP of an ICMP request from source address 2001:db8:aaaa::1 and ICMP
identifier (ID1) to destination IP address identifier (ID1) to destination IP address
2001:db8:1234::198.51.100.1 is shown in Table 4. 2001:db8:1234::198.51.100.1 is shown in Table 4.
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
| Mapping Entry | Value | | Mapping-Entry | Value |
| Attribute | | | Attribute | |
+----------------------+--------------------------------------------+ +----------------------+--------------------------------------------+
| type | dynamic implicit mapping | | type | dynamic implicit mapping |
| transport-protocol | 58 (ICMPv6) | | transport-protocol | 58 (ICMPv6) |
| internal-src-address | 2001:db8:aaaa::1 | | internal-src-address | 2001:db8:aaaa::1 |
| internal-src-port | ID1 | | internal-src-port | ID1 |
| external-src-address | T (an IPv4 address configured on the | | external-src-address | T (an IPv4 address configured on the |
| | NAT64) | | | NAT64) |
| external-src-port | ID2 (an ICMP identifier that is chosen by | | external-src-port | ID2 (an ICMP identifier that is chosen by |
| | the NAT64) | | | the NAT64) |
skipping to change at page 12, line 6 skipping to change at page 13, line 18
o No mapping table is maintained for NPTv6 given that it is o No mapping table is maintained for NPTv6 given that it is
stateless and transport-agnostic. stateless and transport-agnostic.
o The double translations are stateless in CLAT if a dedicated IPv6 o The double translations are stateless in CLAT if a dedicated IPv6
prefix is provided for CLAT. If not, a stateful NAT44 will be prefix is provided for CLAT. If not, a stateful NAT44 will be
required. required.
o No per-flow mapping is maintained for EAM [RFC7757]. o No per-flow mapping is maintained for EAM [RFC7757].
o No mapping table is maintained for Stateless IPv4/IPv6 o No mapping table is maintained for Stateless IPv4/IPv6
translation. As a reminder, in such deployments internal IPv6 translation. As a reminder, in such deployments, internal IPv6
nodes are addressed using IPv4-translatable IPv6 addresses, which nodes are addressed using IPv4-translatable IPv6 addresses, which
enable them to be accessed by IPv4 nodes [RFC6052]. enable them to be accessed by IPv4 nodes [RFC6052].
2.9. Resource Limits 2.9. Resource Limits
In order to comply with CGN deployments in particular, the NAT YANG In order to comply with CGN deployments in particular, the NAT YANG
module allows limiting the number of external ports per subscriber module allows limiting the number of external ports per subscriber
(port-quota) and the amount of state memory allocated per mapping and (port-quota) and the amount of state memory allocated per mapping and
per subscriber (mapping-limits and connection-limits). According to per subscriber (mapping-limits and connection-limits). According to
[RFC6888], the module is designed to allow for the following: [RFC6888], the module is designed to allow for the following:
o Per-subscriber limits are configurable by the NAT administrator. o Per-subscriber limits are configurable by the NAT administrator.
o Per-subscriber limits are configurable independently per transport o Per-subscriber limits are configurable independently per the
protocol. transport protocol.
o Administrator-adjustable thresholds to prevent a single subscriber o Administrator-adjustable thresholds to prevent a single subscriber
from consuming excessive CPU resources from the NAT (e.g., rate- from consuming excessive CPU resources from the NAT (e.g., rate-
limit the subscriber's creation of new mappings) can be limit the subscriber's creation of new mappings) can be
configured. configured.
Table 5 lists the various limits that can be set using the NAT YANG Table 5 lists the various limits that can be set using the NAT YANG
module. Once a limit is reached, packets that would normally trigger module. Once a limit is reached, packets that would normally trigger
new port mappings or be translated because they match existing new port mappings or be translated because they match existing
mappings, are dropped by the translator. mappings, are dropped by the translator.
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| Limit | Description | | Limit | Description |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| port-quota | Specifies a port quota to be assigned per | | port-quota | Specifies a port quota to be assigned per |
| | subscriber. It corresponds to the maximum | | | subscriber. It corresponds to the maximum |
| | number of ports to be used by a subscriber. | | | number of ports to be used by a subscriber. |
| | The port quota can be configured to apply to | | | The port quota can be configured to apply to |
| | all protocols or to a specific protocol. | | | all protocols or to a specific protocol. |
| | Distinct port quota may be configured per | | | Distinct port quota may be configured per |
| | protocol. | | | protocol. |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| fragments-limit | In order to prevent denial of service attacks | | fragments-limit | In order to prevent denial-of-service (DoS) |
| | that can be caused by fragments, this | | | attacks that can be caused by fragments, this |
| | parameter is used to limit the number of out- | | | parameter is used to limit the number of out- |
| | of-order fragments that can be handled by a | | | of-order fragments that can be handled by a |
| | translator. | | | translator. |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| mapping-limits | This parameter can be used to control the | | mapping-limits | This parameter can be used to control the |
| | maximum number of subscribers that can be | | | maximum number of subscribers that can be |
| | serviced by a NAT instance (limit-subscriber) | | | serviced by a NAT instance (limit-subscriber) |
| | and the maximum number of address and/or port | | | and the maximum number of address and/or port |
| | mappings that can be maintained by a NAT | | | mappings that can be maintained by a NAT |
| | instance (limit-address-mappings and limit- | | | instance (limit-address-mappings and limit- |
| | port-mappings). Also, limits specific to | | | port-mappings). Also, limits specific to |
| | protocols (e.g., TCP, UDP, ICMP) can also be | | | protocols (e.g., TCP, UDP, ICMP) can also be |
| | specified (limit-per-protocol). | | | specified (limit-per-protocol). |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
| connection-limits | In order to prevent exhausting the resources | | connection-limits | In order to prevent exhausting the resources |
| | of a NAT implementation and to ensure | | | of a NAT implementation and to ensure |
| | fairness usage among subscribers, various | | | fairness usage among subscribers, various |
| | rate-limits can be specified. Rate-limiting | | | rate limits can be specified. Rate-limiting |
| | can be enforced per subscriber ((limit- | | | can be enforced per subscriber (limit- |
| | subscriber), per NAT instance (limit-per- | | | subscriber), per NAT instance (limit-per- |
| | instance), and/or be specified for each | | | instance), and/or be specified for each |
| | supported protocol (limit-per-protocol). | | | supported protocol (limit-per-protocol). |
+-------------------+-----------------------------------------------+ +-------------------+-----------------------------------------------+
Table 5: NAT Limits Table 5: NAT Limits
Table 6 describes limits, that once exceeded, will trigger Table 6 describes limits that, once exceeded, will trigger
notifications to be generated: notifications to be generated:
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| Notification Threshold | Description | | Notification Threshold | Description |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| high-threshold | Used to notify high address | | high-threshold | Used to notify high address |
| | utilization of a given pool. When | | | utilization of a given pool. When |
| | exceeded, a nat-pool-event | | | exceeded, a nat-pool-event |
| | notification will be generated. | | | notification will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| low-threshold | Used to notify low address utilization | | low-threshold | Used to notify low address utilization |
| | of a given pool. An administrator is | | | of a given pool. An administrator is |
| | supposed to configure low-threshold so | | | supposed to configure low-threshold so |
| | that it can reflect an abnormal usage | | | that it can reflect an abnormal usage |
| | of NAT resources. When exceeded, a | | | of NAT resources. When exceeded, a |
| | nat-pool-event notification will be | | | nat-pool-event notification will be |
| | generated. | | | generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-addresses-usage | Used to notify high address | | notify-addresses-usage | Used to notify high address |
| | utilization of all pools configured to | | | utilization of all pools configured to |
| | a NAT instance. When exceeded, a nat- | | | a NAT instance. When exceeded, a nat- |
| | instance-event will be generated. | | | instance-event will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-ports-usage | Used to notify high port allocation | | notify-ports-usage | Used to notify high port allocation |
| | taking into account all pools | | | taking into account all pools |
| | configured to a NAT instance. When | | | configured to a NAT instance. When |
| | exceeded, a nat-instance-event | | | exceeded, a nat-instance-event |
| | notification will be generated. | | | notification will be generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
| notify-subscribers-limit | Used to notify a high number of active | | notify-subscribers-limit | Used to notify a high number of active |
| | subscribers that are serviced by a NAT | | | subscribers that are serviced by a NAT |
| | instance. When exceeded, a nat- | | | instance. When exceeded, a nat- |
| | instance-event notification will be | | | instance-event notification will be |
| | generated. | | | generated. |
+--------------------------+----------------------------------------+ +--------------------------+----------------------------------------+
Table 6: Notification Thresholds Table 6: Notification Thresholds
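The limits of Table 5 and the pool thresholds of Table 6 together, as an added example that is not code from the draft or RFC 8512. A NatPool enforces a per-subscriber port-quota and an instance-wide limit-port-mappings (packets needing a new binding are dropped once a limit is hit) and raises a nat-pool-event, carrying the id, pool-id and notify-pool-threshold leaves of the tree diagram, when utilization crosses high-threshold or low-threshold. Pool size, quota and the edge-triggered "notify once per crossing" behaviour are constructed choices for the example.

```python
"""Per-subscriber port-quota, limit-port-mappings and high-/low-threshold
nat-pool-event notifications (added example)."""
from typing import Dict, List, Optional, Tuple

Binding = Tuple[str, int]   # (external address, external port)


class NatPool:
    def __init__(self, instance_id: int, pool_id: int, addresses: List[str],
                 ports_per_address: range, port_quota: int,
                 limit_port_mappings: int, high_threshold: int, low_threshold: int):
        if not 0 <= low_threshold < high_threshold <= 100:
            raise ValueError("thresholds are percentages with low < high")
        self.instance_id = instance_id
        self.pool_id = pool_id
        self._free: List[Binding] = [(a, p) for a in addresses for p in ports_per_address]
        self.total = len(self._free)
        self.port_quota = port_quota
        self.limit_port_mappings = limit_port_mappings
        self.high_threshold = high_threshold
        self.low_threshold = low_threshold
        self.per_subscriber: Dict[str, int] = {}
        self.ports_allocated = 0
        self.events: List[dict] = []
        # Edge-triggered state so a threshold is reported once per crossing
        # (constructed choice; the pool starts empty, hence "below low").
        self._above_high = False
        self._below_low = True

    def utilization(self) -> float:
        return 100.0 * self.ports_allocated / self.total

    def allocate(self, subscriber: str) -> Optional[Binding]:
        """Return a new binding, or None when the packet must be dropped:
        port-quota reached, limit-port-mappings reached, or pool empty."""
        used = self.per_subscriber.get(subscriber, 0)
        if used >= self.port_quota:
            return None
        if self.ports_allocated >= self.limit_port_mappings or not self._free:
            return None
        binding = self._free.pop(0)
        self.per_subscriber[subscriber] = used + 1
        self.ports_allocated += 1
        self._check_thresholds()
        return binding

    def release(self, subscriber: str, binding: Binding) -> None:
        self._free.append(binding)
        self.per_subscriber[subscriber] -= 1
        self.ports_allocated -= 1
        self._check_thresholds()

    def _notify(self, threshold: int) -> None:
        # Fields follow the nat-pool-event notification of the tree diagram.
        self.events.append({"id": self.instance_id, "pool-id": self.pool_id,
                            "notify-pool-threshold": threshold})

    def _check_thresholds(self) -> None:
        u = self.utilization()
        if u > self.high_threshold and not self._above_high:
            self._notify(self.high_threshold)
        self._above_high = u > self.high_threshold
        if u < self.low_threshold and not self._below_low:
            self._notify(self.low_threshold)
        self._below_low = u < self.low_threshold


def run_scenario() -> Tuple[NatPool, int]:
    """Constructed scenario: 2 addresses x 4 ports, quota 3 per subscriber.
    Subscriber A asks for 4 bindings (the 4th is dropped), B for 3, C for 1,
    then everything is released. Returns the pool and the drop count."""
    pool = NatPool(instance_id=1, pool_id=1,
                   addresses=["192.0.2.1", "192.0.2.2"],
                   ports_per_address=range(1024, 1028), port_quota=3,
                   limit_port_mappings=8, high_threshold=75, low_threshold=25)
    dropped = 0
    held: Dict[str, List[Binding]] = {"A": [], "B": [], "C": []}
    for subscriber, attempts in (("A", 4), ("B", 3), ("C", 1)):
        for _ in range(attempts):
            binding = pool.allocate(subscriber)
            if binding is None:
                dropped += 1
            else:
                held[subscriber].append(binding)
    for subscriber, bindings in held.items():
        for binding in bindings:
            pool.release(subscriber, binding)
    return pool, dropped
```

The per-subscriber quota is what keeps one misbehaving host from taking the whole pool; the high-threshold event is the operator's early warning that the pool, not a single subscriber, is close to exhaustion.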
In order to prevent a NAT implementation from generating frequent In order to prevent a NAT implementation from generating frequent
notifications, the NAT YANG module supports the following limits notifications, the NAT YANG module supports the following limits
(Table 7) used to control how frequent notifications can be (Table 7) used to control how frequent notifications can be
generated. That is, notifications are subject to rate-limiting generated. That is, notifications are subject to rate-limiting
skipping to change at page 15, line 30 skipping to change at page 16, line 36
2.10. Binding the NAT Function to an External Interface 2.10. Binding the NAT Function to an External Interface
The module is designed to specify an external realm on which the NAT The module is designed to specify an external realm on which the NAT
function must be applied (external-realm). The module supports function must be applied (external-realm). The module supports
indicating an interface as an external realm [RFC8343], but the indicating an interface as an external realm [RFC8343], but the
module is extensible so that other choices can be indicated in the module is extensible so that other choices can be indicated in the
future (e.g., Virtual Routing and Forwarding (VRF) instance). future (e.g., Virtual Routing and Forwarding (VRF) instance).
Distinct external realms can be provided as a function of the NAT Distinct external realms can be provided as a function of the NAT
policy (see for example, Section 4 of [RFC7289]). policy (see, for example, Section 4 of [RFC7289]).
If no external realm is provided, this assumes that the system is If no external realm is provided, this assumes that the system is
able to determine the external interface (VRF instance, etc.) on able to determine the external interface (VRF instance, etc.) on
which the NAT will be applied. Typically, the WAN and LAN interfaces which the NAT will be applied. Typically, the WAN and LAN interfaces
of a CPE are determined by the CPE. of Customer Premises Equipment (CPE) are determined by the CPE.
2.11. Relationship to NATV2-MIB 2.11. Relationship to NATV2-MIB
Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that Section 5.1 of [RFC7659] indicates that the NATV2-MIB assumes that
the following information is configured on the NAT by some means, not the following information is configured on the NAT by some means,
specified in [RFC7659]: which is not specified in [RFC7659]:
o The set of address realms to which the device connect. o The set of address realms to which the device connects.
o For the CGN case, per-subscriber information including subscriber o For the CGN case, per-subscriber information including the
index, address realm, assigned prefix or address, and (possibly) subscriber index, address realm, assigned prefix or address, and
policies regarding address pool selection in the various possible (possibly) policies regarding address pool selection in the
address realms to which the subscriber may connect. various possible address realms to which the subscriber may
connect.
o The set of NAT instances running on the device, identified by NAT o The set of NAT instances running on the device, identified by NAT
instance index and name. instance index and name.
o The port mapping, filtering, pooling, and fragment behaviors for o The port mapping, filtering, pooling, and fragment behaviors for
each NAT instance. each NAT instance.
o The set of protocols supported by each NAT instance. o The set of protocols supported by each NAT instance.
o Address pools for each NAT instance, including for each pool the o Address pools for each NAT instance, including for each pool the
pool index, address realm, and minimum and maximum port number. pool index, address realm, and minimum and maximum port numbers.
o Static address and port mapping entries. o Static address and port mapping entries.
All the above parameters can be configured by means of the NAT YANG All the above parameters can be configured by means of the NAT YANG
module. module.
Unlike the NATV2-MIB, the NAT YANG module allows to configure Unlike the NATV2-MIB, the NAT YANG module allows the configuration of
multiple policies per NAT instance. multiple policies per NAT instance.
2.12. Tree Structure 2.12. Tree Structure
The tree structure of the NAT YANG module is provided below: The tree structure of the NAT YANG module is provided below:
module: ietf-nat module: ietf-nat
+--rw nat +--rw nat
+--rw instances +--rw instances
+--rw instance* [id] +--rw instance* [id]
+--rw id uint32 +--rw id uint32
+--rw name? string +--rw name? string
+--rw enable? boolean +--rw enable? boolean
+--ro capabilities +--ro capabilities
| +--ro nat-flavor* | +--ro nat-flavor*
| | identityref | | identityref
| +--ro per-interface-binding* | +--ro per-interface-binding*
skipping to change at page 22, line 10 skipping to change at page 23, line 25
| {basic-nat44 or napt44 or nat64}? | {basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32 +--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time +--ro discontinuity-time yang:date-and-time
+--ro pool-stats +--ro pool-stats
| +--ro addresses-allocated? yang:gauge32 | +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32 | +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}? +--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32 +--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32 +--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-pool-event {basic-nat44 or napt44 or nat64}? +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
| +--ro id -> /nat/instances/instance/id | +--ro id -> /nat/instances/instance/id
| +--ro policy-id? | +--ro policy-id?
| | -> /nat/instances/instance/policy/id | | -> /nat/instances/instance/policy/id
| +--ro pool-id | +--ro pool-id
| | -> /nat/instances/instance/policy/ | | -> /nat/instances/instance/policy/
| | external-ip-address-pool/pool-id | | external-ip-address-pool/pool-id
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id +--ro id
| -> /nat/instances/instance/id | -> /nat/instances/instance/id
+--ro notify-subscribers-threshold? uint32 +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent +--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent +--ro notify-ports-threshold? percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2018-09-27.yang" <CODE BEGINS> file "ietf-nat@2019-01-10.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
prefix "nat"; prefix nat;
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
reference reference
"Section 4 of RFC 6991"; "Section 4 of RFC 6991";
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"Section 3 of RFC 6991"; "Section 3 of RFC 6991";
} }
import ietf-interfaces { import ietf-interfaces {
prefix if; prefix if;
reference reference
"RFC 8343: A YANG Data Model for Interface Management"; "RFC 8343: A YANG Data Model for Interface Management";
} }
organization organization
"IETF OPSAWG (Operations and Management Area Working Group)"; "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"WG Web: <https://datatracker.ietf.org/wg/opsawg/> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
WG List: <mailto:opsawg@ietf.org> WG List: <mailto:opsawg@ietf.org>
Editor: Mohamed Boucadair Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com> <mailto:mohamed.boucadair@orange.com>
Author: Senthil Sivakumar Author: Senthil Sivakumar
<mailto:ssenthil@cisco.com> <mailto:ssenthil@cisco.com>
Author: Christian Jacquenet Author: Christian Jacquenet
skipping to change at page 23, line 34 skipping to change at page 25, line 6
Author: Suresh Vinapamula Author: Suresh Vinapamula
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Author: Qin Wu Author: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations. "This module is a YANG module for NAT implementations.
NAT44, Network Address and Protocol Translation from IPv6 NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Clients to IPv4 Servers (NAT64), customer-side translator
Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit
for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network Address Mappings (EAM) for SIIT, IPv6 Network Prefix
Prefix Translation (NPTv6), and Destination NAT are covered. Translation (NPTv6), and Destination NAT are covered.
Copyright (c) 2018 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC 8512; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-09-27 { revision 2019-01-10 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Module for Network Address Translation "RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
description description
"Percentage"; "Percentage";
} }
/* /*
* Features * Features
*/ */
feature basic-nat44{ feature basic-nat44 {
description description
"Basic NAT44 translation is limited to IP addresses alone."; "Basic NAT44 translation is limited to IP addresses alone.";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature napt44 { feature napt44 {
description description
"Network Address/Port Translator (NAPT): translation is "Network Address Port Translator (NAPT): translation is
extended to include IP addresses and transport identifiers extended to include IP addresses and transport identifiers
(such as a TCP/UDP port or ICMP query ID). (such as a TCP/UDP port or ICMP query ID).
If the internal IP address is not sufficient to uniquely If the internal IP address is not sufficient to uniquely
disambiguate NAPT44 mappings, an additional attribute is disambiguate NAPT44 mappings, an additional attribute is
required. For example, that additional attribute may required. For example, that additional attribute may
be an IPv6 address (a.k.a., DS-Lite) or be an IPv6 address (a.k.a., DS-Lite) or
a Layer 2 identifier (a.k.a., Per-Interface NAT)"; a Layer 2 identifier (a.k.a., Per-Interface NAT)";
reference reference
"RFC 3022: Traditional IP Network Address Translator "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)"; (Traditional NAT)";
} }
feature dst-nat { feature dst-nat {
description description
"Destination NAT is a translation that acts on the destination "Destination NAT is a translation that acts on the destination
IP address and/or destination port number. This flavor is IP address and/or destination port number. This flavor is
usually deployed in load balancers or at devices usually deployed in load balancers or at devices
in front of public servers."; in front of public servers.";
} }
feature nat64 { feature nat64 {
description description
"NAT64 translation allows IPv6-only clients to contact IPv4 "NAT64 translation allows IPv6-only clients to contact IPv4
servers using, e.g., UDP, TCP, or ICMP. One or more servers using, e.g., UDP, TCP, or ICMP. One or more
public IPv4 addresses assigned to a NAT64 translator are public IPv4 addresses assigned to a NAT64 translator are
shared among several IPv6-only clients."; shared among several IPv6-only clients.";
reference reference
"RFC 6146: Stateful NAT64: Network Address and Protocol "RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers"; Translation from IPv6 Clients to IPv4 Servers";
} }
feature siit { feature siit {
description description
"The Stateless IP/ICMP Translation Algorithm (SIIT), which "The Stateless IP/ICMP Translation Algorithm (SIIT), which
translates between IPv4 and IPv6 packet headers (including translates between IPv4 and IPv6 packet headers (including
ICMP headers). ICMP headers).
In the stateless mode, an IP/ICMP translator converts IPv4 In the stateless mode, an IP/ICMP translator converts IPv4
addresses to IPv6 and vice versa solely based on the addresses to IPv6, and vice versa, solely based on the
configuration of the stateless IP/ICMP translator and configuration of the stateless IP/ICMP translator and
information contained within the packet being translated. information contained within the packet being translated.
The translator must support the stateless address mapping The translator must support the stateless address mapping
algorithm defined in RFC6052, which is the default behavior."; algorithm defined in RFC 6052, which is the default behavior.";
reference reference
"RFC 7915: IP/ICMP Translation Algorithm"; "RFC 7915: IP/ICMP Translation Algorithm";
} }
feature clat { feature clat {
description description
"CLAT is a customer-side translator that algorithmically "CLAT is a customer-side translator that algorithmically
translates 1:1 private IPv4 addresses to global IPv6 addresses, translates 1:1 private IPv4 addresses to global IPv6
and vice versa. addresses, and vice versa.
When a dedicated /64 prefix is not available for translation When a dedicated /64 prefix is not available for translation
from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4 packets appear packets so that all the LAN-originated IPv4 packets appear
from a single IPv4 address and are then statelessly translated from a single IPv4 address and are then statelessly translated
to one interface IPv6 address that is claimed by the CLAT via to one interface IPv6 address that is claimed by the CLAT via
the Neighbor Discovery Protocol (NDP) and defended with the Neighbor Discovery Protocol (NDP) and defended with
Duplicate Address Detection."; Duplicate Address Detection.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and
Translation"; Stateless Translation";
} }
feature eam { feature eam {
description description
"Explicit Address Mapping (EAM) is a bidirectional coupling "Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 Prefix and an IPv6 Prefix."; between an IPv4 prefix and an IPv6 prefix.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
feature nptv6 { feature nptv6 {
description description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation."; prefix translation.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
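Review bot: the clat feature description (identical in both columns, "CLAT is customer-side translator that algorithmically ...") is missing an article and should read "CLAT is a customer-side translator ..."; the sentence was touched for reflow in the right column, so the fix fits this change. The remaining edits in this region (the "RFC6052" to "RFC 6052" spacing in the siit description, lowercase "IPv4 prefix"/"IPv6 prefix" in the eam description, and re-wrapped reference strings) are purely editorial and alter no module semantics.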
skipping to change at page 27, line 41 skipping to change at page 29, line 13
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
identity nptv6 { identity nptv6 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for NPTv6 support.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
/* /*
* Grouping * Grouping
*/ */
grouping port-number { grouping port-number {
description description
"An individual port number or a range of ports. "An individual port number or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port number."; it represents a single port number.";
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"Beginning of the port range."; "Beginning of the port range.";
reference reference
"Section 3.2.9 of RFC 8045."; "Section 3.2.9 of RFC 8045";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
must '. >= ../start-port-number' {
must ". >= ../start-port-number" error-message
{ "The end-port-number must be greater than or
error-message equal to start-port-number.";
"The end-port-number must be greater than or }
equal to start-port-number.";
}
description description
"End of the port range."; "End of the port range.";
reference reference
"Section 3.2.10 of RFC 8045."; "Section 3.2.10 of RFC 8045";
} }
} }
grouping port-set { grouping port-set {
description description
"Indicates a set of port numbers. "Indicates a set of port numbers.
It may be a simple port range, or use the Port Set ID (PSID) It may be a simple port range, or use the Port Set
algorithm to represent a range of transport layer Identifier (PSID) algorithm to represent a range of
port numbers which will be used by a NAPT."; transport-layer port numbers that will be used by a
NAPT.";
choice port-type { choice port-type {
default port-range; default "port-range";
description description
"Port type: port-range or port-set-algo."; "Port type: port-range or port-set-algo.";
case port-range { case port-range {
uses port-number; uses port-number;
}
}
case port-set-algo { case port-set-algo {
leaf psid-offset { leaf psid-offset {
type uint8 { type uint8 {
range 0..15; range "0..15";
} }
description description
"The number of offset bits (a.k.a., 'a' bits). "The number of offset bits (a.k.a., 'a' bits).
Specifies the numeric value for the excluded port Specifies the numeric value for the excluded port
range/offset bits. range/offset bits.
Allowed values are between 0 and 15."; Allowed values are between 0 and 15.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
leaf psid-len { leaf psid-len {
type uint8 { type uint8 {
range 0..15; range "0..15";
} }
mandatory true; mandatory true;
description
"The length of PSID, representing the sharing
ratio for an IPv4 address.
description (also known as 'k').
"The length of PSID, representing the sharing
ratio for an IPv4 address.
(also known as 'k').
The address-sharing ratio would be 2^k."; The address-sharing ratio would be 2^k.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
leaf psid { leaf psid {
type uint16; type uint16;
mandatory true; mandatory true;
description description
"Port Set Identifier (PSID) value, which "PSID value, which identifies a set
identifies a set of ports algorithmically."; of ports algorithmically.";
reference reference
"Section 5.1 of RFC 7597"; "Section 5.1 of RFC 7597";
} }
} }
reference reference
"Section 7597: Mapping of Address and Port with "RFC 7597: Mapping of Address and Port with
Encapsulation (MAP-E)"; Encapsulation (MAP-E)";
} }
} }
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry. "NAT mapping entry.
If an attribute is not stored in the mapping/session table, If an attribute is not stored in the mapping/session table,
this means the corresponding field of a packet that it means the corresponding field of a packet that
matches this entry is not rewritten by the NAT or this matches this entry is not rewritten by the NAT or this
information is not required for NAT filtering purposes."; information is not required for NAT filtering purposes.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry. This identifier can be "A unique identifier of a mapping entry. This identifier
automatically assigned by the NAT instance or be explicitly can be automatically assigned by the NAT instance or be
configured."; explicitly configured.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum "static" { enum static {
description description
"The mapping entry is explicitly configured "The mapping entry is explicitly configured
(e.g., via command-line interface)."; (e.g., via a command-line interface).";
} }
enum dynamic-implicit {
enum "dynamic-implicit" {
description description
"This mapping is created implicitly as a side effect "This mapping is created implicitly as a side effect
of processing a packet that requires a new mapping."; of processing a packet that requires a new mapping.";
} }
enum dynamic-explicit {
enum "dynamic-explicit" {
description description
"This mapping is created as a result of an explicit "This mapping is created as a result of an explicit
request, e.g., a PCP message."; request, e.g., a PCP message.";
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of a mapping entry. For example,
a mapping can be: static, implicit dynamic, a mapping can be: static, implicit dynamic,
or explicit dynamic."; or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this mapping. "The upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry:: Values are taken from the IANA Protocol Numbers registry:
https://www.iana.org/assignments/protocol-numbers/ <https://www.iana.org/assignments/protocol-numbers/>.
protocol-numbers.xhtml
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP. 17 for UDP, 33 for DCCP, or 132 for SCTP.
If this leaf is not instantiated, then the mapping If this leaf is not instantiated, then the mapping
applies to any protocol."; applies to any protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal interface."; of the packet received on an internal interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the packet received "Corresponds to the source port of the packet received
on an internal interface. on an internal interface.
It is used also to indicate the internal source ICMP It is also used to indicate the internal source ICMP
identifier. identifier.
As a reminder, all the ICMP Query messages contain As a reminder, all the ICMP Query messages contain
an 'Identifier' field, which is referred to in this an 'Identifier' field, which is referred to in this
document as the 'ICMP Identifier'."; document as the 'ICMP Identifier'.";
uses port-number;
uses port-number;
} }
leaf external-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Source IP address/prefix of the packet sent on an "Source IP address/prefix of the packet sent on an
external interface of the NAT."; external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent on an external "Source port of the packet sent on an external
interface of the NAT. interface of the NAT.
It is used also to indicate the external source ICMP It is also used to indicate the external source ICMP
identifier."; identifier.";
uses port-number; uses port-number;
} }
leaf internal-dst-address { leaf internal-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and port numbers, sometimes referred to addresses and port numbers, sometimes referred to
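Review bot: in the port-set-algo case of grouping port-set, psid-offset and psid-len are each bounded to 0..15 but nothing relates them to each other or to psid: the offset bits ('a') plus the PSID length ('k') cannot exceed the 16 bits of an inet:port-number, and a psid value only has meaning below 2^psid-len, yet no must statement expresses either, whereas grouping port-number does guard end-port-number with '. >= ../start-port-number'. Suggest adding in the port-set-algo case something like `must '../psid-offset + ../psid-len <= 16'` with an error-message, so an invalid port set is rejected at configuration time instead of producing an unusable translator. The right column's correction of the grouping's reference from "Section 7597: Mapping of Address and Port ..." to "RFC 7597: ..." is right, and the added quoting of the must, default and range arguments is stylistic only (YANG accepts the unquoted forms).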
skipping to change at page 32, line 24 skipping to change at page 33, line 20
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and port numbers, sometimes referred to addresses and port numbers, sometimes referred to
as 'Twice NAT'."; as 'Twice NAT'.";
} }
container internal-dst-port { container internal-dst-port {
description description
"Corresponds to the destination port of the "Corresponds to the destination port of the
IP packet received on the internal interface. IP packet received on the internal interface.
It is used also to include the internal It is also used to include the internal
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf external-dst-address { leaf external-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet sent on an external interface of the packet sent on an external interface
of the NAT."; of the NAT.";
} }
container external-dst-port { container external-dst-port {
description description
"Corresponds to the destination port number of "Corresponds to the destination port number of
the packet sent on the external interface the packet sent on the external interface
of the NAT. of the NAT.
It is used also to include the external It is also used to include the external
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf lifetime { leaf lifetime {
type uint32; type uint32;
units "seconds"; units "seconds";
description description
"When specified, it is used to track the connection that is "When specified, it is used to track the connection that is
fully-formed (e.g., once the three-way handshake fully formed (e.g., once the three-way handshake
TCP is completed) or the duration for maintaining TCP is completed) or the duration for maintaining
an explicit mapping alive. The mapping entry will be an explicit mapping alive. The mapping entry will be
removed by the NAT instance once this lifetime is expired. removed by the NAT instance once this lifetime is expired.
When reported in a get operation, the lifetime indicates When reported in a get operation, the lifetime indicates
the remaining validity lifetime. the remaining validity lifetime.
Static mappings may not be associated with a Static mappings may not be associated with a
lifetime. If no lifetime is associated with a lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to static mapping, an explicit action is required to
remove that mapping."; remove that mapping.";
} }
} }
/* /*
* NAT Module * NAT Module
*/ */
container nat { container nat {
description description
"NAT module"; "NAT module";
container instances { container instances {
description description
"NAT instances"; "NAT instances";
list instance { list instance {
key "id"; key "id";
description description
"A NAT instance. This identifier can be automatically assigned "A NAT instance. This identifier can be automatically
or explicitly configured."; assigned or explicitly configured.";
leaf id { leaf id {
type uint32; type uint32;
must ". >= 1"; must '. >= 1';
description description
"NAT instance identifier. "NAT instance identifier.
The identifier must be greater than zero."; The identifier must be greater than zero.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
reference reference
"RFC 7659: Definitions of Managed Objects for Network "RFC 7659: Definitions of Managed Objects for Network
Address Translators (NATs)"; Address Translators (NATs)";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"Status of the NAT instance."; "Status of the NAT instance.";
} }
container capabilities { container capabilities {
config false; config false;
description description
"NAT capabilities"; "NAT capabilities.";
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
} }
description description
"Supported translation type(s)."; "Supported translation type(s).";
} }
leaf-list per-interface-binding { leaf-list per-interface-binding {
type enumeration { type enumeration {
enum "unsupported" { enum unsupported {
description description
"No capability to associate a NAT binding with "No capability to associate a NAT binding with
an extra identifier."; an extra identifier.";
}
enum layer-2 {
description
"The NAT instance is able to associate a mapping with
a Layer 2 identifier.";
}
enum dslite {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
} }
enum "layer-2" {
description
"The NAT instance is able to associate a mapping with
a layer-2 identifier.";
}
enum "dslite" {
description
"The NAT instance is able to associate a mapping with
an IPv6 address (a.k.a., DS-Lite).";
}
}
description
"Indicates the capability of a NAT to associate a particular
NAT session not only with the five tuples used for the
transport connection on both sides of the NAT but also with
the internal interface on which the user device is
connected to the NAT.";
reference
"Section 4 of RFC 6619";
}
list transport-protocols {
key protocol-id;
description
"List of supported protocols.";
leaf protocol-id {
type uint8;
mandatory true;
description description
"Upper-layer protocol associated with a mapping. "Indicates the capability of a NAT to associate a
particular NAT session not only with the five
Values are taken from the IANA protocol registry. tuples used for the transport connection on both
sides of the NAT but also with the internal
For example, this field contains 6 for TCP, interface on which the user device is
17 for UDP, 33 for DCCP, or 132 for SCTP."; connected to the NAT.";
reference
"Section 4 of RFC 6619";
} }
list transport-protocols {
leaf protocol-name { key "protocol-id";
type string;
description description
"The name of the Upper-layer protocol associated "List of supported protocols.";
with this mapping.
For example, TCP, UDP, DCCP, and SCTP.";
}
}
leaf restricted-port-support {
type boolean;
description
"Indicates source port NAT restriction support.";
reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture.";
}
leaf static-mapping-support {
type boolean;
description
"Indicates whether static mappings are supported.";
}
leaf port-randomization-support {
type boolean;
description
"Indicates whether port randomization is supported.";
reference
"Section 4.2.1 of RFC 4787.";
}
leaf port-range-allocation-support {
type boolean;
description
"Indicates whether port range allocation is supported.";
reference
"Section 1.1 of RFC 7753.";
}
leaf port-preservation-suport {
type boolean;
description
"Indicates whether port preservation is supported.";
reference
"Section 4.2.1 of RFC 4787.";
}
leaf port-parity-preservation-support {
type boolean;
description
"Indicates whether port parity preservation is
supported.";
reference
"Section 8 of RFC 7857.";
}
leaf address-roundrobin-support {
type boolean;
description
"Indicates whether address allocation round robin is
supported.";
}
leaf paired-address-pooling-support {
type boolean;
description
"Indicates whether paired-address-pooling is
supported";
reference
"REQ-2 of RFC 4787.";
}
leaf endpoint-independent-mapping-support {
type boolean;
description
"Indicates whether endpoint-independent-
mapping is supported.";
reference
"Section 4 of RFC 4787.";
}
leaf address-dependent-mapping-support {
type boolean;
description
"Indicates whether address-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787.";
}
leaf address-and-port-dependent-mapping-support {
type boolean;
description
"Indicates whether address-and-port-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787.";
}
leaf endpoint-independent-filtering-support {
type boolean;
description
"Indicates whether endpoint-independent-filtering is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf address-dependent-filtering {
type boolean;
description
"Indicates whether address-dependent-filtering is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf address-and-port-dependent-filtering {
type boolean;
description
"Indicates whether address-and-port-dependent is
supported.";
reference
"Section 5 of RFC 4787.";
}
leaf fragment-behavior { leaf protocol-id {
type enumeration { type uint8;
enum "unsupported" { mandatory true;
description description
"No capability to translate incoming fragments. "The upper-layer protocol associated with a mapping.
All received fragments are dropped.";
}
enum "in-order" { Values are taken from the IANA Protocol Numbers
description registry.
"The NAT instance is able to translate fragments only if
they are received in order. That is, in particular the
header is in the first packet. Fragments received
out of order are dropped. ";
}
enum "out-of-order" { For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP.";
}
leaf protocol-name {
type string;
description description
"The NAT instance is able to translate a fragment even "The name of the upper-layer protocol associated
if it is received out of order. with this mapping.
This behavior is recommended."; For example, TCP, UDP, DCCP, and SCTP.";
reference
"REQ-14 of RFC 4787";
} }
} }
description leaf restricted-port-support {
"The fragment behavior is the NAT instance's capability to type boolean;
translate fragments received on the external interface of
the NAT.";
}
}
leaf type {
type identityref {
base nat-type;
}
description
"Specify the translation type. Particularly useful when
multiple translation flavors are supported.
If one type is supported by a NAT, this parameter is by
default set to that type.";
}
leaf per-interface-binding {
type enumeration {
enum "disabled" {
description description
"Disable the capability to associate an extra identifier "Indicates source port NAT restriction support.";
with NAT mappings."; reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture";
} }
leaf static-mapping-support {
enum "layer-2" { type boolean;
description description
"The NAT instance is able to associate a mapping with "Indicates whether static mappings are supported.";
a layer-2 identifier.";
} }
leaf port-randomization-support {
enum "dslite" { type boolean;
description description
"The NAT instance is able to associate a mapping with "Indicates whether port randomization is supported.";
an IPv6 address (a.k.a., DS-Lite)."; reference
"Section 4.2.1 of RFC 4787";
} }
} leaf port-range-allocation-support {
description type boolean;
"A NAT that associates a particular NAT session not only with description
the five tuples used for the transport connection on both "Indicates whether port range allocation is supported.";
sides of the NAT but also with the internal interface on
which the user device is connected to the NAT.
If supported, this mode of operation should be configurable,
and it should be disabled by default in general-purpose NAT
devices.
If one single per-interface binding behavior is supported by
a NAT, this parameter is by default set to that behavior.";
reference
"Section 4 of RFC 6619";
}
list nat-pass-through {
if-feature "basic-nat44 or napt44 or dst-nat";
key id;
description
"IP prefix NAT pass through.";
leaf id {
type uint32;
description
"An identifier of the IP prefix pass through.";
}
leaf prefix {
type inet:ip-prefix;
mandatory true;
description
"The IP addresses that match should not be translated.
It must be possible to administratively turn
off translation for specific destination addresses
and/or ports.";
reference
"REQ#6 of RFC 6888.";
}
leaf port {
type inet:port-number;
description
"It must be possible to administratively turn off
translation for specific destination addresses
and/or ports.
If no prefix is defined, the NAT pass through bound
to a given port applies for any destination address.";
reference
"REQ#6 of RFC 6888.";
}
}
list policy {
key id;
description
"NAT parameters for a given instance";
leaf id {
type uint32;
description
"An identifier of the NAT policy. It must be unique
within the NAT instance.";
}
container clat-parameters {
if-feature clat;
description
"CLAT parameters.";
list clat-ipv6-prefixes {
key ipv6-prefix;
description
"464XLAT double translation treatment is stateless when a
dedicated /64 is available for translation on the CLAT.
Otherwise, the CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to a single IPv4
address and then stateless translation to a single
IPv6 address.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "Section 1.1 of RFC 7753";
Translation";
leaf ipv6-prefix {
type inet:ipv6-prefix;
description
"An IPv6 prefix used for CLAT.";
}
} }
leaf port-preservation-suport {
list ipv4-prefixes { type boolean;
key ipv4-prefix;
description description
"Pool of IPv4 addresses used for CLAT. "Indicates whether port preservation is supported.";
192.0.0.0/29 is the IPv4 service continuity prefix.";
reference reference
"RFC 7335: IPv4 Service Continuity Prefix"; "Section 4.2.1 of RFC 4787";
}
leaf ipv4-prefix { leaf port-parity-preservation-support {
type inet:ipv4-prefix; type boolean;
description
"464XLAT double translation treatment is
stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to
a single IPv4 address and then stateless
translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4
packets appear from a single IPv4 address
and are then statelessly translated to one
interface IPv6 address that is claimed by
the CLAT.
An IPv4 address from this pool is also
provided to an application that makes
use of literals.";
reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
}
}
}
list nptv6-prefixes {
if-feature nptv6;
key internal-ipv6-prefix ;
description
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description description
"An IPv6 prefix used by an internal interface of NPTv6."; "Indicates whether port parity preservation is
supported.";
reference reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; "Section 8 of RFC 7857";
}
leaf external-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by the external interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
}
list eam {
if-feature eam;
key ipv4-prefix;
description
"The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses.";
reference
"Section 3.1 of RFC 7757.";
leaf ipv4-prefix {
type inet:ipv4-prefix;
mandatory true;
description
"The IPv4 prefix of an EAM.";
reference
"Section 3.2 of RFC 7757.";
}
leaf ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"The IPv6 prefix of an EAM.";
reference
"Section 3.2 of RFC 7757.";
}
}
list nat64-prefixes {
if-feature "siit or nat64 or clat";
key nat64-prefix;
description
"Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes.
It allows mapping IPv4 address ranges to IPv6 prefixes.
For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference
"Section 5.1 of RFC 7050.";
leaf nat64-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
Well-Known Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 translation
should assign a Network-Specific Prefix to their
IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6 addresses
must use the selected Network-Specific Prefix.
Both IPv4-translatable IPv6 addresses and IPv4-converted
IPv6 addresses should use the same prefix.";
reference
"Sections 3.3 and 3.4 of RFC 6052.";
}
list destination-ipv4-prefix {
key ipv4-prefix;
description
"An IPv4 prefix/address.";
leaf ipv4-prefix {
type inet:ipv4-prefix;
description
"An IPv4 address/prefix.";
}
} }
leaf address-roundrobin-support {
leaf stateless-enable {
type boolean; type boolean;
default false;
description description
"Enable explicitly stateless NAT64."; "Indicates whether address allocation round robin is
} supported.";
} }
leaf paired-address-pooling-support {
list external-ip-address-pool { type boolean;
if-feature "basic-nat44 or napt44 or nat64";
key pool-id;
description
"Pool of external IP addresses used to service internal
hosts.
A pool is a set of IP prefixes.";
leaf pool-id {
type uint32;
must ". >= 1";
description
"An identifier that uniquely identifies the address pool
within a NAT instance.
The identifier must be greater than zero.";
reference
"RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)";
}
leaf external-ip-pool {
type inet:ipv4-prefix;
mandatory true;
description
"An IPv4 prefix used for NAT purposes.";
}
}
container port-set-restrict {
if-feature "napt44 or nat64";
description
"Configures contiguous and non-contiguous port ranges.
The port set is used to restrict the external source
port numbers used by the translator.";
uses port-set;
}
leaf dst-nat-enable {
if-feature "basic-nat44 or napt44";
type boolean;
default false;
description
"Enable/Disable destination NAT.
A NAT44 may be configured to enable Destination
NAT, too.";
}
list dst-ip-address-pool {
if-feature dst-nat;
key pool-id;
description
"Pool of IP addresses used for destination NAT.";
leaf pool-id {
type uint32;
description description
"An identifier of the address pool."; "Indicates whether paired-address-pooling is
supported";
reference
"REQ-2 of RFC 4787";
} }
leaf endpoint-independent-mapping-support {
leaf dst-in-ip-pool { type boolean;
type inet:ip-prefix;
description description
"Is used to identify an internal destination "Indicates whether endpoint-independent-
IP prefix/address to be translated."; mapping is supported.";
reference
"Section 4 of RFC 4787";
} }
leaf address-dependent-mapping-support {
leaf dst-out-ip-pool { type boolean;
type inet:ip-prefix;
mandatory true;
description description
"IP address/prefix used for destination NAT."; "Indicates whether address-dependent-mapping is
supported.";
reference
"Section 4 of RFC 4787";
} }
} leaf address-and-port-dependent-mapping-support {
type boolean;
list transport-protocols {
if-feature "napt44 or nat64 or dst-nat";
key protocol-id;
description
"Configure the transport protocols to be handled by
the translator.
          description
            "Indicates whether address-and-port-dependent-mapping is
             supported.";
          reference
            "Section 4 of RFC 4787";
        }
        leaf endpoint-independent-filtering-support {
          type boolean;
          description
            "Indicates whether endpoint-independent-filtering is
             supported.";
          reference
            "Section 5 of RFC 4787";
        }
        leaf address-dependent-filtering {
          type boolean;
          description
            "Indicates whether address-dependent-filtering is
             supported.";
          reference
            "Section 5 of RFC 4787";
        }
        leaf address-and-port-dependent-filtering {
          type boolean;
          description
            "Indicates whether address-and-port-dependent is
             supported.";
          reference
            "Section 5 of RFC 4787";
        }
        leaf fragment-behavior {
          type enumeration {
            enum unsupported {
              description
                "No capability to translate incoming fragments.
                 All received fragments are dropped.";
            }
            enum in-order {
              description
                "The NAT instance is able to translate fragments
                 only if they are received in order. That is, in
                 particular the header is in the first packet.
                 Fragments received out of order are dropped. ";
            }
            enum out-of-order {
              description
                "The NAT instance is able to translate a fragment even
                 if it is received out of order.
                 This behavior is recommended.";
              reference
                "REQ-14 of RFC 4787";
            }
          }
          description
            "The fragment behavior is the NAT instance's capability to
             translate fragments received on the external interface of
             the NAT.";
        }
      }
      leaf type {
        type identityref {
          base nat-type;
        }
        description
          "Specify the translation type. Particularly useful when
           multiple translation flavors are supported.
           If one type is supported by a NAT, this parameter is by
           default set to that type.";
      }
      leaf per-interface-binding {
        type enumeration {
          enum disabled {
            description
              "Disable the capability to associate an extra identifier
               with NAT mappings.";
          }
          enum layer-2 {
            description
              "The NAT instance is able to associate a mapping with
               a Layer 2 identifier.";
          }
          enum dslite {
            description
              "The NAT instance is able to associate a mapping with
               an IPv6 address (a.k.a., DS-Lite).";
          }
        }
        description
          "A NAT that associates a particular NAT session not
           only with the five tuples used for the transport
           connection on both sides of the NAT but also with
           the internal interface on which the user device is
           connected to the NAT.
           If supported, this mode of operation should be
           configurable, and it should be disabled by default in
           general-purpose NAT devices.
           If one single per-interface binding behavior is
           supported by a NAT, this parameter is by default set to
           that behavior.";
        reference
          "Section 4 of RFC 6619";
      }
      list nat-pass-through {
        if-feature "basic-nat44 or napt44 or dst-nat";
        key "id";
        description
          "IP prefix NAT pass-through.";
        leaf id {
          type uint32;
          description
            "An identifier of the IP prefix pass-through.";
        }
        leaf prefix {
          type inet:ip-prefix;
          mandatory true;
          description
            "The IP addresses that match should not be translated.
             It must be possible to administratively turn
             off translation for specific destination addresses
             and/or ports.";
          reference
            "REQ-6 of RFC 6888";
        }
        leaf port {
          type inet:port-number;
          description
            "It must be possible to administratively turn off
             translation for specific destination addresses
             and/or ports.
             If no prefix is defined, the NAT pass-through bound
             to a given port applies for any destination address.";
          reference
            "REQ-6 of RFC 6888";
        }
      }
      list policy {
        key "id";
        description
          "NAT parameters for a given instance";
        leaf id {
          type uint32;
          description
            "An identifier of the NAT policy. It must be unique
             within the NAT instance.";
        }
        container clat-parameters {
          if-feature "clat";
          description
            "CLAT parameters.";
          list clat-ipv6-prefixes {
            key "ipv6-prefix";
            description
              "464XLAT double-translation treatment is stateless
               when a dedicated /64 is available for translation
               on the CLAT. Otherwise, the CLAT will have both
               stateful and stateless translation since it requires
               NAT44 from the LAN to a single IPv4 address and then
               stateless translation to a single IPv6 address.";
            reference
              "RFC 6877: 464XLAT: Combination of Stateful and
               Stateless Translation";
            leaf ipv6-prefix {
              type inet:ipv6-prefix;
              description
                "An IPv6 prefix used for CLAT.";
            }
          }
          list ipv4-prefixes {
            key "ipv4-prefix";
            description
              "Pool of IPv4 addresses used for CLAT.
               192.0.0.0/29 is the IPv4 service continuity prefix.";
            reference
              "RFC 7335: IPv4 Service Continuity Prefix";
            leaf ipv4-prefix {
              type inet:ipv4-prefix;
              description
                "464XLAT double-translation treatment is
                 stateless when a dedicated /64 is available
                 for translation on the CLAT. Otherwise, the
                 CLAT will have both stateful and stateless
                 translation since it requires NAT44 from the
                 LAN to a single IPv4 address and then stateless
                 translation to a single IPv6 address.
                 The CLAT performs NAT44 for all IPv4 LAN
                 packets so that all the LAN-originated IPv4
                 packets appear from a single IPv4 address
                 and are then statelessly translated to one
                 interface IPv6 address that is claimed by
                 the CLAT.
                 An IPv4 address from this pool is also
                 provided to an application that makes
                 use of literals.";
              reference
                "RFC 6877: 464XLAT: Combination of Stateful and
                 Stateless Translation";
            }
          }
        }
        list nptv6-prefixes {
          if-feature "nptv6";
          key "internal-ipv6-prefix";
          description
            "Provides one or a list of (internal IPv6 prefix,
             external IPv6 prefix) required for NPTv6.
             In its simplest form, NPTv6 interconnects two
             network links: one is an 'internal' network
             link attached to a leaf network within a single
             administrative domain, and the other is an
             'external' network with connectivity to the
             global Internet.";
          reference
            "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
          leaf internal-ipv6-prefix {
            type inet:ipv6-prefix;
            mandatory true;
            description
              "An IPv6 prefix used by an internal interface of
               NPTv6.";
            reference
              "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
          }
          leaf external-ipv6-prefix {
            type inet:ipv6-prefix;
            mandatory true;
            description
              "An IPv6 prefix used by the external interface of
               NPTv6.";
            reference
              "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
          }
        }
        list eam {
          if-feature "eam";
          key "ipv4-prefix";
          description
            "The Explicit Address Mapping Table is a conceptual
             table in which each row represents an EAM.
             Each EAM describes a mapping between IPv4 and IPv6
             prefixes/addresses.";
          reference
            "Section 3.1 of RFC 7757";
          leaf ipv4-prefix {
            type inet:ipv4-prefix;
            mandatory true;
            description
              "The IPv4 prefix of an EAM.";
            reference
              "Section 3.2 of RFC 7757";
          }
          leaf ipv6-prefix {
            type inet:ipv6-prefix;
            mandatory true;
            description
              "The IPv6 prefix of an EAM.";
            reference
              "Section 3.2 of RFC 7757";
          }
        }
        list nat64-prefixes {
          if-feature "siit or nat64 or clat";
          key "nat64-prefix";
          description
            "Provides one or a list of NAT64 prefixes
             with or without a list of destination IPv4 prefixes.
             It allows mapping IPv4 address ranges to IPv6 prefixes.
             For example:
             192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
             198.51.100.0/24 is mapped to 2001:db8:122::/48.";
          reference
            "Section 5.1 of RFC 7050";
          leaf nat64-prefix {
            type inet:ipv6-prefix;
            mandatory true;
            description
              "A NAT64 prefix. Can be a Network-Specific Prefix (NSP)
               or a Well-Known Prefix (WKP).
               Organizations deploying stateless IPv4/IPv6 translation
               should assign an NSP to their IPv4/IPv6 translation
               service.
               For stateless NAT64, IPv4-translatable IPv6 addresses
               must use the selected NSP.
               Both IPv4-translatable IPv6 addresses and
               IPv4-converted IPv6 addresses should use
               the same prefix.";
            reference
              "Sections 3.3 and 3.4 of RFC 6052";
          }
          list destination-ipv4-prefix {
            key "ipv4-prefix";
            description
              "An IPv4 prefix/address.";
            leaf ipv4-prefix {
              type inet:ipv4-prefix;
              description
                "An IPv4 address/prefix.";
            }
          }
          leaf stateless-enable {
            type boolean;
            default "false";
            description
              "Enable explicitly stateless NAT64.";
          }
        }
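
The nat64-prefixes list above pairs each NAT64 prefix with optional destination IPv4 prefixes, and its description gives two such pairs. The Python program below is an added illustration and is not part of RFC 8512 or the ietf-nat module: it selects the NAT64 prefix for an IPv4 destination from a constructed table built on those two pairs (plus the Well-Known Prefix 64:ff9b::/96 as an assumed catch-all entry with no destination list), then synthesizes and parses the IPv4-embedded IPv6 address following the RFC 6052 layout for every prefix length that RFC allows. The function names, the table layout, and the longest-match rule are assumptions of this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed policy mirroring the nat64-prefixes description: each entry is
# (nat64-prefix, [destination-ipv4-prefix, ...]).  An entry with an empty
# destination list is treated here as applying to any IPv4 destination; the
# third entry (the Well-Known Prefix) is an assumption of this example.
NAT64_PREFIXES: List[Tuple[str, List[str]]] = [
    ("2001:db8:122:300::/56", ["192.0.2.0/24"]),
    ("2001:db8:122::/48", ["198.51.100.0/24"]),
    ("64:ff9b::/96", []),
]

# Prefix lengths for which RFC 6052 defines an IPv4-embedded address format.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def select_nat64_prefix(ipv4_dst: str, table=NAT64_PREFIXES) -> Optional[str]:
    """Pick the NAT64 prefix whose destination-ipv4-prefix list matches
    ipv4_dst (longest IPv4 match wins); fall back to the first entry without
    a destination list; None if nothing applies."""
    dst = ipaddress.IPv4Address(ipv4_dst)
    best, best_len, catch_all = None, -1, None
    for nat64_prefix, dst_prefixes in table:
        if not dst_prefixes:
            catch_all = catch_all or nat64_prefix
            continue
        for p in dst_prefixes:
            net = ipaddress.IPv4Network(p)
            if dst in net and net.prefixlen > best_len:
                best, best_len = nat64_prefix, net.prefixlen
    return best if best is not None else catch_all


def _check_prefix_length(plen: int) -> None:
    if plen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"NAT64 prefix length /{plen} is not allowed by RFC 6052")


def embed_ipv4(nat64_prefix: str, ipv4: str) -> str:
    """RFC 6052 Section 2.2: the 32 IPv4 bits follow the prefix, except that
    bits 64..71 (the 'u' octet) are skipped and left zero."""
    net = ipaddress.IPv6Network(nat64_prefix)
    plen = net.prefixlen
    _check_prefix_length(plen)
    pfx = int(net.network_address)
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        addr = pfx | v4                          # IPv4 occupies bits 96..127
    elif plen == 64:
        addr = pfx | (v4 << (128 - 72 - 32))     # bits 72..103, u octet zero
    else:
        head_bits = 64 - plen                    # IPv4 bits before the u octet
        tail_bits = 32 - head_bits               # IPv4 bits after it
        head, tail = v4 >> tail_bits, v4 & ((1 << tail_bits) - 1)
        addr = pfx | (head << 64) | (tail << (128 - 72 - tail_bits))
    return str(ipaddress.IPv6Address(addr))


def extract_ipv4(nat64_prefix: str, ipv6: str) -> str:
    """Inverse of embed_ipv4, for the reverse direction of the translator."""
    net = ipaddress.IPv6Network(nat64_prefix)
    a6 = ipaddress.IPv6Address(ipv6)
    if a6 not in net:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {nat64_prefix}")
    plen = net.prefixlen
    _check_prefix_length(plen)
    a = int(a6)
    if plen == 96:
        v4 = a & 0xFFFFFFFF
    elif plen == 64:
        v4 = (a >> (128 - 72 - 32)) & 0xFFFFFFFF
    else:
        head_bits = 64 - plen
        tail_bits = 32 - head_bits
        head = (a >> 64) & ((1 << head_bits) - 1)
        tail = (a >> (128 - 72 - tail_bits)) & ((1 << tail_bits) - 1)
        v4 = (head << tail_bits) | tail
    return str(ipaddress.IPv4Address(v4))


def translate_destination(ipv4_dst: str) -> Optional[str]:
    """Destination a NAT64/CLAT would place in the outgoing IPv6 header for
    ipv4_dst, or None when no nat64-prefix entry applies."""
    pfx = select_nat64_prefix(ipv4_dst)
    return embed_ipv4(pfx, ipv4_dst) if pfx else None


if __name__ == "__main__":
    for d in ("192.0.2.33", "198.51.100.7", "203.0.113.9"):
        print(d, "->", translate_destination(d))
```

Running the program maps 192.0.2.33 through the /56 entry to 2001:db8:122:3c0:0:221:: and 203.0.113.9 through the catch-all /96 to 64:ff9b::cb00:7109; a prefix length outside the RFC 6052 set is rejected rather than silently mis-encoded, which matters because a translator that accepts such a prefix would emit addresses the peer cannot decode.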
        list external-ip-address-pool {
          if-feature "basic-nat44 or napt44 or nat64";
          key "pool-id";
          description
            "Pool of external IP addresses used to service internal
             hosts.
             A pool is a set of IP prefixes.";
          leaf pool-id {
            type uint32;
            must '. >= 1';
            description
              "An identifier that uniquely identifies the address pool
               within a NAT instance.
               The identifier must be greater than zero.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }
          leaf external-ip-pool {
            type inet:ipv4-prefix;
            mandatory true;
            description
              "An IPv4 prefix used for NAT purposes.";
          }
        }
        container port-set-restrict {
          if-feature "napt44 or nat64";
          description
            "Configures contiguous and non-contiguous port ranges.
             The port set is used to restrict the external source
             port numbers used by the translator.";
          uses port-set;
        }
        leaf dst-nat-enable {
          if-feature "basic-nat44 or napt44";
          type boolean;
          default "false";
          description
            "Enable/disable Destination NAT.
             A NAT44 may be configured to enable Destination
             NAT, too.";
        }
        list dst-ip-address-pool {
          if-feature "dst-nat";
          key "pool-id";
          description
            "Pool of IP addresses used for Destination NAT.";
          leaf pool-id {
            type uint32;
            description
              "An identifier of the address pool.";
          }
          leaf dst-in-ip-pool {
            type inet:ip-prefix;
            description
              "Is used to identify an internal destination
               IP prefix/address to be translated.";
          }
          leaf dst-out-ip-pool {
            type inet:ip-prefix;
            mandatory true;
            description
              "IP address/prefix used for Destination NAT.";
          }
        }
        list transport-protocols {
          if-feature "napt44 or nat64 or dst-nat";
          key "protocol-id";
          description
            "Configure the transport protocols to be handled by
             the translator.
             TCP and UDP are supported by default.";
          leaf protocol-id {
            type uint8;
            mandatory true;
            description
              "The upper-layer protocol associated with this
               mapping.
               Values are taken from the IANA Protocol Numbers
               registry.
               For example, this field contains 6 for TCP,
               17 for UDP, 33 for DCCP, or 132 for SCTP.";
          }
          leaf protocol-name {
            type string;
            description
              "The name of the upper-layer protocol associated
               with this mapping.
               For example, TCP, UDP, DCCP, and SCTP.";
          }
        }
        leaf subscriber-mask-v6 {
          type uint8 {
            range "0 .. 128";
          }
          description
            "The subscriber mask is an integer that indicates
             the length of significant bits to be applied on
             the source IPv6 address (internal side) to
             unambiguously identify a user device (e.g., CPE).
             Subscriber mask is a system-wide configuration
             parameter that is used to enforce generic
             per-subscriber policies (e.g., port-quota).
             The enforcement of these generic policies does not
             require the configuration of every subscriber's
             prefix.
             Example: suppose the 2001:db8:100:100::/56 prefix
             is assigned to a NAT64-serviced CPE. Suppose also
             that 2001:db8:100:100::1 is the IPv6 address used
             by the client that resides in that CPE. When the
             NAT64 receives a packet from this client,
             it applies the subscriber-mask-v6 (e.g., 56) on
             the source IPv6 address to compute the associated
             prefix for this client (2001:db8:100:100::/56).
             Then, the NAT64 enforces policies based on that
             prefix (2001:db8:100:100::/56), not on the exact
             source IPv6 address.";
        }
        list subscriber-match {
          if-feature "basic-nat44 or napt44 or dst-nat";
          key "match-id";
          description
            "IP prefix match.
             A subscriber is identified by a subnet.";
          leaf match-id {
            type uint32;
            description
              "An identifier of the subscriber match.";
          }
          leaf subnet {
            type inet:ip-prefix;
            mandatory true;
            description
              "The IP address subnets that match
               should be translated. For example, all addresses
               that belong to the 192.0.2.0/24 prefix must
               be processed by the NAT.";
          }
        }
        leaf address-allocation-type {
          type enumeration {
            enum arbitrary {
              if-feature "basic-nat44 or napt44 or nat64";
              description
                "Arbitrary pooling behavior means that the NAT
                 instance may create the new port mapping using any
                 address in the pool that has a free port for the
                 protocol concerned.";
            }
            enum roundrobin {
              if-feature "basic-nat44 or napt44 or nat64";
              description
                "Round-robin allocation.";
            }
            enum paired {
              if-feature "napt44 or nat64";
              description
                "Paired address pooling informs the NAT
                 that all the flows from an internal IP
                 address must be assigned the same external
                 address. This is the recommended behavior
                 for NAPT/NAT64.";
              reference
                "RFC 4787: Network Address Translation (NAT)
                 Behavioral Requirements for Unicast UDP";
            }
          }
          description
            "Specifies how external IP addresses are allocated.";
        }
        leaf port-allocation-type {
          if-feature "napt44 or nat64";
          type enumeration {
            enum random {
              description
                "Port randomization is enabled. A NAT port allocation
                 scheme should make it hard for attackers to guess
                 port numbers";
              reference
                "REQ-15 of RFC 6888";
            }
            enum port-preservation {
              description
                "Indicates whether the NAT should preserve the
                 internal port number.";
            }
            enum port-parity-preservation {
              description
                "Indicates whether the NAT should preserve the port
                 parity of the internal port number.";
            }
            enum port-range-allocation {
              description
                "Indicates whether the NAT assigns a range of ports
                 for an internal host. This scheme allows the
                 minimizing of the log volume.";
              reference
                "REQ-14 of RFC 6888";
            }
          }
          description
            "Indicates the type of port allocation.";
        }
        leaf mapping-type {
          if-feature "napt44 or nat64";
          type enumeration {
            enum eim {
              description
                "endpoint-independent-mapping.";
              reference
                "Section 4 of RFC 4787";
            }
            enum adm {
              description
                "address-dependent-mapping.";
              reference
                "Section 4 of RFC 4787";
            }
            enum edm {
              description
                "address-and-port-dependent-mapping.";
              reference
                "Section 4 of RFC 4787";
            }
          }
          description
            "Indicates the type of NAT mapping.";
        }
        leaf filtering-type {
          if-feature "napt44 or nat64";
          type enumeration {
            enum eif {
              description
                "endpoint-independent-filtering.";
              reference
                "Section 5 of RFC 4787";
            }
            enum adf {
              description
                "address-dependent-filtering.";
              reference
                "Section 5 of RFC 4787";
            }
            enum edf {
              description
                "address-and-port-dependent-filtering";
              reference
                "Section 5 of RFC 4787";
            }
          }
          description
            "Indicates the type of NAT filtering.";
        }
        leaf fragment-behavior {
          if-feature "napt44 or nat64";
          type enumeration {
            enum drop-all {
              description
                "All received fragments are dropped.";
            }
            enum in-order {
              description
                "Translate fragments only if they are received
                 in order.";
            }
            enum out-of-order {
              description
                "Translate a fragment even if it is received out
                 of order.
                 This behavior is recommended.";
              reference
                "REQ-14 of RFC 4787";
            }
          }
          description
            "The fragment behavior instructs the NAT about the
             behavior to follow to translate fragments received
             on the external interface of the NAT.";
        }
        list port-quota {
          if-feature "napt44 or nat64";
          key "quota-type";
          description
            "Configures a port quota to be assigned per subscriber.
             It corresponds to the maximum number of ports to be
             used by a subscriber.";
          leaf port-limit {
            type uint16;
            description
              "Configures a port quota to be assigned per subscriber.
               It corresponds to the maximum number of ports to be
               used by a subscriber.";
            reference
              "REQ-4 of RFC 6888";
          }
          leaf quota-type {
            type uint8;
            description
              "Indicates whether the port quota applies to
               all protocols (0) or to a specific protocol.";
          }
        }
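
The subscriber-mask-v6 leaf explains that per-subscriber policies such as port-quota are keyed on the prefix obtained by masking the internal source IPv6 address, not on the exact address, and the port-quota list above bounds the ports one subscriber may hold (quota-type 0 for all protocols, otherwise one protocol number). The Python program below is an added illustration covering both leaves and is not part of RFC 8512 or the ietf-nat module: it derives the subscriber prefix with the mask value from the description's example (56) and enforces a constructed port-limit over constructed traffic. The class, method names and the sample addresses are this example's own.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Set, Tuple

# Value taken from the subscriber-mask-v6 example in the module description.
SUBSCRIBER_MASK_V6 = 56


def subscriber_prefix(src_ipv6: str, mask: int = SUBSCRIBER_MASK_V6) -> str:
    """Apply subscriber-mask-v6 to an internal source address.  Policies are
    keyed on the resulting prefix, not on the exact source address, so no
    per-subscriber prefix has to be configured."""
    if not 0 <= mask <= 128:                      # YANG range "0 .. 128"
        raise ValueError("subscriber-mask-v6 must be within 0..128")
    return str(ipaddress.IPv6Network((src_ipv6, mask), strict=False))


class PortQuota:
    """Per-subscriber port quota (port-quota/port-limit, REQ-4 of RFC 6888).
    quota-type 0 counts ports of every protocol against the limit; any other
    value counts only that IANA protocol number.  Names are this example's own."""

    def __init__(self, port_limit: int, quota_type: int = 0,
                 mask: int = SUBSCRIBER_MASK_V6) -> None:
        self.port_limit = port_limit
        self.quota_type = quota_type
        self.mask = mask
        # subscriber prefix -> set of (protocol, external port) in use
        self._used: Dict[str, Set[Tuple[int, int]]] = defaultdict(set)

    def _counted(self, proto: int) -> bool:
        return self.quota_type == 0 or self.quota_type == proto

    def _count(self, sub: str) -> int:
        return sum(1 for proto, _ in self._used[sub] if self._counted(proto))

    def in_use(self, src_ipv6: str) -> int:
        """Ports currently charged to the subscriber that src_ipv6 belongs to."""
        return self._count(subscriber_prefix(src_ipv6, self.mask))

    def allocate(self, src_ipv6: str, proto: int, ext_port: int) -> bool:
        """Charge a new external (proto, port) to the subscriber; False means
        the mapping must be refused because the quota is exhausted."""
        sub = subscriber_prefix(src_ipv6, self.mask)
        if (proto, ext_port) in self._used[sub]:
            return True                           # existing mapping, no new cost
        if self._counted(proto) and self._count(sub) >= self.port_limit:
            return False
        self._used[sub].add((proto, ext_port))
        return True

    def release(self, src_ipv6: str, proto: int, ext_port: int) -> None:
        """Return a port to the subscriber's budget when its mapping expires."""
        self._used[subscriber_prefix(src_ipv6, self.mask)].discard((proto, ext_port))


if __name__ == "__main__":
    # Constructed traffic: two hosts behind the same /56 CPE, one behind another.
    quota = PortQuota(port_limit=3)
    for src, proto, port in [("2001:db8:100:100::1", 17, 40001),
                             ("2001:db8:100:100::1", 17, 40002),
                             ("2001:db8:100:1ff::9", 6, 40003),
                             ("2001:db8:100:100::1", 6, 40004),
                             ("2001:db8:100:200::1", 6, 40004)]:
        print(subscriber_prefix(src), proto, port, "->", quota.allocate(src, proto, port))
```

The fourth request is refused: 2001:db8:100:1ff::9 masks to the same /56 as 2001:db8:100:100::1, so both hosts draw on one budget of three ports, while 2001:db8:100:200::1 falls in a different /56 and is charged separately. That shared budget is the point of identifying subscribers by prefix: a single misbehaving host behind a CPE exhausts only its own subscriber's quota, not the pool.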
        container port-set {
          when "../port-allocation-type = 'port-range-allocation'";
          if-feature "napt44 or nat64";
          description
            "Manages port-set assignments.";
          leaf port-set-size {
            type uint16;
            mandatory true;
            description
              "Indicates the size of assigned port sets.";
          }
          leaf port-set-timeout {
            type uint32;
            units "seconds";
            description
              "inactivity timeout for port sets.";
          }
        }
        container timers {
          if-feature "napt44 or nat64";
          description
            "Configure values of various timeouts.";
          leaf udp-timeout {
            type uint32;
            units "seconds";
            default "300";
            description
              "UDP inactivity timeout. That is the time a mapping
               will stay active without packets traversing the NAT.";
            reference
              "RFC 4787: Network Address Translation (NAT)
               Behavioral Requirements for Unicast UDP";
          }
          leaf tcp-idle-timeout {
            type uint32;
            units "seconds";
            default "7440";
            description
              "TCP idle timeout should be 2 hours and 4 minutes.";
            reference
              "RFC 5382: NAT Behavioral Requirements for TCP";
          }
          leaf tcp-trans-open-timeout {
            type uint32;
            units "seconds";
            default "240";
            description
              "The value of the transitory open connection
               idle-timeout.
               A NAT should provide different configurable
               parameters for configuring the open and
               closing idle timeouts.
               To accommodate deployments that consider
               a partially open timeout of 4 minutes as being
               excessive from a security standpoint, a NAT may
               allow the configured timeout to be less than
               4 minutes.
               However, a minimum default transitory connection
               idle-timeout of 4 minutes is recommended.";
            reference
              "Section 2.1 of RFC 7857";
          }
          leaf tcp-trans-close-timeout {
            type uint32;
            units "seconds";
            default "240";
            description
              "The value of the transitory close connection
               idle-timeout.
               A NAT should provide different configurable
               parameters for configuring the open and
               closing idle timeouts.";
            reference
              "Section 2.1 of RFC 7857";
          }
          leaf tcp-in-syn-timeout {
            type uint32;
            units "seconds";
            default "6";
            description
              "A NAT must not respond to an unsolicited
               inbound SYN packet for at least 6 seconds
               after the packet is received. If during
               this interval the NAT receives and translates
               an outbound SYN for the connection the NAT
               must silently drop the original unsolicited
               inbound SYN packet.";
            reference
              "RFC 5382 NAT Behavioral Requirements for TCP";
          }
          leaf fragment-min-timeout {
            when "../../fragment-behavior='out-of-order'";
            type uint32;
            units "seconds";
            default "2";
            description
              "As long as the NAT has available resources,
               the NAT allows the fragments to arrive
               over the fragment-min-timeout interval.
               The default value is inspired from RFC 6146.";
          }
          leaf icmp-timeout {
            type uint32;
            units "seconds";
            default "60";
            description
              "An ICMP Query session timer must not expire
               in less than 60 seconds. It is recommended
               that the ICMP Query session timer be made
               configurable";
            reference
              "RFC 5508: NAT Behavioral Requirements for ICMP";
          }
          list per-port-timeout {
            key "port-number";
            description
              "Some NATs are configurable with short timeouts
               for some ports, e.g., as 10 seconds on
               port 53 (DNS) and 123 (NTP), and longer timeouts
               on other ports.";
            leaf port-number {
              type inet:port-number;
              description
                "A port number.";
            }
            leaf protocol {
              type uint8;
              description
                "The upper-layer protocol associated with this port.
                 Values are taken from the IANA Protocol Numbers
                 registry.
                 If no protocol is indicated, it means 'any
                 protocol'.";
            }
            leaf timeout {
              type uint32;
              units "seconds";
              mandatory true;
              description
                "Timeout for this port number";
            }
          }
          leaf hold-down-timeout {
            type uint32;
            units "seconds";
            default "120";
            description
              "Hold-down timer.
               Ports in the hold-down pool are not reassigned until
               hold-down-timeout expires.
               The length of time and the maximum number of ports in
               this state must be configurable by the administrator.
               This is necessary in order to prevent collisions
               between old and new mappings and sessions. It ensures
               that all established sessions are broken instead of
               redirected to a different peer.";
            reference
              "REQ-8 of RFC 6888";
          }
          leaf hold-down-max {
            type uint32;
            description
              "Maximum ports in the hold-down port pool.";
            reference
              "REQ-8 of RFC 6888";
          }
        }
        leaf fragments-limit {
          when "../fragment-behavior='out-of-order'";
          type uint32;
          description
            "Limits the number of out-of-order fragments that can
             be handled.";
          reference
            "Section 11 of RFC 4787";
        }
        list algs {
          key "name";
          description
            "Features related to the Application Layer
             Gateway (ALG).";
          leaf name {
            type string;
            description
              "The name of the ALG.";
          }
          leaf transport-protocol {
            type uint32;
            description
              "The transport protocol used by the ALG
               (e.g., TCP and UDP).";
          }
          container dst-transport-port {
            uses port-number;
            description
              "The destination port number(s) used by the ALG.
               For example,
               - 21 for the FTP ALG
               - 53 for the DNS ALG.";
          }
          container src-transport-port {
            uses port-number;
            description
              "The source port number(s) used by the ALG.";
          }
          leaf status {
            type boolean;
            description
              "Enable/disable the ALG.";
          }
        }
        leaf all-algs-enable {
          type boolean;
          description
            "Disable/enable all ALGs.
             When specified, this parameter overrides the one
             that may be indicated, eventually, by the 'status'
             of an individual ALG.";
        }
        container notify-pool-usage {
          if-feature "basic-nat44 or napt44 or nat64";
          description
            "Notification of pool usage when certain criteria
             are met.";
          leaf pool-id {
            type uint32;
            description
              "Pool-ID for which the notification criteria
               is defined";
          }
          leaf low-threshold {
            type percent;
            description
              "Notification must be generated when the defined low
               threshold is reached.
               For example, if a notification is required when the
               pool utilization reaches below 10%, this
               configuration parameter must be set to 10.
               0% indicates that low-threshold notification is
               disabled.";
          }
          leaf high-threshold {
            type percent;
            must '. >= ../low-threshold' {
              error-message
                "The high threshold must be greater than or equal
                 to the low threshold.";
            }
            description
              "Notification must be generated when the defined high
               threshold is reached.
               For example, if a notification is required when the
               pool utilization reaches 90%, this configuration
               parameter must be set to 90.
               Setting the same value as low-threshold is equivalent
               to disabling high-threshold notification.";
          }
          leaf notify-interval {
            type uint32 {
              range "1 .. 3600";
            }
            units "seconds";
            default "20";
            description
              "Minimum number of seconds between successive
               notifications for this pool.";
            reference
              "RFC 7659: Definitions of Managed Objects for
               Network Address Translators (NATs)";
          }
        }
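
The notify-pool-usage container above defines a low and a high utilization threshold, the rules that disable each (low-threshold 0, high-threshold equal to low-threshold), the must constraint that high is not below low, and notify-interval as the minimum spacing between notifications. The Python program below is an added illustration and is not part of RFC 8512 or the ietf-nat module: it applies those rules to a constructed series of pool utilization samples and reports which samples would produce a notification. The class and function names, the sample readings, and the reading of "reaches below" as strictly under low-threshold and "reaches" as at or above high-threshold are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NotifyPoolUsage:
    """Configuration of one notify-pool-usage container plus the state
    needed to honour notify-interval (names are this example's own)."""
    pool_id: int
    low_threshold: int = 0      # percent; 0 disables low-threshold notifications
    high_threshold: int = 0     # percent; equal to low-threshold disables high ones
    notify_interval: int = 20   # seconds; YANG range "1 .. 3600", default "20"
    _last_sent: Optional[float] = field(default=None, init=False, repr=False)

    def __post_init__(self) -> None:
        # Same constraints the YANG 'percent' type, 'must' and 'range' impose.
        for v in (self.low_threshold, self.high_threshold):
            if not 0 <= v <= 100:
                raise ValueError("thresholds are percentages within 0..100")
        if self.high_threshold < self.low_threshold:
            raise ValueError("The high threshold must be greater than or equal "
                             "to the low threshold.")
        if not 1 <= self.notify_interval <= 3600:
            raise ValueError("notify-interval must be within 1..3600 seconds")

    def evaluate(self, now: float, used: int, total: int) -> Optional[Tuple[str, int]]:
        """Return ('low-threshold' | 'high-threshold', utilization in percent)
        when a notification is due at time 'now', otherwise None."""
        if total <= 0 or not 0 <= used <= total:
            raise ValueError("need 0 <= used <= total and total > 0")
        utilization = 100 * used // total
        kind = None
        if self.low_threshold and utilization < self.low_threshold:
            kind = "low-threshold"
        elif self.high_threshold > self.low_threshold and utilization >= self.high_threshold:
            kind = "high-threshold"
        if kind is None:
            return None
        if self._last_sent is not None and now - self._last_sent < self.notify_interval:
            return None                     # suppressed: inside notify-interval
        self._last_sent = now
        return kind, utilization


def monitor(cfg: NotifyPoolUsage,
            readings: List[Tuple[float, int, int]]) -> List[Tuple[float, str, int]]:
    """Run (time, used, total) samples through cfg and collect the
    notifications it would emit as (time, kind, utilization)."""
    out = []
    for t, used, total in readings:
        n = cfg.evaluate(t, used, total)
        if n:
            out.append((t, n[0], n[1]))
    return out


# Constructed samples for a 1024-address pool: utilization climbs, then collapses.
SAMPLE_READINGS = [(0, 512, 1024), (10, 940, 1024), (15, 1000, 1024),
                   (40, 1010, 1024), (70, 60, 1024), (75, 50, 1024)]

if __name__ == "__main__":
    cfg = NotifyPoolUsage(pool_id=1, low_threshold=10, high_threshold=90)
    for event in monitor(cfg, SAMPLE_READINGS):
        print(event)
```

With low-threshold 10 and high-threshold 90 the sample series yields three events: the high crossing at t=10, a repeat at t=40 (the t=15 sample falls inside the 20-second notify-interval and is suppressed), and the low crossing at t=70. Rate limiting here only drops repeats; the first crossing after the interval is always reported, so a monitoring pipeline still sees a pool that is close to exhaustion, which is the condition an operator needs to act on before new mappings start failing.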
        container external-realm {
          description
            "Identifies the external realm of the NAT instance.";
          choice realm-type {
            description
              "Can be an interface, VRF instance, etc.";
            case interface {
              description
                "External interface.";
              leaf external-interface {
                type if:interface-ref;
                description
                  "Name of the external interface.";
              }
            }
          }
        }
      }
      container mapping-limits {
        if-feature "napt44 or nat64";
        description
          "Information about the configuration parameters that
           limits the mappings based upon various criteria.";
        leaf limit-subscribers {
          type uint32;
          description
            "Maximum number of subscribers that can be serviced
             by a NAT instance.
             A subscriber is identified by a given prefix.";
          reference
            "RFC 7659: Definitions of Managed Objects for
             Network Address Translators (NATs)";
        }
        leaf limit-address-mappings {
          type uint32;
          description
            "Maximum number of address mappings that can be
             handled by a NAT instance.
             When this limit is reached, packets that would
             normally trigger translation will be dropped.";
          reference
            "RFC 7659: Definitions of Managed Objects for
             Network Address Translators (NATs)";
        }
        leaf limit-port-mappings {
type uint32; type uint32;
description description
"Maximum number of port mappings that can be handled "Maximum number of port mappings that can be handled
by a NAT instance. by a NAT instance.
When this limit is reached, packets that would When this limit is reached, packets that would
normally trigger translation, will be dropped."; normally trigger translation will be dropped.";
reference reference
"RFC 7659: Definitions of Managed Objects for "RFC 7659: Definitions of Managed Objects for
Network Address Translators (NATs)"; Network Address Translators (NATs)";
} }
list limit-per-protocol { list limit-per-protocol {
if-feature "napt44 or nat64 or dst-nat"; if-feature "napt44 or nat64 or dst-nat";
key protocol-id; key "protocol-id";
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
Values are taken from the IANA protocol registry. Values are taken from the IANA Protocol Numbers
registry.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Maximum number of protocol-specific NAT mappings "Maximum number of protocol-specific NAT mappings
per instance."; per instance.";
} }
} }
} }
container connection-limits { container connection-limits {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Information about the configuration parameters that "Information about the configuration parameters that
rate limit the translation based upon various criteria."; rate-limit the translation based upon various criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per subscriber."; per subscriber.";
} }
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
units "bits/second"; units "bits/second";
description description
"Rate-limit the number of new mappings and sessions "Rate-limit the number of new mappings and sessions
per instance."; per instance.";
} }
list limit-per-protocol { list limit-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key "protocol-id";
description description
"Configure limits per transport protocol"; "Configure limits per transport protocol";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
Values are taken from the IANA protocol registry. Values are taken from the IANA Protocol Numbers
registry.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf limit { leaf limit {
type uint32; type uint32;
description description
"Limit the number of protocol-specific mappings "Limit the number of protocol-specific mappings
and sessions per instance."; and sessions per instance.";
} }
} }
} }
container notification-limits { container notification-limits {
description "Sets notification limits."; description
"Sets notification limits.";
leaf notify-interval { leaf notify-interval {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type uint32 { type uint32 {
range "1 .. 3600"; range "1 .. 3600";
} }
units "seconds"; units "seconds";
default '10'; default "10";
description description
"Minimum number of seconds between successive "Minimum number of seconds between successive
notifications for this NAT instance."; notifications for this NAT instance.";
reference reference
"RFC 7659: Definitions of Managed Objects "RFC 7659: Definitions of Managed Objects for
for Network Address Translators (NATs)"; Network Address Translators (NATs)";
}
leaf notify-addresses-usage { }
leaf notify-addresses-usage {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type percent; type percent;
description description
"Notification of address mappings usage over "Notification of address mappings usage over
the whole NAT instance. the whole NAT instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the address mappings utilization reaches 90%, the address mappings utilization reaches 90%,
this configuration parameter must be set this configuration parameter must be set
to 90."; to 90.";
} }
leaf notify-ports-usage {
leaf notify-ports-usage {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type percent; type percent;
description description
"Notification of port mappings usage over the "Notification of port mappings usage over the
whole NAT instance. whole NAT instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached. threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the port mappings utilization reaches 90%, this the port mappings utilization reaches 90%, this
configuration parameter must be set to 90."; configuration parameter must be set to 90.";
} }
leaf notify-subscribers-limit {
leaf notify-subscribers-limit {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type uint32; type uint32;
description description
"Notification of active subscribers per NAT "Notification of active subscribers per NAT
instance. instance.
Notification must be generated when the defined Notification must be generated when the defined
threshold is reached."; threshold is reached.";
} }
} }
container mapping-table { container mapping-table {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 or nat64 "
"or nat64 or clat or dst-nat"; + "or clat or dst-nat";
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions that maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description "NAT mapping entry."; description
"NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
} }
container statistics { container statistics {
config false; config false;
description description
"Statistics related to the NAT instance."; "Statistics related to the NAT instance.";
leaf discontinuity-time { leaf discontinuity-time {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"The time on the most recent occasion at which the NAT "The time on the most recent occasion at which the NAT
instance suffered a discontinuity. This must be instance suffered a discontinuity. This must be
initialized when the NAT instance is configured initialized when the NAT instance is configured
or rebooted."; or rebooted.";
} }
container traffic-statistics { container traffic-statistics {
description description
"Generic traffic statistics."; "Generic traffic statistics.";
leaf sent-packets { leaf sent-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Number of packets sent.";
} }
leaf sent-bytes { leaf sent-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for sent traffic in bytes."; "Counter for sent traffic in bytes.";
} }
leaf rcvd-packets { leaf rcvd-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of received packets."; "Number of received packets.";
} }
leaf rcvd-bytes { leaf rcvd-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for received traffic in bytes."; "Counter for received traffic in bytes.";
} }
leaf dropped-packets { leaf dropped-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Number of dropped packets.";
} }
leaf dropped-bytes { leaf dropped-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter for dropped traffic in bytes."; "Counter for dropped traffic in bytes.";
} }
leaf dropped-fragments { leaf dropped-fragments {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped fragments on the external realm."; "Number of dropped fragments on the external realm.";
} }
leaf dropped-address-limit-packets { leaf dropped-address-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because an address limit "Number of dropped packets because an address limit
is reached."; is reached.";
} }
leaf dropped-address-limit-bytes { leaf dropped-address-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
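Review bot: the units on connection-limits/limit-per-subscriber and limit-per-instance do not match their descriptions: both carry `units "bits/second";` while describing a rate limit on "the number of new mappings and sessions", which is a count per unit of time, not a bit rate. Either the units should express mappings/sessions per second or the descriptions should say the limit applies to the subscriber's or instance's throughput; the `limit` leaf in the sibling limit-per-protocol list has no units at all, so all three should be reconciled together. Separately, the `if-feature "napt44 or nat64 or dst-nat";` on mapping-limits/limit-per-protocol cannot take effect for dst-nat on its own, because the enclosing mapping-limits container is guarded by `if-feature "napt44 or nat64";` and a node is only present when every ancestor's if-feature is also satisfied; either add dst-nat to the container's if-feature or drop it from the list.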
skipping to change at page 65, line 7 skipping to change at page 62, line 28
leaf dropped-address-limit-packets { leaf dropped-address-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because an address limit "Number of dropped packets because an address limit
is reached."; is reached.";
} }
leaf dropped-address-limit-bytes { leaf dropped-address-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because an address limit "Counter of dropped packets because an address limit
is reached, in bytes."; is reached, in bytes.";
} }
leaf dropped-address-packets { leaf dropped-address-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because no address is "Number of dropped packets because no address is
available for allocation."; available for allocation.";
} }
leaf dropped-address-bytes { leaf dropped-address-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because no address is "Counter of dropped packets because no address is
available for allocation, in bytes."; available for allocation, in bytes.";
} }
leaf dropped-port-limit-packets { leaf dropped-port-limit-packets {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because a port limit "Number of dropped packets because a port limit
is reached."; is reached.";
} }
leaf dropped-port-limit-bytes { leaf dropped-port-limit-bytes {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because a port limit "Counter of dropped packets because a port limit
is reached, in bytes."; is reached, in bytes.";
} }
leaf dropped-port-packets { leaf dropped-port-packets {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because no port is "Number of dropped packets because no port is
available for allocation."; available for allocation.";
} }
leaf dropped-port-bytes { leaf dropped-port-bytes {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because no port is "Counter of dropped packets because no port is
available for allocation, in bytes."; available for allocation, in bytes.";
} }
leaf dropped-subscriber-limit-packets { leaf dropped-subscriber-limit-packets {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets because the subscriber "Number of dropped packets because the subscriber
limit per instance is reached."; limit per instance is reached.";
} }
leaf dropped-subscriber-limit-bytes { leaf dropped-subscriber-limit-bytes {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units "bytes";
description description
"Counter of dropped packets because the subscriber "Counter of dropped packets because the subscriber
limit per instance is reached, in bytes."; limit per instance is reached, in bytes.";
} }
} }
container mappings-statistics { container mappings-statistics {
description description
"Mappings statistics."; "Mappings statistics.";
leaf total-active-subscribers { leaf total-active-subscribers {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of active subscribers (that is, "Total number of active subscribers (that is,
subscribers for which the NAT maintains active subscribers for which the NAT maintains active
mappings. mappings).
A subscriber is identified by a subnet, A subscriber is identified by a subnet,
subscriber-mask, etc."; subscriber-mask, etc.";
} }
leaf total-address-mappings { leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " + if-feature "basic-nat44 or napt44 or nat64 "
"or nat64 or clat or dst-nat"; + "or clat or dst-nat";
type yang:gauge32; type yang:gauge32;
description description
"Total number of address mappings present at a given "Total number of address mappings present at a given
time. It includes both static and dynamic mappings."; time. It includes both static and dynamic mappings.";
reference reference
"Section 3.3.8 of RFC 7659"; "Section 3.3.8 of RFC 7659";
} }
leaf total-port-mappings { leaf total-port-mappings {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
type yang:gauge32; type yang:gauge32;
description description
"Total number of NAT port mappings present at "Total number of NAT port mappings present at
a given time. It includes both static and dynamic a given time. It includes both static and dynamic
mappings."; mappings.";
reference reference
"Section 3.3.9 of RFC 7659"; "Section 3.3.9 of RFC 7659";
} }
list total-per-protocol { list total-per-protocol {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
key protocol-id; key "protocol-id";
description description
"Total mappings for each enabled/supported protocol."; "Total mappings for each enabled/supported protocol.";
leaf protocol-id { leaf protocol-id {
type uint8; type uint8;
mandatory true; mandatory true;
description description
"Upper-layer protocol. "The upper-layer protocol.
For example, this field contains 6 for TCP, For example, this field contains 6 for TCP,
17 for UDP, 33 for DCCP, or 132 for SCTP."; 17 for UDP, 33 for DCCP, or 132 for SCTP.";
} }
leaf total { leaf total {
type yang:gauge32; type yang:gauge32;
description description
"Total number of a protocol-specific mappings present "Total number of a protocol-specific mappings present
at a given time. The protocol is identified by at a given time. The protocol is identified by
protocol-id."; protocol-id.";
} }
} }
} }
container pools-stats { container pools-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Statistics related to address/prefix pools "Statistics related to address/prefix pools
usage"; usage";
leaf addresses-allocated { leaf addresses-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of all allocated addresses."; "Number of all allocated addresses.";
} }
leaf addresses-free { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses of all pools at "Number of unallocated addresses of all pools at
a given time. The sum of unallocated and allocated a given time. The sum of unallocated and allocated
addresses is the total number of addresses of addresses is the total number of addresses of
the pools."; the pools.";
} }
container ports-stats { container ports-stats {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
description description
"Statistics related to port numbers usage."; "Statistics related to port numbers usage.";
leaf ports-allocated { leaf ports-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports from all pools."; "Number of allocated ports from all pools.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses from all pools."; "Number of unallocated addresses from all pools.";
} }
} }
list per-pool-stats { list per-pool-stats {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
key "pool-id"; key "pool-id";
description description
"Statistics related to address/prefix pool usage"; "Statistics related to address/prefix pool usage";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Unique Identifier that represents a pool of "Unique identifier that represents a pool of
addresses/prefixes."; addresses/prefixes.";
} }
leaf discontinuity-time { leaf discontinuity-time {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"The time on the most recent occasion at which this "The time on the most recent occasion at which this
pool counters suffered a discontinuity. This must pool counter suffered a discontinuity. This must
be initialized when the address pool is be initialized when the address pool is
configured."; configured.";
} }
container pool-stats { container pool-stats {
description description
"Statistics related to address/prefix pool usage"; "Statistics related to address/prefix pool usage";
leaf addresses-allocated { leaf addresses-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated addresses from this pool."; "Number of allocated addresses from this pool.";
} }
leaf addresses-free { leaf addresses-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses in this pool."; "Number of unallocated addresses in this pool.";
} }
} }
container port-stats { container port-stats {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
description description
"Statistics related to port numbers usage."; "Statistics related to port numbers usage.";
leaf ports-allocated { leaf ports-allocated {
type yang:gauge32; type yang:gauge32;
description description
"Number of allocated ports from this pool."; "Number of allocated ports from this pool.";
} }
leaf ports-free { leaf ports-free {
type yang:gauge32; type yang:gauge32;
description description
"Number of unallocated addresses from this pool."; "Number of unallocated addresses from this pool.";
} }
} }
} }
} }
} }
} }
} }
} }
/* /*
* Notifications * Notifications
*/ */
notification nat-pool-event { notification nat-pool-event {
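Review bot: the descriptions of both ports-free leaves are copy-paste errors carried unchanged into the RFC column: under pools-stats/ports-stats the leaf reads `"Number of unallocated addresses from all pools.";` and under per-pool-stats/port-stats it reads `"Number of unallocated addresses from this pool.";`, while the leaf names and the sibling ports-allocated leaves ("Number of allocated ports from all pools.", "Number of allocated ports from this pool.") are about port numbers. Suggest "Number of unallocated ports from all pools." and "Number of unallocated ports in this pool." respectively, so that an operator reading these gauges is not led to add port counts to address counts.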
skipping to change at page 70, line 18 skipping to change at page 67, line 7
} }
/* /*
* Notifications * Notifications
*/ */
notification nat-pool-event { notification nat-pool-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when the defined high/low "Notifications must be generated when the defined high/low
threshold is reached. Related configuration parameters threshold is reached. Related configuration parameters
must be provided to trigger the notifications."; must be provided to trigger the notifications.";
leaf id { leaf id {
type leafref { type leafref {
path "/nat/instances/instance/id"; path "/nat/instances/instance/id";
} }
mandatory true; mandatory true;
description description
"NAT instance Identifier."; "NAT instance identifier.";
} }
leaf policy-id { leaf policy-id {
type leafref { type leafref {
path "/nat/instances/instance/policy/id"; path "/nat/instances/instance/policy/id";
} }
description description
"Policy Identifier."; "Policy identifier.";
} }
leaf pool-id { leaf pool-id {
type leafref { type leafref {
path "/nat/instances/instance/policy/" + path "/nat/instances/instance/policy"
"external-ip-address-pool/pool-id"; + "/external-ip-address-pool/pool-id";
} }
mandatory true; mandatory true;
description description
"Pool Identifier."; "Pool Identifier.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"A threshold (high-threshold or low-threshold) has "A threshold (high threshold or low threshold) has
been fired."; been fired.";
} }
} }
notification nat-instance-event { notification nat-instance-event {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
description description
"Notifications must be generated when notify-addresses-usage "Notifications must be generated when notify-addresses-usage
and/or notify-ports-usage threshold are reached."; and/or notify-ports-usage thresholds are reached.";
leaf id { leaf id {
type leafref { type leafref {
path "/nat/instances/instance/id"; path "/nat/instances/instance/id";
} }
mandatory true; mandatory true;
description description
"NAT instance Identifier."; "NAT instance identifier.";
} }
leaf notify-subscribers-threshold { leaf notify-subscribers-threshold {
type uint32; type uint32;
description description
"The notify-subscribers-limit threshold has been fired."; "The notify-subscribers-limit threshold has been fired.";
} }
leaf notify-addresses-threshold { leaf notify-addresses-threshold {
type percent; type percent;
description description
"The notify-addresses-usage threshold has been fired."; "The notify-addresses-usage threshold has been fired.";
} }
leaf notify-ports-threshold { leaf notify-ports-threshold {
type percent; type percent;
description description
"The notify-ports-usage threshold has been fired."; "The notify-ports-usage threshold has been fired.";
} }
} }
} }
<CODE ENDS>
<CODE ENDS>
4. Security Considerations 4. Security Considerations
Security considerations related to address and prefix translation are Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and discussed in [RFC6888], [RFC6146], [RFC6877], [RFC6296], and
[RFC7757]. [RFC7757].
The YANG module defined in this document is designed to be accessed The YANG module specified in this document defines a schema for data
via network management protocols such as NETCONF [RFC6241] or that is designed to be accessed via network management protocols such
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
layer, and the mandatory-to-implement secure transport is Secure is the secure transport layer, and the mandatory-to-implement secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
mandatory-to-implement secure transport is TLS [RFC5246]. is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446].
The NETCONF access control model [RFC8341] provides the means to The Network Configuration Access Control Model (NACM) [RFC8341]
restrict access for particular NETCONF or RESTCONF users to a provides the means to restrict access for particular NETCONF or
preconfigured subset of all available NETCONF or RESTCONF protocol RESTCONF users to a preconfigured subset of all available NETCONF or
operations and content. RESTCONF protocol operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module that can be created,
modified and deleted (i.e., config true, which is the default) are modified, and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
network operations. The NAT YANG module provides a method to set network operations. The NAT YANG module provides a method to set
parameters to prevent a user from aggressively using NAT resources parameters to prevent a user from aggressively using NAT resources
(port-quota), rate-limit connections as a guard against Denial-of- (port-quota), rate-limit connections as a guard against DoS, or to
Service, or to enable notifications so that appropriate measures are enable notifications so that appropriate measures are enforced to
enforced to anticipate traffic drops. Nevertheless, an attacker who anticipate traffic drops. Nevertheless, an attacker who is able to
is able to access the NAT can undertake various attacks, such as: access the NAT can undertake various attacks, such as:
o Set a high or low resource limit to cause a DoS attack: o Set a high or low resource limit to cause a DoS attack:
* /nat/instances/instance/policy/port-quota * /nat/instances/instance/policy/port-quota
* /nat/instances/instance/policy/fragments-limit * /nat/instances/instance/policy/fragments-limit
* /nat/instances/instance/mapping-limits * /nat/instances/instance/mapping-limits
* /nat/instances/instance/connection-limits * /nat/instances/instance/connection-limits
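Review bot: in nat-pool-event the pool-id leaf is `mandatory true;` but policy-id is not, although the pool-id leafref path `/nat/instances/instance/policy/external-ip-address-pool/pool-id` scopes pools under a policy; unless pool-id values are unique across all policies of an instance (which the visible text does not state), a notification that omits policy-id cannot identify the pool unambiguously. Suggest making policy-id mandatory as well, or adding a sentence to the pool-id description stating the uniqueness assumption. A smaller style point in the same region: "Pool Identifier." keeps its capital in the RFC column while "NAT instance identifier." and "Policy identifier." were lowercased.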
skipping to change at page 73, line 30 skipping to change at page 70, line 14
* /nat/instances/instance/notification-limits/notify-interval * /nat/instances/instance/notification-limits/notify-interval
o Access to privacy data maintained in the mapping table. Such data o Access to privacy data maintained in the mapping table. Such data
can be misused to track the activity of a host: can be misused to track the activity of a host:
* /nat/instances/instance/mapping-table * /nat/instances/instance/mapping-table
5. IANA Considerations 5. IANA Considerations
This document requests IANA to register the following URI in the IANA has registered the following URI in the "ns" subregistry within
"IETF XML Registry" [RFC3688]: the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-nat URI: urn:ietf:params:xml:ns:yang:ietf-nat
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in IANA has registered the following YANG module in the "YANG Module
the "YANG Module Names" registry [RFC7950]. Names" subregistry [RFC7950] within the "YANG Parameters" registry.
name: ietf-nat name: ietf-nat
namespace: urn:ietf:params:xml:ns:yang:ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat
prefix: nat prefix: nat
reference: RFC XXXX reference: RFC 8512
6. Acknowledgements
Many thanks to Dan Wing, Tianran Zhou, Tom Petch, Warren Kumari, and
Benjamin Kaduk for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of this module
(https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).
Rajiv Asati suggested to clarify how the module applies for both
stateless and stateful NAT64.
Juergen Schoenwaelder provided an early yandgoctors review. Many
thanks to him.
Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrel for the
directorates review. Igor Ryzhov identified a nit in one example.
Mirja Kuehlewind made a comment about the reuse of some TCP timers
for any connection-oriented protocol.
7. References 6. References
7.1. Normative References 6.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>. 2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and
(TLS) Protocol Version 1.2", RFC 5246, P. Srisuresh, "NAT Behavioral Requirements for TCP",
DOI 10.17487/RFC5246, August 2008, BCP 142, RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5382>. <https://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508, Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009, DOI 10.17487/RFC5508, April 2009,
<https://www.rfc-editor.org/info/rfc5508>. <https://www.rfc-editor.org/info/rfc5508>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, X. Li, "IPv6 Addressing of IPv4/IPv6 Translators",
DOI 10.17487/RFC6052, October 2010, RFC 6052, DOI 10.17487/RFC6052, October 2010,
<https://www.rfc-editor.org/info/rfc6052>. <https://www.rfc-editor.org/info/rfc6052>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>. April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. [RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and
Farrer, "Lightweight 4over6: An Extension to the Dual- I. Farrer, "Lightweight 4over6: An Extension to the Dual-
Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596,
July 2015, <https://www.rfc-editor.org/info/rfc7596>. July 2015, <https://www.rfc-editor.org/info/rfc7596>.
[RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S., [RFC7597] Troan, O., Ed., Dec, W., Li, X., Bao, C., Matsushima, S.,
Murakami, T., and T. Taylor, Ed., "Mapping of Address and Murakami, T., and T. Taylor, Ed., "Mapping of Address and
Port with Encapsulation (MAP-E)", RFC 7597, Port with Encapsulation (MAP-E)", RFC 7597,
DOI 10.17487/RFC7597, July 2015, DOI 10.17487/RFC7597, July 2015,
<https://www.rfc-editor.org/info/rfc7597>. <https://www.rfc-editor.org/info/rfc7597>.
[RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address [RFC7757] Anderson, T. and A. Leiva Popper, "Explicit Address
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341, Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018, DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>. <https://www.rfc-editor.org/info/rfc8341>.
[RFC8343] Bjorklund, M., "A YANG Data Model for Interface [RFC8343] Bjorklund, M., "A YANG Data Model for Interface
Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, Management", RFC 8343, DOI 10.17487/RFC8343, March 2018,
<https://www.rfc-editor.org/info/rfc8343>. <https://www.rfc-editor.org/info/rfc8343>.
7.2. Informative References [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
[I-D.boucadair-pcp-yang] <https://www.rfc-editor.org/info/rfc8446>.
Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017.
[I-D.ietf-softwire-dslite-yang] 6.2. Informative References
Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf-
softwire-dslite-yang-17 (work in progress), May 2018.
[I-D.ietf-tsvwg-natsupp] [NAT-SUPP]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-12 (work in progress), Support", Work in Progress, draft-ietf-tsvwg-natsupp-12,
July 2018. July 2018.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations", Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999, RFC 2663, DOI 10.17487/RFC2663, August 1999,
<https://www.rfc-editor.org/info/rfc2663>. <https://www.rfc-editor.org/info/rfc2663>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC5597] Denis-Courmont, R., "Network Address Translation (NAT) [RFC5597] Denis-Courmont, R., "Network Address Translation (NAT)
Behavioral Requirements for the Datagram Congestion Behavioral Requirements for the Datagram Congestion
Control Protocol", BCP 150, RFC 5597, Control Protocol", BCP 150, RFC 5597,
DOI 10.17487/RFC5597, September 2009, DOI 10.17487/RFC5597, September 2009,
<https://www.rfc-editor.org/info/rfc5597>. <https://www.rfc-editor.org/info/rfc5597>.
[RFC6087] Bierman, A., "Guidelines for Authors and Reviewers of YANG
Data Model Documents", RFC 6087, DOI 10.17487/RFC6087,
January 2011, <https://www.rfc-editor.org/info/rfc6087>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo,
"Diameter Network Address and Port Translation Control "Diameter Network Address and Port Translation Control
Application", RFC 6736, DOI 10.17487/RFC6736, October Application", RFC 6736, DOI 10.17487/RFC6736, October
2012, <https://www.rfc-editor.org/info/rfc6736>. 2012, <https://www.rfc-editor.org/info/rfc6736>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013, DOI 10.17487/RFC6887, April 2013,
<https://www.rfc-editor.org/info/rfc6887>. <https://www.rfc-editor.org/info/rfc6887>.
[RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M. [RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and
Boucadair, "Deployment Considerations for Dual-Stack M. Boucadair, "Deployment Considerations for Dual-Stack
Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013, Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013,
<https://www.rfc-editor.org/info/rfc6908>. <https://www.rfc-editor.org/info/rfc6908>.
[RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of
the IPv6 Prefix Used for IPv6 Address Synthesis", the IPv6 Prefix Used for IPv6 Address Synthesis",
RFC 7050, DOI 10.17487/RFC7050, November 2013, RFC 7050, DOI 10.17487/RFC7050, November 2013,
<https://www.rfc-editor.org/info/rfc7050>. <https://www.rfc-editor.org/info/rfc7050>.
[RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT
(CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289,
[RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar, [RFC8045] Cheng, D., Korhonen, J., Boucadair, M., and S. Sivakumar,
"RADIUS Extensions for IP Port Configuration and "RADIUS Extensions for IP Port Configuration and
Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017, Reporting", RFC 8045, DOI 10.17487/RFC8045, January 2017,
<https://www.rfc-editor.org/info/rfc8045>. <https://www.rfc-editor.org/info/rfc8045>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
Appendix A. Sample Examples [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of
Documents Containing YANG Data Models", BCP 216, RFC 8407,
DOI 10.17487/RFC8407, October 2018,
<https://www.rfc-editor.org/info/rfc8407>.
[RFC8513] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Model for Dual-Stack Lite (DS-Lite)", RFC 8513,
DOI 10.17487/RFC8513, January 2019,
<https://www.rfc-editor.org/info/rfc8513>.
[YANG-PCP] Boucadair, M., Jacquenet, C., Sivakumar, S., and
S. Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", Work in Progress, draft-boucadair-pcp-yang-05,
October 2017.
Appendix A. Some Examples
This section provides a non-exhaustive set of examples to illustrate This section provides a non-exhaustive set of examples to illustrate
the use of the NAT YANG module. the use of the NAT YANG module.
A.1. Traditional NAT44 A.1. Traditional NAT44
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
same IPv4 address among hosts that are owned by the same subscriber. same IPv4 address among hosts that are owned by the same subscriber.
This is typically the NAT that is embedded in CPE devices. This is typically the NAT that is embedded in CPE devices.
<lifetime> <lifetime>
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. Carrier Grade NAT (CGN) A.2. Carrier Grade NAT (CGN)
The following XML snippet shows the example of the capabilities The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF. supported by a CGN as retrieved using NETCONF.
<capabilities <capabilities>
<nat-flavor>napt44</nat-flavor> <nat-flavor>napt44</nat-flavor>
<transport-protocols> <transport-protocols>
<protocol-id>1</protocol-id> <protocol-id>1</protocol-id>
</transport-protocols> </transport-protocols>
<transport-protocols> <transport-protocols>
<protocol-id>6</protocol-id> <protocol-id>6</protocol-id>
</transport-protocols> </transport-protocols>
<transport-protocols> <transport-protocols>
<protocol-id>17</protocol-id> <protocol-id>17</protocol-id>
</transport-protocols> </transport-protocols>
<restricted-port-support> <restricted-port-support>
false false
</restricted-port-support> </restricted-port-support>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
256 256
</port-set-size> </port-set-size>
</port-set> </port-set>
.... ....
</instance> </instance>
</instances> </instances>
An administrator may decide to allocate one single port range per An administrator may decide to allocate one single port range per
subscriber (e.g., port range of 1024 ports) as shown below: subscriber (e.g., a port range of 1024 ports) as shown below:
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>myCGN</name> <name>myCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:100::/40 2001:db8:100::/40
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
When the translator receives an IPv6 packet, for example, with a When the translator receives an IPv6 packet, for example, with a
source address (2001:db8:1c0:2:21::) and destination address source address (2001:db8:1c0:2:21::) and destination address
(2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
following RFC6052 rules with 2001:db8:100::/40 as the NSP: following rules per RFC 6052 with 2001:db8:100::/40 as the NSP:
o 192.0.2.33 is extracted from 2001:db8:1c0:2:21:: o 192.0.2.33 is extracted from 2001:db8:1c0:2:21::
o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2:: o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2::
The translator transforms the IPv6 header into an IPv4 header using The translator transforms the IPv6 header into an IPv4 header using
the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will
include 192.0.2.33 as the source address and 198.51.100.2 as the include 192.0.2.33 as the source address and 198.51.100.2 as the
destination address. destination address.
Also, a NAT64 can be instructed to behave in the stateless mode by Also, a NAT64 can be instructed to behave in the stateless mode by
providing the following configuration. The same NAT64 prefix is used providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4-translatable IPv6 addresses and for constructing both IPv4-translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]). IPv4-converted IPv6 addresses (see Section 3.3 of [RFC6052]).
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
<stateless-enable> <stateless-enable>
true true
</stateless-enable> </stateless-enable>
</nat64-prefixes> </nat64-prefixes>
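The address extraction described above, and the stateless /56 prefix that follows, worked through as an added example (this code is not part of RFC 8512 or the ietf-nat module): the 32 IPv4 bits follow the NAT64 prefix directly, skipping the reserved "u" octet at bits 64..71, and the same rule generalizes to all six prefix lengths RFC 6052 allows.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, as used by the NAT64 examples.

Added example; not part of RFC 8512 or the ietf-nat module.  Implements
the address format of RFC 6052, Section 2.2, for every permitted prefix
length (32, 40, 48, 56, 64, 96), so it covers the /40 NSP and the /56
stateless prefix above as well as the well-known prefix 64:ff9b::/96.
"""
import ipaddress

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _check_prefix(nat64_prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(nat64_prefix, strict=False)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"RFC 6052 does not allow a /{net.prefixlen} prefix")
    return net


def _ipv4_bit_positions(plen: int):
    """Yield the 32 IPv6 bit positions (0 = MSB) that carry the IPv4 bits.

    The IPv4 address follows the prefix directly; bits 64..71 (the "u"
    octet) are reserved and skipped when the prefix is shorter than /96.
    """
    pos = plen
    for _ in range(32):
        if pos == 64:
            pos = 72
        yield pos
        pos += 1


def embed_ipv4(nat64_prefix: str, ipv4: str) -> str:
    """Build the IPv4-converted IPv6 address for ipv4 under nat64_prefix."""
    net = _check_prefix(nat64_prefix)
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(net.network_address)
    for i, pos in enumerate(_ipv4_bit_positions(net.prefixlen)):
        bit = (v4 >> (31 - i)) & 1
        addr |= bit << (127 - pos)
    return str(ipaddress.IPv6Address(addr))


def extract_ipv4(nat64_prefix: str, ipv6: str) -> str:
    """Recover the embedded IPv4 address, rejecting malformed inputs."""
    net = _check_prefix(nat64_prefix)
    addr6 = ipaddress.IPv6Address(ipv6)
    if addr6 not in net:
        raise ValueError(f"{ipv6} is not within {net}")
    addr = int(addr6)
    # The "u" octet (bits 64..71) MUST be zero unless it lies inside a /96 prefix.
    if net.prefixlen != 96 and (addr >> 56) & 0xFF:
        raise ValueError(f"{ipv6} has non-zero bits 64..71")
    v4 = 0
    for pos in _ipv4_bit_positions(net.prefixlen):
        v4 = (v4 << 1) | ((addr >> (127 - pos)) & 1)
    return str(ipaddress.IPv4Address(v4))


def translate_addresses(nat64_prefix: str, src6: str, dst6: str):
    """IPv6 header (src, dst) -> IPv4 header (src, dst), as in the text above."""
    return extract_ipv4(nat64_prefix, src6), extract_ipv4(nat64_prefix, dst6)


if __name__ == "__main__":
    # The packet from the appendix: NSP 2001:db8:100::/40.
    print(translate_addresses("2001:db8:100::/40",
                              "2001:db8:1c0:2:21::", "2001:db8:1c6:3364:2::"))
    # The same IPv4 host under the stateless /56 prefix.
    print(embed_ipv4("2001:db8:122:300::/56", "192.0.2.33"))
```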
A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM A.6. Explicit Address Mappings (EAM) for Stateless IP/ICMP Translation
SIIT) (SIIT)
As specified in [RFC7757], an EAM consists of an IPv4 prefix and an As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
IPv6 prefix. Let's consider the set of EAM examples in Table 8. IPv6 prefix. Let's consider the set of EAM examples in Table 8.
+----------------+----------------------+ +----------------+----------------------+
| IPv4 Prefix | IPv6 Prefix | | IPv4 Prefix | IPv6 Prefix |
+----------------+----------------------+ +----------------+----------------------+
| 192.0.2.1 | 2001:db8:aaaa:: | | 192.0.2.1 | 2001:db8:aaaa:: |
| 192.0.2.2/32 | 2001:db8:bbbb::b/128 | | 192.0.2.2/32 | 2001:db8:bbbb::b/128 |
| 192.0.2.16/28 | 2001:db8:cccc::/124 | | 192.0.2.16/28 | 2001:db8:cccc::/124 |
| 192.0.2.128/26 | 2001:db8:dddd::/64 | | 192.0.2.128/26 | 2001:db8:dddd::/64 |
| 192.0.2.192/29 | 2001:db8:eeee:8::/62 | | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 192.0.2.224/31 | 64:ff9b::/127 | | 192.0.2.224/31 | 64:ff9b::/127 |
+----------------+----------------------+ +----------------+----------------------+
Table 8: EAM Examples (RFC7757) Table 8: EAM Examples (RFC 7757)
The following XML excerpt illustrates how these EAMs can be The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module: configured using the NAT YANG module:
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.1/32 192.0.2.1/32
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa::/128 2001:db8:aaaa::/128
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.224/31 192.0.2.224/31
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
EAMs may be enabled jointly with stateful NAT64. This example shows EAMs may be enabled jointly with stateful NAT64. This example shows
a NAT64 function that supports static mappings: a NAT64 function that supports static mappings:
<capabilities <capabilities>
<nat-flavor> <nat-flavor>
nat64 nat64
</nat-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
<internal-src-address> <internal-src-address>
192.0.2.1/32 192.0.2.1/32
</internal-src-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
100 100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
500 500
</end-port-number> </end-port-number>
</internal-dst-port> </internal-src-port>
<external-src-address> <external-src-address>
198.51.100.1/32 198.51.100.1/32
</external-src-address> </external-src-address>
<external-src-port> <external-src-port>
<start-port-number> <start-port-number>
1100 1100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
1500 1500
</end-port-number> </end-port-number>
192.0.2.0/24 192.0.2.0/24
</internal-src-address> </internal-src-address>
<external-src-address> <external-src-address>
198.51.100.0/24 198.51.100.0/24
</external-src-address> </external-src-address>
... ...
</mapping-entry> </mapping-entry>
A.9. Destination NAT A.9. Destination NAT
The following XML snippet shows an example of a destination NAT that The following XML snippet shows an example of a Destination NAT that
is instructed to translate all packets having 192.0.2.1 as a is instructed to translate all packets having 192.0.2.1 as a
destination IP address to 198.51.100.1. destination IP address to 198.51.100.1.
<dst-ip-address-pool> <dst-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<dst-in-ip-pool> <dst-in-ip-pool>
192.0.2.1/32 192.0.2.1/32
</dst-in-ip-pool> </dst-in-ip-pool>
<dst-out-ip-pool> <dst-out-ip-pool>
198.51.100.1/32 198.51.100.1/32
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1/32 198.51.100.1/32
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<start-port-number> <start-port-number>
8080 8080
</start-port-number> </start-port-number>
</external-dst-port> </external-dst-port>
</mapping-entry> </mapping-entry>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
'192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh '192.0.2.1:80' (HTTP traffic) to 198.51.100.1 and '192.0.2.1:22' (SSH
traffic) to 198.51.100.2, the following XML snippet shows the static traffic) to 198.51.100.2, the following XML snippet shows the static
mappings configured on the NAT: mappings configured on the NAT:
<mapping-entry> <mapping-entry>
<index>123</index> <index>123</index>
<type> <type>
static static
</type> </type>
<transport-protocol> <transport-protocol>
6 6
<internal-dst-port> <internal-dst-port>
<start-port-number> <start-port-number>
22 22
</start-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.2/32 198.51.100.2/32
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
The NAT may also be instructed to proceed with both source and The NAT may also be instructed to proceed with both source and
destination NAT. To do so, in addition to the above sample to Destination NAT. To do so, in addition to the above example to
configure destination NAT, the NAT may be provided, for example with configure Destination NAT, the NAT may be provided, for example with
a pool of external IP addresses (198.51.100.0/24) to use for source a pool of external IP addresses (198.51.100.0/24) to use for source
address translation. An example of the corresponding XML snippet is address translation. An example of the corresponding XML snippet is
provided hereafter: provided hereafter:
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
Instead of providing an external IP address to share, the NAT may be Instead of providing an external IP address to share, the NAT may be
configured with static mapping entries that modify the internal IP configured with static mapping entries that modify the internal IP
address and/or port number. address and/or port number.
A.10. Customer-side Translator (CLAT) A.10. Customer-Side Translator (CLAT)
The following XML snippet shows the example of a CLAT that is The following XML snippet shows the example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as a PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as a CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
<clat-ipv6-prefixes> <clat-ipv6-prefixes>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa::/96 2001:db8:aaaa::/96
</ipv6-prefix> </ipv6-prefix>
</clat-ipv6-prefixes> </clat-ipv6-prefixes>
<clat-ipv4-prefixes> <clat-ipv4-prefixes>
<ipv4-prefix> <ipv4-prefix>
V |eth1 2001:db8:1::/48 V |eth1 2001:db8:1::/48
V +---------+ ^ V +---------+ ^
V | NPTv6 | ^ V | NPTv6 | ^
V | | ^ V | | ^
V +---------+ ^ V +---------+ ^
External Prefix |eth0 ^ External Prefix |eth0 ^
2001:db8:6666::/48 | ^ 2001:db8:6666::/48 | ^
-------------------------------------- --------------------------------------
Internal Prefix = fd03:c03a:ecab::/48 Internal Prefix = fd03:c03a:ecab::/48
Figure 3: Connecting two Peer Networks Figure 3: Connecting Two Peer Networks
To that aim, the following configuration is provided to the NPTv6 To that aim, the following configuration is provided to the NPTv6
translator: translator:
<policy> <policy>
<id>1</id> <id>1</id>
<nptv6-prefixes> <nptv6-prefixes>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd03:c03a:ecab::/48 fd03:c03a:ecab::/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
2001:db8:6666::/48 2001:db8:6666::/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-realm> <external-realm>
<external-interface> <external-interface>
eth0 eth0
</external-interface> </external-interface>
</external-realm> </external-realm>
</policy> </policy>
Acknowledgements
Many thanks to Dan Wing, Tianran Zhou, Tom Petch, Warren Kumari, and
Benjamin Kaduk for their review.
Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for the EAM SIIT review,
and Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of this module
(https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang).
Rajiv Asati suggested clarifying how the module applies for both
stateless and stateful NAT64.
Juergen Schoenwaelder provided an early YANG Doctors review. Many
thanks to him.
Thanks to Roni Even, Mach(Guoyi) Chen, Tim Chown, and Stephen Farrell
for the directorates review. Igor Ryzhov identified a nit in one
example.
Mirja Kuehlewind made a comment about the reuse of some TCP timers
for any connection-oriented protocol.
Authors' Addresses Authors' Addresses
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Senthil Sivakumar Senthil Sivakumar
Cisco Systems Cisco Systems
7100-8 Kit Creek Road 7100-8 Kit Creek Road
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA United States of America
Phone: +1 919 392 5158 Phone: +1 919 392 5158
Email: ssenthil@cisco.com Email: ssenthil@cisco.com
Christian Jacquenet Christian Jacquenet
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: christian.jacquenet@orange.com Email: christian.jacquenet@orange.com
Suresh Vinapamula Suresh Vinapamula
Juniper Networks Juniper Networks
1133 Innovation Way 1133 Innovation Way
Sunnyvale 94089 Sunnyvale 94089
USA United States of America
Email: sureshk@juniper.net Email: sureshk@juniper.net
Qin Wu Qin Wu
Huawei Huawei
101 Software Avenue, Yuhua District 101 Software Avenue, Yuhua District
Nanjing, Jiangsu 210012 Nanjing, Jiangsu 210012
China China
Email: bill.wu@huawei.com Email: bill.wu@huawei.com