draft-ietf-opsawg-nat-yang-04.txt   draft-ietf-opsawg-nat-yang-05.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: April 1, 2018 Cisco Systems Expires: April 4, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
September 28, 2017 October 1, 2017
A YANG Data Model for Network Address Translation (NAT) and Network A YANG Data Model for Network Address Translation (NAT) and Network
Prefix Translation (NPT) Prefix Translation (NPT)
draft-ietf-opsawg-nat-yang-04 draft-ietf-opsawg-nat-yang-05
Abstract Abstract
For the sake of network automation and the need for programming For the sake of network automation and the need for programming
Network Address Translation (NAT) function in particular, a data Network Address Translation (NAT) function in particular, a data
model for configuring and managing the NAT is essential. This model for configuring and managing the NAT is essential. This
document defines a YANG module for the NAT function. document defines a YANG module for the NAT function.
NAT44, Network Address and Protocol Translation from IPv6 Clients to NAT44, Network Address and Protocol Translation from IPv6 Clients to
IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 1, 2018. This Internet-Draft will expire on April 4, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 27 skipping to change at page 2, line 27
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4
2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 5 2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 6
2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6 2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 7 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 7
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 9 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 10
2.10. Binding the NAT Function to an External Interface or VRF 10 2.10. Binding the NAT Function to an External Interface or VRF 10
2.11. Tree Structure . . . . . . . . . . . . . . . . . . . . . 10 2.11. Tree Structure . . . . . . . . . . . . . . . . . . . . . 10
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 15
4. Security Considerations . . . . . . . . . . . . . . . . . . . 57 4. Security Considerations . . . . . . . . . . . . . . . . . . . 58
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 58
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 58 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 58
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 58 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 59
7.1. Normative References . . . . . . . . . . . . . . . . . . 58 7.1. Normative References . . . . . . . . . . . . . . . . . . 59
7.2. Informative References . . . . . . . . . . . . . . . . . 59 7.2. Informative References . . . . . . . . . . . . . . . . . 60
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 62 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 62
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 62 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 62
A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 66 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 67
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 67 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 68
A.5. Explicit Address Mappings for Stateless IP/ICMP A.5. Explicit Address Mappings for Stateless IP/ICMP
Translation . . . . . . . . . . . . . . . . . . . . . . . 67 Translation . . . . . . . . . . . . . . . . . . . . . . . 69
A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 71 A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 72
A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 71 A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 72
A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 72 A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 73
A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 75 A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 76
A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 75 A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 79
1. Introduction 1. Introduction
This document defines a data model for Network Address Translation This document defines a data model for Network Address Translation
(NAT) and Network Prefix Translation (NPT) capabilities using the (NAT) and Network Prefix Translation (NPT) capabilities using the
YANG data modeling language [RFC6020]. YANG data modeling language [RFC6020].
Traditional NAT is defined in [RFC2663], while Carrier Grade NAT Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
(CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
used to optimize the usage of global IP address space at the scale of used to optimize the usage of global IP address space at the scale of
a domain: a CGN is not managed by end users, but by service providers a domain: a CGN is not managed by end users, but by service providers
instead. This document covers both traditional NATs and CGNs. instead. This document covers both traditional NATs and CGNs.
This document also covers NAT64 [RFC6146], customer-side translator This document also covers NAT64 [RFC6146], customer-side translator
(CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP (CLAT) [RFC6877], Explicit Address Mappings for Stateless IP/ICMP
Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation Translation (EAM) [RFC7757], and IPv6 Network Prefix Translation
(NPTv6) [RFC6296]. (NPTv6) [RFC6296]. The full set of translation schemes that are in
scope is included in Section 2.2.
Sample examples are provided in Appendix A. These examples are not Sample examples are provided in Appendix A. These examples are not
intended to be exhaustive. intended to be exhaustive.
1.1. Terminology 1.1. Terminology
This document makes use of the following terms: This document makes use of the following terms:
o Basic NAT44: translation is limited to IP addresses alone o Basic NAT44: translation is limited to IP addresses alone
(Section 2.1 of [RFC3022]). (Section 2.1 of [RFC3022]).
skipping to change at page 6, line 5 skipping to change at page 6, line 13
which provides the templates to log the destination ports. which provides the templates to log the destination ports.
2.2. Various NAT Flavors 2.2. Various NAT Flavors
The following modes are supported: The following modes are supported:
1. Basic NAT44 1. Basic NAT44
2. NAPT 2. NAPT
3. Destination NAT 3. Destination NAT
4. Port-restricted NAT 4. Port-restricted NAT
5. NAT64 5. Stateful and stateless NAT64
6. EAM SIIT 6. EAM SIIT
7. CLAT 7. CLAT
8. NPTv6 8. NPTv6
9. Combination of Basic NAT/NAPT and Destination NAT 9. Combination of Basic NAT/NAPT and Destination NAT
10. Combination of port-restricted and Destination NAT 10. Combination of port-restricted and Destination NAT
11. Combination of NAT64 and EAM 11. Combination of NAT64 and EAM
[I-D.ietf-softwire-dslite-yang] specifies an extension to support DS- [I-D.ietf-softwire-dslite-yang] specifies an extension to support DS-
Lite. Lite.
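Review bot: item 5 of the list is now "Stateful and stateless NAT64", but item 11, "Combination of NAT64 and EAM", still says only "NAT64"; since EAM itself keeps no per-flow state (Section 2.8), say which NAT64 flavour (or both) this combination covers so the two entries stay consistent.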
skipping to change at page 9, line 46 skipping to change at page 10, line 5
o No mapping table is maintained for NPTv6 given that it is o No mapping table is maintained for NPTv6 given that it is
stateless and transport-agnostic. stateless and transport-agnostic.
o The double translations are stateless in CLAT if a dedicated IPv6 o The double translations are stateless in CLAT if a dedicated IPv6
prefix is provided for CLAT. If not, a stateful NAT44 will be prefix is provided for CLAT. If not, a stateful NAT44 will be
required. required.
o No per-flow mapping is maintained for EAM [RFC7757]. o No per-flow mapping is maintained for EAM [RFC7757].
o No mapping table is maintained for stateless NAT64. As a
reminder, in such deployments internal IPv6 nodes are addressed
using IPv4-translatable IPv6 addresses, which enable them to be
accessed by IPv4 nodes [RFC6052].
2.9. Resource Limits 2.9. Resource Limits
In order to comply with CGN deployments in particular, the NAT YANG In order to comply with CGN deployments in particular, the NAT YANG
module allows limiting the number of external ports per subscriber module allows limiting the number of external ports per subscriber
(port-quota) and the amount of state memory allocated per mapping and (port-quota) and the amount of state memory allocated per mapping and
per subscriber (mapping-limit and connection-limit). According to per subscriber (mapping-limit and connection-limit). According to
[RFC6888], the model allows for the following: [RFC6888], the model allows for the following:
o Per-subscriber limits are configurable by the NAT administrator. o Per-subscriber limits are configurable by the NAT administrator.
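Review bot: the new bullet "No mapping table is maintained for stateless NAT64" does not say how an operator selects that behaviour; this revision adds a `stateless-enable` boolean under `nat64-prefixes` for exactly that purpose, so the bullet should name that leaf so the no-mapping-table statement is tied to the configuration that triggers it. "As a reminder" can be dropped.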
skipping to change at page 11, line 30 skipping to change at page 11, line 40
| +--rw nptv6-prefixes* [translation-id] | +--rw nptv6-prefixes* [translation-id]
| | +--rw translation-id uint32 | | +--rw translation-id uint32
| | +--rw internal-ipv6-prefix? inet:ipv6-prefix | | +--rw internal-ipv6-prefix? inet:ipv6-prefix
| | +--rw external-ipv6-prefix? inet:ipv6-prefix | | +--rw external-ipv6-prefix? inet:ipv6-prefix
| +--rw eam* [eam-ipv4-prefix] | +--rw eam* [eam-ipv4-prefix]
| | +--rw eam-ipv4-prefix inet:ipv4-prefix | | +--rw eam-ipv4-prefix inet:ipv4-prefix
| | +--rw eam-ipv6-prefix? inet:ipv6-prefix | | +--rw eam-ipv6-prefix? inet:ipv6-prefix
| +--rw nat64-prefixes* [nat64-prefix] | +--rw nat64-prefixes* [nat64-prefix]
| | +--rw nat64-prefix inet:ipv6-prefix | | +--rw nat64-prefix inet:ipv6-prefix
| | +--rw destination-ipv4-prefix* [ipv4-prefix] | | +--rw destination-ipv4-prefix* [ipv4-prefix]
| | +--rw ipv4-prefix inet:ipv4-prefix | | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw stateless-enable? boolean
| +--rw external-ip-address-pool* [pool-id] | +--rw external-ip-address-pool* [pool-id]
| | +--rw pool-id uint32 | | +--rw pool-id uint32
| | +--rw external-ip-pool? inet:ipv4-prefix | | +--rw external-ip-pool? inet:ipv4-prefix
| +--rw port-set-restrict | +--rw port-set-restrict
| | +--rw (port-type)? | | +--rw (port-type)?
| | +--:(port-range) | | +--:(port-range)
| | | +--rw start-port-number? inet:port-number | | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number | | | +--rw end-port-number? inet:port-number
| | +--:(port-set-algo) | | +--:(port-set-algo)
| | +--rw psid-offset? uint8 | | +--rw psid-offset? uint8
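Review bot: `stateless-enable?` is added as a child of each `nat64-prefixes` list entry, so an instance carrying several NAT64 prefixes may hold a mix of stateless and stateful entries; the model should either state that this mix is intended (and how a packet is matched to a stateless entry versus a stateful one, given `destination-ipv4-prefix*` lives in the same entry) or move the flag up so it applies to the whole NAT64 instance.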
skipping to change at page 14, line 45 skipping to change at page 15, line 8
+--ro ports-free? uint32 +--ro ports-free? uint32
notifications: notifications:
+---n nat-event +---n nat-event
+--ro id? -> /nat-module/nat-instances/nat-instance/id +--ro id? -> /nat-module/nat-instances/nat-instance/id
+--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id +--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id
+--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id +--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id
+--ro notify-pool-threshold percent +--ro notify-pool-threshold percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-09-28.yang" <CODE BEGINS> file "ietf-nat@2017-10-02.yang"
module ietf-nat { module ietf-nat {
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
skipping to change at page 15, line 38 skipping to change at page 15, line 48
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-10-02 {
description "Comments from Rajiv Asati to call out
explicitly stateless NAT64.";
reference "-ietf-04";
}
revision 2017-09-27 { revision 2017-09-27 {
description "Comments from Kris Poscic about NAT44, mainly: description "Comments from Kris Poscic about NAT44, mainly:
- Allow for multiple NAT policies within the same instance. - Allow for multiple NAT policies within the same instance.
- asociate an external interface/vrf per NAT policy."; - Associate an external interface/vrf per NAT policy.";
reference "-ietf-04"; reference "-ietf-04";
} }
revision 2017-09-18 { revision 2017-09-18 {
description "Comments from Tore Anderson about EAM-SIIT."; description "Comments from Tore Anderson about EAM-SIIT.";
reference "-ietf-03"; reference "-ietf-03";
} }
revision 2017-08-23 { revision 2017-08-23 {
description "Comments from F. Baker about NPTv6."; description "Comments from F. Baker about NPTv6.";
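Review bot: the new `revision 2017-10-02` statement carries `reference "-ietf-04";`, the same value as the preceding 2017-09-27 revision, although this module ships in draft -05 and the file is now named `ietf-nat@2017-10-02.yang`; it should read `reference "-ietf-05";`. The description would also be more useful if it named the change itself (the new `stateless-enable` leaf under `nat64-prefixes`) rather than only who commented.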
skipping to change at page 33, line 37 skipping to change at page 33, line 49
reference reference
"Section 5.1 of RFC7050."; "Section 5.1 of RFC7050.";
leaf nat64-prefix { leaf nat64-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
//default "64:ff9b::/96"; //default "64:ff9b::/96";
description description
"A NAT64 prefix. Can be NSP or a Well-Known "A NAT64 prefix. Can be NSP or a Well-Known
Prefix (WKP)."; Prefix (WKP).
Organizations deploying stateless IPv4/IPv6
translation should assign a Network-Specific
Prefix to their IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6
addresses must use the selected Network-Specific
Prefix. Both IPv4-translatable IPv6 addresses
and IPv4-converted IPv6 addresses should use
the same prefix.";
reference reference
"RFC 6052."; "Sections 3.3 and 3.4 of RFC 6052.";
} }
list destination-ipv4-prefix { list destination-ipv4-prefix {
key ipv4-prefix; key ipv4-prefix;
description description
"An IPv4 prefix/address."; "An IPv4 prefix/address.";
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "An IPv4 address/prefix.";
} }
} }
leaf stateless-enable {
type boolean;
description
"Enable explicitly statless NAT64.";
}
} }
list external-ip-address-pool { list external-ip-address-pool {
key pool-id; key pool-id;
description description
"Pool of external IP addresses used to "Pool of external IP addresses used to
service internal hosts. service internal hosts.
Both contiguous and non-contiguous pools Both contiguous and non-contiguous pools
can be configured for NAT purposes."; can be configured for NAT purposes.";
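Review bot: typo in the description of the new `stateless-enable` leaf: "Enable explicitly statless NAT64." should read "stateless". The leaf also has no `default` statement, so behaviour when it is absent (presumably stateful NAT64) is unspecified; add `default false;` or say so in the description. The extended `nat64-prefix` description now requires IPv4-translatable addresses to use the selected Network-Specific Prefix, but the leaf type is a plain `inet:ipv6-prefix`, so the module does not enforce that requirement; it would help to state that explicitly.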
skipping to change at page 58, line 25 skipping to change at page 59, line 13
structure and the suggestion to use NMDA. structure and the suggestion to use NMDA.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of an earlier version of
this module. this module.
Rajiv Asati suggested to clarify how the module applies for both
stateless and stateful NAT64.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast Translation (NAT) Behavioral Requirements for Unicast
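Review bot: grammar in the added acknowledgement: "Rajiv Asati suggested to clarify how the module applies ..." should read "suggested clarifying how the module applies ...".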
skipping to change at page 67, line 28 skipping to change at page 68, line 28
2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
The XML snippet to configure the NAT64 prefix in such case is The XML snippet to configure the NAT64 prefix in such case is
depicted below: depicted below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A NAT64 can be instructed to behave in the stateless mode by
providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4- translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).
<nat64-prefixes>
<nat64-prefix>
2001:db8:122:300::/56
</nat64-prefix>
<stateless-enable>
true
</stateless-enable>
</nat64-prefixes>
Let's now consider the example of a NAT64 that should use Let's now consider the example of a NAT64 that should use
2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
the destination address matches 198.51.100.0/24. The XML snippet to the destination address matches 198.51.100.0/24. The XML snippet to
configure the NAT64 prefix in such case is shown below: configure the NAT64 prefix in such case is shown below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122::/48 2001:db8:122::/48
</nat64-prefix> </nat64-prefix>
<destination-ipv4-prefix> <destination-ipv4-prefix>
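Review bot: stray space in "IPv4- translatable IPv6 addresses" in the new stateless-mode paragraph; it should be "IPv4-translatable". The paragraph cites "Section 3.3 of [RFC6052]" while the module's reference for the same point now reads "Sections 3.3 and 3.4 of RFC 6052"; align the two. The snippet itself places `stateless-enable` as a sibling of `nat64-prefix` inside the `nat64-prefixes` entry, which matches the tree diagram, so the example is consistent with the module.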
 End of changes. 22 change blocks. 
29 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/