draft-ietf-opsawg-nat-yang-06.txt   draft-ietf-opsawg-nat-yang-07.txt 
Network Working Group M. Boucadair Network Working Group M. Boucadair
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track S. Sivakumar Intended status: Standards Track S. Sivakumar
Expires: April 14, 2018 Cisco Systems Expires: May 3, 2018 Cisco Systems
C. Jacquenet C. Jacquenet
Orange Orange
S. Vinapamula S. Vinapamula
Juniper Networks Juniper Networks
Q. Wu Q. Wu
Huawei Huawei
October 11, 2017 October 30, 2017
A YANG Data Model for Network Address Translation (NAT) and Network A YANG Data Model for Network Address Translation (NAT) and Network
Prefix Translation (NPT) Prefix Translation (NPT)
draft-ietf-opsawg-nat-yang-06 draft-ietf-opsawg-nat-yang-07
Abstract Abstract
For the sake of network automation and the need for programming For the sake of network automation and the need for programming
Network Address Translation (NAT) function in particular, a data Network Address Translation (NAT) function in particular, a data
model for configuring and managing the NAT is essential. This model for configuring and managing the NAT is essential. This
document defines a YANG module for the NAT function. document defines a YANG module for the NAT function.
NAT44, Network Address and Protocol Translation from IPv6 Clients to NAT44, Network Address and Protocol Translation from IPv6 Clients to
IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Explicit
Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), and
IPv6 Network Prefix Translation (NPTv6) are covered in this document. IPv6 Network Prefix Translation (NPTv6) are covered in this document.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Please update this statement with the RFC number to be assigned to Please update these statements with the RFC number to be assigned to
ths document: this document:
"This version of this YANG module is part of RFC XXXX;" "This version of this YANG module is part of RFC XXXX;"
"RFC XXXX: A YANG Data Model for Network Address Translation (NAT)
and Network Prefix Translation (NPT)";
"reference: RFC XXXX"
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 14, 2018. This Internet-Draft will expire on May 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Tree Diagrams . . . . . . . . . . . . . . . . . . . . . . 5
2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 6 2.2. Various NAT Flavors . . . . . . . . . . . . . . . . . . . 6
2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6 2.3. TCP, UDP and ICMP NAT Behavioral Requirements . . . . . . 6
2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 6
2.5. IP Addresses Used for Translation . . . . . . . . . . . . 6 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 7
2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 7 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 7
2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 7
2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 7
2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 10 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 10
2.10. Binding the NAT Function to an External Interface or VRF 10 2.10. Binding the NAT Function to an External Interface or VRF 10
2.11. Tree Structure . . . . . . . . . . . . . . . . . . . . . 10 2.11. Tree Structure . . . . . . . . . . . . . . . . . . . . . 11
3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 14 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 15
4. Security Considerations . . . . . . . . . . . . . . . . . . . 56 4. Security Considerations . . . . . . . . . . . . . . . . . . . 52
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 57 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 57 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 53
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 58 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 54
7.1. Normative References . . . . . . . . . . . . . . . . . . 58 7.1. Normative References . . . . . . . . . . . . . . . . . . 54
7.2. Informative References . . . . . . . . . . . . . . . . . 59 7.2. Informative References . . . . . . . . . . . . . . . . . 55
Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 61 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 57
A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 61 A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 58
A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 A.2. CGN . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 66 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 62
A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 67 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 63
A.5. Explicit Address Mappings for Stateless IP/ICMP A.5. Explicit Address Mappings for Stateless IP/ICMP
Translation . . . . . . . . . . . . . . . . . . . . . . . 68 Translation . . . . . . . . . . . . . . . . . . . . . . . 64
A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 71 A.6. Static Mappings with Port Ranges . . . . . . . . . . . . 67
A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 71 A.7. Static Mappings with IP Prefixes . . . . . . . . . . . . 67
A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 72 A.8. Destination NAT . . . . . . . . . . . . . . . . . . . . . 68
A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 75 A.9. CLAT . . . . . . . . . . . . . . . . . . . . . . . . . . 71
A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 75 A.10. NPTv6 . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 74
1. Introduction 1. Introduction
This document defines a data model for Network Address Translation This document defines a data model for Network Address Translation
(NAT) and Network Prefix Translation (NPT) capabilities using the (NAT) and Network Prefix Translation (NPT) capabilities using the
YANG data modeling language [RFC7950]. YANG data modeling language [RFC7950].
Traditional NAT is defined in [RFC2663], while Carrier Grade NAT Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
(CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is
used to optimize the usage of global IP address space at the scale of used to optimize the usage of global IP address space at the scale of
skipping to change at page 4, line 28 skipping to change at page 4, line 33
host. host.
o External Address: The IP address/prefix assigned by a NAT/NPTv6 to o External Address: The IP address/prefix assigned by a NAT/NPTv6 to
an internal host; this is the address that will be seen by a an internal host; this is the address that will be seen by a
remote host on the Internet. remote host on the Internet.
o Mapping: denotes a state at the NAT that is necessary for network o Mapping: denotes a state at the NAT that is necessary for network
address and/or port translation. address and/or port translation.
o Dynamic implicit mapping: is created implicitly as a side effect o Dynamic implicit mapping: is created implicitly as a side effect
of traffic such as an outgoing TCP SYN or an outgoing UDP packet. of processing a packet (e.g., an initial TCP SYN packet) that
A validity lifetime is associated with this mapping. requires a new mapping. A validity lifetime is associated with
this mapping.
o Dynamic explicit mapping: is created as a result of an explicit o Dynamic explicit mapping: is created as a result of an explicit
request, e.g., PCP message [RFC6887]. A validity lifetime is request, e.g., PCP message [RFC6887]. A validity lifetime is
associated with this mapping. associated with this mapping.
o Static explicit mapping: is created manually. This mapping is o Static explicit mapping: is created using, e.g., a CLI interface.
likely to be maintained by the NAT function till an explicit This mapping is likely to be maintained by the NAT function till
action is executed to remove it. an explicit action is executed to remove it.
The usage of the term NAT in this document refers to any NAT flavor The usage of the term NAT in this document refers to any NAT flavor
(NAT44, NAT64, etc.) indifferently. (NAT44, NAT64, etc.) indifferently.
This document uses the term "session" as defined in [RFC2663] and This document uses the term "session" as defined in [RFC2663] and
[RFC6146] for NAT64. [RFC6146] for NAT64.
1.2. Tree Diagrams 1.2. Tree Diagrams
The meaning of the symbols in these diagrams is as follows: The meaning of the symbols in these diagrams is as follows:
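Review bot: the revised "Static explicit mapping" definition says such mappings are "created using, e.g., a CLI interface", which understates the module's own role: a static mapping provisioned through this YANG module (the capabilities container advertises `static-mapping-support`) is the primary case this document cares about, so the example should name configuration through the data model alongside a CLI. The reworded "Dynamic implicit mapping" entry is an improvement, since "a packet that requires a new mapping" covers UDP and other transports without listing them, but both dynamic definitions speak of a "validity lifetime" while the rest of the document never states its unit; say "in seconds" here (or in the mapping entry's description) so the value has the same meaning in every implementation.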
skipping to change at page 5, line 28 skipping to change at page 5, line 37
2.1. Overview 2.1. Overview
The NAT YANG module is designed to cover dynamic implicit mappings The NAT YANG module is designed to cover dynamic implicit mappings
and static explicit mappings. The required functionality to instruct and static explicit mappings. The required functionality to instruct
dynamic explicit mappings is defined in separate documents such as dynamic explicit mappings is defined in separate documents such as
[I-D.boucadair-pcp-yang]. Considerations about instructing explicit [I-D.boucadair-pcp-yang]. Considerations about instructing explicit
dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of dynamic means (e.g., [RFC6887], [RFC6736], or [RFC8045]) are out of
scope. scope.
A single NAT device can have multiple NAT instances (nat-instance); A single NAT device can have multiple NAT instances; each of these
each of these instances can be provided with its own policies (e.g., instances can be provided with its own policies (e.g., be responsible
be responsible for serving a group of hosts). This document does not for serving a group of hosts). This document does not make any
make any assumption about how internal hosts or flows are associated assumption about how internal hosts or flows are associated with a
with a given NAT instance. given NAT instance.
The NAT YANG module assumes that each NAT instance can be enabled/ The NAT YANG module assumes that each NAT instance can be enabled/
disabled, be provisioned with a specific set of configuration data, disabled, be provisioned with a specific set of configuration data,
and maintains its own mapping tables. and maintains its own mapping tables.
Further, the NAT YANG module allows for a NAT instance to be provided Further, the NAT YANG module allows for a NAT instance to be provided
with multiple NAT policies (nat-policy). The document does not make with multiple NAT policies (policy). The document does not make any
any assumption about how flows are associated with a given NAT policy assumption about how flows are associated with a given NAT policy of
of a given NAT instance. Classification filters are out of scope. a given NAT instance. Classification filters are out of scope.
Defining multiple NAT instances or configuring multiple NAT policies Defining multiple NAT instances or configuring multiple NAT policies
within one single NAT instance is implementation- and deployment- within one single NAT instance is implementation- and deployment-
specific. specific.
To accommodate deployments where [RFC6302] is not enabled, this YANG To accommodate deployments where [RFC6302] is not enabled, this YANG
module allows to instruct a NAT function to log the destination port module allows to instruct a NAT function to log the destination port
number. The reader may refer to [I-D.ietf-behave-ipfix-nat-logging] number. The reader may refer to [I-D.ietf-behave-ipfix-nat-logging]
which provides the templates to log the destination ports. which provides the templates to log the destination ports.
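Review bot: the Overview's reference to "(policy)" now matches the renamed tree node, but the earlier sentence that named the instance node dropped the parenthetical entirely; for symmetry, keep "(instance)" there too so a reader can map the prose to the tree. The last paragraph lets an operator instruct the NAT to log the destination port number for deployments where [RFC6302] is not enabled; because that data identifies which remote services each subscriber contacted, the description of the logging-related nodes should state that the logged records are sensitive and that access to the logging configuration (destination address and port of the collector) must be restricted to authorized operators, otherwise an attacker who can write those nodes can redirect subscriber session records to a host of their choosing.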
skipping to change at page 10, line 45 skipping to change at page 11, line 10
If no external interface/VRF is provided, this assumes that the If no external interface/VRF is provided, this assumes that the
system is able to determine the external interface/VRF instance on system is able to determine the external interface/VRF instance on
which the NAT will be applied. Typically, the WAN and LAN interfaces which the NAT will be applied. Typically, the WAN and LAN interfaces
of a CPE is determined by the CPE. of a CPE is determined by the CPE.
2.11. Tree Structure 2.11. Tree Structure
The tree structure of the NAT YANG module is provided below: The tree structure of the NAT YANG module is provided below:
module: ietf-nat module: ietf-nat
+--rw nat-module +--rw nat
+--rw nat-instances +--rw instances
+--rw nat-instance* [id] +--rw instance* [id]
+--rw id uint32 +--rw id uint32
+--rw name? string +--rw name? string
+--rw enable? boolean +--rw enable? boolean
+--rw nat-capabilities +--rw capabilities
| +--rw nat-flavor* identityref | +--rw nat-flavor* identityref
| +--rw nat44-flavor* identityref | +--rw nat44-flavor* identityref
| +--rw restricted-port-support? boolean | +--rw restricted-port-support? boolean
| +--rw static-mapping-support? boolean | +--rw static-mapping-support? boolean
| +--rw port-randomization-support? boolean | +--rw port-randomization-support? boolean
| +--rw port-range-allocation-support? boolean | +--rw port-range-allocation-support? boolean
| +--rw port-preservation-suport? boolean | +--rw port-preservation-suport? boolean
| +--rw port-parity-preservation-support? boolean | +--rw port-parity-preservation-support? boolean
| +--rw address-roundrobin-support? boolean | +--rw address-roundrobin-support? boolean
| +--rw paired-address-pooling-support? boolean | +--rw paired-address-pooling-support? boolean
| +--rw endpoint-independent-mapping-support? boolean | +--rw endpoint-independent-mapping-support? boolean
| +--rw address-dependent-mapping-support? boolean | +--rw address-dependent-mapping-support? boolean
| +--rw address-and-port-dependent-mapping-support? boolean | +--rw address-and-port-dependent-mapping-support? boolean
| +--rw endpoint-independent-filtering-support? boolean | +--rw endpoint-independent-filtering-support? boolean
| +--rw address-dependent-filtering? boolean | +--rw address-dependent-filtering? boolean
| +--rw address-and-port-dependent-filtering? boolean | +--rw address-and-port-dependent-filtering? boolean
+--rw nat-pass-through* [nat-pass-through-id] +--rw nat-pass-through* [id]
| +--rw nat-pass-through-id uint32 | +--rw id uint32
| +--rw nat-pass-through-pref? inet:ip-prefix | +--rw prefix? inet:ip-prefix
| +--rw nat-pass-through-port? inet:port-number | +--rw port? inet:port-number
+--rw nat-policy* [policy-id] +--rw policy* [id]
| +--rw policy-id uint32 | +--rw id uint32
| +--rw clat-parameters | +--rw clat-parameters
| | +--rw clat-ipv6-prefixes* [clat-ipv6-prefix] | | +--rw clat-ipv6-prefixes* [ipv6-prefix]
| | | +--rw clat-ipv6-prefix inet:ipv6-prefix | | | +--rw ipv6-prefix inet:ipv6-prefix
| | +--rw clat-ipv4-prefixes* [clat-ipv4-prefix] | | +--rw ipv4-prefixes* [ipv4-prefix]
| | +--rw clat-ipv4-prefix inet:ipv4-prefix | | +--rw ipv4-prefix inet:ipv4-prefix
| +--rw nptv6-prefixes* [translation-id] | +--rw nptv6-prefixes* [translation-id]
| | +--rw translation-id uint32 | | +--rw translation-id uint32
| | +--rw internal-ipv6-prefix? inet:ipv6-prefix | | +--rw internal-ipv6-prefix? inet:ipv6-prefix
| | +--rw external-ipv6-prefix? inet:ipv6-prefix | | +--rw external-ipv6-prefix? inet:ipv6-prefix
| +--rw eam* [eam-ipv4-prefix] | +--rw eam* [ipv4-prefix]
| | +--rw eam-ipv4-prefix inet:ipv4-prefix | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw eam-ipv6-prefix? inet:ipv6-prefix | | +--rw ipv6-prefix? inet:ipv6-prefix
| +--rw nat64-prefixes* [nat64-prefix] | +--rw nat64-prefixes* [nat64-prefix]
| | +--rw nat64-prefix inet:ipv6-prefix | | +--rw nat64-prefix inet:ipv6-prefix
| | +--rw destination-ipv4-prefix* [ipv4-prefix] | | +--rw destination-ipv4-prefix* [ipv4-prefix]
| | | +--rw ipv4-prefix inet:ipv4-prefix | | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw stateless-enable? boolean | | +--rw stateless-enable? boolean
| +--rw external-ip-address-pool* [pool-id] | +--rw external-ip-address-pool* [pool-id]
| | +--rw pool-id uint32 | | +--rw pool-id uint32
| | +--rw external-ip-pool? inet:ipv4-prefix | | +--rw external-ip-pool? inet:ipv4-prefix
| +--rw port-set-restrict | +--rw port-set-restrict
| | +--rw (port-type)? | | +--rw (port-type)?
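Review bot: the rename of the list keys is inconsistent within this hunk: `clat-ipv6-prefixes* [ipv6-prefix]` keeps its `clat-` prefix while its sibling became `ipv4-prefixes* [ipv4-prefix]`; pick one convention (`ipv6-prefixes`/`ipv4-prefixes` would match the rest of the -07 renaming). Two smaller naming defects survived the revision in the capabilities container: `port-preservation-suport` is misspelled (should be `port-preservation-support`), and `address-dependent-filtering` and `address-and-port-dependent-filtering` lack the `-support` suffix carried by every other leaf in that container, including `endpoint-independent-filtering-support`. Since capability leaf names become part of the published module's API, fixing them before publication is cheap and fixing them after is a backwards-incompatible change.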
skipping to change at page 12, line 19 skipping to change at page 12, line 32
| | +--rw dst-in-ip-pool? inet:ip-prefix | | +--rw dst-in-ip-pool? inet:ip-prefix
| | +--rw dst-out-ip-pool? inet:ip-prefix | | +--rw dst-out-ip-pool? inet:ip-prefix
| +--rw supported-transport-protocols* [transport-protocol-id] | +--rw supported-transport-protocols* [transport-protocol-id]
| | +--rw transport-protocol-id uint8 | | +--rw transport-protocol-id uint8
| | +--rw transport-protocol-name? string | | +--rw transport-protocol-name? string
| +--rw subscriber-mask-v6? uint8 | +--rw subscriber-mask-v6? uint8
| +--rw subscriber-match* [sub-match-id] | +--rw subscriber-match* [sub-match-id]
| | +--rw sub-match-id uint32 | | +--rw sub-match-id uint32
| | +--rw sub-mask inet:ip-prefix | | +--rw sub-mask inet:ip-prefix
| +--rw paired-address-pooling? boolean | +--rw paired-address-pooling? boolean
| +--rw nat-mapping-type? enumeration | +--rw mapping-type? enumeration
| +--rw nat-filtering-type? enumeration | +--rw filtering-type? enumeration
| +--rw port-quota* [quota-type] | +--rw port-quota* [quota-type]
| | +--rw port-limit? uint16 | | +--rw port-limit? uint16
| | +--rw quota-type enumeration | | +--rw quota-type uint8
| +--rw port-allocation-type? enumeration | +--rw port-allocation-type? enumeration
| +--rw address-roundrobin-enable? boolean | +--rw address-roundrobin-enable? boolean
| +--rw port-set | +--rw port-set
| | +--rw port-set-size? uint16 | | +--rw port-set-size? uint16
| | +--rw port-set-timeout? uint32 | | +--rw port-set-timeout? uint32
| +--rw timers | +--rw timers
| | +--rw udp-timeout? uint32 | | +--rw udp-timeout? uint32
| | +--rw tcp-idle-timeout? uint32 | | +--rw tcp-idle-timeout? uint32
| | +--rw tcp-trans-open-timeout? uint32 | | +--rw tcp-trans-open-timeout? uint32
| | +--rw tcp-trans-close-timeout? uint32 | | +--rw tcp-trans-close-timeout? uint32
| | +--rw tcp-in-syn-timeout? uint32 | | +--rw tcp-in-syn-timeout? uint32
| | +--rw fragment-min-timeout? uint32 | | +--rw fragment-min-timeout? uint32
| | +--rw icmp-timeout? uint32 | | +--rw icmp-timeout? uint32
| | +--rw per-port-timeout* [port-number] | | +--rw per-port-timeout* [port-number]
| | | +--rw port-number inet:port-number | | | +--rw port-number inet:port-number
| | | +--rw port-timeout inet:port-number | | | +--rw port-timeout uint32
| | +--rw hold-down-timeout? uint32 | | +--rw hold-down-timeout? uint32
| | +--rw hold-down-max? uint32 | | +--rw hold-down-max? uint32
| +--rw algs* [alg-name] | +--rw algs* [name]
| | +--rw alg-name string | | +--rw name string
| | +--rw alg-transport-protocol? uint32 | | +--rw transport-protocol? uint32
| | +--rw alg-transport-port? inet:port-number | | +--rw transport-port? inet:port-number
| | +--rw alg-status? boolean | | +--rw status? boolean
| +--rw all-algs-enable? boolean | +--rw all-algs-enable? boolean
| +--rw notify-pool-usage | +--rw notify-pool-usage
| | +--rw pool-id? uint32 | | +--rw pool-id? uint32
| | +--rw notify-pool-hi-threshold percent | | +--rw high-threshold percent
| | +--rw notify-pool-low-threshold? percent | | +--rw low-threshold? percent
| +--rw external-realm | +--rw external-realm
| +--rw (realm-type)? | +--rw (realm-type)?
| +--:(interface) | +--:(interface)
| | +--rw external-interface? if:interface-ref | | +--rw external-interface? if:interface-ref
| +--:(vrf) | +--:(vrf)
| +--rw external-vrf-instance? identityref | +--rw external-vrf-instance? identityref
+--rw mapping-limit +--rw mapping-limit
| +--rw limit-per-subscriber? uint32 | +--rw limit-per-subscriber? uint32
| +--rw limit-per-vrf? uint32 | +--rw limit-per-vrf? uint32
| +--rw limit-per-subnet? inet:ip-prefix
| +--rw limit-per-instance uint32 | +--rw limit-per-instance uint32
| +--rw limit-per-udp uint32 | +--rw limit-per-udp uint32
| +--rw limit-per-tcp uint32 | +--rw limit-per-tcp uint32
| +--rw limit-per-icmp uint32 | +--rw limit-per-icmp uint32
+--rw connection-limit +--rw connection-limit
| +--rw limit-per-subscriber? uint32 | +--rw limit-per-subscriber? uint32
| +--rw limit-per-vrf? uint32 | +--rw limit-per-vrf? uint32
| +--rw limit-per-subnet? inet:ip-prefix
| +--rw limit-per-instance uint32 | +--rw limit-per-instance uint32
| +--rw limit-per-udp uint32 | +--rw limit-per-udp uint32
| +--rw limit-per-tcp uint32 | +--rw limit-per-tcp uint32
| +--rw limit-per-icmp uint32 | +--rw limit-per-icmp uint32
+--rw logging-info +--rw logging-info
| +--rw logging-enable? boolean | +--rw logging-enable? boolean
| +--rw destination-address inet:ip-prefix | +--rw destination-address inet:ip-prefix
| +--rw destination-port inet:port-number | +--rw destination-port inet:port-number
| +--rw (protocol)? | +--rw (protocol)?
| +--:(syslog) | +--:(syslog)
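Review bot: changing `quota-type` from `enumeration` to `uint8` loses the self-describing value set for the `port-quota` list key; either restore the enumeration or have the leaf description define the meaning of each numeric value, otherwise two implementations may assign different semantics to the same key. The removal of `limit-per-subnet? inet:ip-prefix` from both `mapping-limit` and `connection-limit` is correct as far as it goes (a limit typed as a prefix carries no count), but if a per-subnet resource limit is still wanted, the right shape is a list keyed by prefix with a `uint32` limit leaf, which this revision does not add. The type change of `port-timeout` from `inet:port-number` to `uint32` fixes a genuine bug. Note also that `limit-per-instance`, `limit-per-udp`, `limit-per-tcp` and `limit-per-icmp` are mandatory (no `?`) while the per-subscriber and per-VRF limits are optional; if that is intentional, the section on resource limits should say that an instance without these values is invalid, because these ceilings are what bound the damage a single subscriber can do to the shared pool.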
skipping to change at page 14, line 13 skipping to change at page 14, line 24
| +--rw internal-dst-port | +--rw internal-dst-port
| | +--rw start-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number | | +--rw end-port-number? inet:port-number
| +--rw external-dst-address? inet:ip-prefix | +--rw external-dst-address? inet:ip-prefix
| +--rw external-dst-port | +--rw external-dst-port
| | +--rw start-port-number? inet:port-number | | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number | | +--rw end-port-number? inet:port-number
| +--rw lifetime? uint32 | +--rw lifetime? uint32
+--ro statistics +--ro statistics
+--ro traffic-statistics +--ro traffic-statistics
| +--ro sent-packet? yang:zero-based-counter64 | +--ro sent-packets? yang:zero-based-counter64
| +--ro sent-byte? yang:zero-based-counter64 | +--ro sent-bytes? yang:zero-based-counter64
| +--ro rcvd-packet? yang:zero-based-counter64 | +--ro rcvd-packets? yang:zero-based-counter64
| +--ro rcvd-byte? yang:zero-based-counter64 | +--ro rcvd-bytes? yang:zero-based-counter64
| +--ro dropped-packet? yang:zero-based-counter64 | +--ro dropped-packets? yang:zero-based-counter64
| +--ro dropped-byte? yang:zero-based-counter64 | +--ro dropped-bytes? yang:zero-based-counter64
+--ro mapping-statistics +--ro mapping-statistics
| +--ro total-mappings? uint32 | +--ro total-mappings? yang:gauge32
| +--ro total-tcp-mappings? uint32 | +--ro total-tcp-mappings? yang:gauge32
| +--ro total-udp-mappings? uint32 | +--ro total-udp-mappings? yang:gauge32
| +--ro total-icmp-mappings? uint32 | +--ro total-icmp-mappings? yang:gauge32
+--ro pool-stats +--ro pool-stats
+--ro pool-id? uint32 +--ro pool-id? uint32
+--ro address-allocated? uint32 +--ro addresses-allocated? yang:gauge32
+--ro address-free? uint32 +--ro addresses-free? yang:gauge32
+--ro port-stats +--ro port-stats
+--ro ports-allocated? uint32 +--ro ports-allocated? yang:gauge32
+--ro ports-free? uint32 +--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-event +---n nat-event
+--ro id? -> /nat-module/nat-instances/nat-instance/id +--ro id? -> /nat/instances/instance/id
+--ro policy-id? -> /nat-module/nat-instances/nat-instance/nat-policy/policy-id +--ro policy-id? -> /nat/instances/instance/policy/id
+--ro pool-id? -> /nat-module/nat-instances/nat-instance/nat-policy/external-ip-address-pool/pool-id +--ro pool-id? -> /nat/instances/instance/policy/external-ip-address-pool/pool-id
+--ro notify-pool-threshold percent +--ro notify-pool-threshold percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-10-12.yang" <CODE BEGINS> file "ietf-nat@2017-10-30.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
import ietf-interfaces { prefix if; } import ietf-interfaces { prefix if; }
organization "IETF OPSAWG Working Group"; organization "IETF OPSAWG (Operations and Management Area Working Group)";
contact contact
"Mohamed Boucadair <mohamed.boucadair@orange.com>
Senthil Sivakumar <ssenthil@cisco.com> "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
Chritsian Jacquenet <christian.jacquenet@orange.com> WG List: <mailto:opsawg@ietf.org>
Suresh Vinapamula <sureshk@juniper.net>
Qin Wu <bill.wu@huawei.com>"; WG Chair: Ignas Bagdonas
<mailto:ibagdona@gmail.com>
WG Chair: Joe Clarke
<mailto:jclarke@cisco.com>
WG Chair: Tianran Zhou
<mailto:zhoutianran@huawei.com>
Editor: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com>
Editor: Senthil Sivakumar
<mailto:ssenthil@cisco.com>
Editor: Chritsian Jacquenet
<mailto:christian.jacquenet@orange.com>
Editor: Suresh Vinapamula
<mailto:sureshk@juniper.net>
Editor: Qin Wu
<mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations "This module is a YANG module for NAT implementations
(including NAT44 and NAT64 flavors). (including NAT44 and NAT64 flavors).
Copyright (c) 2017 IETF Trust and the persons identified as Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-10-12 { revision 2017-10-30 {
description "Comments from Mahesh Jethanandani."; description
reference "-ietf-05"; "Initial revision.";
} reference
"RFC XXXX: A YANG Data Model for Network Address Translation
revision 2017-10-02 { (NAT) and Network Prefix Translation (NPT)";
description "Comments from Rajiv Asati to call out
explicitly stateless NAT64.";
reference "-ietf-04";
}
revision 2017-09-27 {
description "Comments from Kris Poscic about NAT44, mainly:
- Allow for multiple NAT policies within the same instance.
- Associate an external interface/vrf per NAT policy.";
reference "-ietf-04";
}
revision 2017-09-18 {
description "Comments from Tore Anderson about EAM-SIIT.";
reference "-ietf-03";
}
revision 2017-08-23 {
description "Comments from F. Baker about NPTv6.";
reference "-ietf-02";
}
revision 2017-08-21 {
description " Includes CLAT (Lee/Jordi).";
reference "-ietf-01";
}
revision 2017-08-03 {
description "Integrates comments from OPSAWG CFA.";
reference "-ietf-00";
}
revision 2017-07-03 {
description "Integrates comments from D. Wing and T. Zhou.";
reference "-07";
}
revision 2015-09-08 {
description "Fixes few YANG errors.";
reference "-02";
}
revision 2015-09-07 {
description "Completes the NAT64 model.";
reference "01";
}
revision 2015-08-29 {
description "Initial version.";
reference "00";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
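Review bot: "Chritsian" in the contact block is misspelled in both versions (it appears as `Editor: Chritsian Jacquenet` in -07); the header lists "C. Jacquenet" and the mailto uses `christian.jacquenet`, so this should read "Christian". Collapsing the revision history into a single `revision 2017-10-30` with description "Initial revision." and a reference to RFC XXXX is appropriate for publication, and the new date matches the `<CODE BEGINS>` file name `ietf-nat@2017-10-30.yang`, which is the consistency check that most often fails in this kind of edit. The statistics changes are also sound: the counters are now consistently plural (`sent-packets`, `rcvd-bytes`, ...), and the mapping and pool figures moved from `uint32` to `yang:gauge32`, which is the right type for a value that can go down as mappings expire; the notification leafrefs were updated to the new `/nat/instances/instance/...` paths, so no dangling references remain in this hunk.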
skipping to change at page 17, line 19 skipping to change at page 17, line 4
* Identities * Identities
*/ */
identity nat-type { identity nat-type {
description description
"Base identity for nat type."; "Base identity for nat type.";
} }
identity nat44 { identity nat44 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for traditional NAT support."; "Identity for traditional NAT support.";
reference reference
"RFC 3022."; "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
} }
identity basic-nat { identity basic-nat {
base nat:nat44; base nat:nat44;
description description
"Identity for Basic NAT support."; "Identity for Basic NAT support.";
reference reference
"RFC 3022."; "RFC 3022: Traditional IP Network Address Translator
(Traditional NAT)";
} }
identity napt { identity napt {
base nat:nat44; base nat:nat44;
description description
"Identity for NAPT support."; "Identity for NAPT support.";
reference reference
"RFC 3022."; "RFC 3022: Traditional IP Network Address Translator
} (Traditional NAT)";
identity restricted-nat {
base nat:nat44;
description
"Identity for Port-Restricted NAT support.";
reference
"RFC 7596.";
} }
identity dst-nat { identity dst-nat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for Destination NAT support."; "Identity for Destination NAT support.";
} }
identity nat64 { identity nat64 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NAT64 support."; "Identity for NAT64 support.";
reference reference
"RFC 6146."; "RFC 6146: Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers";
} }
identity clat { identity clat {
base nat:nat-type; base nat:nat-type;
description description
"Identity for CLAT support."; "Identity for CLAT support.";
reference reference
"RFC 6877."; "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
} }
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757."; "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation";
} }
identity nptv6 { identity nptv6 {
base nat:nat-type; base nat:nat-type;
description description
"Identity for NPTv6 support."; "Identity for NPTv6 support.";
reference reference
"RFC 6296."; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
identity vrf-routing-instance { identity vrf-routing-instance {
description description
"This identity represents a VRF routing instance."; "This identity represents a VRF routing instance.";
reference reference
"Section 8.9 of RFC 4026."; "Section 8.9 of RFC 4026.";
} }
/* /*
* Grouping * Grouping
*/ */
// port numbers: single or port-range
grouping port-number { grouping port-number {
description description
"Individual port or a range of ports. "Individual port or a range of ports.
When only start-port-numbert is present, When only start-port-number is present,
it represents a single port."; it represents a single port.";
leaf start-port-number { leaf start-port-number {
type inet:port-number; type inet:port-number;
description description
"Beginning of the port range."; "Beginning of the port range.";
reference reference
"Section 3.2.9 of RFC 8045."; "Section 3.2.9 of RFC 8045.";
} }
leaf end-port-number { leaf end-port-number {
type inet:port-number; type inet:port-number;
must ". >= ../start-port-number" must ". >= ../start-port-number"
{ {
error-message error-message
skipping to change at page 19, line 48 skipping to change at page 19, line 9
type inet:port-number; type inet:port-number;
must ". >= ../start-port-number" must ". >= ../start-port-number"
{ {
error-message error-message
"The end-port-number must be greater than or "The end-port-number must be greater than or
equal to start-port-number."; equal to start-port-number.";
} }
description description
"End of the port range."; "End of the port range.";
reference reference
"Section 3.2.10 of RFC 8045."; "Section 3.2.10 of RFC 8045.";
} }
} }
// Set of ports
grouping port-set { grouping port-set {
description description
"Indicates a set of ports. "Indicates a set of ports.
It may be a simple port range, or use the PSID algorithm
to represent a range of transport layer It may be a simple port range, or use the Port Set ID (PSID)
algorithm to represent a range of transport layer
ports which will be used by a NAPT."; ports which will be used by a NAPT.";
choice port-type { choice port-type {
default port-range; default port-range;
description description
"Port type: port-range or port-set-algo."; "Port type: port-range or port-set-algo.";
case port-range { case port-range {
/*leaf start-port-number {
type inet:port-number;
description
"Beginning of the port range.";
reference
"Section 3.2.9 of RFC 8045.";
}
leaf end-port-number {
type inet:port-number;
description
"End of the port range.";
reference
"Section 3.2.10 of RFC 8045.";
}*/
uses port-number; uses port-number;
} }
case port-set-algo { case port-set-algo {
leaf psid-offset { leaf psid-offset {
type uint8 { type uint8 {
range 0..16; range 0..15;
} }
description description
"The number of offset bits. In Lightweight 4over6, "The number of offset bits (a.k.a., 'a' bits).
the default value is 0 for assigning one contiguous
port range. In MAP-E/T, the default value is 6, Specifies the numeric value for the excluded port
which excludes system ports by default and assigns range/offset bits.
port ranges distributed across the entire port
space."; Allowed values are between 0 and 15.";
reference
"Section 5.1 of RFC 7597";
} }
leaf psid-len { leaf psid-len {
type uint8 { type uint8 {
range 0..15; range 0..15;
} }
mandatory true; mandatory true;
description description
"The length of PSID, representing the sharing "The length of PSID, representing the sharing
ratio for an IPv4 address."; ratio for an IPv4 address.
(also known as 'k').
The address-sharing ratio would be 2^k.";
reference
"Section 5.1 of RFC 7597";
} }
leaf psid { leaf psid {
type uint16; type uint16;
mandatory true; mandatory true;
description description
"Port Set Identifier (PSID) value, which "Port Set Identifier (PSID) value, which
identifies a set of ports algorithmically."; identifies a set of ports algorithmically.";
reference
"Section 5.1 of RFC 7597";
} }
} }
reference
"RFC 7597: Mapping of Address and Port with
Encapsulation (MAP-E)";
} }
} }
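As an added example (not part of the draft or of the YANG module), the following Python expands a `port-set` instance into concrete port ranges: the `port-range` case with the `end-port-number >= start-port-number` constraint, and the `port-set-algo` case using the RFC 7597 PSID algorithm with the draft-07 bounds (`psid-offset` 0..15, `psid-len` 0..15). The class and function names are my own, not module identifiers.

```python
"""Expand the 'port-set' grouping of the NAT YANG module into port ranges.

Added example, not part of the draft. Names (PortRange, PortSetAlgo,
expand_port_set) are assumptions of this snippet, not module identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class PortRange:
    """case port-range: 'uses port-number' (single port when end is absent)."""
    start_port_number: int
    end_port_number: Optional[int] = None


@dataclass(frozen=True)
class PortSetAlgo:
    """case port-set-algo: PSID parameters, RFC 7597 Section 5.1."""
    psid_offset: int  # 'a' bits; draft-07 narrows the range from 0..16 to 0..15
    psid_len: int     # 'k' bits; the address-sharing ratio is 2^k
    psid: int         # PSID value, must fit in k bits


def _check_port(value: int) -> None:
    # inet:port-number is a uint16
    if not 0 <= value <= 65535:
        raise ValueError(f"port {value} outside 0..65535")


def validate_port_range(pr: PortRange) -> None:
    """Enforce the 'must . >= ../start-port-number' statement."""
    _check_port(pr.start_port_number)
    if pr.end_port_number is not None:
        _check_port(pr.end_port_number)
        if pr.end_port_number < pr.start_port_number:
            raise ValueError("The end-port-number must be greater than or "
                             "equal to start-port-number.")


def validate_port_set_algo(p: PortSetAlgo) -> None:
    """Enforce the YANG ranges plus the RFC 7597 constraint a + k <= 16."""
    if not 0 <= p.psid_offset <= 15:
        raise ValueError("psid-offset must be in 0..15")
    if not 0 <= p.psid_len <= 15:
        raise ValueError("psid-len must be in 0..15")
    if p.psid_offset + p.psid_len > 16:
        raise ValueError("a + k must not exceed 16 bits")
    if not 0 <= p.psid < (1 << p.psid_len):
        raise ValueError("psid does not fit in psid-len bits")


def psid_port_ranges(p: PortSetAlgo) -> List[Tuple[int, int]]:
    """RFC 7597 Section 5.1: port = A * 2^(16-a) + PSID * 2^m + M, m = 16-a-k.

    With a > 0 the A field starts at 1, so ports 0..2^(16-a)-1 (the system
    ports when a >= 6) are never assigned; with a = 0 the result is one
    contiguous block, the Lightweight 4over6 style of allocation.
    """
    validate_port_set_algo(p)
    a, k = p.psid_offset, p.psid_len
    m = 16 - a - k
    a_values = range(1, 1 << a) if a > 0 else range(0, 1)
    ranges = []
    for A in a_values:
        start = (A << (16 - a)) | (p.psid << m)
        ranges.append((start, start + (1 << m) - 1))
    return ranges


def expand_port_set(ps: Union[PortRange, PortSetAlgo]) -> List[Tuple[int, int]]:
    """Dispatch on the 'port-type' choice; return inclusive (start, end) ranges."""
    if isinstance(ps, PortRange):
        validate_port_range(ps)
        end = ps.start_port_number if ps.end_port_number is None else ps.end_port_number
        return [(ps.start_port_number, end)]
    return psid_port_ranges(ps)


def port_count(ranges: List[Tuple[int, int]]) -> int:
    """Number of ports an internal host may use under this port set."""
    return sum(end - start + 1 for start, end in ranges)


if __name__ == "__main__":
    # MAP-E style: a=6, k=8, PSID=0x34 -> 63 blocks of 4 ports, first one 1232-1235
    for rng in expand_port_set(PortSetAlgo(6, 8, 0x34))[:3]:
        print(rng)
    # Lightweight 4over6 style: a=0 -> one contiguous block of 256 ports
    print(expand_port_set(PortSetAlgo(0, 8, 0x34)))
```

The sharing ratio is visible in `port_count`: with k = 8 an external address is shared by 256 subscribers, so a NAT log that records only the external address cannot attribute traffic without the port set.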
// Mapping Entry
grouping mapping-entry { grouping mapping-entry {
description description
"NAT mapping entry."; "NAT mapping entry.";
leaf index { leaf index {
type uint32; type uint32;
description description
"A unique identifier of a mapping entry."; "A unique identifier of a mapping entry.";
} }
leaf type { leaf type {
type enumeration { type enumeration {
enum "static" { enum "static" {
description description
"The mapping entry is manually "The mapping entry is explicitly configured
configured."; (e.g., via command-line interface).";
}
enum "dynamic-implicit" {
description
"This mapping is created implicitly as a side effect
of processing a packet that requires a new mapping.";
} }
enum "dynamic-explicit" { enum "dynamic-explicit" {
description description
"This mapping is created by an "This mapping is created as a result of an explicit
outgoing packet."; request, e.g., a PCP message.";
}
enum "dynamic-implicit" {
description
"This mapping is created by an
explicit dynamic message.";
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic a mapping can be: static, implicit dynamic
or explicit dynamic."; or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
skipping to change at page 22, line 27 skipping to change at page 21, line 26
} }
} }
description description
"Indicates the type of a mapping entry. E.g., "Indicates the type of a mapping entry. E.g.,
a mapping can be: static, implicit dynamic a mapping can be: static, implicit dynamic
or explicit dynamic."; or explicit dynamic.";
} }
leaf transport-protocol { leaf transport-protocol {
type uint8; type uint8;
description description
"Upper-layer protocol associated with this mapping. "Upper-layer protocol associated with this mapping.
Values are taken from the IANA protocol registry. Values are taken from the IANA protocol registry.
For example, this field contains 6 (TCP) for a TCP For example, this field contains 6 (TCP) for a TCP
mapping or 17 (UDP) for a UDP mapping. No transport mapping or 17 (UDP) for a UDP mapping.
protocol is indicated if a mapping applies for any
protocol."; If this leaf is not instantiated, then the mapping
applies to any protocol.";
} }
leaf internal-src-address { leaf internal-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal of the packet received on an internal
interface."; interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the "Corresponds to the source port of the
packet received on an internal interface. packet received on an internal interface.
skipping to change at page 22, line 51 skipping to change at page 21, line 49
"Corresponds to the source IPv4/IPv6 address/prefix "Corresponds to the source IPv4/IPv6 address/prefix
of the packet received on an internal of the packet received on an internal
interface."; interface.";
} }
container internal-src-port { container internal-src-port {
description description
"Corresponds to the source port of the "Corresponds to the source port of the
packet received on an internal interface. packet received on an internal interface.
It is used also to carry the internal It is used also to indicate the internal
source ICMP identifier."; source ICMP identifier.
As a reminder, all the ICMP Query messages contain
an 'Identifier' field, which is referred to in this
document as the 'ICMP Identifier'.";
uses port-number; uses port-number;
} }
leaf external-src-address { leaf external-src-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Source IP address/prefix of the packet sent "Source IP address/prefix of the packet sent
on an external interface of the NAT."; on an external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent "Source port of the packet sent
on an external interface of the NAT. on an external interface of the NAT.
skipping to change at page 23, line 21 skipping to change at page 22, line 24
description description
"Source IP address/prefix of the packet sent "Source IP address/prefix of the packet sent
on an external interface of the NAT."; on an external interface of the NAT.";
} }
container external-src-port { container external-src-port {
description description
"Source port of the packet sent "Source port of the packet sent
on an external interface of the NAT. on an external interface of the NAT.
It is used also to carry the external It is used also to indicate the external
source ICMP identifier."; source ICMP identifier.";
uses port-number; uses port-number;
} }
leaf internal-dst-address { leaf internal-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet received on an internal interface of the packet received on an internal interface
of the NAT. of the NAT.
For example, some NAT implementations support For example, some NAT implementations support
the translation of both source and destination the translation of both source and destination
addresses and ports, sometimes referred to addresses and ports, sometimes referred to
as 'Twice NAT'."; as 'Twice NAT'.";
} }
skipping to change at page 23, line 45 skipping to change at page 22, line 48
the translation of both source and destination the translation of both source and destination
addresses and ports, sometimes referred to addresses and ports, sometimes referred to
as 'Twice NAT'."; as 'Twice NAT'.";
} }
container internal-dst-port { container internal-dst-port {
description description
"Corresponds to the destination port of the "Corresponds to the destination port of the
IP packet received on the internal interface. IP packet received on the internal interface.
It is used also to carry the internal It is used also to include the internal
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf external-dst-address { leaf external-dst-address {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Corresponds to the destination IP address/prefix "Corresponds to the destination IP address/prefix
of the packet sent on an external interface of the packet sent on an external interface
of the NAT."; of the NAT.";
} }
container external-dst-port { container external-dst-port {
description description
skipping to change at page 24, line 16 skipping to change at page 23, line 18
of the packet sent on an external interface of the packet sent on an external interface
of the NAT."; of the NAT.";
} }
container external-dst-port { container external-dst-port {
description description
"Corresponds to the destination port number of "Corresponds to the destination port number of
the packet sent on the external interface the packet sent on the external interface
of the NAT. of the NAT.
It is used also to carry the external It is used also to include the external
destination ICMP identifier."; destination ICMP identifier.";
uses port-number; uses port-number;
} }
leaf lifetime { leaf lifetime {
type uint32; type uint32;
units "seconds";
description description
"When specified, it tracks the connection that is "When specified, it is used to track the connection that is
fully-formed (e.g., once the 3WHS TCP is completed) fully-formed (e.g., once the three-way handshake
or the duration for maintaining an explicit mapping TCP is completed) or the duration for maintaining
alive. Static mappings may not be associated with a an explicit mapping alive. The mapping entry will be
removed by the NAT instance once this lifetime is expired.
When reported in a get operation, the lifetime indicates
the remaining validity lifetime.
Static mappings may not be associated with a
lifetime. If no lifetime is associated with a lifetime. If no lifetime is associated with a
static mapping, an explicit action is required to static mapping, an explicit action is required to
remove that mapping."; remove that mapping.";
} }
} }
/* /*
* NAT Module * NAT Module
*/ */
container nat-module { container nat {
description description
"NAT module"; "NAT module";
container nat-instances { container instances {
description description
"NAT instances"; "NAT instances";
list nat-instance { list instance {
key "id"; key "id";
description description
"A NAT instance."; "A NAT instance.";
leaf id { leaf id {
type uint32; type uint32;
description description
"NAT instance identifier."; "NAT instance identifier.";
reference reference
"RFC 7659."; "RFC 7659.";
} }
leaf name { leaf name {
type string; type string;
description description
"A name associated with the NAT instance."; "A name associated with the NAT instance.";
} }
leaf enable { leaf enable {
type boolean; type boolean;
description description
"Status of the NAT instance."; "Status of the NAT instance.";
} }
container nat-capabilities { container capabilities {
description description
"NAT capabilities"; "NAT capabilities";
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
} }
description description
"Type of NAT."; "Type of NAT.";
} }
skipping to change at page 25, line 44 skipping to change at page 24, line 49
leaf-list nat-flavor { leaf-list nat-flavor {
type identityref { type identityref {
base nat-type; base nat-type;
} }
description description
"Type of NAT."; "Type of NAT.";
} }
leaf-list nat44-flavor { leaf-list nat44-flavor {
when "../nat-flavor = 'nat44'"; when "../nat-flavor = 'nat44'";
type identityref { type identityref {
base nat44; base nat44;
} }
description description
"Type of NAT44: Basic NAT or NAPT."; "Type of NAT44: Basic NAT or NAPT.";
} }
leaf restricted-port-support { leaf restricted-port-support {
type boolean; type boolean;
description description
"Indicates source port NAT restriction "Indicates source port NAT restriction
support."; support.";
reference
"RFC 7596: Lightweight 4over6: An Extension to
the Dual-Stack Lite Architecture.";
} }
leaf static-mapping-support { leaf static-mapping-support {
type boolean; type boolean;
description description
"Indicates whether static mappings are supported."; "Indicates whether static mappings are supported.";
} }
leaf port-randomization-support { leaf port-randomization-support {
type boolean; type boolean;
description description
"Indicates whether port randomization is supported."; "Indicates whether port randomization is supported.";
reference
"Section 4.2.1. of RFC 4787.";
} }
leaf port-range-allocation-support { leaf port-range-allocation-support {
type boolean; type boolean;
description description
"Indicates whether port range allocation is supported."; "Indicates whether port range allocation is supported.";
reference
"Section 1.1 of RFC 7753.";
} }
leaf port-preservation-suport { leaf port-preservation-suport {
type boolean; type boolean;
description description
"Indicates whether port preservation is supported."; "Indicates whether port preservation is supported.";
reference
"Section 4.2.1. of RFC 4787.";
} }
leaf port-parity-preservation-support { leaf port-parity-preservation-support {
type boolean; type boolean;
description description
"Indicates whether port parity preservation is supported."; "Indicates whether port parity preservation is supported.";
reference
"Section 8 of RFC 7857.";
} }
leaf address-roundrobin-support { leaf address-roundrobin-support {
type boolean; type boolean;
description description
"Indicates whether address allocation round robin is supported."; "Indicates whether address allocation round robin is supported.";
} }
leaf paired-address-pooling-support { leaf paired-address-pooling-support {
type boolean; type boolean;
description description
"Indicates whether paired-address-pooling is supported"; "Indicates whether paired-address-pooling is supported";
reference
"REQ-2 of RFC 4787.";
} }
leaf endpoint-independent-mapping-support { leaf endpoint-independent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent- "Indicates whether endpoint-independent-
mapping in Section 4 of RFC 4787 is mapping in Section 4 of RFC 4787 is
supported."; supported.";
reference
"Section 4 of RFC 4787.";
} }
leaf address-dependent-mapping-support { leaf address-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address-dependent-mapping is supported."; "Indicates whether address-dependent-mapping is supported.";
reference
"Section 4 of RFC 4787.";
} }
leaf address-and-port-dependent-mapping-support { leaf address-and-port-dependent-mapping-support {
type boolean; type boolean;
description description
"Indicates whether address-and-port-dependent-mapping is supported."; "Indicates whether address-and-port-dependent-mapping is supported.";
reference
"Section 4 of RFC 4787.";
} }
leaf endpoint-independent-filtering-support { leaf endpoint-independent-filtering-support {
type boolean; type boolean;
description description
"Indicates whether endpoint-independent-filtering is supported."; "Indicates whether endpoint-independent-filtering is supported.";
reference
"Section 5 of RFC 4787.";
} }
leaf address-dependent-filtering { leaf address-dependent-filtering {
type boolean; type boolean;
description
description "Indicates whether address-dependent-filtering is supported.";
"Indicates whether address-dependent-filtering is supported."; reference
"Section 5 of RFC 4787.";
} }
leaf address-and-port-dependent-filtering { leaf address-and-port-dependent-filtering {
type boolean; type boolean;
description description
"Indicates whether address-and-port-dependent filtering is supported."; "Indicates whether address-and-port-dependent filtering is supported.";
reference
"Section 5 of RFC 4787.";
} }
} }
// Parameters for NAT pass through
list nat-pass-through { list nat-pass-through {
key nat-pass-through-id; key id;
description description
"IP prefix NAT pass through."; "IP prefix NAT pass through.";
leaf nat-pass-through-id { leaf id {
type uint32; type uint32;
description description
"An identifier of the IP prefix pass "An identifier of the IP prefix pass
through."; through.";
} }
leaf nat-pass-through-pref { leaf prefix {
type inet:ip-prefix; type inet:ip-prefix;
description description
"The IP address subnets that match "The IP addresses that match
should not be translated. According to should not be translated. According to
REQ#6 of RFC6888, it must be possible REQ#6 of RFC6888, it must be possible
to administratively turn off translation to administratively turn off translation
for specific destination addresses for specific destination addresses
and/or ports."; and/or ports.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC6888.";
} }
leaf nat-pass-through-port { leaf port {
type inet:port-number; type inet:port-number;
description description
"The IP address subnets that match "According to REQ#6 of RFC6888, it must
should not be translated. According to be possible to administratively turn off
REQ#6 of RFC6888, it must be possible to translation for specific destination addresses
administratively turn off translation and/or ports.
for specific destination addresses
and/or ports."; If no prefix is defined, the NAT pass through
bound to a given port applies for any destination
address.";
reference reference
"REQ#6 of RFC6888."; "REQ#6 of RFC6888.";
} }
} }
// NAT Policies: Multiple policies per NAT instance list policy {
key id;
list nat-policy {
key policy-id;
description description
"NAT parameters for a given instance"; "NAT parameters for a given instance";
leaf policy-id { leaf id {
type uint32; type uint32;
description description
"An identifier of the NAT policy."; "An identifier of the NAT policy.";
} }
// CLAT Parameters
container clat-parameters { container clat-parameters {
description description
"CLAT parameters."; "CLAT parameters.";
list clat-ipv6-prefixes { list clat-ipv6-prefixes {
when "../../../nat-capabilities/nat-flavor = 'clat' "; when "../../../capabilities/nat-flavor = 'clat' ";
key ipv6-prefix;
key clat-ipv6-prefix;
description description
"464XLAT double translation treatment is "464XLAT double translation treatment is
stateless when a dedicated /64 is available stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to since it requires NAT44 from the LAN to
a single IPv4 address and then stateless a single IPv4 address and then stateless
translation to a single IPv6 address."; translation to a single IPv6 address.";
reference reference
"RFC 6877."; "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
leaf clat-ipv6-prefix { leaf ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used for CLAT."; "An IPv6 prefix used for CLAT.";
} }
} }
list clat-ipv4-prefixes {
when "../../../nat-capabilities/nat-flavor = 'clat'";
key clat-ipv4-prefix;
list ipv4-prefixes {
when "../../../capabilities/nat-flavor = 'clat'";
key ipv4-prefix;
description description
"Pool of IPv4 addresses used for CLAT. "Pool of IPv4 addresses used for CLAT.
192.0.0.0/29 is the IPv4 service continuity 192.0.0.0/29 is the IPv4 service continuity
prefix."; prefix.";
reference reference
"RFC 7335."; "RFC 7335: IPv4 Service Continuity Prefix";
leaf clat-ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"464XLAT double translation treatment is "464XLAT double translation treatment is
stateless when a dedicated /64 is available stateless when a dedicated /64 is available
for translation on the CLAT. Otherwise, the for translation on the CLAT. Otherwise, the
CLAT will have both stateful and stateless CLAT will have both stateful and stateless
since it requires NAT44 from the LAN to since it requires NAT44 from the LAN to
a single IPv4 address and then stateless a single IPv4 address and then stateless
translation to a single IPv6 address. translation to a single IPv6 address.
The CLAT performs NAT44 for all IPv4 LAN The CLAT performs NAT44 for all IPv4 LAN
packets so that all the LAN-originated IPv4 packets so that all the LAN-originated IPv4
skipping to change at page 30, line 40 skipping to change at page 29, line 40
packets appear from a single IPv4 address packets appear from a single IPv4 address
and are then statelessly translated to one and are then statelessly translated to one
interface IPv6 address that is claimed by interface IPv6 address that is claimed by
the CLAT. the CLAT.
An IPv4 address from this pool is also An IPv4 address from this pool is also
provided to an application that makes provided to an application that makes
use of literals."; use of literals.";
reference reference
"RFC 6877."; "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation";
} }
} }
} }
// NPTv6 Parameters
list nptv6-prefixes { list nptv6-prefixes {
when "../../nat-capabilities/nat-flavor = 'nptv6' "; when "../../capabilities/nat-flavor = 'nptv6' ";
key translation-id; key translation-id;
description description
"Provides one or a list of (internal IPv6 prefix, "Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6. external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link links, one of which is an 'internal' network link
attachedto a leaf network within a single attached to a leaf network within a single
administrative domain and the other of which is an administrative domain and the other of which is an
'external' network with connectivity to the global 'external' network with connectivity to the global
Internet."; Internet.";
reference reference
"RFC 6296."; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf translation-id { leaf translation-id {
type uint32; type uint32;
description description
"An identifier of the NPTv6 prefixs."; "An identifier of the NPTv6 prefixes.";
} }
leaf internal-ipv6-prefix { leaf internal-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used by an internal interface "An IPv6 prefix used by an internal interface
of NPTv6."; of NPTv6.";
reference reference
"RFC 6296."; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
leaf external-ipv6-prefix { leaf external-ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"An IPv6 prefix used by the external interface "An IPv6 prefix used by the external interface
of NPTv6."; of NPTv6.";
reference reference
"RFC 6296."; "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
} }
// EAM SIIT Parameters
list eam { list eam {
when "../../nat-capabilities/nat-flavor = 'eam' "; when "../../capabilities/nat-flavor = 'eam' ";
key eam-ipv4-prefix; key ipv4-prefix;
description description
"The Explicit Address Mapping Table, a conceptual "The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM. table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6 Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses."; prefixes/addresses.";
reference reference
"Section 3.1 of RFC 7757."; "Section 3.1 of RFC 7757.";
leaf eam-ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"The IPv4 prefix of an EAM."; "The IPv4 prefix of an EAM.";
reference reference
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
} }
leaf eam-ipv6-prefix { leaf ipv6-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
description description
"The IPv6 prefix of an EAM."; "The IPv6 prefix of an EAM.";
reference reference
"Section 3.2 of RFC 7757."; "Section 3.2 of RFC 7757.";
} }
} }
//NAT64 IPv6 Prefixes
list nat64-prefixes { list nat64-prefixes {
when "../../nat-capabilities/nat-flavor = 'nat64' " + when "../../capabilities/nat-flavor = 'nat64' " +
" or ../../nat-capabilities/nat-flavor = 'clat'"; " or ../../capabilities/nat-flavor = 'clat'";
key nat64-prefix; key nat64-prefix;
description description
"Provides one or a list of NAT64 prefixes "Provides one or a list of NAT64 prefixes
with or without a list of destination IPv4 prefixes. with or without a list of destination IPv4 prefixes.
Destination-based Pref64::/n is discussed in Destination-based Pref64::/n is discussed in
Section 5.1 of [RFC7050]). For example: Section 5.1 of [RFC7050]). For example:
192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
198.51.100.0/24 is mapped to 2001:db8:122::/48."; 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
reference reference
"Section 5.1 of RFC7050."; "Section 5.1 of RFC7050.";
leaf nat64-prefix { leaf nat64-prefix {
type inet:ipv6-prefix; type inet:ipv6-prefix;
//default "64:ff9b::/96";
description description
"A NAT64 prefix. Can be NSP or a Well-Known "A NAT64 prefix. Can be NSP or a Well-Known
Prefix (WKP). Prefix (WKP).
Organizations deploying stateless IPv4/IPv6 Organizations deploying stateless IPv4/IPv6
translation should assign a Network-Specific translation should assign a Network-Specific
Prefix to their IPv4/IPv6 translation service. Prefix to their IPv4/IPv6 translation service.
For stateless NAT64, IPv4-translatable IPv6 For stateless NAT64, IPv4-translatable IPv6
addresses must use the selected Network-Specific addresses must use the selected Network-Specific
skipping to change at page 33, line 47 skipping to change at page 32, line 18
leaf ipv4-prefix { leaf ipv4-prefix {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 address/prefix."; "An IPv4 address/prefix.";
} }
} }
leaf stateless-enable { leaf stateless-enable {
type boolean; type boolean;
description description
"Enable explicitly stateless NAT64."; "Enable explicitly stateless NAT64.";
} }
} }
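As an added example (not from the draft), the following Python mirrors the `nat64-prefixes` list above: each NAT64 prefix carries optional destination `ipv4-prefix` entries, the longest-matching entry selects the Pref64::/n for a destination (Section 5.1 of RFC 7050), and the IPv4 address is then embedded per RFC 6052 Section 2.2. The table is constructed from the two mappings quoted in the description plus the Well-Known Prefix as a catch-all; function names are my own.

```python
"""Select a NAT64 prefix for a destination and synthesize the IPv6 address.

Added example, not part of the draft. The configuration table is constructed
from the prefixes quoted in the 'nat64-prefixes' description; the embedding
follows RFC 6052 Section 2.2 (prefix lengths 32/40/48/56/64/96, 'u' octet 0).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address

# Constructed instance of list nat64-prefixes: NAT64 prefix -> destination
# IPv4 prefixes. An empty list means the prefix applies to any destination.
NAT64_PREFIXES: Dict[ipaddress.IPv6Network, List[ipaddress.IPv4Network]] = {
    ipaddress.IPv6Network("2001:db8:122:300::/56"): [ipaddress.IPv4Network("192.0.2.0/24")],
    ipaddress.IPv6Network("2001:db8:122::/48"): [ipaddress.IPv4Network("198.51.100.0/24")],
    ipaddress.IPv6Network("64:ff9b::/96"): [],  # Well-Known Prefix (WKP) as catch-all
}

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(pref64: ipaddress.IPv6Network, v4: IPv4) -> IPv6:
    """Build the IPv4-embedded IPv6 address (RFC 6052 Section 2.2)."""
    plen = pref64.prefixlen
    if plen not in RFC6052_LENGTHS:
        raise ValueError(f"NAT64 prefix length /{plen} not allowed by RFC 6052")
    out = bytearray(pref64.network_address.packed)  # host bits already zero
    v4b = v4.packed
    if plen == 96:
        out[12:16] = v4b
    else:
        start = plen // 8        # first IPv4 octet follows the prefix directly
        n_before = 8 - start     # IPv4 octets that fit before bits 64..71
        out[start:8] = v4b[:n_before]
        out[8] = 0               # reserved 'u' octet must be zero
        out[9:9 + 4 - n_before] = v4b[n_before:]
    return IPv6(bytes(out))


def extract_ipv4(pref64: ipaddress.IPv6Network, v6: IPv6) -> IPv4:
    """Inverse of embed_ipv4; raises if v6 is not inside pref64."""
    if v6 not in pref64:
        raise ValueError("address not within the NAT64 prefix")
    plen = pref64.prefixlen
    b = v6.packed
    if plen == 96:
        return IPv4(b[12:16])
    start = plen // 8
    n_before = 8 - start
    return IPv4(b[start:8] + b[9:9 + 4 - n_before])


def select_pref64(dst: IPv4, table=NAT64_PREFIXES) -> Optional[ipaddress.IPv6Network]:
    """Destination-based Pref64::/n: the longest-matching configured IPv4
    prefix wins; a NAT64 prefix with no ipv4-prefix entries is the fallback."""
    best: Optional[Tuple[int, ipaddress.IPv6Network]] = None
    fallback: Optional[ipaddress.IPv6Network] = None
    for pref64, v4_prefixes in table.items():
        if not v4_prefixes:
            if fallback is None:
                fallback = pref64
            continue
        for v4p in v4_prefixes:
            if dst in v4p and (best is None or v4p.prefixlen > best[0]):
                best = (v4p.prefixlen, pref64)
    return best[1] if best else fallback


def synthesize(dst: str, table=NAT64_PREFIXES) -> Optional[str]:
    """Return the IPv6 destination a NAT64/CLAT would use, or None if no
    NAT64 prefix applies to this destination."""
    v4 = IPv4(dst)
    pref64 = select_pref64(v4, table)
    return None if pref64 is None else str(embed_ipv4(pref64, v4))


if __name__ == "__main__":
    for dst in ("192.0.2.33", "198.51.100.7", "203.0.113.5"):
        print(dst, "->", synthesize(dst))
```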
list external-ip-address-pool { list external-ip-address-pool {
key pool-id; key pool-id;
description description
"Pool of external IP addresses used to "Pool of external IP addresses used to
service internal hosts. service internal hosts.
Both contiguous and non-contiguous pools A pool is a set of IP prefixes.";
can be configured for NAT purposes.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf external-ip-pool { leaf external-ip-pool {
type inet:ipv4-prefix; type inet:ipv4-prefix;
description description
"An IPv4 prefix used for NAT purposes."; "An IPv4 prefix used for NAT purposes.";
} }
} }
container port-set-restrict { container port-set-restrict {
when "../../nat-capabilities/restricted-port-support = 'true'"; when "../../capabilities/restricted-port-support = 'true'";
description description
"Configures contiguous and non-contiguous port ranges."; "Configures contiguous and non-contiguous port ranges.";
uses port-set; uses port-set;
} }
leaf dst-nat-enable { leaf dst-nat-enable {
type boolean; type boolean;
default false; default false;
description description
"Enable/Disable destination NAT. "Enable/Disable destination NAT.
A NAT44 may be configured to enable A NAT44 may be configured to enable
Destination NAT, too."; Destination NAT, too.";
} }
list dst-ip-address-pool { list dst-ip-address-pool {
when "../../nat-capabilities/nat-flavor = 'dst-nat' "; when "../../capabilities/nat-flavor = 'dst-nat' ";
key pool-id; key pool-id;
description description
"Pool of IP addresses used for destination NAT."; "Pool of IP addresses used for destination NAT.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf dst-in-ip-pool { leaf dst-in-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Internal IP prefix/address"; "Internal IP prefix/address";
} }
leaf dst-out-ip-pool { leaf dst-out-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description description
"IP address/prefix used for destination NAT."; "IP address/prefix used for destination NAT.";
} }
} }
list supported-transport-protocols { list supported-transport-protocols {
key transport-protocol-id; key transport-protocol-id;
description description
"Supported transport protocols. "Supported transport protocols.
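Review bot: the typo "statless" in the stateless-enable description ("Enable explicitly statless NAT64.") survives into -07 and should read "stateless". The new external-ip-address-pool description ("A pool is a set of IP prefixes.") also does not match the data layout: each list entry is keyed by pool-id and carries exactly one ipv4-prefix leaf (external-ip-pool), so a single pool can hold only one prefix; either make external-ip-pool a leaf-list or reword the description to say that the list as a whole holds the prefixes.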
skipping to change at page 36, line 15 skipping to change at page 34, line 26
} }
leaf subscriber-mask-v6 { leaf subscriber-mask-v6 {
type uint8 { type uint8 {
range "0 .. 128"; range "0 .. 128";
} }
description description
"The subscriber-mask is an integer that indicates "The subscriber-mask is an integer that indicates
the length of significant bits to be applied on the length of significant bits to be applied on
the source IP address (internal side) to the source IPv6 address (internal side) to
unambiguously identify a CPE. unambiguously identify a CPE.
Subscriber-mask is a system-wide configuration Subscriber-mask is a system-wide configuration
parameter that is used to enforce generic parameter that is used to enforce generic
per-subscriber policies (e.g., port-quota). per-subscriber policies (e.g., port-quota).
The enforcement of these generic policies does not The enforcement of these generic policies does not
require the configuration of every subscriber's require the configuration of every subscriber's
prefix. prefix.
skipping to change at page 36, line 47 skipping to change at page 35, line 11
} }
list subscriber-match { list subscriber-match {
key sub-match-id; key sub-match-id;
description description
"IP prefix match."; "IP prefix match.";
leaf sub-match-id { leaf sub-match-id {
type uint32; type uint32;
description description
"An identifier of the subscriber masck."; "An identifier of the subscriber mask.";
} }
leaf sub-mask { leaf sub-mask {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"The IP address subnets that match "The IP address subnets that match
should be translated. E.g., all addresses should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must that belong to the 192.0.2.0/24 prefix must
be processed by the NAT."; be processed by the NAT.";
} }
} }
leaf paired-address-pooling { leaf paired-address-pooling {
type boolean; type boolean;
skipping to change at page 37, line 18 skipping to change at page 35, line 29
"The IP address subnets that match "The IP address subnets that match
should be translated. E.g., all addresses should be translated. E.g., all addresses
that belong to the 192.0.2.0/24 prefix must that belong to the 192.0.2.0/24 prefix must
be processed by the NAT."; be processed by the NAT.";
} }
} }
leaf paired-address-pooling { leaf paired-address-pooling {
type boolean; type boolean;
default true; default true;
description description
"Paired address pooling informs the NAT "Paired address pooling informs the NAT
that all the flows from an internal IP that all the flows from an internal IP
address must be assigned the same external address must be assigned the same external
address."; address.";
reference reference
"RFC 4007."; "RFC 4787: Network Address Translation (NAT) Behavioral Requirements
for Unicast UDP";
} }
leaf nat-mapping-type { leaf mapping-type {
type enumeration { type enumeration {
enum "eim" { enum "eim" {
description description
"endpoint-independent-mapping."; "endpoint-independent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
enum "adm" { enum "adm" {
description description
"address-dependent-mapping."; "address-dependent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
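Review bot: the corrected reference for paired-address-pooling is right (RFC 4007 is the IPv6 scoped address architecture; paired pooling is a RFC 4787 requirement), but the renamed mapping-type leaf still has no default. RFC 4787 REQ-1 mandates Endpoint-Independent Mapping, so consider adding `default "eim";` so that an unconfigured instance models the mandatory behaviour rather than leaving it undefined.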
skipping to change at page 37, line 50 skipping to change at page 36, line 12
description description
"address-dependent-mapping."; "address-dependent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
enum "edm" { enum "edm" {
description description
"address-and-port-dependent-mapping."; "address-and-port-dependent-mapping.";
reference reference
"Section 4 of RFC 4787."; "Section 4 of RFC 4787.";
} }
} }
description description
"Indicates the type of a NAT mapping."; "Indicates the type of a NAT mapping.";
} }
leaf nat-filtering-type { leaf filtering-type {
type enumeration { type enumeration {
enum "eif" { enum "eif" {
description description
"endpoint-independent- filtering."; "endpoint-independent-filtering.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
enum "adf" { enum "adf" {
description description
"address-dependent-filtering."; "address-dependent-filtering.";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
enum "edf" { enum "edf" {
description description
"address-and-port-dependent-filtering"; "address-and-port-dependent-filtering";
reference reference
"Section 5 of RFC 4787."; "Section 5 of RFC 4787.";
} }
} }
description description
"Indicates the type of a NAT filtering."; "Indicates the type of a NAT filtering.";
} }
list port-quota { list port-quota {
when "../../nat-capabilities/nat44-flavor = "+ when "../../capabilities/nat44-flavor = "+
"'napt' or "+ "'napt' or "+
"../../nat-capabilities/nat-flavor = "+ "../../capabilities/nat-flavor = "+
"'nat64'"; "'nat64'";
key quota-type; key quota-type;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum subscriber. It corresponds to the maximum
number of ports to be used by a subscriber."; number of ports to be used by a subscriber.";
leaf port-limit { leaf port-limit {
type uint16; type uint16;
description description
"Configures a port quota to be assigned per "Configures a port quota to be assigned per
subscriber. It corresponds to the maximum subscriber. It corresponds to the maximum
number of ports to be used by a subscriber."; number of ports to be used by a subscriber.";
reference reference
"REQ-4 of RFC 6888."; "REQ-4 of RFC 6888.";
} }
leaf quota-type { leaf quota-type {
type enumeration { type uint8;
enum "all" {
description
"The limit applies to all protocols.";
reference
"REQ-4 of RFC 6888.";
}
enum "tcp" {
description
"TCP quota.";
reference
"REQ-4 of RFC 6888.";
}
enum "udp" {
description
"UDP quota.";
reference
"REQ-4 of RFC 6888.";
}
enum "icmp" {
description
"ICMP quota.";
reference
"REQ-4 of RFC 6888.";
}
}
description description
"Indicates whether the port quota applies to "Indicates whether the port quota applies to
all protocols or to a specific transport."; all protocols (0) or to a specific transport.";
}
} }
}
leaf port-allocation-type { leaf port-allocation-type {
type enumeration { type enumeration {
enum "random" { enum "random" {
description description
"Port randomization is enabled."; "Port randomization is enabled.";
} }
enum "port-preservation" { enum "port-preservation" {
description description
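Review bot: replacing the quota-type enumeration with `type uint8;` loses the value semantics the old enums carried, and the new description ("all protocols (0) or to a specific transport") never says where the non-zero values come from. If they are meant to be IANA protocol numbers, say so explicitly, and note that 0 is already assigned there (HOPOPT), so using it as an "all protocols" sentinel is ambiguous for a list key; restoring the enumeration, or keeping uint8 with a documented reserved value, would be clearer. Separately, the port-limit description repeats the port-quota list description verbatim; one of them should describe the leaf rather than the list.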
skipping to change at page 41, line 15 skipping to change at page 38, line 34
leaf port-set-size { leaf port-set-size {
type uint16; type uint16;
description description
"Indicates the size of assigned port "Indicates the size of assigned port
sets."; sets.";
} }
leaf port-set-timeout { leaf port-set-timeout {
type uint32; type uint32;
units "seconds";
description description
"Inactivty timeout for port sets."; "Inactivty timeout for port sets.";
} }
} }
container timers { container timers {
description description
"Configure values of various timeouts."; "Configure values of various timeouts.";
leaf udp-timeout { leaf udp-timeout {
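Review bot: good to see `units "seconds";` added to port-set-timeout, but the description typo "Inactivty timeout for port sets." is still present in both columns and should read "Inactivity".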
skipping to change at page 41, line 28 skipping to change at page 38, line 48
} }
container timers { container timers {
description description
"Configure values of various timeouts."; "Configure values of various timeouts.";
leaf udp-timeout { leaf udp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 300; default 300;
description description
"UDP inactivity timeout. That is the time a mapping "UDP inactivity timeout. That is the time a mapping
will stay active without packets traversing the NAT."; will stay active without packets traversing the NAT.";
reference reference
"RFC 4787."; "RFC 4787: Network Address Translation (NAT) Behavioral
Requirements for Unicast UDP";
} }
leaf tcp-idle-timeout { leaf tcp-idle-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 7440; default 7440;
description description
"TCP Idle timeout should be "TCP Idle timeout should be
2 hours and 4 minutes."; 2 hours and 4 minutes.";
reference reference
"RFC 5382."; "RFC 5382: NAT Behavioral Requirements for TCP";
} }
leaf tcp-trans-open-timeout { leaf tcp-trans-open-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 240; default 240;
description description
"The value of the transitory open connection "The value of the transitory open connection
idle-timeout. idle-timeout.
Section 2.1 of [RFC7857] clarifies that a NAT Section 2.1 of [RFC7857] clarifies that a NAT
should provide different configurable should provide different configurable
parameters for configuring the open and parameters for configuring the open and
closing idle timeouts. closing idle timeouts.
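Review bot: the tcp-idle-timeout description ("TCP Idle timeout should be 2 hours and 4 minutes.") understates RFC 5382 REQ-5, which sets 2 hours 4 minutes as a lower bound (MUST NOT be less than), so the text should say the timeout must not be set below that value; the default of 7440 seconds matches the bound. Also, tcp-trans-open-timeout cites "[RFC7857]" inline in the description string, whereas every other leaf in this module uses a `reference` statement; move the citation there for consistency.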
skipping to change at page 43, line 12 skipping to change at page 40, line 25
units "seconds"; units "seconds";
default 6; default 6;
description description
"A NAT must not respond to an unsolicited "A NAT must not respond to an unsolicited
inbound SYN packet for at least 6 seconds inbound SYN packet for at least 6 seconds
after the packet is received. If during after the packet is received. If during
this interval the NAT receives and translates this interval the NAT receives and translates
an outbound SYN for the connection the NAT an outbound SYN for the connection the NAT
must silently drop the original unsolicited must silently drop the original unsolicited
inbound SYN packet."; inbound SYN packet.";
reference reference
"RFC 5382."; "RFC 5382 NAT Behavioral Requirements for TCP";
} }
leaf fragment-min-timeout { leaf fragment-min-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 2; default 2;
description description
"As long as the NAT has available resources, "As long as the NAT has available resources,
the NAT allows the fragments to arrive the NAT allows the fragments to arrive
over fragment-min-timeout interval. over fragment-min-timeout interval.
The default value is inspired from RFC6146."; The default value is inspired from RFC6146.";
} }
leaf icmp-timeout { leaf icmp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
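Review bot: the tcp-syn timeout reference "RFC 5382 NAT Behavioral Requirements for TCP" is missing the colon used by the other expanded references in this revision ("RFC 5382: NAT Behavioral Requirements for TCP"). The fragment-min-timeout leaf cites RFC 6146 only inside its description ("The default value is inspired from RFC6146."); give it a proper `reference` statement and plain wording ("taken from RFC 6146").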
skipping to change at page 43, line 33 skipping to change at page 40, line 44
"As long as the NAT has available resources, "As long as the NAT has available resources,
the NAT allows the fragments to arrive the NAT allows the fragments to arrive
over fragment-min-timeout interval. over fragment-min-timeout interval.
The default value is inspired from RFC6146."; The default value is inspired from RFC6146.";
} }
leaf icmp-timeout { leaf icmp-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 60; default 60;
description description
"An ICMP Query session timer must not expire "An ICMP Query session timer must not expire
in less than 60 seconds. It is recommended in less than 60 seconds. It is recommended
that the ICMP Query session timer be made that the ICMP Query session timer be made
configurable"; configurable";
reference reference
"RFC 5508."; "RFC 5508: NAT Behavioral Requirements for ICMP";
} }
list per-port-timeout { list per-port-timeout {
key port-number; key port-number;
description description
"Some NATs are configurable with short timeouts "Some NATs are configurable with short timeouts
for some ports, e.g., as 10 seconds on for some ports, e.g., as 10 seconds on
port 53 (DNS) and NTP (123) and longer timeouts port 53 (DNS) and NTP (123) and longer timeouts
on other ports."; on other ports.";
leaf port-number { leaf port-number {
type inet:port-number; type inet:port-number;
description description
"A port number."; "A port number.";
} }
leaf port-timeout { leaf port-timeout {
type inet:port-number; type uint32;
units "seconds";
mandatory true; mandatory true;
description description
"Timeout for this port"; "Timeout for this port";
} }
} }
leaf hold-down-timeout { leaf hold-down-timeout {
type uint32; type uint32;
units "seconds"; units "seconds";
default 120; default 120;
description description
"Hold down timer. "Hold down timer.
Ports in the hold down pool are not reassigned Ports in the hold down pool are not reassigned
until hold-down-timeout expires. until hold-down-timeout expires.
The length of time and the maximum The length of time and the maximum
number of ports in this state must be number of ports in this state must be
configurable by the administrator. configurable by the administrator.
This is necessary in order This is necessary in order
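Review bot: the per-port-timeout list is keyed on port-number alone, so it cannot express different timeouts for the same port over TCP and UDP; both examples in the description (DNS on 53, NTP on 123) are UDP services, which hides the gap. Consider adding a transport-protocol leaf to the key. The change of port-timeout from inet:port-number to `type uint32;` with `units "seconds";` fixes a real type error and is correct.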
skipping to change at page 45, line 14 skipping to change at page 42, line 17
until hold-down-timeout expires. until hold-down-timeout expires.
The length of time and the maximum The length of time and the maximum
number of ports in this state must be number of ports in this state must be
configurable by the administrator. configurable by the administrator.
This is necessary in order This is necessary in order
to prevent collisions between old to prevent collisions between old
and new mappings and sessions. It ensures and new mappings and sessions. It ensures
that all established sessions are broken that all established sessions are broken
instead of redirected to a different peer."; instead of redirected to a different peer.";
reference reference
"REQ#8 of RFC 6888."; "REQ#8 of RFC 6888.";
} }
} }
list algs { list algs {
key name;
key alg-name;
description description
"ALG-related features."; "ALG-related features.";
leaf alg-name { leaf name {
type string; type string;
description description
"The name of the ALG"; "The name of the ALG";
} }
leaf alg-transport-protocol { leaf transport-protocol {
type uint32; type uint32;
description description
"The transport protocol used by the ALG."; "The transport protocol used by the ALG.";
} }
leaf alg-transport-port { leaf transport-port {
type inet:port-number; type inet:port-number;
description description
"The port number used by the ALG."; "The port number used by the ALG.";
} }
leaf alg-status { leaf status {
type boolean; type boolean;
description description
"Enable/disable the ALG."; "Enable/disable the ALG.";
} }
} }
leaf all-algs-enable { leaf all-algs-enable {
type boolean; type boolean;
description description
"Enable/disable all ALGs."; "Enable/disable all ALGs.
When specified, this parameter overrides the one
that may be indicated, eventually, by the 'status'
of an individual ALG.";
} }
container notify-pool-usage { container notify-pool-usage {
description description
"Notification of pool usage when certain criteria "Notification of pool usage when certain criteria
are met."; are met.";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Pool-ID for which the notification "Pool-ID for which the notification
criteria is defined"; criteria is defined";
} }
leaf notify-pool-hi-threshold { leaf high-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"Notification must be generated when the "Notification must be generated when the
defined high threshold is reached. defined high threshold is reached.
For example, if a notification is For example, if a notification is
required when the pool utilization reaches required when the pool utilization reaches
90%, this configuration parameter must 90%, this configuration parameter must
be set to 90%."; be set to 90%.";
} }
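Review bot: the renamed algs/transport-protocol leaf is `type uint32;` while port-quota/quota-type in the same module models the same concept (a transport protocol) as uint8; pick one width and state that the values are IANA protocol numbers. In all-algs-enable, "eventually" is used in the French sense; "the 'status' of an individual ALG, if any" is what is meant. In notify-pool-usage, pool-id is a plain uint32 even though the nat-event notification already uses a leafref into external-ip-address-pool/pool-id; a leafref here would prevent configuring thresholds for a pool that does not exist.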
skipping to change at page 46, line 42 skipping to change at page 43, line 39
description description
"Notification must be generated when the "Notification must be generated when the
defined high threshold is reached. defined high threshold is reached.
For example, if a notification is For example, if a notification is
required when the pool utilization reaches required when the pool utilization reaches
90%, this configuration parameter must 90%, this configuration parameter must
be set to 90%."; be set to 90%.";
} }
leaf notify-pool-low-threshold { leaf low-threshold {
type percent; type percent;
description description
"Notification must be generated when the defined "Notification must be generated when the defined
low threshold is reached. low threshold is reached.
For example, if a notification is required when For example, if a notification is required when
the pool utilization reaches below 10%, the pool utilization reaches below 10%,
this configuration parameter must be set to this configuration parameter must be set to
10%."; 10%.";
} }
} }
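Review bot: nothing constrains low-threshold to be below high-threshold, so a configuration with low-threshold 90 and high-threshold 10 is valid against the module. A `must "../low-threshold < ../high-threshold"` (or equivalent) on low-threshold would catch that, and the phrase "reaches below 10%" should read "falls below 10%".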
skipping to change at page 47, line 42 skipping to change at page 44, line 37
leaf external-vrf-instance { leaf external-vrf-instance {
type identityref { type identityref {
base vrf-routing-instance; base vrf-routing-instance;
} }
description description
"A VRF instance."; "A VRF instance.";
} }
} }
} }
} }
} //nat-policy }
container mapping-limit { container mapping-limit {
description description
"Information about the configuration parameters that "Information about the configuration parameters that
limits the mappings based upon various criteria."; limits the mappings based upon various criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
type uint32; type uint32;
description description
"Maximum number of NAT mappings per subscriber."; "Maximum number of NAT mappings per subscriber.
}
A subscriber is identifier by a given prefix.";
}
leaf limit-per-vrf { leaf limit-per-vrf {
type uint32; type uint32;
description description
"Maximum number of NAT mappings per VLAN/VRF."; "Maximum number of NAT mappings per VLAN/VRF.";
} }
leaf limit-per-subnet {
type inet:ip-prefix;
description
"Maximum number of NAT mappings per subnet.";
}
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of NAT mappings per instance."; "Maximum number of NAT mappings per instance.";
} }
leaf limit-per-udp { leaf limit-per-udp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of UDP NAT mappings per subscriber."; "Maximum number of UDP NAT mappings per subscriber.";
} }
leaf limit-per-tcp { leaf limit-per-tcp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of TCP NAT mappings per subscriber."; "Maximum number of TCP NAT mappings per subscriber.";
} }
leaf limit-per-icmp { leaf limit-per-icmp {
type uint32; type uint32;
mandatory true; mandatory true;
description description
"Maximum number of ICMP NAT mappings per subscriber."; "Maximum number of ICMP NAT mappings per subscriber.";
} }
} }
container connection-limit { container connection-limit {
description description
"Information about the configuration parameters that "Information about the configuration parameters that
rate limit the translation based upon various rate limit the translation based upon various
criteria."; criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
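Review bot: the new limit-per-subscriber text has a typo, "A subscriber is identifier by a given prefix." should read "identified". More importantly, mapping-limit is a non-presence container whose limit-per-instance, limit-per-udp, limit-per-tcp and limit-per-icmp leaves are `mandatory true;`; under RFC 7950 a non-presence container with a mandatory child is itself mandatory, so every NAT instance would be forced to configure all of these limits. Either make the container `presence` or drop the mandatory statements. Removing limit-per-subnet (a limit typed as inet:ip-prefix) is a correct fix.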
skipping to change at page 49, line 16 skipping to change at page 45, line 47
} }
container connection-limit { container connection-limit {
description description
"Information about the configuration parameters that "Information about the configuration parameters that
rate limit the translation based upon various rate limit the translation based upon various
criteria."; criteria.";
leaf limit-per-subscriber { leaf limit-per-subscriber {
type uint32; type uint32;
units "bits/second";
description description
"Rate-limit the number of new mappings "Rate-limit the number of new mappings
and sessions per subscriber."; and sessions per subscriber.";
} }
leaf limit-per-vrf { leaf limit-per-vrf {
type uint32; type uint32;
units "bits/second";
description description
"Rate-limit the number of new mappings "Rate-limit the number of new mappings
and sessions per VLAN/VRF."; and sessions per VLAN/VRF.";
} }
leaf limit-per-subnet {
type inet:ip-prefix;
description
"Rate-limit the number of new mappings
and sessions per subnet.";
}
leaf limit-per-instance { leaf limit-per-instance {
type uint32; type uint32;
units "bits/second";
mandatory true; mandatory true;
description description
"Rate-limit the number of new mappings "Rate-limit the number of new mappings
and sessions per instance."; and sessions per instance.";
} }
leaf limit-per-udp { leaf limit-per-udp {
type uint32; type uint32;
units "bits/second";
mandatory true; mandatory true;
description description
"Rate-limit the number of new UDP mappings "Rate-limit the number of new UDP mappings
and sessions per subscriber."; and sessions per subscriber.";
} }
leaf limit-per-tcp { leaf limit-per-tcp {
type uint32; type uint32;
units "bits/second";
mandatory true; mandatory true;
description description
"Rate-limit the number of new TCP mappings "Rate-limit the number of new TCP mappings
and sessions per subscriber."; and sessions per subscriber.";
} }
leaf limit-per-icmp { leaf limit-per-icmp {
type uint32; type uint32;
units "bits/second";
mandatory true; mandatory true;
description description
"Rate-limit the number of new ICMP mappings "Rate-limit the number of new ICMP mappings
and sessions per subscriber."; and sessions per subscriber.";
} }
} }
container logging-info { container logging-info {
description description
"Information about logging NAT events"; "Information about logging NAT events";
skipping to change at page 51, line 17 skipping to change at page 47, line 37
choice protocol { choice protocol {
description description
"Enable the protocol to be used for "Enable the protocol to be used for
the retrieval of logging entries."; the retrieval of logging entries.";
case syslog { case syslog {
leaf syslog { leaf syslog {
type boolean; type boolean;
description description
"If SYSLOG is in use."; "If SYSLOG is in use.";
} }
} }
case ipfix { case ipfix {
leaf ipfix { leaf ipfix {
type boolean; type boolean;
description description
"If IPFIX is in use."; "If IPFIX is in use.";
} }
} }
case ftp { case ftp {
leaf ftp { leaf ftp {
type boolean; type boolean;
description description
"If FTP is in use."; "If FTP is in use.";
} }
} }
} }
} }
container mapping-table { container mapping-table {
when "../nat-capabilities/nat-flavor = "+ when "../capabilities/nat-flavor = "+
"'nat44' or "+ "'nat44' or "+
"../nat-capabilities/nat-flavor = "+ "../capabilities/nat-flavor = "+
"'nat64'or "+ "'nat64'or "+
"../nat-capabilities/nat-flavor = "+ "../capabilities/nat-flavor = "+
"'clat'or "+ "'clat'or "+
"../nat-capabilities/nat-flavor = 'dst-nat'"; "../capabilities/nat-flavor = 'dst-nat'";
description description
"NAT mapping table. Applicable for functions "NAT mapping table. Applicable for functions
which maintains static and/or dynamic mappings, which maintains static and/or dynamic mappings,
such as NAT44, Destination NAT, NAT64, or CLAT."; such as NAT44, Destination NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description description
"NAT mapping entry."; "NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
} }
container statistics { container statistics {
config false; config false;
description description
"Statistics related to the NAT instance."; "Statistics related to the NAT instance.";
container traffic-statistics { container traffic-statistics {
description description
"Generic traffic statistics."; "Generic traffic statistics.";
leaf sent-packet { leaf sent-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of packets sent."; "Number of packets sent.";
} }
leaf sent-byte { leaf sent-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for sent traffic in bytes."; "Counter for sent traffic in bytes.";
} }
leaf rcvd-packet { leaf rcvd-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of received packets."; "Number of received packets.";
} }
leaf rcvd-byte { leaf rcvd-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for received traffic "Counter for received traffic
in bytes."; in bytes.";
} }
leaf dropped-packet { leaf dropped-packets {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Number of dropped packets."; "Number of dropped packets.";
} }
leaf dropped-byte { leaf dropped-bytes {
type yang:zero-based-counter64; type yang:zero-based-counter64;
description description
"Counter for dropped traffic in "Counter for dropped traffic in
bytes."; bytes.";
} }
} }
container mapping-statistics { container mapping-statistics {
when "../../nat-capabilities/nat-flavor = "+ when "../../capabilities/nat-flavor = "+
"'nat44' or "+ "'nat44' or "+
"../../nat-capabilities/nat-flavor = "+ "../../capabilities/nat-flavor = "+
"'nat64'or "+ "'nat64'or "+
"../../nat-capabilities/nat-flavor = 'dst-nat'"; "../../capabilities/nat-flavor = 'dst-nat'";
description description
"Mapping statistics."; "Mapping statistics.";
leaf total-mappings { leaf total-mappings {
type uint32; type yang:gauge32;
description description
"Total number of NAT mappings present "Total number of NAT mappings present
at a given time. This variable includes at a given time. This variable includes
all the static and dynamic mappings."; all the static and dynamic mappings.";
} }
leaf total-tcp-mappings { leaf total-tcp-mappings {
type uint32; type yang:gauge32;
description description
"Total number of TCP mappings present "Total number of TCP mappings present
at a given time."; at a given time.";
} }
leaf total-udp-mappings { leaf total-udp-mappings {
type uint32; type yang:gauge32;
description description
"Total number of UDP mappings present "Total number of UDP mappings present
at a given time."; at a given time.";
} }
leaf total-icmp-mappings { leaf total-icmp-mappings {
type uint32; type yang:gauge32;
description description
"Total number of ICMP mappings present "Total number of ICMP mappings present
at a given time."; at a given time.";
} }
} }
container pool-stats { container pool-stats {
when "../../nat-capabilities/nat-flavor = "+ when "../../capabilities/nat-flavor = "+
"'nat44' or "+ "'nat44' or "+
"../../nat-capabilities/nat-flavor = "+ "../../capabilities/nat-flavor = "+
"'nat64'"; "'nat64'";
description description
"Statistics related to address/prefix "Statistics related to address/prefix
pool usage"; pool usage";
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"Unique Identifier that represents "Unique Identifier that represents
a pool of addresses/prefixes."; a pool of addresses/prefixes.";
} }
leaf address-allocated { leaf addresses-allocated {
type uint32; type yang:gauge32;
description description
"Number of allocated addresses in "Number of allocated addresses in
the pool"; the pool";
} }
leaf address-free { leaf addresses-free {
type uint32; type yang:gauge32;
description description
"Number of unallocated addresses in "Number of unallocated addresses in
the pool at a given time.The sum of the pool at a given time.The sum of
unallocated and allocated unallocated and allocated
addresses is the total number of addresses is the total number of
addresses of the pool."; addresses of the pool.";
} }
container port-stats { container port-stats {
description description
"Statistics related to port "Statistics related to port
usage."; usage.";
leaf ports-allocated { leaf ports-allocated {
type uint32; type yang:gauge32;
description description
"Number of allocated ports "Number of allocated ports
in the pool."; in the pool.";
} }
leaf ports-free { leaf ports-free {
type uint32; type yang:gauge32;
description description
"Number of unallocated addresses "Number of unallocated addresses
in the pool."; in the pool.";
} }
} }
} }
}//statistics }
} }
} }
} }
/* /*
* Notifications * Notifications
*/ */
notification nat-event { notification nat-event {
description description
"Notifications must be generated when the defined "Notifications must be generated when the defined
high/low threshold is reached. Related high/low threshold is reached. Related
configuration parameters must be provided to configuration parameters must be provided to
trigger the notifications."; trigger the notifications.";
leaf id { leaf id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat/instances/"
+ "nat-instance/id"; + "instance/id";
} }
description description
"NAT instance ID."; "NAT instance ID.";
} }
leaf policy-id { leaf policy-id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat/instances/"
+ "nat-instance/nat-policy/policy-id"; + "instance/policy/id";
} }
description description
"Policy ID."; "Policy ID.";
} }
leaf pool-id { leaf pool-id {
type leafref { type leafref {
path path
"/nat-module/nat-instances/" "/nat/instances/"
+ "nat-instance/nat-policy/" + "instance/policy/"
+ "external-ip-address-pool/pool-id"; + "external-ip-address-pool/pool-id";
} }
description description
"Pool ID."; "Pool ID.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
"A treshhold has been fired."; "A treshhold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
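Review bot: pool-stats is a single container with one pool-id leaf, but external-ip-address-pool is a list, so statistics can only be reported for one pool per instance; make pool-stats a list keyed by pool-id. In port-stats, the ports-free description ("Number of unallocated addresses in the pool.") is a copy-paste error and should say ports. In logging-info, each case of `choice protocol` holds a boolean leaf, which is redundant with the choice itself and admits a meaningless `syslog = false`; `type empty` or a single enumeration leaf would be cleaner, and since ftp is offered as a retrieval protocol for logs that contain per-subscriber mapping data, the Security Considerations should state that a cleartext transport is not appropriate for it. The XPath in the mapping-table and mapping-statistics `when` statements concatenates to `'nat64'or` with no space before the operator; add the space. Finally, "A treshhold has been fired." in nat-event should read "threshold".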
4. Security Considerations 4. Security Considerations
The YANG module defined in this memo is designed to be accessed via The YANG module defined in this document is designed to be accessed
the NETCONF protocol [RFC6241]. The lowest NETCONF layer is the via network management protocols such as NETCONF [RFC6241] or
secure transport layer and the support of SSH is mandatory to RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
implement secure transport [RFC6242]. The NETCONF access control layer, and the mandatory-to-implement secure transport is Secure
model [RFC6536] provides means to restrict access by some users to a Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
pre-configured subset of all available NETCONF protocol operations mandatory-to-implement secure transport is TLS [RFC5246].
and data.
The NETCONF access control model [RFC6536] provides the means to
restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
All data nodes defined in the YANG module which can be created, All data nodes defined in the YANG module which can be created,
modified and deleted (i.e., config true, which is the default). modified and deleted (i.e., config true, which is the default).
These data nodes are considered sensitive. Write operations (e.g., These data nodes are considered sensitive. Write operations (e.g.,
edit-config) applied to these data nodes without proper protection edit-config) applied to these data nodes without proper protection
can negatively affect network operations. can negatively affect network operations.
Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and
[RFC6296].
5. IANA Considerations 5. IANA Considerations
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-nat URI: urn:ietf:params:xml:ns:yang:ietf-nat
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
skipping to change at page 58, line 5 skipping to change at page 54, line 8
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review.
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of an earlier version of
this module. this module.
Rajiv Asati suggested clarifying how the module applies to both Rajiv Asati suggested clarifying how the module applies to both
stateless and stateful NAT64. stateless and stateful NAT64.
Juergen Schoenwaelder provided an early YANG Doctors review. Many
thanks to him.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>. 2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P. [RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, DOI 10.17487/RFC5382, October 2008, RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5382>. <https://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508, Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009, DOI 10.17487/RFC5508, April 2009,
<https://www.rfc-editor.org/info/rfc5508>. <https://www.rfc-editor.org/info/rfc5508>.
skipping to change at page 59, line 25 skipping to change at page 55, line 35
[RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar, [RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
S., and K. Naito, "Updates to Network Address Translation S., and K. Naito, "Updates to Network Address Translation
(NAT) Behavioral Requirements", BCP 127, RFC 7857, (NAT) Behavioral Requirements", BCP 127, RFC 7857,
DOI 10.17487/RFC7857, April 2016, DOI 10.17487/RFC7857, April 2016,
<https://www.rfc-editor.org/info/rfc7857>. <https://www.rfc-editor.org/info/rfc7857>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Data Models for the Port Control Vinapamula, "YANG Modules for the Port Control Protocol
Protocol (PCP)", draft-boucadair-pcp-yang-04 (work in (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
progress), May 2017. October 2017.
[I-D.ietf-behave-ipfix-nat-logging] [I-D.ietf-behave-ipfix-nat-logging]
Sivakumar, S. and R. Penno, "IPFIX Information Elements Sivakumar, S. and R. Penno, "IPFIX Information Elements
for logging NAT Events", draft-ietf-behave-ipfix-nat- for logging NAT Events", draft-ietf-behave-ipfix-nat-
logging-13 (work in progress), January 2017. logging-13 (work in progress), January 2017.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data Boucadair, M., Jacquenet, C., and S. Sivakumar, "YANG Data
Modules for the DS-Lite", draft-ietf-softwire-dslite- Modules for the DS-Lite", draft-ietf-softwire-dslite-
yang-07 (work in progress), October 2017. yang-07 (work in progress), October 2017.
skipping to change at page 62, line 5 skipping to change at page 58, line 16
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
same IPv4 address among hosts that are owned by the same subscriber. same IPv4 address among hosts that are owned by the same subscriber.
This is typically the NAT that is embedded in CPE devices. This is typically the NAT that is embedded in CPE devices.
This NAT is usually provided with one single external IPv4 address; This NAT is usually provided with one single external IPv4 address;
disambiguating connections is achieved by rewriting the source port disambiguating connections is achieved by rewriting the source port
number. The XML snippet to configure the external IPv4 address in number. The XML snippet to configure the external IPv4 address in
such a case, together with a mapping entry, is depicted below: such a case, together with a mapping entry, is depicted below:
<nat-instances> <instances>
<nat-instance> <instance>
<id>1</id> <id>1</id>
<name>NAT_Subscriber_A</name> <name>NAT_Subscriber_A</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.1 192.0.2.1
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
.... ....
<mapping-table> <mapping-table>
.... ....
<external-src-address> <external-src-address>
192.0.2.1 192.0.2.1
</external-src-address> </external-src-address>
.... ....
</mapping-table> </mapping-table>
</nat-instance> </instance>
</nat-instances> </instances>
The following shows the XML excerpt depicting a dynamic UDP mapping The following shows the XML excerpt depicting a dynamic UDP mapping
entry maintained by a traditional NAT44. In reference to this entry maintained by a traditional NAT44. In reference to this
example, the UDP packet received with a source IPv4 address example, the UDP packet received with a source IPv4 address
(192.0.2.1) and source port number (1568) is translated into a UDP (192.0.2.1) and source port number (1568) is translated into a UDP
packet having a source IPv4 address (198.51.100.1) and source port packet having a source IPv4 address (198.51.100.1) and source port
(15000). The lifetime of this mapping is 300 seconds. (15000). The lifetime of this mapping is 300 seconds.
<mapping-entry> <mapping-entry>
<index>15</index> <index>15</index>
skipping to change at page 64, line 5 skipping to change at page 60, line 5
<lifetime> <lifetime>
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. CGN A.2. CGN
The following XML snippet shows an example of the capabilities The following XML snippet shows an example of the capabilities
supported by a CGN, as retrieved using NETCONF. supported by a CGN, as retrieved using NETCONF.
<nat-capabilities> <capabilities>
<nat-flavor> <nat-flavor>
nat44 nat44
</nat-flavor> </nat-flavor>
<restricted-port-support> <restricted-port-support>
false false
</restricted-port-support> </restricted-port-support>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
skipping to change at page 64, line 51 skipping to change at page 60, line 51
</address-and-port-dependent-mapping-support> </address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support> <endpoint-independent-filtering-support>
true true
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering> <address-dependent-filtering>
false false
</address-dependent-filtering> </address-dependent-filtering>
<address-and-port-dependent-filtering> <address-and-port-dependent-filtering>
false false
</address-and-port-dependent-filtering> </address-and-port-dependent-filtering>
</nat-capabilities> </capabilities>
The following XML snippet shows an example of a CGN that is The following XML snippet shows an example of a CGN that is
provisioned with one contiguous pool of external IPv4 addresses provisioned with one contiguous pool of external IPv4 addresses
(192.0.2.0/24). Further, the CGN is instructed to limit the number (192.0.2.0/24). Further, the CGN is instructed to limit the number
of allocated ports per subscriber to 1024. Ports can be allocated by of allocated ports per subscriber to 1024. Ports can be allocated by
the CGN by assigning ranges of 256 ports (that is, a subscriber can the CGN by assigning ranges of 256 ports (that is, a subscriber can
be allocated up to four port ranges of 256 ports each). be allocated up to four port ranges of 256 ports each).
<nat-instances> <instances>
<nat-instance> <instance>
<id>1</id> <id>1</id>
<name>myCGN</name> <name>myCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.0/24 192.0.2.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
skipping to change at page 65, line 39 skipping to change at page 61, line 39
</port-quota> </port-quota>
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
256 256
</port-set-size> </port-set-size>
</port-set> </port-set>
.... ....
</nat-instance> </instance>
</nat-instances> </instances>
An administrator may decide to allocate one single port range per An administrator may decide to allocate one single port range per
subscriber (port range of 1024 ports) as shown below: subscriber (port range of 1024 ports) as shown below:
<nat-instances> <instances>
<nat-instance> <instance>
<id>1</id> <id>1</id>
<name>myotherCGN</name> <name>myotherCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.0/24 192.0.2.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
skipping to change at page 66, line 34 skipping to change at page 62, line 34
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
1024 1024
</port-set-size> </port-set-size>
.... ....
</port-set> </port-set>
.... ....
</nat-instance> </instance>
</nat-instances> </instances>
A.3. CGN Pass-Through A.3. CGN Pass-Through
Figure 1 illustrates an example of the CGN pass-through feature. Figure 1 illustrates an example of the CGN pass-through feature.
X1:x1 X1':x1' X2:x2 X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+ +---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S | | C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r | | i | | G | | r |
skipping to change at page 67, line 11 skipping to change at page 63, line 11
+---+ +---+ +---+ +---+ +---+ +---+
Figure 1: CGN Pass-Through Figure 1: CGN Pass-Through
For example, in order to disable NAT for communications issued by the For example, in order to disable NAT for communications issued by the
client (192.0.2.25), the following configuration parameter must be client (192.0.2.25), the following configuration parameter must be
set: set:
<nat-pass-through> <nat-pass-through>
... ...
<nat-pass-through-pref>192.0.2.25</nat-pass-through-pref> <prefix>192.0.2.25</prefix>
... ...
</nat-pass-through> </nat-pass-through>
A.4. NAT64 A.4. NAT64
Let's consider the example of a NAT64 that should use Let's consider the example of a NAT64 that should use
2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
The XML snippet to configure the NAT64 prefix in such a case is The XML snippet to configure the NAT64 prefix in such a case is
depicted below: depicted below:
skipping to change at page 69, line 6 skipping to change at page 65, line 6
| 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | | 5 | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 6 | 192.0.2.224/31 | 64:ff9b::/127 | | 6 | 192.0.2.224/31 | 64:ff9b::/127 |
+---+----------------+----------------------+ +---+----------------+----------------------+
Figure 2: EAM Examples (RFC7757) Figure 2: EAM Examples (RFC7757)
The following XML excerpt illustrates how these EAMs can be The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module: configured using the YANG NAT module:
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.1 192.0.2.1
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa:: 2001:db8:aaaa::
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.2/32 192.0.2.2/32
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
2001:db8:bbbb::b/128 2001:db8:bbbb::b/128
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.16/28 192.0.2.16/28
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
2001:db8:cccc::/124 2001:db8:cccc::/124
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.128/26 192.0.2.128/26
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
2001:db8:dddd::/64 2001:db8:dddd::/64
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.192/29 192.0.2.192/29
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
2001:db8:eeee:8::/62 2001:db8:eeee:8::/62
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<eam-ipv4-prefix> <ipv4-prefix>
192.0.2.224/31 192.0.2.224/31
</eam-ipv4-prefix> </ipv4-prefix>
<eam-ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</eam-ipv6-prefix> </ipv6-prefix>
</eam> </eam>
EAMs may be enabled jointly with stateful NAT64. This example shows EAMs may be enabled jointly with stateful NAT64. This example shows
a NAT64 function that supports static mappings: a NAT64 function that supports static mappings:
<nat-capabilities> <capabilities>
<nat-flavor> <nat-flavor>
nat64 nat64
</nat-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
skipping to change at page 70, line 50 skipping to change at page 66, line 50
</address-and-port-dependent-mapping-support> </address-and-port-dependent-mapping-support>
<endpoint-independent-filtering-support> <endpoint-independent-filtering-support>
true true
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering> <address-dependent-filtering>
false false
</address-dependent-filtering> </address-dependent-filtering>
<address-and-port-dependent-filtering> <address-and-port-dependent-filtering>
false false
</address-and-port-dependent-filtering> </address-and-port-dependent-filtering>
</nat-capabilities> </capabilities>
A.6. Static Mappings with Port Ranges A.6. Static Mappings with Port Ranges
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1 and with source ports in the translate packets issued from 192.0.2.1 and with source ports in the
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
skipping to change at page 75, line 25 skipping to change at page 71, line 25
A.9. CLAT A.9. CLAT
The following XML snippet shows an example of a CLAT that is The following XML snippet shows an example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
<clat-ipv6-prefixes> <clat-ipv6-prefixes>
<clat-ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa::/96 2001:db8:aaaa::/96
</clat-ipv6-prefix> </ipv6-prefix>
</clat-ipv6-prefixes> </clat-ipv6-prefixes>
<clat-ipv4-prefixes> <clat-ipv4-prefixes>
<clat-ipv4-prefix> <ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</clat-ipv4-prefix> </ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:1234::/96 2001:db8:1234::/96
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A.10. NPTv6 A.10. NPTv6
Let's consider the example of a NPTv6 translator that should rewrite Let's consider the example of a NPTv6 translator that should rewrite
skipping to change at page 77, line 22 skipping to change at page 73, line 22
V +---------+ ^ V +---------+ ^
External Prefix |eth0 ^ External Prefix |eth0 ^
2001:db8:6666::/48 | ^ 2001:db8:6666::/48 | ^
-------------------------------------- --------------------------------------
Internal Prefix = fd01:203:405::/48 Internal Prefix = fd01:203:405::/48
Figure 3: Connecting two Peer Networks (RFC6296) Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6: To that aim, the following configuration is provided to the NPTv6:
<nat-policy> <policy>
<policy-id>1</policy-id> <id>1</id>
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>1</translation-id> <translation-id>1</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:203:405::/48 fd01:203:405::/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:1::/48 2001:db8:1::/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-interface> <external-interface>
eth1 eth1
</external-interface> </external-interface>
</nat-policy> </policy>
<nat-policy> <policy>
<policy-id>2</policy-id> <id>2</id>
<nptv6-prefixes> <nptv6-prefixes>
<translation-id>2</translation-id> <translation-id>2</translation-id>
<internal-ipv6-prefix> <internal-ipv6-prefix>
fd01:4444:5555::/48 fd01:4444:5555::/48
</internal-ipv6-prefix> </internal-ipv6-prefix>
<external-ipv6-prefix> <external-ipv6-prefix>
2001:db8:6666::/48 2001:db8:6666::/48
</external-ipv6-prefix> </external-ipv6-prefix>
</nptv6-prefixes> </nptv6-prefixes>
<external-interface> <external-interface>
eth0 eth0
</external-interface> </external-interface>
</nat-policy> </policy>
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
 End of changes. 364 change blocks. 
613 lines changed or deleted 437 lines changed or added
