Diff of draft-ietf-opsawg-nat-yang-10.txt against draft-ietf-opsawg-nat-yang-11.txt (the newer, -11, text is shown below)

Network Working Group                                       M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                            S. Sivakumar
Expires: August 10, 2018                                   Cisco Systems
                                                            C. Jacquenet
                                                                  Orange
                                                           S. Vinapamula
                                                        Juniper Networks
                                                                   Q. Wu
                                                                  Huawei
                                                        February 6, 2018

          A YANG Module for Network Address Translation (NAT)
                    draft-ietf-opsawg-nat-yang-11
Abstract

   For the sake of network automation, and the need to program the
   Network Address Translation (NAT) function in particular, a data
   model for configuring and managing the NAT is essential.  This
   document defines a YANG module for the NAT function.

   NAT44, Network Address and Protocol Translation from IPv6 Clients to
   IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/
   ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/
   ICMP Translation (SIIT EAM), and Destination NAT are covered in this
   document.
Editorial Note (To be removed by RFC Editor)

   Please update these statements with the RFC number to be assigned to
   this document:

   "This version of this YANG module is part of RFC XXXX;"

   "RFC XXXX: A YANG Module for Network Address Translation (NAT)";

   "reference: RFC XXXX"
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 10, 2018.
Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [unchanged text omitted; resumes at page 2, line 35]

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Overview of the NAT YANG Data Model . . . . . . . . . . . . .   5
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.2.  Various Translation Flavors . . . . . . . . . . . . . . .   5
     2.3.  TCP/UDP/ICMP NAT Behavioral Requirements  . . . . . . . .   7
     2.4.  Other Transport Protocols . . . . . . . . . . . . . . . .   7
     2.5.  IP Addresses Used for Translation . . . . . . . . . . . .   7
     2.6.  Port Set Assignment . . . . . . . . . . . . . . . . . . .   8
     2.7.  Port-Restricted IP Addresses  . . . . . . . . . . . . . .   8
     2.8.  NAT Mapping Entries . . . . . . . . . . . . . . . . . . .   8
     2.9.  Resource Limits . . . . . . . . . . . . . . . . . . . . .  11
     2.10. Binding the NAT Function to an External Interface . . . .  14
     2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . .  14
     2.12. Tree Structure  . . . . . . . . . . . . . . . . . . . . .  15
   3.  NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . .  21
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  69
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  71
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  71
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  72
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  72
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  74
   Appendix A.  Sample Examples  . . . . . . . . . . . . . . . . . .  76
     A.1.  Traditional NAT44 . . . . . . . . . . . . . . . . . . . .  76
     A.2.  Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . .  78
     A.3.  CGN Pass-Through  . . . . . . . . . . . . . . . . . . . .  81
     A.4.  NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . .  82
     A.5.  Stateless IP/ICMP Translation (SIIT)  . . . . . . . . . .  82
     A.6.  Explicit Address Mappings for Stateless IP/ICMP
           Translation (EAM SIIT)  . . . . . . . . . . . . . . . . .  83
     A.7.  Static Mappings with Port Ranges  . . . . . . . . . . . .  87
     A.8.  Static Mappings with IP Prefixes  . . . . . . . . . . . .  87
     A.9.  Destination NAT . . . . . . . . . . . . . . . . . . . . .  88
     A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . .  91
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  91
1.  Introduction

   This document defines a data model for Network Address Translation
   (NAT) capabilities using the YANG data modeling language [RFC7950].

   Traditional NAT is defined in [RFC2663], while Carrier Grade NAT
   (CGN) is defined in [RFC6888].  Unlike traditional NAT, the CGN is
   used to optimize the usage of global IP address space at the scale of
   a domain: a CGN is not managed by end users, but by service providers
   instead.  This document covers both traditional NATs and CGNs.

   This document also covers NAT64 [RFC6146], customer-side translator
   (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915],
   Explicit Address Mappings for Stateless IP/ICMP Translation (EAM)
   [RFC7757], and Destination NAT.  The full set of translation schemes
   that are in scope is included in Section 2.2.

   Sample examples are provided in Appendix A.  These examples are not
   intended to be exhaustive.
1.1.  Terminology

   This document makes use of the following terms:

   o  Basic NAT44: translation is limited to IP addresses alone
      (Section 2.1 of [RFC3022]).

   [unchanged text omitted; resumes at page 4, line 19]

   o  Port-restricted IPv4 address: An IPv4 address with a restricted
      port set.  Multiple hosts may share the same IPv4 address;
      however, their port sets must not overlap [RFC7596].

   o  Restricted port set: A non-overlapping range of allowed external
      ports to use for NAT operation.  Source ports of IPv4 packets
      translated by a NAT must belong to the assigned port set.  The
      port set is used for all port-aware IP protocols [RFC7596].

   o  Internal Host: A host that may need to use a translation
      capability to send traffic to and receive traffic from the
      Internet.

   o  Internal Address/prefix: The IP address/prefix of an internal
      host.

   o  External Address: The IP address/prefix assigned by a translator
      to an internal host; this is the address that will be seen by a
      remote host on the Internet.

   o  Mapping: denotes a state at the translator that is necessary for
      network address and/or port translation.

   o  Dynamic implicit mapping: is created implicitly as a side effect
      of processing a packet (e.g., an initial TCP SYN packet) that
      requires a new mapping.  A validity lifetime is associated with
      this mapping.

   o  Dynamic explicit mapping: is created as a result of an explicit
      request, e.g., a PCP message [RFC6887].  A validity lifetime is
      associated with this mapping.
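   The "port sets must not overlap" requirement above is the property an
   operator actually has to verify when several subscribers share one
   external IPv4 address.  The following is an added example, not code
   from the draft or its authors: it expands both shapes of the module's
   port-set-restrict choice (a start-port-number/end-port-number range,
   or the psid-offset/psid-len/psid triple) into explicit port ranges and
   then checks a set of subscribers for overlap.  Interpreting the psid
   leaves with the RFC 7597 port-mapping algorithm (port = A << (16-a) |
   PSID << (16-a-k) | M) is an assumption; the subscriber names and
   values are constructed sample input.

```python
"""Port-set expansion and non-overlap check for port-restricted NAT.

Added example (not part of the draft).  The PSID expansion follows the
RFC 7597 port-mapping algorithm; that the ietf-nat psid-offset/psid-len/
psid leaves are meant to be read this way is an assumption here.
"""
from itertools import combinations
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]  # inclusive (start, end)


def psid_port_ranges(psid_offset: int, psid_len: int, psid: int) -> List[PortRange]:
    """Expand a (psid-offset, psid-len, psid) triple into inclusive port ranges.

    a = psid_offset high-order bits (A), k = psid_len PSID bits; the
    remaining 16-a-k low bits (M) enumerate one contiguous block per A.
    A = 0 is skipped when a > 0, so the well-known ports below 2^(16-a)
    are never handed out.  With a == 0 there is a single block that
    starts at port 0; the caller must decide whether that is acceptable.
    """
    a, k = psid_offset, psid_len
    if not 0 <= a <= 15 or not 0 <= k <= 16 - a:
        raise ValueError("need 0 <= psid-offset <= 15 and psid-offset + psid-len <= 16")
    if not 0 <= psid < (1 << k):
        raise ValueError(f"psid {psid} does not fit in psid-len={k} bits")
    m_bits = 16 - a - k
    block = 1 << m_bits
    first_a = 1 if a > 0 else 0
    ranges: List[PortRange] = []
    for high in range(first_a, 1 << a):
        start = (high << (16 - a)) | (psid << m_bits)
        ranges.append((start, start + block - 1))
    return ranges


def port_range(start_port_number: int, end_port_number: int) -> List[PortRange]:
    """The port-range case of port-set-restrict as a single inclusive range."""
    if not 0 <= start_port_number <= end_port_number <= 65535:
        raise ValueError("invalid port range")
    return [(start_port_number, end_port_number)]


def port_count(ranges: List[PortRange]) -> int:
    """Number of external ports in a port set (compare with port-quota/port-limit)."""
    return sum(end - start + 1 for start, end in ranges)


def find_overlaps(assignments: Dict[str, List[PortRange]]) -> List[Tuple[str, str]]:
    """Return pairs of subscribers whose port sets share at least one port.

    All subscribers in `assignments` are assumed to share one external IPv4
    address, so an overlap means two subscribers could receive the same
    (address, port) mapping, which breaks translation and attribution.
    """
    conflicts: List[Tuple[str, str]] = []
    for (name_a, set_a), (name_b, set_b) in combinations(sorted(assignments.items()), 2):
        if any(s1 <= e2 and s2 <= e1 for s1, e1 in set_a for s2, e2 in set_b):
            conflicts.append((name_a, name_b))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: three subscribers behind one external address.
    subs = {
        "sub-a": psid_port_ranges(6, 8, 0x34),  # values from the RFC 7597 worked example
        "sub-b": psid_port_ranges(6, 8, 0x35),  # adjacent PSID: disjoint from sub-a
        "sub-c": port_range(1000, 2000),        # static range that collides with both
    }
    for name, ranges in subs.items():
        print(name, port_count(ranges), "ports, first block", ranges[0])
    print("conflicts:", find_overlaps(subs))
```

   With psid-offset 6 and psid-len 8 each PSID yields 63 blocks of 4
   ports (252 ports in total), which is the number to compare against a
   subscriber's port-limit; the static 1000-2000 range in the sample
   overlaps both PSID-derived sets and is reported as two conflicts.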
   [unchanged text omitted; resumes at page 6, line 6]

   The following translation modes are supported:

   o  Basic NAT44

   o  NAPT

   o  Destination NAT

   o  Port-restricted NAT

   o  Stateful NAT64

   o  SIIT

   o  CLAT

   o  EAM

   o  Combination of Basic NAT/NAPT and Destination NAT

   o  Combination of port-restricted and Destination NAT

   o  Combination of NAT64 and EAM

   o  Stateful and Stateless NAT64

   [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT
   YANG module to support DS-Lite.

   The YANG "feature" statement is used to indicate which of the
   different translation modes is relevant for a specific data node.
   [unchanged text omitted; resumes at page 6, line 28]

           +---------------------------------+--------------+
           | Translation Mode                | YANG Feature |
           +---------------------------------+--------------+
           | Basic NAT44                     | basic-nat44  |
           | NAPT                            | napt44       |
           | Destination NAT                 | dst-nat      |
           | Stateful NAT64                  | nat64        |
           | Stateless IPv4/IPv6 translation | siit         |
           | CLAT                            | clat         |
           | EAM                             | eam          |
           +---------------------------------+--------------+

                      Table 1: YANG NAT Features

   The following translation modes do not require defining dedicated
   features:

   o  Port-restricted NAT: This mode corresponds to supplying port
      restriction policies to a NAPT or NAT64 (port-set-restrict).

   o  Combination of Basic NAT/NAPT and Destination NAT: This mode
   [unchanged text omitted; resumes at page 11, line 24]

   |                      | NAT64)                                     |
   | external-src-port    | ID2 (an ICMP identifier that is chosen by  |
   |                      | the NAT64)                                 |
   +----------------------+--------------------------------------------+

             Table 4: Example of an EIM NAT64 Mapping Entry

   Note that a mapping table is maintained only for stateful NAT
   functions.  In particular:

   o  The double translations are stateless in CLAT if a dedicated IPv6
      prefix is provided for CLAT.  If not, a stateful NAT44 will be
      required.

   o  No per-flow mapping is maintained for EAM [RFC7757].

   o  No mapping table is maintained for Stateless IPv4/IPv6
      translation.  As a reminder, in such deployments internal IPv6
      nodes are addressed using IPv4-translatable IPv6 addresses, which
      enable them to be accessed by IPv4 nodes [RFC6052].
2.9.  Resource Limits

   To meet the requirements of CGN deployments in particular, the NAT
   YANG module allows limiting the number of external ports per
   subscriber (port-quota) and the amount of state memory allocated per
   mapping and per subscriber (mapping-limits and connection-limits).
   In line with [RFC6888], the module allows for the following:

   o  Per-subscriber limits are configurable by the NAT administrator.

   o  Per-subscriber limits are configurable independently per transport
      protocol.

   o  Administrator-adjustable thresholds can be configured to prevent a
      single subscriber from consuming excessive CPU resources on the
      NAT (e.g., by rate-limiting the subscriber's creation of new
      mappings).
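   The limits listed above are only useful if they are actually set, and
   set consistently, on every CGN instance.  The following is an added
   example, not code from the draft or its authors: it builds one NAT
   instance in the JSON encoding of the ietf-nat module (RFC 7951
   naming, module prefix "ietf-nat"), using only node names that appear
   in the tree diagram (connection-limits, mapping-limits, port-quota,
   notification-limits, logging-enable, external-realm), and then lints
   the resource-limit settings.  The checks are practitioner checks, not
   constraints stated by the module; the identity name
   "ietf-nat:napt44" for the instance type, the interface name "eth1",
   the quota-type value 0, and the 192.0.2.0/28 pool are assumptions
   and constructed sample values.

```python
"""Resource-limit lint for an ietf-nat NAT instance.

Added example (not part of the draft).  Builds a CGN-style NAT instance
in the JSON encoding of the ietf-nat module and checks that the
per-subscriber limits Section 2.9 describes are present and coherent.
"""
import json
from typing import Any, Dict, List, Optional


def build_cgn_instance(instance_id: int,
                       limit_per_subscriber: Optional[int],
                       limit_per_instance: int,
                       port_limit: Optional[int],
                       logging_enable: bool) -> Dict[str, Any]:
    """Return one element of nat/instances/instance (node names from the tree)."""
    policy: Dict[str, Any] = {
        "id": 1,
        "external-ip-address-pool": [
            {"pool-id": 1, "external-ip-pool": "192.0.2.0/28"}  # constructed sample pool
        ],
        "transport-protocols": [{"protocol-id": 6, "protocol-name": "TCP"},
                                {"protocol-id": 17, "protocol-name": "UDP"}],
        "external-realm": {"external-interface": "eth1"},  # assumed interface name
    }
    if port_limit is not None:
        # quota-type 0 is a placeholder; its meaning is not defined in this excerpt
        policy["port-quota"] = [{"quota-type": 0, "port-limit": port_limit}]
    connection_limits: Dict[str, Any] = {"limit-per-instance": limit_per_instance}
    if limit_per_subscriber is not None:
        connection_limits["limit-per-subscriber"] = limit_per_subscriber
    return {
        "id": instance_id,
        "name": f"cgn-{instance_id}",
        "enable": True,
        "type": "ietf-nat:napt44",  # identity name assumed to match the feature name
        "policy": [policy],
        "mapping-limits": {"limit-subscribers": 4096},
        "connection-limits": connection_limits,
        "notification-limits": {"notify-interval": 60, "notify-ports-usage": 90},
        "logging-enable": logging_enable,
    }


def lint_instance(inst: Dict[str, Any]) -> List[str]:
    """Return findings for a NAT instance; an empty list means it passes."""
    findings: List[str] = []
    conn = inst.get("connection-limits", {})
    per_sub = conn.get("limit-per-subscriber")
    per_inst = conn.get("limit-per-instance")
    if per_sub is None:
        findings.append("connection-limits/limit-per-subscriber unset: "
                        "one subscriber can exhaust limit-per-instance")
    elif per_inst is not None and per_sub > per_inst:
        findings.append(f"limit-per-subscriber {per_sub} exceeds "
                        f"limit-per-instance {per_inst}: the per-subscriber cap is ineffective")
    if not any("port-quota" in p for p in inst.get("policy", [])):
        findings.append("no policy carries port-quota: external ports per subscriber are unbounded")
    if not inst.get("logging-enable", False):
        findings.append("logging-enable is false: mappings cannot be attributed to subscribers later")
    notif = inst.get("notification-limits", {})
    if ("notify-ports-usage" in notif or "notify-addresses-usage" in notif) \
            and "notify-interval" not in notif:
        findings.append("usage thresholds set without notify-interval: notification rate is unbounded")
    return findings


def to_json(instance: Dict[str, Any]) -> str:
    """Wrap the instance in the top-level ietf-nat:nat container and serialize it."""
    doc = {"ietf-nat:nat": {"instances": {"instance": [instance]}}}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    good = build_cgn_instance(1, 1000, 200000, 1024, True)
    weak = build_cgn_instance(2, None, 200000, None, False)
    print(to_json(good))
    print("good:", lint_instance(good) or "ok")
    print("weak:", lint_instance(weak))
```

   A per-instance connection limit alone is the classic CGN
   misconfiguration: it protects the box, not the other subscribers, so
   the linter treats a missing limit-per-subscriber as a finding rather
   than a warning.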
   [unchanged text omitted; resumes at page 14, line 23]

   | notification-limits/notify-interval | Indicates the minimum       |
   |                                     | number of seconds between   |
   |                                     | successive notifications    |
   |                                     | for a NAT instance.         |
   +-------------------------------------+-----------------------------+

                     Table 7: Notification Intervals
2.10.  Binding the NAT Function to an External Interface

   The module is designed to specify an external realm on which the NAT
   function must be applied (external-realm).  The module supports
   indicating an interface as an external realm, but it is extensible
   so that other choices can be indicated in the future (e.g., a Virtual
   Routing and Forwarding (VRF) instance).

   Distinct external realms can be provided as a function of the NAT
   policy (see, for example, Section 4 of [RFC7289]).

   If no external realm is provided, it is assumed that the system is
   able to determine the external interface (VRF instance, etc.) on
   [unchanged text omitted; resumes at page 15, line 5]

   o  The set of address realms to which the device connects.

   o  For the CGN case, per-subscriber information including subscriber
      index, address realm, assigned prefix or address, and (possibly)
      policies regarding address pool selection in the various possible
      address realms to which the subscriber may connect.

   o  The set of NAT instances running on the device, identified by NAT
      instance index and name.

   o  The port mapping, filtering, pooling, and fragment behaviors for
      each NAT instance.

   o  The set of protocols supported by each NAT instance.

   o  Address pools for each NAT instance, including for each pool the
      pool index, address realm, and minimum and maximum port number.

   o  Static address and port mapping entries.

   All of the above parameters can be configured by means of the NAT
   YANG module.

   Unlike the NATV2-MIB, the NAT YANG module allows multiple policies to
   be configured per NAT instance.
2.12.  Tree Structure

   The tree structure of the NAT YANG module is provided below:
module: ietf-nat module: ietf-nat
+--rw nat +--rw nat
+--rw instances +--rw instances
+--rw instance* [id] +--rw instance* [id]
+--rw id uint32 +--rw id uint32
+--rw name? string +--rw name? string
+--rw enable? boolean +--rw enable? boolean
+--ro capabilities +--ro capabilities
| +--ro nat-flavor* | +--ro nat-flavor*
| | identityref | | identityref
| +--ro per-interface-binding* | +--ro per-interface-binding*
| | enumeration | | enumeration
| +--ro transport-protocols* [protocol-id] | +--ro transport-protocols* [protocol-id]
| | +--ro protocol-id uint8 | | +--ro protocol-id uint8
| | +--ro protocol-name? string | | +--ro protocol-name? string
| +--ro restricted-port-support? | +--ro restricted-port-support?
| | boolean | | boolean
| +--ro static-mapping-support? | +--ro static-mapping-support?
| | boolean | | boolean
| +--ro port-randomization-support? | +--ro port-randomization-support?
| | boolean | | boolean
| +--ro port-range-allocation-support? | +--ro port-range-allocation-support?
| | boolean | | boolean
| +--ro port-preservation-suport? | +--ro port-preservation-suport?
| | boolean | | boolean
| +--ro port-parity-preservation-support? | +--ro port-parity-preservation-support?
| | boolean | | boolean
| +--ro address-roundrobin-support? | +--ro address-roundrobin-support?
| | boolean | | boolean
| +--ro paired-address-pooling-support? | +--ro paired-address-pooling-support?
| | boolean | | boolean
| +--ro endpoint-independent-mapping-support? | +--ro endpoint-independent-mapping-support?
| | boolean | | boolean
| +--ro address-dependent-mapping-support? | +--ro address-dependent-mapping-support?
| | boolean | | boolean
| +--ro address-and-port-dependent-mapping-support? | +--ro address-and-port-dependent-mapping-support?
| | boolean | | boolean
| +--ro endpoint-independent-filtering-support? | +--ro endpoint-independent-filtering-support?
| | boolean | | boolean
| +--ro address-dependent-filtering? | +--ro address-dependent-filtering?
| | boolean | | boolean
| +--ro address-and-port-dependent-filtering? | +--ro address-and-port-dependent-filtering?
| | boolean | | boolean
| +--ro fragment-behavior? | +--ro fragment-behavior?
| enumeration | enumeration
+--rw type? identityref +--rw type? identityref
+--rw per-interface-binding? enumeration +--rw per-interface-binding? enumeration
+--rw nat-pass-through* [id] +--rw nat-pass-through* [id]
| {basic-nat44 or napt44 or dst-nat}? | {basic-nat44 or napt44 or dst-nat}?
| +--rw id uint32 | +--rw id uint32
| +--rw prefix inet:ip-prefix | +--rw prefix inet:ip-prefix
| +--rw port? inet:port-number | +--rw port? inet:port-number
+--rw policy* [id] +--rw policy* [id]
| +--rw id uint32 | +--rw id uint32
| +--rw clat-parameters {clat}? | +--rw clat-parameters {clat}?
| | +--rw clat-ipv6-prefixes* [ipv6-prefix] | | +--rw clat-ipv6-prefixes* [ipv6-prefix]
| | | +--rw ipv6-prefix inet:ipv6-prefix | | | +--rw ipv6-prefix inet:ipv6-prefix
| | +--rw ipv4-prefixes* [ipv4-prefix] | | +--rw ipv4-prefixes* [ipv4-prefix]
| | +--rw ipv4-prefix inet:ipv4-prefix | | +--rw ipv4-prefix inet:ipv4-prefix
| +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}? | +--rw eam* [ipv4-prefix] {eam}?
| | +--rw internal-ipv6-prefix inet:ipv6-prefix | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw external-ipv6-prefix inet:ipv6-prefix | | +--rw ipv6-prefix inet:ipv6-prefix
| +--rw eam* [ipv4-prefix] {eam}? | +--rw nat64-prefixes* [nat64-prefix]
| | +--rw ipv4-prefix inet:ipv4-prefix | | {siit or nat64 or clat}?
| | +--rw ipv6-prefix inet:ipv6-prefix | | +--rw nat64-prefix inet:ipv6-prefix
| +--rw nat64-prefixes* [nat64-prefix] | | +--rw destination-ipv4-prefix* [ipv4-prefix]
| | {siit or nat64 or clat}? | | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw nat64-prefix inet:ipv6-prefix | | +--rw stateless-enable? boolean
| | +--rw destination-ipv4-prefix* [ipv4-prefix] | +--rw external-ip-address-pool* [pool-id]
| | | +--rw ipv4-prefix inet:ipv4-prefix
| | +--rw stateless-enable? boolean
| +--rw external-ip-address-pool* [pool-id]
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id uint32
| | +--rw external-ip-pool inet:ipv4-prefix
| +--rw port-set-restrict {napt44 or nat64}?
| | +--rw (port-type)?
| | +--:(port-range)
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--:(port-set-algo)
| | +--rw psid-offset? uint8
| | +--rw psid-len uint8
| | +--rw psid uint16
| +--rw dst-nat-enable? boolean
| | {basic-nat44 or napt44}?
| +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
| | +--rw pool-id uint32
| | +--rw dst-in-ip-pool? inet:ip-prefix
| | +--rw dst-out-ip-pool inet:ip-prefix
| +--rw transport-protocols* [protocol-id]
| | {napt44 or nat64 or dst-nat}?
| | +--rw protocol-id uint8
| | +--rw protocol-name? string
| +--rw subscriber-mask-v6? uint8
| +--rw subscriber-match* [match-id]
| | {basic-nat44 or napt44 or dst-nat}?
| | +--rw match-id uint32
| | +--rw subnet inet:ip-prefix
| +--rw address-allocation-type? enumeration
| +--rw port-allocation-type? enumeration
| | {napt44 or nat64}?
| +--rw mapping-type? enumeration
| | {napt44 or nat64}?
| +--rw filtering-type? enumeration
| | {napt44 or nat64}?
| +--rw fragment-behavior? enumeration
| | {napt44 or nat64}?
| +--rw port-quota* [quota-type] {napt44 or nat64}?
| | +--rw port-limit? uint16
| | +--rw quota-type uint8
| +--rw port-set {napt44 or nat64}?
| | +--rw port-set-size uint16
| | +--rw port-set-timeout? uint32
| +--rw timers {napt44 or nat64}?
| | +--rw udp-timeout? uint32
| | +--rw tcp-idle-timeout? uint32
| | +--rw tcp-trans-open-timeout? uint32
| | +--rw tcp-trans-close-timeout? uint32
| | +--rw tcp-in-syn-timeout? uint32
| | +--rw fragment-min-timeout? uint32
| | +--rw icmp-timeout? uint32
| | +--rw per-port-timeout* [port-number]
| | | +--rw port-number inet:port-number
| | | +--rw timeout uint32
| | +--rw hold-down-timeout? uint32
| | +--rw hold-down-max? uint32
| +--rw fragments-limit? uint32
| +--rw algs* [name]
| | +--rw name string
| | +--rw transport-protocol? uint32
| | +--rw dst-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw src-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw status? boolean
| +--rw all-algs-enable? boolean
| +--rw notify-pool-usage
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id? uint32
| | +--rw high-threshold? percent
| | +--rw low-threshold? percent
| | +--rw notify-interval? uint32
| +--rw external-realm
| +--rw (realm-type)?
| +--:(interface)
| +--rw external-interface? if:interface-ref
+--rw mapping-limits {napt44 or nat64}?
| +--rw limit-subscribers? uint32
| +--rw limit-address-mapings? uint32
| +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64 or dst-nat}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw connection-limits
| {basic-nat44 or napt44 or nat64}?
| +--rw limit-per-subscriber? uint32
| +--rw limit-per-instance uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw notification-limits
| +--rw notify-interval? uint32
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-addresses-usage? percent
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-ports-usage? percent
| | {napt44 or nat64}?
| +--rw notify-subscribers-limit? uint32
| {basic-nat44 or napt44 or nat64}?
+--rw logging-enable? boolean
| {basic-nat44 or napt44 or nat64}?
+--rw mapping-table
| {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
| +--rw mapping-entry* [index]
| +--rw index uint32
| +--rw type? enumeration
| +--rw transport-protocol? uint8
| +--rw internal-src-address? inet:ip-prefix
| +--rw internal-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-src-address? inet:ip-prefix
| +--rw external-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw internal-dst-address? inet:ip-prefix
| +--rw internal-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-dst-address? inet:ip-prefix
| +--rw external-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw lifetime? uint32
+--ro statistics
+--ro discontinuity-time yang:date-and-time
+--ro traffic-statistics
| +--ro sent-packets?
| | yang:zero-based-counter64
| +--ro sent-bytes?
| | yang:zero-based-counter64
| +--ro rcvd-packets?
| | yang:zero-based-counter64
| +--ro rcvd-bytes?
| | yang:zero-based-counter64
| +--ro dropped-packets?
| | yang:zero-based-counter64
| +--ro dropped-bytes?
| | yang:zero-based-counter64
| +--ro dropped-fragments?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-address-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-limit-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-port-limit-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-limit-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-subscriber-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-subscriber-limit-bytes?
| yang:zero-based-counter64
| {basic-nat44 or napt44 or nat64}?
+--ro mappings-statistics
| +--ro total-active-subscribers? yang:gauge32
| | {basic-nat44 or napt44 or nat64}?
| +--ro total-address-mappings? yang:gauge32
| | {basic-nat44 or napt44 or nat64 or clat or dst-nat}?
| +--ro total-port-mappings? yang:gauge32
| | {napt44 or nat64}?
| +--ro total-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--ro protocol-id uint8
| +--ro total? yang:gauge32
+--ro pools-stats {basic-nat44 or napt44 or nat64}?
+--ro addresses-allocated? yang:gauge32
+--ro addresses-free? yang:gauge32
+--ro ports-stats {napt44 or nat64}?
| +--ro ports-allocated? yang:gauge32
| +--ro ports-free? yang:gauge32
+--ro per-pool-stats* [pool-id]
{basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time
+--ro pool-stats
| +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32
draft-ietf-opsawg-nat-yang-11.txt
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id uint32
| | +--rw external-ip-pool inet:ipv4-prefix
| +--rw port-set-restrict {napt44 or nat64}?
| | +--rw (port-type)?
| | +--:(port-range)
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--:(port-set-algo)
| | +--rw psid-offset? uint8
| | +--rw psid-len uint8
| | +--rw psid uint16
| +--rw dst-nat-enable? boolean
| | {basic-nat44 or napt44}?
| +--rw dst-ip-address-pool* [pool-id] {dst-nat}?
| | +--rw pool-id uint32
| | +--rw dst-in-ip-pool? inet:ip-prefix
| | +--rw dst-out-ip-pool inet:ip-prefix
| +--rw transport-protocols* [protocol-id]
| | {napt44 or nat64 or dst-nat}?
| | +--rw protocol-id uint8
| | +--rw protocol-name? string
| +--rw subscriber-mask-v6? uint8
| +--rw subscriber-match* [match-id]
| | {basic-nat44 or napt44 or dst-nat}?
| | +--rw match-id uint32
| | +--rw subnet inet:ip-prefix
| +--rw address-allocation-type? enumeration
| +--rw port-allocation-type? enumeration
| | {napt44 or nat64}?
| +--rw mapping-type? enumeration
| | {napt44 or nat64}?
| +--rw filtering-type? enumeration
| | {napt44 or nat64}?
| +--rw fragment-behavior? enumeration
| | {napt44 or nat64}?
| +--rw port-quota* [quota-type] {napt44 or nat64}?
| | +--rw port-limit? uint16
| | +--rw quota-type uint8
| +--rw port-set {napt44 or nat64}?
| | +--rw port-set-size uint16
| | +--rw port-set-timeout? uint32
| +--rw timers {napt44 or nat64}?
| | +--rw udp-timeout? uint32
| | +--rw tcp-idle-timeout? uint32
| | +--rw tcp-trans-open-timeout? uint32
| | +--rw tcp-trans-close-timeout? uint32
| | +--rw tcp-in-syn-timeout? uint32
| | +--rw fragment-min-timeout? uint32
| | +--rw icmp-timeout? uint32
| | +--rw per-port-timeout* [port-number]
| | | +--rw port-number inet:port-number
| | | +--rw timeout uint32
| | +--rw hold-down-timeout? uint32
| | +--rw hold-down-max? uint32
| +--rw fragments-limit? uint32
| +--rw algs* [name]
| | +--rw name string
| | +--rw transport-protocol? uint32
| | +--rw dst-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw src-transport-port
| | | +--rw start-port-number? inet:port-number
| | | +--rw end-port-number? inet:port-number
| | +--rw status? boolean
| +--rw all-algs-enable? boolean
| +--rw notify-pool-usage
| | {basic-nat44 or napt44 or nat64}?
| | +--rw pool-id? uint32
| | +--rw high-threshold? percent
| | +--rw low-threshold? percent
| | +--rw notify-interval? uint32
| +--rw external-realm
| +--rw (realm-type)?
| +--:(interface)
| +--rw external-interface? if:interface-ref
+--rw mapping-limits {napt44 or nat64}?
| +--rw limit-subscribers? uint32
| +--rw limit-address-mapings? uint32
| +--rw limit-port-mappings? uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64 or dst-nat}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw connection-limits
| {basic-nat44 or napt44 or nat64}?
| +--rw limit-per-subscriber? uint32
| +--rw limit-per-instance uint32
| +--rw limit-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--rw protocol-id uint8
| +--rw limit? uint32
+--rw notification-limits
| +--rw notify-interval? uint32
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-addresses-usage? percent
| | {basic-nat44 or napt44 or nat64}?
| +--rw notify-ports-usage? percent
| | {napt44 or nat64}?
| +--rw notify-subscribers-limit? uint32
| {basic-nat44 or napt44 or nat64}?
+--rw logging-enable? boolean
| {basic-nat44 or napt44 or nat64}?
+--rw mapping-table
| +--rw mapping-entry* [index]
| +--rw index uint32
| +--rw type? enumeration
| +--rw transport-protocol? uint8
| +--rw internal-src-address? inet:ip-prefix
| +--rw internal-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-src-address? inet:ip-prefix
| +--rw external-src-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw internal-dst-address? inet:ip-prefix
| +--rw internal-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw external-dst-address? inet:ip-prefix
| +--rw external-dst-port
| | +--rw start-port-number? inet:port-number
| | +--rw end-port-number? inet:port-number
| +--rw lifetime? uint32
+--ro statistics
+--ro discontinuity-time yang:date-and-time
+--ro traffic-statistics
| +--ro sent-packets?
| | yang:zero-based-counter64
| +--ro sent-bytes?
| | yang:zero-based-counter64
| +--ro rcvd-packets?
| | yang:zero-based-counter64
| +--ro rcvd-bytes?
| | yang:zero-based-counter64
| +--ro dropped-packets?
| | yang:zero-based-counter64
| +--ro dropped-bytes?
| | yang:zero-based-counter64
| +--ro dropped-fragments?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-address-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-limit-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-address-bytes?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-port-limit-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-limit-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-packets?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-port-bytes?
| | yang:zero-based-counter64
| | {napt44 or nat64}?
| +--ro dropped-subscriber-limit-packets?
| | yang:zero-based-counter64
| | {basic-nat44 or napt44 or nat64}?
| +--ro dropped-subscriber-limit-bytes?
| yang:zero-based-counter64
| {basic-nat44 or napt44 or nat64}?
+--ro mappings-statistics
| +--ro total-active-subscribers? yang:gauge32
| | {basic-nat44 or napt44 or nat64}?
| +--ro total-address-mappings? yang:gauge32
| +--ro total-port-mappings? yang:gauge32
| | {napt44 or nat64}?
| +--ro total-per-protocol* [protocol-id]
| {napt44 or nat64}?
| +--ro protocol-id uint8
| +--ro total? yang:gauge32
+--ro pools-stats {basic-nat44 or napt44 or nat64}?
+--ro addresses-allocated? yang:gauge32
+--ro addresses-free? yang:gauge32
+--ro ports-stats {napt44 or nat64}?
| +--ro ports-allocated? yang:gauge32
| +--ro ports-free? yang:gauge32
+--ro per-pool-stats* [pool-id]
{basic-nat44 or napt44 or nat64}?
+--ro pool-id uint32
+--ro discontinuity-time yang:date-and-time
+--ro pool-stats
| +--ro addresses-allocated? yang:gauge32
| +--ro addresses-free? yang:gauge32
+--ro port-stats {napt44 or nat64}?
+--ro ports-allocated? yang:gauge32
+--ro ports-free? yang:gauge32
notifications: notifications:
+---n nat-pool-event {basic-nat44 or napt44 or nat64}? +---n nat-pool-event {basic-nat44 or napt44 or nat64}?
| +--ro id -> /nat/instances/instance/id | +--ro id -> /nat/instances/instance/id
| +--ro policy-id? | +--ro policy-id?
| | -> /nat/instances/instance/policy/id | | -> /nat/instances/instance/policy/id
| +--ro pool-id leafref | +--ro pool-id leafref
| +--ro notify-pool-threshold percent | +--ro notify-pool-threshold percent
+---n nat-instance-event {basic-nat44 or napt44 or nat64}? +---n nat-instance-event {basic-nat44 or napt44 or nat64}?
+--ro id +--ro id
| -> /nat/instances/instance/id | -> /nat/instances/instance/id
+--ro notify-subscribers-threshold? uint32 +--ro notify-subscribers-threshold? uint32
+--ro notify-addresses-threshold? percent +--ro notify-addresses-threshold? percent
+--ro notify-ports-threshold? percent +--ro notify-ports-threshold? percent
3. NAT YANG Module 3. NAT YANG Module
<CODE BEGINS> file "ietf-nat@2017-11-16.yang" <CODE BEGINS> file "ietf-nat@2018-02-06.yang"
module ietf-nat { module ietf-nat {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
//namespace to be assigned by IANA //namespace to be assigned by IANA
prefix "nat"; prefix "nat";
import ietf-inet-types { prefix inet; } import ietf-inet-types { prefix inet; }
import ietf-yang-types { prefix yang; } import ietf-yang-types { prefix yang; }
skipping to change at page 23, line 22 skipping to change at page 22, line 16
<mailto:sureshk@juniper.net> <mailto:sureshk@juniper.net>
Editor: Qin Wu Editor: Qin Wu
<mailto:bill.wu@huawei.com>"; <mailto:bill.wu@huawei.com>";
description description
"This module is a YANG module for NAT implementations. "This module is a YANG module for NAT implementations.
NAT44, Network Address and Protocol Translation from IPv6 NAT44, Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings Stateless IP/ICMP Translation (SIIT), and Explicit Address Mappings
for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network for Stateless IP/ICMP Translation (SIIT EAM) are covered.
Prefix Translation (NPTv6) are covered.
Copyright (c) 2017 IETF Trust and the persons identified as Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-11-16 { revision 2018-02-06 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: A YANG Data Model for Network Address Translation "RFC XXXX: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT)";
} }
/* /*
* Definitions * Definitions
*/ */
typedef percent { typedef percent {
type uint8 { type uint8 {
range "0 .. 100"; range "0 .. 100";
} }
skipping to change at page 26, line 4 skipping to change at page 24, line 45
Translation"; Translation";
} }
feature eam { feature eam {
description description
"Explicit Address Mapping (EAM) is a bidirectional coupling "Explicit Address Mapping (EAM) is a bidirectional coupling
between an IPv4 Prefix and an IPv6 Prefix."; between an IPv4 Prefix and an IPv6 Prefix.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
}
feature nptv6 {
description
"NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
prefix translation.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
} }
/* /*
* Identities * Identities
*/ */
identity nat-type { identity nat-type {
description description
"Base identity for nat type."; "Base identity for nat type.";
} }
skipping to change at page 27, line 34 skipping to change at page 26, line 19
identity eam { identity eam {
base nat:nat-type; base nat:nat-type;
description description
"Identity for EAM support."; "Identity for EAM support.";
reference reference
"RFC 7757: Explicit Address Mappings for Stateless IP/ICMP "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
Translation"; Translation";
} }
identity nptv6 {
base nat:nat-type;
description
"Identity for NPTv6 support.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
/* /*
* Grouping * Grouping
*/ */
grouping port-number { grouping port-number {
description description
"Individual port or a range of ports. "Individual port or a range of ports.
When only start-port-number is present, When only start-port-number is present,
it represents a single port."; it represents a single port.";
skipping to change at page 42, line 21 skipping to change at page 40, line 46
provided to an application that makes provided to an application that makes
use of literals."; use of literals.";
reference reference
"RFC 6877: 464XLAT: Combination of Stateful and Stateless "RFC 6877: 464XLAT: Combination of Stateful and Stateless
Translation"; Translation";
} }
} }
} }
list nptv6-prefixes {
if-feature nptv6;
key internal-ipv6-prefix ;
description
"Provides one or a list of (internal IPv6 prefix,
external IPv6 prefix) required for NPTv6.
In its simplest form, NPTv6 interconnects two network
links, one of which is an 'internal' network link
attached to a leaf network within a single
administrative domain and the other of which is an
'external' network with connectivity to the global
Internet.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
leaf internal-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by an internal interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
leaf external-ipv6-prefix {
type inet:ipv6-prefix;
mandatory true;
description
"An IPv6 prefix used by the external interface of NPTv6.";
reference
"RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
}
}
list eam { list eam {
if-feature eam; if-feature eam;
key ipv4-prefix; key ipv4-prefix;
description description
"The Explicit Address Mapping Table, a conceptual "The Explicit Address Mapping Table, a conceptual
table in which each row represents an EAM. table in which each row represents an EAM.
Each EAM describes a mapping between IPv4 and IPv6 Each EAM describes a mapping between IPv4 and IPv6
prefixes/addresses."; prefixes/addresses.";
reference reference
skipping to change at page 46, line 17 skipping to change at page 44, line 6
leaf pool-id { leaf pool-id {
type uint32; type uint32;
description description
"An identifier of the address pool."; "An identifier of the address pool.";
} }
leaf dst-in-ip-pool { leaf dst-in-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
description description
"Is used to identify an internal IP prefix/address "Is used to identify an internal destination
to be translated."; IP prefix/address to be translated.";
} }
leaf dst-out-ip-pool { leaf dst-out-ip-pool {
type inet:ip-prefix; type inet:ip-prefix;
mandatory true; mandatory true;
description description
"IP address/prefix used for destination NAT."; "IP address/prefix used for destination NAT.";
} }
} }
skipping to change at page 63, line 22 skipping to change at page 61, line 14
leaf logging-enable { leaf logging-enable {
if-feature "basic-nat44 or napt44 or nat64"; if-feature "basic-nat44 or napt44 or nat64";
type boolean; type boolean;
description description
"Enable logging features."; "Enable logging features.";
reference reference
"Section 2.3 of RFC 6908 and REQ-12 of RFC6888."; "Section 2.3 of RFC 6908 and REQ-12 of RFC6888.";
} }
container mapping-table { container mapping-table {
if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat";
description description
"NAT mapping table. Applicable for functions which maintain "NAT mapping table. Applicable for functions which maintain
static and/or dynamic mappings, such as NAT44, Destination static and/or dynamic mappings, such as NAT44, Destination
NAT, NAT64, or CLAT."; NAT, NAT64, or CLAT.";
list mapping-entry { list mapping-entry {
key "index"; key "index";
description "NAT mapping entry."; description "NAT mapping entry.";
uses mapping-entry; uses mapping-entry;
} }
skipping to change at page 67, line 13 skipping to change at page 64, line 51
description description
"Total number of active subscribers (that is, "Total number of active subscribers (that is,
subscribers for which the NAT maintains active subscribers for which the NAT maintains active
mappings. mappings.
A subscriber is identified by a subnet, A subscriber is identified by a subnet,
subscriber-mask, etc."; subscriber-mask, etc.";
} }
leaf total-address-mappings { leaf total-address-mappings {
if-feature "basic-nat44 or napt44 " +
"or nat64 or clat or dst-nat";
type yang:gauge32; type yang:gauge32;
description description
"Total number of address mappings present at a given "Total number of address mappings present at a given
time. It includes both static and dynamic mappings."; time. It includes both static and dynamic mappings.";
reference reference
"Section 3.3.8 of RFC 7659"; "Section 3.3.8 of RFC 7659";
} }
leaf total-port-mappings { leaf total-port-mappings {
if-feature "napt44 or nat64"; if-feature "napt44 or nat64";
skipping to change at page 70, line 51 skipping to change at page 68, line 38
type leafref { type leafref {
path "/nat/instances/instance/policy/id"; path "/nat/instances/instance/policy/id";
} }
description description
"Policy Identifier."; "Policy Identifier.";
} }
leaf pool-id { leaf pool-id {
type leafref { type leafref {
path path "/nat/instances/instance/policy/" +
"/nat/instances/instance/policy/" "external-ip-address-pool/pool-id";
+ "external-ip-address-pool/pool-id";
} }
mandatory true; mandatory true;
description description
"Pool Identifier."; "Pool Identifier.";
} }
leaf notify-pool-threshold { leaf notify-pool-threshold {
type percent; type percent;
mandatory true; mandatory true;
description description
skipping to change at page 72, line 4 skipping to change at page 69, line 39
type percent; type percent;
description description
"The notify-addresses-usage threshold has been fired."; "The notify-addresses-usage threshold has been fired.";
} }
leaf notify-ports-threshold { leaf notify-ports-threshold {
type percent; type percent;
description description
"The notify-ports-usage threshold has been fired."; "The notify-ports-usage threshold has been fired.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. Security Considerations 4. Security Considerations
Security considerations related to address and prefix translation are Security considerations related to address and prefix translation are
discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and discussed in [RFC6888], [RFC6146], [RFC6877], and [RFC7757].
[RFC6296].
The YANG module defined in this document is designed to be accessed The YANG module defined in this document is designed to be accessed
via network management protocols such as NETCONF [RFC6241] or via network management protocols such as NETCONF [RFC6241] or
RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport
layer, and the mandatory-to-implement secure transport is Secure layer, and the mandatory-to-implement secure transport is Secure
Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS [RFC5246]. mandatory-to-implement secure transport is TLS [RFC5246].
The NETCONF access control model [RFC6536] provides the means to The NETCONF access control model [RFC6536] provides the means to
restrict access for particular NETCONF or RESTCONF users to a restrict access for particular NETCONF or RESTCONF users to a
skipping to change at page 74, line 20 skipping to change at page 72, line 7
6. Acknowledgements 6. Acknowledgements
Many thanks to Dan Wing and Tianran Zhou for the review. Many thanks to Dan Wing and Tianran Zhou for the review.
Thanks to Juergen Schoenwaelder for the comments on the YANG Thanks to Juergen Schoenwaelder for the comments on the YANG
structure and the suggestion to use NMDA. Mahesh Jethanandani structure and the suggestion to use NMDA. Mahesh Jethanandani
provided useful comments. provided useful comments.
Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred
Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and
Kristian Poscic for the CGN review. Kristian Poscic for the CGN review. Tim Chown proposed to publish
the NPTv6 part of the YANG module as a separate document to avoid the
conflict between the intended status of this document and the one of
the NPTv6 specification (Experimental).
Special thanks to Maros Marsalek and Marek Gradzki for sharing their Special thanks to Maros Marsalek and Marek Gradzki for sharing their
comments based on the FD.io implementation of an earlier version of comments based on the FD.io implementation of an earlier version of
this module. this module.
Rajiv Asati suggested to clarify how the module applies for both Rajiv Asati suggested to clarify how the module applies for both
stateless and stateful NAT64. stateless and stateful NAT64.
Juergen Schoenwaelder provided an early yangdoctors review. Many Juergen Schoenwaelder provided an early yangdoctors review. Many
thanks to him. thanks to him.
Thanks to Roni Even and Mach Chen for the directorates review. Igor Thanks to Roni Even, Mach Chen, and Tim Chown for the directorates
Ryzhov identified a nit in one example. review. Igor Ryzhov identified a nit in one example.
7. References 7. References
7.1. Normative References 7.1. Normative References
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
skipping to change at page 75, line 34 skipping to change at page 73, line 24
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>. <https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>. <https://www.rfc-editor.org/info/rfc6242>.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011,
<https://www.rfc-editor.org/info/rfc6296>.
[RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration
Protocol (NETCONF) Access Control Model", RFC 6536, Protocol (NETCONF) Access Control Model", RFC 6536,
DOI 10.17487/RFC6536, March 2012, DOI 10.17487/RFC6536, March 2012,
<https://www.rfc-editor.org/info/rfc6536>. <https://www.rfc-editor.org/info/rfc6536>.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface Operation of Address Translators with Per-Interface
Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012,
<https://www.rfc-editor.org/info/rfc6619>. <https://www.rfc-editor.org/info/rfc6619>.
skipping to change at page 77, line 7 skipping to change at page 74, line 45
7.2. Informative References 7.2. Informative References
[I-D.boucadair-pcp-yang] [I-D.boucadair-pcp-yang]
Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Boucadair, M., Jacquenet, C., Sivakumar, S., and S.
Vinapamula, "YANG Modules for the Port Control Protocol Vinapamula, "YANG Modules for the Port Control Protocol
(PCP)", draft-boucadair-pcp-yang-05 (work in progress), (PCP)", draft-boucadair-pcp-yang-05 (work in progress),
October 2017. October 2017.
[I-D.ietf-netmod-yang-tree-diagrams] [I-D.ietf-netmod-yang-tree-diagrams]
Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft- Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft-
ietf-netmod-yang-tree-diagrams-04 (work in progress), ietf-netmod-yang-tree-diagrams-05 (work in progress),
December 2017. January 2018.
[I-D.ietf-softwire-dslite-yang] [I-D.ietf-softwire-dslite-yang]
Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG
Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf-
softwire-dslite-yang-14 (work in progress), January 2018. softwire-dslite-yang-14 (work in progress), January 2018.
[I-D.ietf-tsvwg-natsupp] [I-D.ietf-tsvwg-natsupp]
Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control
Transmission Protocol (SCTP) Network Address Translation Transmission Protocol (SCTP) Network Address Translation
Support", draft-ietf-tsvwg-natsupp-11 (work in progress), Support", draft-ietf-tsvwg-natsupp-11 (work in progress),
skipping to change at page 79, line 5 skipping to change at page 77, line 5
Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the Traditional NAT44 is a Basic NAT44 or NAPT that is used to share the
same IPv4 address among hosts that are owned by the same subscriber. same IPv4 address among hosts that are owned by the same subscriber.
This is typically the NAT that is embedded in CPE devices. This is typically the NAT that is embedded in CPE devices.
This NAT is usually provided with one single external IPv4 address; This NAT is usually provided with one single external IPv4 address;
disambiguating connections is achieved by rewriting the source port disambiguating connections is achieved by rewriting the source port
number. The XML snippet to configure the external IPv4 address in number. The XML snippet to configure the external IPv4 address in
such case together with a mapping entry is depicted below: such case together with a mapping entry is depicted below:
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>NAT_Subscriber_A</name> <name>NAT_Subscriber_A</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.1 198.51.100.1/32
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
.... ....
<mapping-table> <mapping-table>
.... ....
<external-src-address> <external-src-address>
192.0.2.1 198.51.100.1/32
</external-src-address> </external-src-address>
.... ....
</mapping-table> </mapping-table>
</instance> </instance>
</instances> </instances>
The following shows the XML excerpt depicting a dynamic UDP mapping The following shows the XML excerpt depicting a dynamic UDP mapping
entry maintained by a traditional NAPT44. In reference to this entry maintained by a traditional NAPT44. In reference to this
example, the UDP packet received with a source IPv4 address example, the UDP packet received with a source IPv4 address
(192.0.2.1) and source port number (1568) is translated into a UDP (192.0.2.1) and source port number (1568) is translated into a UDP
packet having a source IPv4 address (198.51.100.1) and source port packet having a source IPv4 address (198.51.100.1) and source port
(15000). The remaining lifetime of this mapping is 300 seconds. (15000). The remaining lifetime of this mapping is 300 seconds.
<mapping-entry> <mapping-entry>
<index>15</index> <index>15</index>
<type> <type>
dynamic-explicit dynamic-explicit
</type> </type>
<transport-protocol> <transport-protocol>
17 17
</transport-protocol> </transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1/32
</internal-src-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
1568 1568
</start-port-number> </start-port-number>
</internal-src-port> </internal-src-port>
<external-src-address> <external-src-address>
198.51.100.1 198.51.100.1/32
</external-src-address> </external-src-address>
<external-src-port> <external-src-port>
<start-port-number> <start-port-number>
15000 15000
</start-port-number> </start-port-number>
</external-src-port> </external-src-port>
<lifetime> <lifetime>
300 300
</lifetime> </lifetime>
</mapping-entry> </mapping-entry>
A.2. Carrier Grade NAT (CGN) A.2. Carrier Grade NAT (CGN)
The following XML snippet shows the example of the capabilities The following XML snippet shows the example of the capabilities
supported by a CGN as retrieved using NETCONF. supported by a CGN as retrieved using NETCONF.
<capabilities <capabilities
<nat-flavor> <nat-flavor>
skipping to change at page 82, line 6 skipping to change at page 80, line 6
</endpoint-independent-filtering-support> </endpoint-independent-filtering-support>
<address-dependent-filtering> <address-dependent-filtering>
false false
</address-dependent-filtering> </address-dependent-filtering>
<address-and-port-dependent-filtering> <address-and-port-dependent-filtering>
false false
</address-and-port-dependent-filtering> </address-and-port-dependent-filtering>
</capabilities> </capabilities>
The following XML snippet shows the example of a CGN that is The following XML snippet shows the example of a CGN that is
provisioned with one contiguous pool of external IPv4 addresses provisioned with one contiguous pool of external IPv4 addresses
(192.0.2.0/24). Further, the CGN is instructed to limit the number (198.51.100.0/24). Further, the CGN is instructed to limit the
of allocated ports per subscriber to 1024. Ports can be allocated by number of allocated ports per subscriber to 1024. Ports can be
the CGN by assigning ranges of 256 ports (that is, a subscriber can allocated by the CGN by assigning ranges of 256 ports (that is, a
be allocated up to four port ranges of 256 ports each). subscriber can be allocated up to four port ranges of 256 ports
each).
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>myCGN</name> <name>myCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
<port-limit> <port-limit>
1024 1024
</port-limit> </port-limit>
<quota-type> <quota-type>
all all
</quota-type> </quota-type>
</port-quota> </port-quota>
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
256 256
</port-set-size> </port-set-size>
</port-set> </port-set>
.... ....
</instance> </instance>
</instances> </instances>
An administrator may decide to allocate one single port range per An administrator may decide to allocate one single port range per
subscriber (port range of 1024 ports) as shown below: subscriber (port range of 1024 ports) as shown below:
<instances> <instances>
<instance> <instance>
<id>1</id> <id>1</id>
<name>myotherCGN</name> <name>myotherCGN</name>
.... ....
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
192.0.2.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
<port-quota> <port-quota>
<port-limit> <port-limit>
1024 1024
</port-limit> </port-limit>
<quota-type> <quota-type>
all all
</quota-type> </quota-type>
</port-quota> </port-quota>
<port-allocation-type> <port-allocation-type>
port-range-allocation port-range-allocation
</port-allocation-type> </port-allocation-type>
<port-set> <port-set>
<port-set-size> <port-set-size>
1024 1024
</port-set-size> </port-set-size>
.... ....
</port-set> </port-set>
.... ....
</instance> </instance>
</instances> </instances>
A.3. CGN Pass-Through A.3. CGN Pass-Through
Figure 1 illustrates an example of the CGN pass-through feature. Figure 1 illustrates an example of the CGN pass-through feature.
X1:x1 X1':x1' X2:x2 X1:x1 X1':x1' X2:x2
+---+from X1:x1 +---+from X1:x1 +---+ +---+from X1:x1 +---+from X1:x1 +---+
| C | to X2:x2 | | to X2:x2 | S | | C | to X2:x2 | | to X2:x2 | S |
| l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e |
| i | | G | | r | | i | | G | | r |
| e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v |
| n |from X2:x2 | |from X2:x2 | e | | n |from X2:x2 | |from X2:x2 | e |
| t | to X1:x1 | | to X1:x1 | r | | t | to X1:x1 | | to X1:x1 | r |
+---+ +---+ +---+ +---+ +---+ +---+
Figure 1: CGN Pass-Through Figure 1: CGN Pass-Through
For example, in order to disable NAT for communications issued by the For example, in order to disable NAT for communications issued by the
client (192.0.2.25), the following configuration parameter must be client (192.0.2.1), the following configuration parameter must be
set: set:
<nat-pass-through> <nat-pass-through>
... ...
<prefix>192.0.2.25</prefix> <prefix>192.0.2.1/32</prefix>
... ...
</nat-pass-through> </nat-pass-through>
A.4. NAT64 A.4. NAT64
Let's consider the example of a NAT64 that should use Let's consider the example of a NAT64 that should use
2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052].
The XML snippet to configure the NAT64 prefix in such case is The XML snippet to configure the NAT64 prefix in such case is
depicted below: depicted below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
Let's now consider the example of a NAT64 that should use Let's now consider the example of a NAT64 that should use
2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if 2001:db8:122::/48 to perform IPv6 address synthesis [RFC6052] only if
the destination address matches 198.51.100.0/24. The XML snippet to the destination address matches 198.51.100.0/24. The XML snippet to
configure the NAT64 prefix in such case is shown below: configure the NAT64 prefix in such case is shown below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122::/48 2001:db8:122::/48
</nat64-prefix> </nat64-prefix>
<destination-ipv4-prefix> <destination-ipv4-prefix>
<ipv4-prefix> <ipv4-prefix>
198.51.100.0/24 198.51.100.0/24
</ipv4-prefix> </ipv4-prefix>
</destination-ipv4-prefix> </destination-ipv4-prefix>
</nat64-prefixes> </nat64-prefixes>
A.5. Stateless IP/ICMP Translation (SIIT) A.5. Stateless IP/ICMP Translation (SIIT)
Let's consider the example of a stateless translator that is Let's consider the example of a stateless translator that is
configured with 2001:db8:100::/40 to perform IPv6 address synthesis configured with 2001:db8:100::/40 to perform IPv6 address synthesis
[RFC6052]. Similar to the NAT64 case, the XML snippet to configure [RFC6052]. Similar to the NAT64 case, the XML snippet to configure
the NAT64 prefix in such case is depicted below: the NAT64 prefix in such case is depicted below:
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:100::/40 2001:db8:100::/40
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
When the translator receives an IPv6 packet, for example, with a When the translator receives an IPv6 packet, for example, with a
source address (2001:db8:1c0:2:21::) and destination address source address (2001:db8:1c0:2:21::) and destination address
(2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses (2001:db8:1c6:3364:2::), it extracts embedded IPv4 addresses
following RFC6052 rules with 2001:db8:100::/40 as the NSP: following RFC6052 rules with 2001:db8:100::/40 as the NSP:
o 192.0.2.33 is extracted from 2001:db8:1c0:2:21:: o 192.0.2.33 is extracted from 2001:db8:1c0:2:21::
o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2:: o 198.51.100.2 is extracted from 2001:db8:1c6:3364:2::
skipping to change at page 85, line 31 skipping to change at page 83, line 31
the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will the IP/ICMP Translation Algorithm [RFC7915]. The IPv4 packets will
include 192.0.2.33 as the source address and 198.51.100.2 as the include 192.0.2.33 as the source address and 198.51.100.2 as the
destination address. destination address.
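The extraction described above, as an added example that is not part of the draft: a Python implementation of RFC 6052 address synthesis and extraction, generalized to all six prefix lengths the RFC allows, with the checks a translator should apply before trusting an embedded IPv4 address (the address lies inside the NSP and the 'u' octet is zero). The sample addresses are the draft's; the function names are assumptions of this example.

```python
import ipaddress

# Prefix lengths RFC 6052 (Section 2.2) allows for IPv4-embedded IPv6 addresses.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
# Layout: the IPv4 address starts right after the prefix; for prefixes shorter
# than /64 it is split around the 'u' octet (bits 64..71), which must be zero;
# /64 places it at bits 72..103 and /96 at bits 96..127.  Python ints are
# MSB-first, so address bit b lives at integer bit (127 - b).

def _nsp(nsp: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(nsp, strict=False)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net

def synthesize_ipv6(ipv4: str, nsp: str) -> str:
    """IPv4-embedded IPv6 address for ipv4 under the NSP (RFC 6052 Section 2.2)."""
    net = _nsp(nsp)
    plen = net.prefixlen
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(net.network_address)
    if plen == 96:
        return str(ipaddress.IPv6Address(addr | v4))
    if plen == 64:
        return str(ipaddress.IPv6Address(addr | (v4 << (128 - 104))))
    high_bits = 64 - plen              # IPv4 bits placed before the 'u' octet
    low_bits = 32 - high_bits          # IPv4 bits placed from bit 72 onward
    addr |= (v4 >> low_bits) << 64
    addr |= (v4 & ((1 << low_bits) - 1)) << (128 - 72 - low_bits)
    return str(ipaddress.IPv6Address(addr))

def extract_ipv4(ipv6: str, nsp: str) -> str:
    """Recover the embedded IPv4 address; reject addresses that are not
    well-formed under the NSP (outside the prefix, or non-zero 'u' octet)."""
    net = _nsp(nsp)
    plen = net.prefixlen
    a = ipaddress.IPv6Address(ipv6)
    if a not in net:
        raise ValueError(f"{ipv6} is not within {nsp}")
    n = int(a)
    if plen < 96 and (n >> (128 - 72)) & 0xFF:
        raise ValueError(f"{ipv6}: bits 64..71 must be zero (RFC 6052)")
    if plen == 96:
        v4 = n & 0xFFFFFFFF
    elif plen == 64:
        v4 = (n >> (128 - 104)) & 0xFFFFFFFF
    else:
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high = (n >> 64) & ((1 << high_bits) - 1)
        low = (n >> (128 - 72 - low_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return str(ipaddress.IPv4Address(v4))

def is_rfc6052_embedded(ipv6: str, nsp: str) -> bool:
    """True when ipv6 is a well-formed IPv4-embedded address under nsp."""
    try:
        extract_ipv4(ipv6, nsp)
        return True
    except ValueError:
        return False

def translate_v6_header(src6: str, dst6: str, nsp: str) -> tuple:
    """Source and destination IPv4 addresses the translator writes into the IPv4 header."""
    return extract_ipv4(src6, nsp), extract_ipv4(dst6, nsp)

if __name__ == "__main__":
    # The draft's SIIT example with NSP 2001:db8:100::/40 -> ('192.0.2.33', '198.51.100.2')
    print(translate_v6_header("2001:db8:1c0:2:21::", "2001:db8:1c6:3364:2::",
                              "2001:db8:100::/40"))
```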
Also, a NAT64 can be instructed to behave in stateless mode by Also, a NAT64 can be instructed to behave in stateless mode by
providing the following configuration. The same NAT64 prefix is used providing the following configuration. The same NAT64 prefix is used
for constructing both IPv4-translatable IPv6 addresses and for constructing both IPv4-translatable IPv6 addresses and
IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]). IPv4-converted IPv6 addresses (Section 3.3 of [RFC6052]).
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:122:300::/56 2001:db8:122:300::/56
</nat64-prefix> </nat64-prefix>
<stateless-enable> <stateless-enable>
true true
</stateless-enable> </stateless-enable>
</nat64-prefixes> </nat64-prefixes>
A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM
SIIT) SIIT)
As specified in [RFC7757], an EAM consists of an IPv4 prefix and an As specified in [RFC7757], an EAM consists of an IPv4 prefix and an
IPv6 prefix. Let's consider the set of EAM examples in Figure 2. IPv6 prefix. Let's consider the set of EAM examples in Table 8.
+----------------+----------------------+ +----------------+----------------------+
| IPv4 Prefix | IPv6 Prefix | | IPv4 Prefix | IPv6 Prefix |
+----------------+----------------------+ +----------------+----------------------+
| 192.0.2.1 | 2001:db8:aaaa:: | | 192.0.2.1 | 2001:db8:aaaa:: |
| 192.0.2.2/32 | 2001:db8:bbbb::b/128 | | 192.0.2.2/32 | 2001:db8:bbbb::b/128 |
| 192.0.2.16/28 | 2001:db8:cccc::/124 | | 192.0.2.16/28 | 2001:db8:cccc::/124 |
| 192.0.2.128/26 | 2001:db8:dddd::/64 | | 192.0.2.128/26 | 2001:db8:dddd::/64 |
| 192.0.2.192/29 | 2001:db8:eeee:8::/62 | | 192.0.2.192/29 | 2001:db8:eeee:8::/62 |
| 192.0.2.224/31 | 64:ff9b::/127 | | 192.0.2.224/31 | 64:ff9b::/127 |
+----------------+----------------------+ +----------------+----------------------+
Figure 2: EAM Examples (RFC7757) Table 8: EAM Examples (RFC7757)
The following XML excerpt illustrates how these EAMs can be The following XML excerpt illustrates how these EAMs can be
configured using the YANG NAT module: configured using the YANG NAT module:
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.1 192.0.2.1
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa:: 2001:db8:aaaa::
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.2/32 192.0.2.2/32
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:bbbb::b/128 2001:db8:bbbb::b/128
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.16/28 192.0.2.16/28
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:cccc::/124 2001:db8:cccc::/124
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.128/26 192.0.2.128/26
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:dddd::/64 2001:db8:dddd::/64
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.192/29 192.0.2.192/29
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
2001:db8:eeee:8::/62 2001:db8:eeee:8::/62
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
<eam> <eam>
<ipv4-prefix> <ipv4-prefix>
192.0.2.224/31 192.0.2.224/31
</ipv4-prefix> </ipv4-prefix>
<ipv6-prefix> <ipv6-prefix>
64:ff9b::/127 64:ff9b::/127
</ipv6-prefix> </ipv6-prefix>
</eam> </eam>
EAMs may be enabled jointly with stateful NAT64. This example shows EAMs may be enabled jointly with stateful NAT64. This example shows
a NAT64 function that supports static mappings: a NAT64 function that supports static mappings:
<capabilities> <capabilities>
<nat-flavor> <nat-flavor>
nat64 nat64
</nat-flavor> </nat-flavor>
<static-mapping-support> <static-mapping-support>
true true
</static-mapping-support> </static-mapping-support>
<port-randomization-support> <port-randomization-support>
true true
</port-randomization-support> </port-randomization-support>
<port-range-allocation-support> <port-range-allocation-support>
true true
</port-range-allocation-support> </port-range-allocation-support>
skipping to change at page 89, line 16 skipping to change at page 87, line 16
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate packets issued from 192.0.2.1 and with source ports in the translate packets issued from 192.0.2.1 and with source ports in the
100-500 range to 198.51.100.1:1100-1500. 100-500 range to 198.51.100.1:1100-1500.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1 192.0.2.1/32
</internal-src-address> </internal-src-address>
<internal-src-port> <internal-src-port>
<start-port-number> <start-port-number>
100 100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
500 500
</end-port-number> </end-port-number>
</internal-src-port> </internal-src-port>
<external-src-address> <external-src-address>
198.51.100.1 198.51.100.1/32
</external-src-address> </external-src-address>
<external-src-port> <external-src-port>
<start-port-number> <start-port-number>
1100 1100
</start-port-number> </start-port-number>
<end-port-number> <end-port-number>
1500 1500
</end-port-number> </end-port-number>
</external-src-port> </external-src-port>
... ...
</mapping-entry> </mapping-entry>
A.8. Static Mappings with IP Prefixes A.8. Static Mappings with IP Prefixes
The following example shows a static mapping that instructs a NAT to The following example shows a static mapping that instructs a NAT to
translate TCP packets issued from 192.0.2.1/24 to 198.51.100.1/24. translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24.
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-src-address> <internal-src-address>
192.0.2.1/24 192.0.2.0/24
</internal-src-address> </internal-src-address>
<external-src-address> <external-src-address>
198.51.100.1/24 198.51.100.0/24
</external-src-address> </external-src-address>
... ...
</mapping-entry> </mapping-entry>
A.9. Destination NAT A.9. Destination NAT
The following XML snippet shows an example of a destination NAT that The following XML snippet shows an example of a destination NAT that
is instructed to translate all packets having 192.0.2.1 as a is instructed to translate all packets having 192.0.2.1 as a
destination IP address to 198.51.100.1. destination IP address to 198.51.100.1.
<dst-ip-address-pool> <dst-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<dst-in-ip-pool> <dst-in-ip-pool>
192.0.2.1 192.0.2.1/32
</dst-in-ip-pool> </dst-in-ip-pool>
<dst-out-ip-pool> <dst-out-ip-pool>
198.51.100.1 198.51.100.1/32
</dst-out-ip-pool> </dst-out-ip-pool>
</dst-ip-address-pool> </dst-ip-address-pool>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
'192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet
shows the static mapping to be configured on the NAT: shows the static mapping to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number>80</start-port-number> <start-port-number>80</start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1/32
</external-dst-address> </external-dst-address>
<external-dst-port> <external-dst-port>
<start-port-number>8080</start-port-number> <start-port-number>8080</start-port-number>
</external-dst-port> </external-dst-port>
</mapping-entry> </mapping-entry>
In order to instruct a NAT to translate TCP packets destined to In order to instruct a NAT to translate TCP packets destined to
'192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh
traffic) to 198.51.100.2, the following XML snippet shows the static traffic) to 198.51.100.2, the following XML snippet shows the static
mappings to be configured on the NAT: mappings to be configured on the NAT:
<mapping-entry> <mapping-entry>
<index>1</index> <index>1</index>
<type>static</type> <type>static</type>
<transport-protocol>6</transport-protocol> <transport-protocol>6</transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number> <start-port-number>
80 80
</start-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.1 198.51.100.1/32
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
<mapping-entry> <mapping-entry>
<index>2</index> <index>2</index>
<type>static</type> <type>static</type>
<transport-protocol> <transport-protocol>
6 6
</transport-protocol> </transport-protocol>
<internal-dst-address> <internal-dst-address>
192.0.2.1 192.0.2.1/32
</internal-dst-address> </internal-dst-address>
<internal-dst-port> <internal-dst-port>
<start-port-number> <start-port-number>
22 22
</start-port-number> </start-port-number>
</internal-dst-port> </internal-dst-port>
<external-dst-address> <external-dst-address>
198.51.100.2 198.51.100.2/32
</external-dst-address> </external-dst-address>
... ...
</mapping-entry> </mapping-entry>
The NAT may also be instructed to proceed with both source and The NAT may also be instructed to proceed with both source and
destination NAT. To do so, in addition to the above sample to destination NAT. To do so, in addition to the above sample to
configure destination NAT, the NAT may be provided, for example with configure destination NAT, the NAT may be provided, for example with
a pool of external IP addresses (198.51.100.0/24) to use for source a pool of external IP addresses (198.51.100.0/24) to use for source
address translation. An example of the corresponding XML snippet is address translation. An example of the corresponding XML snippet is
provided hereafter: provided hereafter:
<external-ip-address-pool> <external-ip-address-pool>
<pool-id>1</pool-id> <pool-id>1</pool-id>
<external-ip-pool> <external-ip-pool>
198.51.100.0/24 198.51.100.0/24
</external-ip-pool> </external-ip-pool>
</external-ip-address-pool> </external-ip-address-pool>
Instead of providing an external IP address to share, the NAT may be Instead of providing an external IP address to share, the NAT may be
configured with static mapping entries that modify the internal IP configured with static mapping entries that modify the internal IP
address and/or port number. address and/or port number.
A.10. Customer-side Translator (CLAT) A.10. Customer-side Translator (CLAT)
The following XML snippet shows an example of a CLAT that is The following XML snippet shows an example of a CLAT that is
configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and configured with 2001:db8:1234::/96 as PLAT-side IPv6 prefix and
2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also 2001:db8:aaaa::/96 as CLAT-side IPv6 prefix. The CLAT is also
provided with 192.0.0.1/32 (which is selected from the IPv4 service provided with 192.0.0.1/32 (which is selected from the IPv4 service
continuity prefix defined in [RFC7335]). continuity prefix defined in [RFC7335]).
<clat-ipv6-prefixes> <clat-ipv6-prefixes>
<ipv6-prefix> <ipv6-prefix>
2001:db8:aaaa::/96 2001:db8:aaaa::/96
</ipv6-prefix> </ipv6-prefix>
</clat-ipv6-prefixes> </clat-ipv6-prefixes>
<clat-ipv4-prefixes> <clat-ipv4-prefixes>
<ipv4-prefix> <ipv4-prefix>
192.0.0.1/32 192.0.0.1/32
</ipv4-prefix> </ipv4-prefix>
</clat-ipv4-prefixes> </clat-ipv4-prefixes>
<nat64-prefixes> <nat64-prefixes>
<nat64-prefix> <nat64-prefix>
2001:db8:1234::/96 2001:db8:1234::/96
</nat64-prefix> </nat64-prefix>
</nat64-prefixes> </nat64-prefixes>
A.11. IPv6 Network Prefix Translation (NPTv6)
Let's consider the example of an NPTv6 translator that should rewrite
the source prefix of packets (fd01:203:405::/48) to the external
prefix (2001:db8:1::/48). The internal interface is "eth0" while the
external interface is "eth1".
External Network: Prefix = 2001:db8:1::/48
--------------------------------------
|
|eth1
+-------------+
eth4| NPTv6 |eth2
...-----| |------...
+-------------+
|eth0
|
--------------------------------------
Internal Network: Prefix = fd01:203:405::/48
Example of NPTv6 (RFC6296)
The XML snippet to configure NPTv6 prefixes in such case is depicted
below:
<nptv6-prefixes>
<internal-ipv6-prefix>
fd01:203:405::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:1::/48
</external-ipv6-prefix>
</nptv6-prefixes>
...
<external-realm>
<external-interface>
eth1
</external-interface>
</external-realm>
Figure 3 shows an example of an NPTv6 that interconnects two internal
networks (fd01:203:405::/48 and fd01:4444:5555::/48); each is
translated using a dedicated prefix (2001:db8:1::/48 and
2001:db8:6666::/48, respectively).
Internal Prefix = fd01:4444:5555::/48
--------------------------------------
V | External Prefix
V |eth1 2001:db8:1::/48
V +---------+ ^
V | NPTv6 | ^
V | | ^
V +---------+ ^
External Prefix |eth0 ^
2001:db8:6666::/48 | ^
--------------------------------------
Internal Prefix = fd01:203:405::/48
Figure 3: Connecting two Peer Networks (RFC6296)
To that aim, the following configuration is provided to the NPTv6:
<policy>
<id>1</id>
<nptv6-prefixes>
<internal-ipv6-prefix>
fd01:203:405::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:1::/48
</external-ipv6-prefix>
</nptv6-prefixes>
<external-realm>
<external-interface>
eth1
</external-interface>
</external-realm>
</policy>
<policy>
<id>2</id>
<nptv6-prefixes>
<internal-ipv6-prefix>
fd01:4444:5555::/48
</internal-ipv6-prefix>
<external-ipv6-prefix>
2001:db8:6666::/48
</external-ipv6-prefix>
</nptv6-prefixes>
<external-realm>
<external-interface>
eth0
</external-interface>
</external-realm>
</policy>
Authors' Addresses Authors' Addresses
Mohamed Boucadair Mohamed Boucadair
Orange Orange
Rennes 35000 Rennes 35000
France France
Email: mohamed.boucadair@orange.com Email: mohamed.boucadair@orange.com
Senthil Sivakumar Senthil Sivakumar
Cisco Systems Cisco Systems
 End of changes. 112 change blocks. 
626 lines changed or deleted 456 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/