--- 1/draft-ietf-opsawg-nat-yang-10.txt 2018-02-07 00:13:09.260739076 -0800 +++ 2/draft-ietf-opsawg-nat-yang-11.txt 2018-02-07 00:13:09.416742814 -0800 
@@ -1,68 +1,66 @@ Network Working Group M. Boucadair Internet-Draft Orange Intended status: Standards Track S. Sivakumar -Expires: July 20, 2018 Cisco Systems +Expires: August 10, 2018 Cisco Systems C. Jacquenet Orange S. Vinapamula Juniper Networks Q. Wu Huawei - January 16, 2018 + February 6, 2018 - A YANG Data Model for Network Address Translation (NAT) and Network - Prefix Translation (NPT) - draft-ietf-opsawg-nat-yang-10 + A YANG Module for Network Address Translation (NAT) + draft-ietf-opsawg-nat-yang-11 Abstract For the sake of network automation and the need for programming Network Address Translation (NAT) function in particular, a data model for configuring and managing the NAT is essential. This document defines a YANG module for the NAT function. NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ - ICMP Translation (SIIT EAM), and IPv6 Network Prefix Translation - (NPTv6) are covered in this document. + ICMP Translation (SIIT EAM), and Destination NAT are covered in this + document. Editorial Note (To be removed by RFC Editor) Please update these statements with the RFC number to be assigned to this document: "This version of this YANG module is part of RFC XXXX;" - "RFC XXXX: A YANG Data Model for Network Address Translation (NAT) - and Network Prefix Translation (NPT)"; + "RFC XXXX: A YANG Module for Network Address Translation (NAT)"; "reference: RFC XXXX" Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. 
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 20, 2018. + This Internet-Draft will expire on August 10, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -71,71 +69,68 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 - 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6 + 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 5 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7 - 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8 + 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 7 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8 - 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12 - 2.10. Binding the NAT Function to an External Interface . . . . 15 - 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15 - 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16 - 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 72 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 74 - 7.2. Informative References . . . . . . . . . . . . . . . . . 76 - Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78 - A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 78 - A.2. Carrier Grade NAT (CGN) . . . . . . 
. . . . . . . . . . . 80 - A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83 - A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84 - A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84 + 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 11 + 2.10. Binding the NAT Function to an External Interface . . . . 14 + 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 14 + 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 15 + 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 21 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 69 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 71 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 71 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 72 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 72 + 7.2. Informative References . . . . . . . . . . . . . . . . . 74 + Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 76 + A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 76 + A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 78 + A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 81 + A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 82 + A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 82 A.6. Explicit Address Mappings for Stateless IP/ICMP - Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85 - A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 89 - A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89 - A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90 - A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93 - A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 93 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96 + Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 83 + A.7. 
Static Mappings with Port Ranges . . . . . . . . . . . . 87 + A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 87 + A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 88 + A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 91 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 91 1. Introduction This document defines a data model for Network Address Translation - (NAT) and Network Prefix Translation (NPT) capabilities using the - YANG data modeling language [RFC7950]. + (NAT) capabilities using the YANG data modeling language [RFC7950]. Traditional NAT is defined in [RFC2663], while Carrier Grade NAT (CGN) is defined in [RFC6888]. Unlike traditional NAT, the CGN is used to optimize the usage of global IP address space at the scale of a domain: a CGN is not managed by end users, but by service providers instead. This document covers both traditional NATs and CGNs. This document also covers NAT64 [RFC6146], customer-side translator (CLAT) [RFC6877], Stateless IP/ICMP Translation (SIIT) [RFC7915], Explicit Address Mappings for Stateless IP/ICMP Translation (EAM) - [RFC7757], and IPv6 Network Prefix Translation (NPTv6) [RFC6296]. - The full set of translation schemes that are in scope is included in - Section 2.2. + [RFC7757], and Destination NAT. The full set of translation schemes + that are in scope is included in Section 2.2. Sample examples are provided in Appendix A. These examples are not intended to be exhaustive. 1.1. Terminology This document makes use of the following terms: o Basic NAT44: translation is limited to IP addresses alone (Section 2.1 of [RFC3022]). 
@@ -153,32 +148,32 @@ o Port-restricted IPv4 address: An IPv4 address with a restricted port set. Multiple hosts may share the same IPv4 address; however, their port sets must not overlap [RFC7596]. o Restricted port set: A non-overlapping range of allowed external ports to use for NAT operation. Source ports of IPv4 packets translated by a NAT must belong to the assigned port set. The port set is used for all port-aware IP protocols [RFC7596]. - o Internal Host: A host that may solicit a NAT or an NPTv6 (or both) + o Internal Host: A host that may need to use a translation capability to send to and receive traffic from the Internet. o Internal Address/prefix: The IP address/prefix of an internal host. - o External Address: The IP address/prefix assigned by a NAT/NPTv6 to - an internal host; this is the address that will be seen by a + o External Address: The IP address/prefix assigned by a translator + to an internal host; this is the address that will be seen by a remote host on the Internet. - o Mapping: denotes a state at the NAT that is necessary for network - address and/or port translation. + o Mapping: denotes a state at the translator that is necessary for + network address and/or port translation. o Dynamic implicit mapping: is created implicitly as a side effect of processing a packet (e.g., an initial TCP SYN packet) that requires a new mapping. A validity lifetime is associated with this mapping. o Dynamic explicit mapping: is created as a result of an explicit request, e.g., PCP message [RFC6887]. A validity lifetime is associated with this mapping. 
@@ -238,21 +233,20 @@ The following translation modes are supported: o Basic NAT44 o NAPT o Destination NAT o Port-restricted NAT o Stateful NAT64 o SIIT o CLAT o EAM - o NPTv6 o Combination of Basic NAT/NAPT and Destination NAT o Combination of port-restricted and Destination NAT o Combination of NAT64 and EAM o Stateful and Stateless NAT64 [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT YANG module to support DS-Lite. The YANG "feature" statement is used to indicate which of the different translation modes is relevant for a specific data node. @@ -261,21 +255,20 @@ +---------------------------------+--------------+ | Translation Mode | YANG Feature | +---------------------------------+--------------+ | Basic NAT44 | basic-nat44 | | NAPT | napt44 | | Destination NAT | dst-nat | | Stateful NAT64 | nat64 | | Stateless IPv4/IPv6 translation | siit | | CLAT | clat | | EAM | eam | - | NPTv6 | nptv6 | +---------------------------------+--------------+ Table 1: YANG NAT Features The following translation modes do not require defining dedicated features: o Port-restricted NAT: This mode corresponds to supplying port restriction policies to a NAPT or NAT64 (port-set-restrict). o Combination of Basic NAT/NAPT and Destination NAT: This mode 
@@ -495,41 +487,38 @@ | | NAT64) | | external-src-port | ID2 (an ICMP identifier that is chosen by | | | the NAT64) | +----------------------+--------------------------------------------+ Table 4: Example of an EIM NAT64 Mapping Entry Note that a mapping table is maintained only for stateful NAT functions. Particularly: - o No mapping table is maintained for NPTv6 given that it is - stateless and transport-agnostic. - o The double translations are stateless in CLAT if a dedicated IPv6 prefix is provided for CLAT. If not, a stateful NAT44 will be required. o No per-flow mapping is maintained for EAM [RFC7757]. o No mapping table is maintained for Stateless IPv4/IPv6 translation. As a reminder, in such deployments internal IPv6 nodes are addressed using IPv4-translatable IPv6 addresses, which enable them to be accessed by IPv4 nodes [RFC6052]. 2.9. Resource Limits In order to comply with CGN deployments in particular, the NAT YANG module allows limiting the number of external ports per subscriber (port-quota) and the amount of state memory allocated per mapping and per subscriber (mapping-limits and connection-limits). According to - [RFC6888], the model allows for the following: + [RFC6888], the module allows for the following: o Per-subscriber limits are configurable by the NAT administrator. o Per-subscriber limits are configurable independently per transport protocol. o Administrator-adjustable thresholds to prevent a single subscriber from consuming excessive CPU resources from the NAT (e.g., rate- limit the subscriber's creation of new mappings) can be configured. 
@@ -633,21 +622,21 @@ | notification-limits/notify-interval | Indicates the minimum | | | number of seconds between | | | successive notifications | | | for a NAT instance. | +-------------------------------------+-----------------------------+ Table 7: Notification Intervals 2.10. Binding the NAT Function to an External Interface - The model is designed to specify an external realm on which the NAT + The module is designed to specify an external realm on which the NAT function must be applied (external-realm). The module supports indicating an interface as an external realm, but the module is extensible so that other choices can be indicated in the future (e.g., Virtual Routing and Forwarding (VRF) instance). Distinct external realms can be provided as a function of the NAT policy (see for example, Section 4 of [RFC7289]). If no external realm is provided, this assumes that the system is able to determine the external interface (VRF instance, etc.) on @@ -663,21 +652,21 @@ o The set of address realms to which the device connect. o For the CGN case, per-subscriber information including subscriber index, address realm, assigned prefix or address, and (possibly) policies regarding address pool selection in the various possible address realms to which the subscriber may connect. o The set of NAT instances running on the device, identified by NAT instance index and name. - o The port mapping, filtering, pooling, and fragment behavior for + o The port mapping, filtering, pooling, and fragment behaviors for each NAT instance. o The set of protocols supported by each NAT instance. o Address pools for each NAT instance, including for each pool the pool index, address realm, and minimum and maximum port number. o Static address and port mapping entries. All the above parameters can be configured by means of the NAT YANG 
@@ -742,23 +731,20 @@ | +--rw id uint32 | +--rw prefix inet:ip-prefix | +--rw port? inet:port-number +--rw policy* [id] | +--rw id uint32 | +--rw clat-parameters {clat}? | | +--rw clat-ipv6-prefixes* [ipv6-prefix] | | | +--rw ipv6-prefix inet:ipv6-prefix | | +--rw ipv4-prefixes* [ipv4-prefix] | | +--rw ipv4-prefix inet:ipv4-prefix - | +--rw nptv6-prefixes* [internal-ipv6-prefix] {nptv6}? - | | +--rw internal-ipv6-prefix inet:ipv6-prefix - | | +--rw external-ipv6-prefix inet:ipv6-prefix | +--rw eam* [ipv4-prefix] {eam}? | | +--rw ipv4-prefix inet:ipv4-prefix | | +--rw ipv6-prefix inet:ipv6-prefix | +--rw nat64-prefixes* [nat64-prefix] | | {siit or nat64 or clat}? | | +--rw nat64-prefix inet:ipv6-prefix | | +--rw destination-ipv4-prefix* [ipv4-prefix] | | | +--rw ipv4-prefix inet:ipv4-prefix | | +--rw stateless-enable? boolean | +--rw external-ip-address-pool* [pool-id] @@ -860,21 +846,20 @@ | | {basic-nat44 or napt44 or nat64}? | +--rw notify-addresses-usage? percent | | {basic-nat44 or napt44 or nat64}? | +--rw notify-ports-usage? percent | | {napt44 or nat64}? | +--rw notify-subscribers-limit? uint32 | {basic-nat44 or napt44 or nat64}? +--rw logging-enable? boolean | {basic-nat44 or napt44 or nat64}? +--rw mapping-table - | {basic-nat44 or napt44 or nat64 or clat or dst-nat}? | +--rw mapping-entry* [index] | +--rw index uint32 | +--rw type? enumeration | +--rw transport-protocol? uint8 | +--rw internal-src-address? inet:ip-prefix | +--rw internal-src-port | | +--rw start-port-number? inet:port-number | | +--rw end-port-number? inet:port-number | +--rw external-src-address? inet:ip-prefix | +--rw external-src-port 
@@ -934,21 +919,20 @@ | +--ro dropped-subscriber-limit-packets? | | yang:zero-based-counter64 | | {basic-nat44 or napt44 or nat64}? | +--ro dropped-subscriber-limit-bytes? | yang:zero-based-counter64 | {basic-nat44 or napt44 or nat64}? +--ro mappings-statistics | +--ro total-active-subscribers? yang:gauge32 | | {basic-nat44 or napt44 or nat64}? | +--ro total-address-mappings? yang:gauge32 - | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? | +--ro total-port-mappings? yang:gauge32 | | {napt44 or nat64}? | +--ro total-per-protocol* [protocol-id] | {napt44 or nat64}? | +--ro protocol-id uint8 | +--ro total? yang:gauge32 +--ro pools-stats {basic-nat44 or napt44 or nat64}? +--ro addresses-allocated? yang:gauge32 +--ro addresses-free? yang:gauge32 +--ro ports-stats {napt44 or nat64}? @@ -974,21 +958,21 @@ | +--ro notify-pool-threshold percent +---n nat-instance-event {basic-nat44 or napt44 or nat64}? +--ro id | -> /nat/instances/instance/id +--ro notify-subscribers-threshold? uint32 +--ro notify-addresses-threshold? percent +--ro notify-ports-threshold? percent 3. NAT YANG Module - file "ietf-nat@2017-11-16.yang" + file "ietf-nat@2018-02-06.yang" module ietf-nat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; //namespace to be assigned by IANA prefix "nat"; import ietf-inet-types { prefix inet; } import ietf-yang-types { prefix yang; } 
@@ -1015,43 +999,42 @@ Editor: Qin Wu "; description "This module is a YANG module for NAT implementations. NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), - Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings - for Stateless IP/ICMP Translation (SIIT EAM), and IPv6 Network - Prefix Translation (NPTv6) are covered. + Stateless IP/ICMP Translation (SIIT), and Explicit Address Mappings + for Stateless IP/ICMP Translation (SIIT EAM) are covered. - Copyright (c) 2017 IETF Trust and the persons identified as + Copyright (c) 2018 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2017-11-16 { + revision 2018-02-06 { description "Initial revision."; reference - "RFC XXXX: A YANG Data Model for Network Address Translation - (NAT) and Network Prefix Translation (NPT)"; + "RFC XXXX: A YANG Module for Network Address Translation + (NAT)"; } /* * Definitions */ typedef percent { type uint8 { range "0 .. 100"; } @@ -1142,29 +1125,20 @@ Translation"; } feature eam { description "Explicit Address Mapping (EAM) is a bidirectional coupling between an IPv4 Prefix and an IPv6 Prefix."; reference "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP Translation"; - - } - - feature nptv6 { - description - "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6 - prefix translation."; - reference - "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; } /* * Identities */ identity nat-type { description "Base identity for nat type."; } 
@@ -1221,28 +1195,20 @@ identity eam { base nat:nat-type; description "Identity for EAM support."; reference "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP Translation"; } - identity nptv6 { - base nat:nat-type; - description - "Identity for NPTv6 support."; - reference - "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; - } - /* * Grouping */ grouping port-number { description "Individual port or a range of ports. When only start-port-number is present, it represents a single port."; @@ -1929,55 +1898,20 @@ provided to an application that makes use of literals."; reference "RFC 6877: 464XLAT: Combination of Stateful and Stateless Translation"; } } } - list nptv6-prefixes { - if-feature nptv6; - key internal-ipv6-prefix ; - description - "Provides one or a list of (internal IPv6 prefix, - external IPv6 prefix) required for NPTv6. - - In its simplest form, NPTv6 interconnects two network - links, one of which is an 'internal' network link - attached to a leaf network within a single - administrative domain and the other of which is an - 'external' network with connectivity to the global - Internet."; - reference - "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; - - leaf internal-ipv6-prefix { - type inet:ipv6-prefix; - mandatory true; - description - "An IPv6 prefix used by an internal interface of NPTv6."; - reference - "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; - } - - leaf external-ipv6-prefix { - type inet:ipv6-prefix; - mandatory true; - description - "An IPv6 prefix used by the external interface of NPTv6."; - reference - "RFC 6296: IPv6-to-IPv6 Network Prefix Translation"; - } - } - list eam { if-feature eam; key ipv4-prefix; description "The Explicit Address Mapping Table, a conceptual table in which each row represents an EAM. Each EAM describes a mapping between IPv4 and IPv6 prefixes/addresses."; reference 
@@ -2118,22 +2053,22 @@ leaf pool-id { type uint32; description "An identifier of the address pool."; } leaf dst-in-ip-pool { type inet:ip-prefix; description - "Is used to identify an internal IP prefix/address - to be translated."; + "Is used to identify an internal destination + IP prefix/address to be translated."; } leaf dst-out-ip-pool { type inet:ip-prefix; mandatory true; description "IP address/prefix used for destination NAT."; } } @@ -2945,22 +2879,20 @@ leaf logging-enable { if-feature "basic-nat44 or napt44 or nat64"; type boolean; description "Enable logging features."; reference "Section 2.3 of RFC 6908 and REQ-12 of RFC6888."; } container mapping-table { - if-feature "basic-nat44 or napt44 " + - "or nat64 or clat or dst-nat"; description "NAT mapping table. Applicable for functions which maintain static and/or dynamic mappings, such as NAT44, Destination NAT, NAT64, or CLAT."; list mapping-entry { key "index"; description "NAT mapping entry."; uses mapping-entry; } @@ -3128,22 +3058,20 @@ description "Total number of active subscribers (that is, subscribers for which the NAT maintains active mappings. A subscriber is identified by a subnet, subscriber-mask, etc."; } leaf total-address-mappings { - if-feature "basic-nat44 or napt44 " + - "or nat64 or clat or dst-nat"; type yang:gauge32; description "Total number of address mappings present at a given time. It includes both static and dynamic mappings."; reference "Section 3.3.8 of RFC 7659"; } leaf total-port-mappings { if-feature "napt44 or nat64"; @@ -3310,23 +3238,22 @@ type leafref { path "/nat/instances/instance/policy/id"; } description "Policy Identifier."; } leaf pool-id { type leafref { - path - "/nat/instances/instance/policy/" - + "external-ip-address-pool/pool-id"; + path "/nat/instances/instance/policy/" + + "external-ip-address-pool/pool-id"; } mandatory true; description "Pool Identifier."; } leaf notify-pool-threshold { type percent; mandatory true; description 
@@ -3360,30 +3288,28 @@ type percent; description "The notify-addresses-usage threshold has been fired."; } leaf notify-ports-threshold { type percent; description "The notify-ports-usage threshold has been fired."; } - } } 4. Security Considerations Security considerations related to address and prefix translation are - discussed in [RFC6888], [RFC6146], [RFC6877], [RFC7757], and - [RFC6296]. + discussed in [RFC6888], [RFC6146], [RFC6877], and [RFC7757]. The YANG module defined in this document is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC5246]. The NETCONF access control model [RFC6536] provides the means to restrict access for particular NETCONF or RESTCONF users to a 
@@ -3469,34 +3395,37 @@ 6. Acknowledgements Many thanks to Dan Wing and Tianran Zhou for the review. Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA. Mahesh Jethanandani provided useful comments. Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and - Kristian Poscic for the CGN review. + Kristian Poscic for the CGN review. Tim Chown proposed to publish + the NPTv6 part of the YANG module as a separate document to avoid the + conflict between the intended status of this document and the one of + the NPTv6 specification (Experimental). Special thanks to Maros Marsalek and Marek Gradzki for sharing their comments based on the FD.io implementation of an earlier version of this module. Rajiv Asati suggested to clarify how the module applies for both stateless and stateful NAT64. Juergen Schoenwaelder provided an early yandgoctors review. Many thanks to him. - Thanks to Roni Even and Mach Chen for the directorates review. Igor - Ryzhov identified a nit in one example. + Thanks to Roni Even, Mach Chen, and Tim Chown for the directorates + review. Igor Ryzhov identified a nit in one example. 7. References 7.1. Normative References [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 
@@ -3531,24 +3460,20 @@ [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, . [RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011, . - [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix - Translation", RFC 6296, DOI 10.17487/RFC6296, June 2011, - . - [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration Protocol (NETCONF) Access Control Model", RFC 6536, DOI 10.17487/RFC6536, March 2012, . [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable Operation of Address Translators with Per-Interface Bindings", RFC 6619, DOI 10.17487/RFC6619, June 2012, . @@ -3600,22 +3525,22 @@ 7.2. Informative References [I-D.boucadair-pcp-yang] Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Vinapamula, "YANG Modules for the Port Control Protocol (PCP)", draft-boucadair-pcp-yang-05 (work in progress), October 2017. [I-D.ietf-netmod-yang-tree-diagrams] Bjorklund, M. and L. Berger, "YANG Tree Diagrams", draft- - ietf-netmod-yang-tree-diagrams-04 (work in progress), - December 2017. + ietf-netmod-yang-tree-diagrams-05 (work in progress), + January 2018. [I-D.ietf-softwire-dslite-yang] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- softwire-dslite-yang-14 (work in progress), January 2018. [I-D.ietf-tsvwg-natsupp] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Transmission Protocol (SCTP) Network Address Translation Support", draft-ietf-tsvwg-natsupp-11 (work in progress), 
@@ -3693,28 +3618,28 @@ such case together with a mapping entry is depicted below: 1 NAT_Subscriber_A .... 1 - 192.0.2.1 + 198.51.100.1/32 .... .... - 192.0.2.1 + 198.51.100.1/32 .... The following shows the XML excerpt depicting a dynamic UDP mapping entry maintained by a traditional NAPT44. In reference to this example, the UDP packet received with a source IPv4 address (192.0.2.1) and source port number (1568) is translated into a UDP @@ -3723,29 +3648,29 @@ 15 dynamic-explicit 17 - 192.0.2.1 + 192.0.2.1/32 1568 - 198.51.100.1 + 198.51.100.1/32 15000 300 @@ -3797,34 +3722,35 @@ false false The following XML snippet shows the example of a CGN that is provisioned with one contiguous pool of external IPv4 addresses - (192.0.2.0/24). Further, the CGN is instructed to limit the number - of allocated ports per subscriber to 1024. Ports can be allocated by - the CGN by assigning ranges of 256 ports (that is, a subscriber can - be allocated up to four port ranges of 256 ports each). + (198.51.100.0/24). Further, the CGN is instructed to limit the + number of allocated ports per subscriber to 1024. Ports can be + allocated by the CGN by assigning ranges of 256 ports (that is, a + subscriber can be allocated up to four port ranges of 256 ports + each). 1 myCGN .... 1 - 192.0.2.0/24 + 198.51.100.0/24 1024 all @@ -3844,21 +3770,21 @@ subscriber (port range of 1024 ports) as shown below: 1 myotherCGN .... 1 - 192.0.2.0/24 + 198.51.100.0/24 1024 all 
@@ -3885,26 +3811,26 @@ | l |>>>>>>>>>>>>| C |>>>>>>>>>>>>>>| e | | i | | G | | r | | e |<<<<<<<<<<<<| N |<<<<<<<<<<<<<<| v | | n |from X2:x2 | |from X2:x2 | e | | t | to X1:x1 | | to X1:x1 | r | +---+ +---+ +---+ Figure 1: CGN Pass-Through For example, in order to disable NAT for communications issued by the - client (192.0.2.25), the following configuration parameter must be + client (192.0.2.1), the following configuration parameter must be set: ... - 192.0.2.25 + 192.0.2.1/32 ... A.4. NAT64 Let's consider the example of a NAT64 that should use 2001:db8:122:300::/56 to perform IPv6 address synthesis [RFC6052]. The XML snippet to configure the NAT64 prefix in such case is depicted below: @@ -3968,34 +3894,34 @@ true A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM SIIT) As specified in [RFC7757], an EAM consists of an IPv4 prefix and an - IPv6 prefix. Let's consider the set of EAM examples in Figure 2. + IPv6 prefix. Let's consider the set of EAM examples in Table 8. +----------------+----------------------+ | IPv4 Prefix | IPv6 Prefix | +----------------+----------------------+ | 192.0.2.1 | 2001:db8:aaaa:: | | 192.0.2.2/32 | 2001:db8:bbbb::b/128 | | 192.0.2.16/28 | 2001:db8:cccc::/124 | | 192.0.2.128/26 | 2001:db8:dddd::/64 | | 192.0.2.192/29 | 2001:db8:eeee:8::/62 | | 192.0.2.224/31 | 64:ff9b::/127 | +----------------+----------------------+ - Figure 2: EAM Examples (RFC7757) + Table 8: EAM Examples (RFC7757) The following XML excerpt illustrates how these EAMs can be configured using the YANG NAT module: 192.0.2.1 2001:db8:aaaa:: 
@@ -4093,138 +4019,138 @@ The following example shows a static mapping that instructs a NAT to translate packets issued from 192.0.2.1 and with source ports in the 100-500 range to 198.51.100.1:1100-1500. 1 static 6 - 192.0.2.1 + 192.0.2.1/32 100 500 - 198.51.100.1 + 198.51.100.1/32 1100 1500 ... A.8. Static Mappings with IP Prefixes The following example shows a static mapping that instructs a NAT to - translate TCP packets issued from 192.0.2.1/24 to 198.51.100.1/24. + translate TCP packets issued from 192.0.2.0/24 to 198.51.100.0/24. 1 static 6 - 192.0.2.1/24 + 192.0.2.0/24 - 198.51.100.1/24 + 198.51.100.0/24 ... A.9. Destination NAT The following XML snippet shows an example of a destination NAT that is instructed to translate all packets having 192.0.2.1 as a destination IP address to 198.51.100.1. 1 - 192.0.2.1 + 192.0.2.1/32 - 198.51.100.1 + 198.51.100.1/32 In order to instruct a NAT to translate TCP packets destined to '192.0.2.1:80' to '198.51.100.1:8080', the following XML snippet shows the static mapping to be configured on the NAT: 1 static 6 - 192.0.2.1 + 192.0.2.1/32 80 - 198.51.100.1 + 198.51.100.1/32 8080 In order to instruct a NAT to translate TCP packets destined to '192.0.2.1:80' (http traffic) to 198.51.100.1 and '192.0.2.1:22' (ssh traffic) to 198.51.100.2, the following XML snippet shows the static mappings to be configured on the NAT: 1 static 6 - 192.0.2.1 + 192.0.2.1/32 80 - 198.51.100.1 + 198.51.100.1/32 ... 2 static 6 - 192.0.2.1 + 192.0.2.1/32 22 - 198.51.100.2 + 198.51.100.2/32 ... The NAT may also be instructed to proceed with both source and destination NAT. To do so, in addition to the above sample to configure destination NAT, the NAT may be provided, for example with a pool of external IP addresses (198.51.100.0/24) to use for source address translation. An example of the corresponding XML snippet is provided hereafter: 
@@ -4257,115 +4183,20 @@ 192.0.0.1/32 2001:db8:1234::/96 -A.11. IPv6 Network Prefix Translation (NPTv6) - - Let's consider the example of a NPTv6 translator that should rewrite - packets with the source prefix (fd01:203:405:/48) with the external - prefix (2001:db8:1:/48). The internal interface is "eth0" while the - external interface is "eth1". - - External Network: Prefix = 2001:db8:1:/48 - -------------------------------------- - | - |eth1 - +-------------+ - eth4| NPTv6 |eth2 - ...-----| |------... - +-------------+ - |eth0 - | - -------------------------------------- - Internal Network: Prefix = fd01:203:405:/48 - - Example of NPTv6 (RFC6296) - - The XML snippet to configure NPTv6 prefixes in such case is depicted - below: - - - - fd01:203:405:/48 - - - 2001:db8:1:/48 - - - ... - - - eth1 - - - - Figure 3 shows an example of an NPTv6 that interconnects two internal - networks (fd01:203:405:/48 and fd01:4444:5555:/48); each is - translated using a dedicated prefix (2001:db8:1:/48 and - 2001:db8:6666:/48, respectively). - - Internal Prefix = fd01:4444:5555:/48 - -------------------------------------- - V | External Prefix - V |eth1 2001:db8:1:/48 - V +---------+ ^ - V | NPTv6 | ^ - V | | ^ - V +---------+ ^ - External Prefix |eth0 ^ - 2001:db8:6666:/48 | ^ - -------------------------------------- - Internal Prefix = fd01:203:405:/48 - - Figure 3: Connecting two Peer Networks (RFC6296) - - To that aim, the following configuration is provided to the NPTv6: - - - 1 - - - fd01:203:405:/48 - - - 2001:db8:1:/48 - - - - - eth1 - - - - - 2 - - - fd01:4444:5555:/48 - - - 2001:db8:6666:/48 - - - - - eth0 - - - - Authors' Addresses Mohamed Boucadair Orange Rennes 35000 France Email: mohamed.boucadair@orange.com Senthil Sivakumar Cisco Systems
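Review bot: In the hunk at @@ -1015,43 +999,42 @@ the module's description statement is now out of step with the updated abstract. The abstract (hunk @@ -1,68 +1,66 @@) reads "... ICMP Translation (SIIT EAM), and Destination NAT are covered in this document", while the new description text ends at "... for Stateless IP/ICMP Translation (SIIT EAM) are covered." and omits Destination NAT, even though the dst-nat feature and the dst-in-ip-pool / dst-out-ip-pool leaves remain in the module. Suggest aligning the description with the abstract, e.g. "... (SIIT EAM), and Destination NAT are covered."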
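Review bot: Dropping the if-feature on container mapping-table (hunk @@ -2945,22 +2879,20 @@) and on leaf total-address-mappings (hunk @@ -3128,22 +3058,20 @@) makes both nodes unconditional, so a server advertising only the siit or eam features must now implement them, even though the unchanged description still says the table is "Applicable for functions which maintain static and/or dynamic mappings" and Section 2.8 (hunk @@ -495,41 +487,38 @@) states that no per-flow mapping is maintained for EAM and no mapping table for stateless IPv4/IPv6 translation. Either keep the removed condition "basic-nat44 or napt44 or nat64 or clat or dst-nat" on both nodes, or state in Section 2.8 that stateless-only implementations expose an empty mapping table. The matching tree-diagram lines were removed in @@ -860,21 +846,20 @@ and @@ -934,21 +919,20 @@, so whichever way this goes, module and tree should be changed together.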
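Review bot: In hunk @@ -71,71 +69,68 @@ the Introduction now silently drops NPTv6 from the list of covered translation schemes, while the Acknowledgements (hunk @@ -3469,34 +3395,37 @@) still thank Fred Baker "for the NPTv6 comments" and add the sentence explaining that the NPTv6 part is being published separately because of the Experimental status of the NPTv6 specification. A reader of Section 1 alone has no way to learn that NPTv6 was moved out rather than dropped; a one-sentence note in Section 1 or Section 2.2 would remove the apparent inconsistency. While touching the Acknowledgements, the unchanged context line "Juergen Schoenwaelder provided an early yandgoctors review" carries a typo and could be corrected to "YANG Doctors review" in the same edit.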
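Review bot: In hunk @@ -3360,30 +3288,28 @@ the citation list in Section 4 drops [RFC6296], but the lead sentence still reads "Security considerations related to address and prefix translation"; if "prefix translation" was there for NPTv6 it should go as well, and if it is kept to cover the SIIT/EAM prefix mappings that is fine as written. The same hunk also removes one stray "}" after the notify-ports-threshold leaf, i.e. the -10 module had an unbalanced closing brace; re-running a YANG validator on the -11 module is worth doing to confirm that the module now parses cleanly and that the brace removal did not shift the end of the notification.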
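Review bot: The address changes in hunks @@ -3693,28 +3618,28 @@ through @@ -4093,138 +4019,138 @@ are consistent with the inet:ip-prefix type that the tree diagram shows for internal-src-address, external-src-address and dst-in-ip-pool / dst-out-ip-pool: host addresses now carry an explicit /32, and the A.8 example is corrected from "192.0.2.1/24" / "198.51.100.1/24" to "192.0.2.0/24" / "198.51.100.0/24", which matters because the canonical form of inet:ip-prefix requires the host bits beyond the prefix length to be zero. The CGN examples in @@ -3797,34 +3722,35 @@ and @@ -3844,21 +3770,21 @@ move the external pool from 192.0.2.0/24 to 198.51.100.0/24, which keeps the internal (192.0.2.x) and external (198.51.100.x) ranges disjoint across all of Appendix A; it would be worth adding a sentence at the start of Appendix A stating that convention so the examples read consistently.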