--- 1/draft-ietf-opsawg-nat-yang-11.txt 2018-02-07 23:13:09.248991166 -0800 +++ 2/draft-ietf-opsawg-nat-yang-12.txt 2018-02-07 23:13:09.404994892 -0800 @@ -1,25 +1,25 @@ Network Working Group M. Boucadair Internet-Draft Orange Intended status: Standards Track S. Sivakumar -Expires: August 10, 2018 Cisco Systems +Expires: August 11, 2018 Cisco Systems C. Jacquenet Orange S. Vinapamula Juniper Networks Q. Wu Huawei - February 6, 2018 + February 7, 2018 A YANG Module for Network Address Translation (NAT) - draft-ietf-opsawg-nat-yang-11 + draft-ietf-opsawg-nat-yang-12 Abstract For the sake of network automation and the need for programming Network Address Translation (NAT) function in particular, a data model for configuring and managing the NAT is essential. This document defines a YANG module for the NAT function. NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ @@ -46,21 +46,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on August 10, 2018. + This Internet-Draft will expire on August 11, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -131,21 +131,21 @@ 1.1. Terminology This document makes use of the following terms: o Basic NAT44: translation is limited to IP addresses alone (Section 2.1 of [RFC3022]). o Network Address/Port Translator (NAPT): translation in NAPT is extended to include IP addresses and transport identifiers (such as a TCP/UDP port or ICMP query ID); refer to Section 2.2 of - [RFC3022]. A NAPT my use an extra identifier, in addition to the + [RFC3022]. A NAPT may use an extra identifier, in addition to the five transport tuple, to disambiguate bindings [RFC6619]. o Destination NAT: is a translation that acts on the destination IP address and/or destination port number. This flavor is usually deployed in load balancers or at devices in front of public servers. o Port-restricted IPv4 address: An IPv4 address with a restricted port set. Multiple hosts may share the same IPv4 address; however, their port sets must not overlap [RFC7596]. 
@@ -218,32 +218,34 @@ multiple NAT policies (/nat/instances/instance/policy). The document does not make any assumption about how flows are associated with a given NAT policy of a given NAT instance. Classification filters are out of scope. Defining multiple NAT instances or configuring multiple NAT policies within one single NAT instance is implementation- and deployment- specific. This YANG module allows to instruct a NAT function to enable the - logging feature. Nevertheless, configuration parameters specific to - logging protocols are out of the scope of this document. + logging feature (Section 2.3 of [RFC6908] and REQ-12 of [RFC6888]). + Nevertheless, configuration parameters specific to logging protocols + are out of the scope of this document. 2.2. Various Translation Flavors The following translation modes are supported: o Basic NAT44 o NAPT o Destination NAT o Port-restricted NAT - o Stateful NAT64 + o Stateful NAT64 (including with destination-based Pref64::/n + [RFC7050]) o SIIT o CLAT o EAM o Combination of Basic NAT/NAPT and Destination NAT o Combination of port-restricted and Destination NAT o Combination of NAT64 and EAM o Stateful and Stateless NAT64 [I-D.ietf-softwire-dslite-yang] specifies an extension to the NAT YANG module to support DS-Lite. 
@@ -1056,23 +1058,22 @@ feature napt44 { description "Network Address/Port Translator (NAPT): translation is extended to include IP addresses and transport identifiers (such as a TCP/UDP port or ICMP query ID). If the internal IP address is not sufficient to uniquely disambiguate NAPT44 mappings, an additional attribute is required. For example, that additional attribute may - be an IPv6 address (a.k.a., DS-Lite (RFC 6333)) or - a Layer 2 identifier (a.k.a., Per-Interface NAT - (RFC 6619))"; + be an IPv6 address (a.k.a., DS-Lite) or + a Layer 2 identifier (a.k.a., Per-Interface NAT)"; reference "RFC 3022: Traditional IP Network Address Translator (Traditional NAT)"; } feature dst-nat { description "Destination NAT is a translation that acts on the destination IP address and/or destination port number. This flavor is usually deployed in load balancers or at devices @@ -1483,21 +1485,21 @@ description "A NAT instance. This identifier can be automatically assigned or explicitly configured."; leaf id { type uint32; must ". >= 1"; description "NAT instance identifier. - The identifier must be greater than zero as per RFC 7659."; + The identifier must be greater than zero."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; } leaf name { type string; description "A name associated with the NAT instance."; reference @@ -1650,22 +1652,21 @@ "Indicates whether paired-address-pooling is supported"; reference "REQ-2 of RFC 4787."; } leaf endpoint-independent-mapping-support { type boolean; description "Indicates whether endpoint-independent- - mapping in Section 4 of RFC 4787 is - supported."; + mapping is supported."; reference "Section 4 of RFC 4787."; } leaf address-dependent-mapping-support { type boolean; description "Indicates whether address-dependent-mapping is supported."; reference 
@@ -1722,21 +1724,21 @@ they are received in order. That is, in particular the header is in the first packet. Fragments received out of order are dropped. "; } enum "out-of-order" { description "The NAT instance is able to translate a fragment even if it is received out of order. - This behavior is the one recommended in RFC4787."; + This behavior is recommended."; reference "REQ-14 of RFC 4787"; } } description "The fragment behavior is the NAT instance's capability to translate fragments received on the external interface of the NAT."; } } @@ -1802,38 +1802,35 @@ description "An identifier of the IP prefix pass through."; } leaf prefix { type inet:ip-prefix; mandatory true; description "The IP addresses that match should not be translated. - According to REQ#6 of RFC6888, it must be possible to - administratively turn off translation for specific - destination addresses and/or ports."; + It must be possible to administratively turn + off translation for specific destination addresses + and/or ports."; reference "REQ#6 of RFC6888."; - } - leaf port { type inet:port-number; description - "According to REQ#6 of RFC6888, it must be possible to - administratively turn off translation for specific - destination addresses and/or ports. + "It must be possible to administratively turn off + translation for specific destination addresses + and/or ports. If no prefix is defined, the NAT pass through bound to a given port applies for any destination address."; - reference "REQ#6 of RFC6888."; } } list policy { key id; description "NAT parameters for a given instance"; 
@@ -1935,23 +1934,23 @@ "Section 3.2 of RFC 7757."; } } list nat64-prefixes { if-feature "siit or nat64 or clat"; key nat64-prefix; description "Provides one or a list of NAT64 prefixes with or without a list of destination IPv4 prefixes. + It allows mapping IPv4 address ranges to IPv6 prefixes. - Destination-based Pref64::/n is discussed in - Section 5.1 of [RFC7050]). For example: + For example: 192.0.2.0/24 is mapped to 2001:db8:122:300::/56. 198.51.100.0/24 is mapped to 2001:db8:122::/48."; reference "Section 5.1 of RFC7050."; leaf nat64-prefix { type inet:ipv6-prefix; mandatory true; description "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or @@ -2000,23 +1999,21 @@ A pool is a set of IP prefixes."; leaf pool-id { type uint32; must ". >= 1"; description "An identifier that uniquely identifies the address pool within a NAT instance. - The identifier must be greater than zero as per - RFC 7659."; - + The identifier must be greater than zero."; reference "RFC 7659: Definitions of Managed Objects for Network Address Translators (NATs)"; } leaf external-ip-pool { type inet:ipv4-prefix; mandatory true; description "An IPv4 prefix used for NAT purposes."; @@ -2306,21 +2304,21 @@ description "Translate fragments only if they are received in order."; } enum "out-of-order" { description "Translate a fragment even if it is received out of order. - This behavior is the recommended behavior."; + This behavior is recommended."; reference "REQ-14 of RFC 4787"; } } description "The fragment behavior instructs the NAT about the behavior to follow to translate fragments received on the external interface of the NAT."; } 
@@ -2401,22 +2401,21 @@ } leaf tcp-trans-open-timeout { type uint32; units "seconds"; default 240; description "The value of the transitory open connection idle-timeout. - Section 2.1 of [RFC7857] clarifies that a NAT - should provide different configurable + A NAT should provide different configurable parameters for configuring the open and closing idle timeouts. To accommodate deployments that consider a partially open timeout of 4 minutes as being excessive from a security standpoint, a NAT may allow the configured timeout to be less than 4 minutes. However, a minimum default transitory connection @@ -2426,22 +2425,21 @@ } leaf tcp-trans-close-timeout { type uint32; units "seconds"; default 240; description "The value of the transitory close connection idle-timeout. - Section 2.1 of [RFC7857] clarifies that a NAT - should provide different configurable + A NAT should provide different configurable parameters for configuring the open and closing idle timeouts."; reference "Section 2.1 of RFC 7857."; } leaf tcp-in-syn-timeout { type uint32; units "seconds"; default 6; @@ -3387,21 +3381,21 @@ This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950]. name: ietf-nat namespace: urn:ietf:params:xml:ns:yang:ietf-nat prefix: nat reference: RFC XXXX 6. Acknowledgements - Many thanks to Dan Wing and Tianran Zhou for the review. + Many thanks to Dan Wing, Tianran Zhou, and Tom Petch for the review. Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA. Mahesh Jethanandani provided useful comments. Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Kristian Poscic for the CGN review. Tim Chown proposed to publish the NPTv6 part of the YANG module as a separate document to avoid the conflict between the intended status of this document and the one of 
@@ -3570,20 +3564,30 @@ [RFC6736] Brockners, F., Bhandari, S., Singh, V., and V. Fajardo, "Diameter Network Address and Port Translation Control Application", RFC 6736, DOI 10.17487/RFC6736, October 2012, . [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013, . + [RFC6908] Lee, Y., Maglione, R., Williams, C., Jacquenet, C., and M. + Boucadair, "Deployment Considerations for Dual-Stack + Lite", RFC 6908, DOI 10.17487/RFC6908, March 2013, + . + + [RFC7050] Savolainen, T., Korhonen, J., and D. Wing, "Discovery of + the IPv6 Prefix Used for IPv6 Address Synthesis", + RFC 7050, DOI 10.17487/RFC7050, November 2013, + . + [RFC7289] Kuarsingh, V., Ed. and J. Cianfarani, "Carrier-Grade NAT (CGN) Deployment with BGP/MPLS IP VPNs", RFC 7289, DOI 10.17487/RFC7289, June 2014, . [RFC7335] Byrne, C., "IPv4 Service Continuity Prefix", RFC 7335, DOI 10.17487/RFC7335, August 2014, . [RFC7659] Perreault, S., Tsou, T., Sivakumar, S., and T. Taylor,
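Review bot: In the pass-through hunk (@@ -1802,38 +1802,35 @@) the `}` that closes `leaf prefix` is deleted along with the blank line before `leaf port`, and no brace is added back, so `leaf port` now sits inside `leaf prefix`; a leaf cannot contain another leaf, so the module stops validating, and the brace count at the end of the hunk is off by one, leaving `list policy` nested in `list pass-through`. Restore the closing brace after `reference "REQ#6 of RFC6888.";` in `leaf prefix`. Separately, the `reference "REQ#6 of RFC6888.";` substatement on `leaf port` is dropped while its description still states the requirement; keep the reference on `leaf port` as was done for `leaf prefix`, since moving RFC pointers out of descriptions into `reference` is the pattern this revision applies elsewhere.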
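Review bot: In the `feature napt44` hunk (@@ -1056,23 +1058,22 @@), removing "(RFC 6333)" and "(RFC 6619)" from the description leaves DS-Lite and Per-Interface NAT without any citation, because the `reference` substatement lists only RFC 3022. Elsewhere in this revision the pointer removed from a description survives in `reference` (for example `endpoint-independent-mapping-support` keeps `reference "Section 4 of RFC 4787.";`); do the same here by extending the `reference` substatement with entries for RFC 6333 and RFC 6619, both of which appear in the removed lines and the latter of which Section 1.1 already cites as [RFC6619].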
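Review bot: In the `tcp-trans-open-timeout` hunk (@@ -2401,22 +2401,21 @@) the description no longer cites Section 2.1 of [RFC7857], but the hunk is cut before that leaf's `reference` substatement, so it is not visible whether an RFC 7857 pointer survives there the way it does for `tcp-trans-close-timeout` (`reference "Section 2.1 of RFC 7857.";`). Confirm that `tcp-trans-open-timeout` keeps an equivalent `reference`; the caveat retained in its description (allowing an operator to set the transitory open timeout below 4 minutes on security grounds) is behaviour taken from RFC 7857 and should remain traceable to it.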
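Review bot: In the `nat64-prefixes` hunk (@@ -1935,23 +1934,23 @@) the retained `reference "Section 5.1 of RFC7050.";` points at destination-based Pref64::/n, but the description now only says the list "allows mapping IPv4 address ranges to IPv6 prefixes" after the sentence naming that mechanism is removed, so the reference no longer explains itself. Keep a short phrase such as "(destination-based Pref64::/n)" in the description; the removal does also fix the stray closing parenthesis in the old "[RFC7050])" line, which is worth keeping.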
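Review bot: In the Section 2 hunk (@@ -218,32 +218,34 @@) the new citations [RFC6908] and [RFC7050] resolve, since matching entries are added in the References hunk (@@ -3570,20 +3564,30 @@). One wording point on the Stateful NAT64 bullet: "(including with destination-based Pref64::/n [RFC7050])" reads awkwardly; "(including destination-based Pref64::/n, see [RFC7050])" is clearer and matches how the logging sentence cites its sources.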