--- 1/draft-ietf-opsawg-nat-yang-14.txt 2018-06-28 02:13:12.741852924 -0700 +++ 2/draft-ietf-opsawg-nat-yang-15.txt 2018-06-28 02:13:12.905856866 -0700 @@ -1,45 +1,43 @@ Network Working Group M. Boucadair, Ed. Internet-Draft Orange Intended status: Standards Track S. Sivakumar -Expires: September 24, 2018 Cisco Systems +Expires: December 29, 2018 Cisco Systems C. Jacquenet Orange S. Vinapamula Juniper Networks Q. Wu Huawei - March 23, 2018 + June 27, 2018 A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT) - draft-ietf-opsawg-nat-yang-14 + draft-ietf-opsawg-nat-yang-15 Abstract - For the sake of network automation and the need for programming - Network Address Translation (NAT) function in particular, a data - model for configuring and managing the NAT is essential. This - document defines a YANG module for the NAT function. + This document defines a YANG module for the Network Address + Translation (NAT) function. Network Address Translation from IPv4 to IPv4 (NAT44), Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and Destination NAT are covered in this document. Editorial Note (To be removed by RFC Editor) - Please update these statements with the RFC number to be assigned to - this document: + Please update these statements within the document with the RFC + number to be assigned to this document: "This version of this YANG module is part of RFC XXXX;" "RFC XXXX: A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)" "reference: RFC XXXX" Please update the "revision" date of the YANG module. 
@@ -51,63 +49,63 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 24, 2018. + This Internet-Draft will expire on December 29, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6 - 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 8 - 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 8 + 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7 + 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7 2.5. 
IP Addresses Used for Translation . . . . . . . . . . . . 8 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 - 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 9 - 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 9 + 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8 + 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12 2.10. Binding the NAT Function to an External Interface . . . . 15 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 72 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 71 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 73 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 7.1. Normative References . . . . . . . . . . . . . . . . . . 74 - 7.2. Informative References . . . . . . . . . . . . . . . . . 77 + 7.2. Informative References . . . . . . . . . . . . . . . . . 76 Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78 - A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 79 + A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 78 A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80 A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83 A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 84 A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84 A.6. Explicit Address Mappings for Stateless IP/ICMP Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85 A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88 A.8. 
Static Mappings with IP Prefixes . . . . . . . . . . . . 89 A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90 A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93 @@ -228,24 +226,25 @@ The NAT YANG module allows for a NAT instance to be provided with multiple NAT policies (/nat/instances/instance/policy). The document does not make any assumption about how flows are associated with a given NAT policy of a given NAT instance. Classification filters are out of scope. Defining multiple NAT instances or configuring multiple NAT policies within one single NAT instance is implementation- and deployment- specific. - This YANG module provides a method to instruct a NAT function to - enable the logging feature (Section 2.3 of [RFC6908] and REQ-12 of - [RFC6888]). Nevertheless, configuration parameters specific to - logging protocols are out of the scope of this document. + This YANG module does not provide any method to instruct a NAT + function to enable the logging feature or to specify the information + to be logged for administrative or regulatory reasons (Section 2.3 of + [RFC6908] and REQ-12 of [RFC6888]). Those considerations are out of + the scope of this document. 2.2. Various Translation Flavors The following translation modes are supported: o Basic NAT44 o NAPT o Destination NAT o Port-restricted NAT o Stateful NAT64 (including with destination-based Pref64::/n 
@@ -853,36 +852,34 @@ | +--rw limit-subscribers? uint32 | +--rw limit-address-mappings? uint32 | +--rw limit-port-mappings? uint32 | +--rw limit-per-protocol* [protocol-id] | {napt44 or nat64 or dst-nat}? | +--rw protocol-id uint8 | +--rw limit? uint32 +--rw connection-limits | {basic-nat44 or napt44 or nat64}? | +--rw limit-per-subscriber? uint32 - | +--rw limit-per-instance uint32 + | +--rw limit-per-instance? uint32 | +--rw limit-per-protocol* [protocol-id] | {napt44 or nat64}? | +--rw protocol-id uint8 | +--rw limit? uint32 +--rw notification-limits | +--rw notify-interval? uint32 | | {basic-nat44 or napt44 or nat64}? | +--rw notify-addresses-usage? percent | | {basic-nat44 or napt44 or nat64}? | +--rw notify-ports-usage? percent | | {napt44 or nat64}? | +--rw notify-subscribers-limit? uint32 | {basic-nat44 or napt44 or nat64}? - +--rw logging-enable? boolean - | {basic-nat44 or napt44 or nat64}? +--rw mapping-table | |{basic-nat44 or napt44 or nat64 or clat or dst-nat}? | +--rw mapping-entry* [index] | +--rw index uint32 | +--rw type? enumeration | +--rw transport-protocol? uint8 | +--rw internal-src-address? inet:ip-prefix | +--rw internal-src-port | | +--rw start-port-number? inet:port-number | | +--rw end-port-number? inet:port-number @@ -984,21 +981,21 @@ | +--ro notify-pool-threshold percent +---n nat-instance-event {basic-nat44 or napt44 or nat64}? +--ro id | -> /nat/instances/instance/id +--ro notify-subscribers-threshold? uint32 +--ro notify-addresses-threshold? percent +--ro notify-ports-threshold? percent 3. NAT YANG Module - file "ietf-nat@2018-02-23.yang" + file "ietf-nat@2018-06-28.yang" module ietf-nat { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-nat"; prefix "nat"; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; 
@@ -1053,24 +1051,23 @@ Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; - revision 2018-02-23 { + revision 2018-06-28 { description "Initial revision."; - reference "RFC XXXX: A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)"; } /* * Definitions */ typedef percent { @@ -2864,21 +2845,20 @@ type uint32; units "bits/second"; description "Rate-limit the number of new mappings and sessions per subscriber."; } leaf limit-per-instance { type uint32; units "bits/second"; - mandatory true; description "Rate-limit the number of new mappings and sessions per instance."; } list limit-per-protocol { if-feature "napt44 or nat64"; key protocol-id; description "Configure limits per transport protocol"; @@ -2959,29 +2940,20 @@ type uint32; description "Notification of active subscribers per NAT instance. Notification must be generated when the defined threshold is reached."; } } - leaf logging-enable { - if-feature "basic-nat44 or napt44 or nat64"; - type boolean; - description - "Enable logging features."; - reference - "Section 2.3 of RFC 6908 and REQ-12 of RFC 6888."; - } - container mapping-table { if-feature "basic-nat44 or napt44 " + "or nat64 or clat or dst-nat"; description "NAT mapping table. Applicable for functions which maintain static and/or dynamic mappings, such as NAT44, Destination NAT, NAT64, or CLAT."; list mapping-entry { key "index"; 
@@ -3494,31 +3467,31 @@ Thanks to Juergen Schoenwaelder for the comments on the YANG structure and the suggestion to use NMDA. Mahesh Jethanandani provided useful comments. Thanks to Lee Howard and Jordi Palet for the CLAT comments, Fred Baker for the NPTv6 comments, Tore Anderson for EAM SIIT review, and Kristian Poscic for the CGN review. Special thanks to Maros Marsalek and Marek Gradzki for sharing their - comments based on the FD.io implementation of an earlier version of - this module. + comments based on the FD.io implementation of this module + (https://git.fd.io/hc2vpp/tree/nat/nat-api/src/main/yang). Rajiv Asati suggested to clarify how the module applies for both stateless and stateful NAT64. Juergen Schoenwaelder provided an early yandgoctors review. Many thanks to him. - Thanks to Roni Even, Mach Chen, and Tim Chown for the directorates - review. Igor Ryzhov identified a nit in one example. + Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrel for the + directorates review. Igor Ryzhov identified a nit in one example. 7. References 7.1. Normative References [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 
@@ -3630,22 +3603,22 @@ 7.2. Informative References [I-D.boucadair-pcp-yang] Boucadair, M., Jacquenet, C., Sivakumar, S., and S. Vinapamula, "YANG Modules for the Port Control Protocol (PCP)", draft-boucadair-pcp-yang-05 (work in progress), October 2017. [I-D.ietf-softwire-dslite-yang] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG - Data Module for Dual-Stack Lite (DS-Lite)", draft-ietf- - softwire-dslite-yang-15 (work in progress), February 2018. + Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf- + softwire-dslite-yang-17 (work in progress), May 2018. [I-D.ietf-tsvwg-natsupp] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Transmission Protocol (SCTP) Network Address Translation Support", draft-ietf-tsvwg-natsupp-11 (work in progress), July 2017. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999,
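Review bot: in the `@@ -1053,24 +1051,23 @@` hunk, the revision statement drops a `reference` line while the string "RFC XXXX: A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT)"; stays as unchanged context, so unless the removed line was a duplicated keyword the block is left with a bare string after `description "Initial revision.";` and the module will not compile; confirm that the revision still reads `reference "RFC XXXX: ...";`, since that is also the exact string the Editorial Note at the top of the diff asks the RFC Editor to replace.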
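Review bot: in the `@@ -2864,21 +2845,20 @@` hunk, removing `mandatory true` from `limit-per-instance` (matched by the new `?` in the tree hunk) means a NAT instance can be deployed with no instance-wide cap on new mappings and sessions unless the operator sets one, which is the resource-exhaustion guard these limits exist for; state what the absence of the leaf means (no limit, or a `default`) so the Security Considerations can describe it. In the same hunk, both `limit-per-subscriber` and `limit-per-instance` keep `units "bits/second";` while their descriptions say they rate-limit the number of new mappings and sessions; the units should be a count per unit time, or the descriptions should be corrected.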
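Review bot: the `@@ -2959,29 +2940,20 @@` hunk deletes the `logging-enable` leaf, consistent with the rewritten Section 2.1 paragraph and the tree hunk, but the leaf's `if-feature "basic-nat44 or napt44 or nat64";` and its reference to Section 2.3 of RFC 6908 and REQ-12 of RFC 6888 were the module's only hook for those logging requirements; confirm that no remaining description, example or the Security Considerations text still presents logging as configurable through this module, and that the `if-feature` dependencies of the following `mapping-table` container are unaffected by the deletion.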
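Review bot: two spelling issues in the `@@ -3494,31 +3467,31 @@` acknowledgements hunk: the added line reads "Stephen Farrel" where the name is spelled "Stephen Farrell", and the unchanged context line "provided an early yandgoctors review" should read "provided an early YANG doctors review".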