--- 1/draft-ietf-opsawg-nat-yang-15.txt 2018-09-24 07:13:24.294498932 -0700 +++ 2/draft-ietf-opsawg-nat-yang-16.txt 2018-09-24 07:13:24.458502828 -0700 @@ -1,26 +1,26 @@ Network Working Group M. Boucadair, Ed. Internet-Draft Orange Intended status: Standards Track S. Sivakumar -Expires: December 29, 2018 Cisco Systems +Expires: March 28, 2019 Cisco Systems C. Jacquenet Orange S. Vinapamula Juniper Networks Q. Wu Huawei - June 27, 2018 + September 24, 2018 A YANG Module for Network Address Translation (NAT) and Network Prefix Translation (NPT) - draft-ietf-opsawg-nat-yang-15 + draft-ietf-opsawg-nat-yang-16 Abstract This document defines a YANG module for the Network Address Translation (NAT) function. Network Address Translation from IPv4 to IPv4 (NAT44), Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP @@ -49,21 +49,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on December 29, 2018. + This Internet-Draft will expire on March 28, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -78,46 +78,46 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview of the NAT YANG Data Model . . . . . . . . . . . . . 5 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Various Translation Flavors . . . . . . . . . . . . . . . 6 2.3. TCP/UDP/ICMP NAT Behavioral Requirements . . . . . . . . 7 2.4. Other Transport Protocols . . . . . . . . . . . . . . . . 7 2.5. IP Addresses Used for Translation . . . . . . . . . . . . 8 2.6. Port Set Assignment . . . . . . . . . . . . . . . . . . . 8 2.7. Port-Restricted IP Addresses . . . . . . . . . . . . . . 8 - 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 8 + 2.8. NAT Mapping Entries . . . . . . . . . . . . . . . . . . . 9 2.9. Resource Limits . . . . . . . . . . . . . . . . . . . . . 12 2.10. Binding the NAT Function to an External Interface . . . . 15 2.11. Relationship to NATV2-MIB . . . . . . . . . . . . . . . . 15 2.12. Tree Structure . . . . . . . . . . . . . . . . . . . . . 16 3. NAT YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 71 + 4. Security Considerations . . . . . . . . . . . . . . . . . . . 72 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 73 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 73 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 74 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 74 - 7.2. Informative References . . . . . . . . . . . . . . . . . 76 - Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 78 - A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 78 - A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 80 - A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 83 - A.4. NAT64 . . . . . . . . . . . . . . . 
. . . . . . . . . . . 84 - A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 84 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 75 + 7.2. Informative References . . . . . . . . . . . . . . . . . 77 + Appendix A. Sample Examples . . . . . . . . . . . . . . . . . . 79 + A.1. Traditional NAT44 . . . . . . . . . . . . . . . . . . . . 79 + A.2. Carrier Grade NAT (CGN) . . . . . . . . . . . . . . . . . 81 + A.3. CGN Pass-Through . . . . . . . . . . . . . . . . . . . . 84 + A.4. NAT64 . . . . . . . . . . . . . . . . . . . . . . . . . . 85 + A.5. Stateless IP/ICMP Translation (SIIT) . . . . . . . . . . 85 A.6. Explicit Address Mappings for Stateless IP/ICMP - Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 85 - A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 88 - A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 89 - A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 90 - A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 93 - A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 93 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 96 + Translation (EAM SIIT) . . . . . . . . . . . . . . . . . 86 + A.7. Static Mappings with Port Ranges . . . . . . . . . . . . 89 + A.8. Static Mappings with IP Prefixes . . . . . . . . . . . . 90 + A.9. Destination NAT . . . . . . . . . . . . . . . . . . . . . 91 + A.10. Customer-side Translator (CLAT) . . . . . . . . . . . . . 94 + A.11. IPv6 Network Prefix Translation (NPTv6) . . . . . . . . . 94 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 97 1. Introduction This document defines a data model for Network Address Translation (NAT) and Network Prefix Translation (NPT) capabilities using the YANG data modeling language [RFC7950]. Traditional NAT is defined in [RFC2663], while Carrier Grade NAT (CGN) is defined in [RFC6888]. 
Unlike traditional NAT, the CGN is used to optimize the usage of global IP address space at the scale of 
@@ -314,33 +314,39 @@ This document assumes NAT behavioral recommendations for UDP [RFC4787], TCP [RFC5382], and ICMP [RFC5508] are enabled by default. Furthermore, the NAT YANG module relies upon the recommendations detailed in [RFC6888] and [RFC7857]. 2.4. Other Transport Protocols The module is structured to support protocols other than UDP, TCP, - and ICMP. The mapping table is designed so that it can indicate any - transport protocol. For example, this module may be used to manage a - DCCP-capable NAT that adheres to [RFC5597]. + and ICMP. Concretely, the module allows the operator to enable + translation for other transport protocols when required + (/nat/instances/instance/policy/transport-protocols). Moreover, the + mapping table is designed so that it can indicate any transport + protocol. For example, this module may be used to manage a DCCP- + capable NAT that adheres to [RFC5597]. Future extensions may be needed to cover NAT-related considerations that are specific to other transport protocols such as SCTP [I-D.ietf-tsvwg-natsupp]. Typically, the mapping entry can be extended to record two optional SCTP-specific parameters: Internal Verification Tag (Int-VTag) and External Verification Tag (Ext-VTag). - Also, the module allows the operator to enable translation for these - protocols when required (/nat/instances/instance/policy/transport- - protocols). + This document only specifies transport protocol specific timers for + UDP, TCP, and ICMP. While some timers could potentially be + generalized for other connection-oriented protocols, this document + does not follow such an approach because there is no standard + document specifying such generic behavior. Future documents may be + edited to clarify how to reuse TCP-specific timers when needed. 2.5. IP Addresses Used for Translation The NAT YANG module assumes that blocks of IP external addresses (external-ip-address-pool) can be provisioned to the NAT function. These blocks may be contiguous or not. 
This behavior is aligned with [RFC6888] which specifies that a NAT function should not have any limitations on the size or the contiguity of the external address pool. In particular, the NAT @@ -816,20 +822,21 @@ | +--rw timers {napt44 or nat64}? | | +--rw udp-timeout? uint32 | | +--rw tcp-idle-timeout? uint32 | | +--rw tcp-trans-open-timeout? uint32 | | +--rw tcp-trans-close-timeout? uint32 | | +--rw tcp-in-syn-timeout? uint32 | | +--rw fragment-min-timeout? uint32 | | +--rw icmp-timeout? uint32 | | +--rw per-port-timeout* [port-number] | | | +--rw port-number inet:port-number + | | | +--rw protocol? uint32 | | | +--rw timeout uint32 | | +--rw hold-down-timeout? uint32 | | +--rw hold-down-max? uint32 | +--rw fragments-limit? uint32 | +--rw algs* [name] | | +--rw name string | | +--rw transport-protocol? uint32 | | +--rw dst-transport-port | | | +--rw start-port-number? inet:port-number | | | +--rw end-port-number? inet:port-number @@ -1017,30 +1023,30 @@ "IETF OPSAWG (Operations and Management Area Working Group)"; contact "WG Web: WG List: Editor: Mohamed Boucadair - Editor: Senthil Sivakumar + Author: Senthil Sivakumar - Editor: Christian Jacquenet + Author: Christian Jacquenet - Editor: Suresh Vinapamula + Author: Suresh Vinapamula - Editor: Qin Wu + Author: Qin Wu "; description "This module is a YANG module for NAT implementations. NAT44, Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT), Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network Prefix Translation (NPTv6), and Destination NAT are covered. 
@@ -1110,21 +1117,21 @@ description "Destination NAT is a translation that acts on the destination IP address and/or destination port number. This flavor is usually deployed in load balancers or at devices in front of public servers."; } feature nat64 { description "NAT64 translation allows IPv6-only clients to contact IPv4 - servers using unicast UDP, TCP, or ICMP. One or more + servers using, e.g., UDP, TCP, or ICMP. One or more public IPv4 addresses assigned to a NAT64 translator are shared among several IPv6-only clients."; reference "RFC 6146: Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers"; } feature siit { description "The Stateless IP/ICMP Translation Algorithm (SIIT), which @@ -1392,28 +1398,31 @@ description "This mapping is created as a result of an explicit request, e.g., a PCP message."; } } description "Indicates the type of a mapping entry. E.g., a mapping can be: static, implicit dynamic or explicit dynamic."; + } + leaf transport-protocol { type uint8; description "Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry. - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping. + + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP. If this leaf is not instantiated, then the mapping applies to any protocol."; } leaf internal-src-address { type inet:ip-prefix; description "Corresponds to the source IPv4/IPv6 address/prefix of the packet received on an internal 
@@ -1609,28 +1618,28 @@ list transport-protocols { key protocol-id; description "List of supported protocols."; leaf protocol-id { type uint8; mandatory true; description - "Upper-layer protocol associated with this mapping. + "Upper-layer protocol associated with a mapping. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ protocol-numbers.xhtml - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; } leaf protocol-name { type string; description "The name of the Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ @@ -2160,25 +2174,26 @@ TCP and UDP are supported by default."; leaf protocol-id { type uint8; mandatory true; description "Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ protocol-numbers.xhtml - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; } leaf protocol-name { type string; description "The name of the Upper-layer protocol associated with this mapping. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ 
@@ -2565,20 +2583,33 @@ for some ports, e.g., as 10 seconds on port 53 (DNS) and 123 (NTP) and longer timeouts on other ports."; leaf port-number { type inet:port-number; description "A port number."; } + leaf protocol { + type uint8; + description + "Upper-layer protocol associated with this port. + + Values are taken from the IANA protocol registry: + https://www.iana.org/assignments/protocol-numbers/ + protocol-numbers.xhtml. + + If no protocol is indicated, this means 'any + protocol'."; + } + leaf timeout { type uint32; units "seconds"; mandatory true; description "Timeout for this port number"; } } leaf hold-down-timeout { @@ -2809,30 +2842,29 @@ if-feature "napt44 or nat64 or dst-nat"; key protocol-id; description "Configure limits per transport protocol"; leaf protocol-id { type uint8; mandatory true; description - "Upper-layer protocol associated with this mapping. + "Upper-layer protocol. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ protocol-numbers.xhtml - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; } - leaf limit { type uint32; description "Maximum number of protocol-specific NAT mappings per instance."; } } } container connection-limits { 
@@ -2860,28 +2892,28 @@ list limit-per-protocol { if-feature "napt44 or nat64"; key protocol-id; description "Configure limits per transport protocol"; leaf protocol-id { type uint8; mandatory true; description - "Upper-layer protocol associated with this mapping. + "Upper-layer protocol. Values are taken from the IANA protocol registry: https://www.iana.org/assignments/protocol-numbers/ protocol-numbers.xhtml - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; } leaf limit { type uint32; description "Rate-limit the number of protocol-specific mappings and sessions per instance."; } } } @@ -3154,23 +3186,23 @@ list total-per-protocol { if-feature "napt44 or nat64"; key protocol-id; description "Total mappings for each enabled/supported protocol."; leaf protocol-id { type uint8; mandatory true; description - "Upper-layer protocol associated with this mapping. - For example, this field contains 6 (TCP) for a TCP - mapping or 17 (UDP) for a UDP mapping."; + "Upper-layer protocol. + For example, this field contains 6 for TCP, + 17 for UDP, 33 for DCCP, or 132 for SCTP."; } leaf total { type yang:gauge32; description "Total number of a protocol-specific mappings present at a given time. The protocol is identified by protocol-id."; } } 
@@ -3479,22 +3508,24 @@ Rajiv Asati suggested to clarify how the module applies for both stateless and stateful NAT64. Juergen Schoenwaelder provided an early yandgoctors review. Many thanks to him. Thanks to Roni Even, Mach Chen, Tim Chown, and Stephen Farrel for the directorates review. Igor Ryzhov identified a nit in one example. -7. References + Mirja Kuehlewind made a comment about the reuse of some TCP timers + for any connection-oriented protocol. +7. References 7.1. Normative References [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, . @@ -3609,22 +3640,22 @@ October 2017. [I-D.ietf-softwire-dslite-yang] Boucadair, M., Jacquenet, C., and S. Sivakumar, "A YANG Data Model for Dual-Stack Lite (DS-Lite)", draft-ietf- softwire-dslite-yang-17 (work in progress), May 2018. [I-D.ietf-tsvwg-natsupp] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream Control Transmission Protocol (SCTP) Network Address Translation - Support", draft-ietf-tsvwg-natsupp-11 (work in progress), - July 2017. + Support", draft-ietf-tsvwg-natsupp-12 (work in progress), + July 2018. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999, . [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", RFC 3022, DOI 10.17487/RFC3022, January 2001, .
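Review bot: In hunk @@ -314,33 +314,39 @@ (Section 2.4), the new closing paragraph says transport-specific timers are specified only for UDP, TCP and ICMP, yet the same revision adds a `protocol` leaf to `per-port-timeout` (hunk @@ -2565,20 +2583,33 @@) that accepts any IANA protocol number. Say explicitly whether `per-port-timeout` is the intended way to bound the lifetime of a DCCP or SCTP mapping; otherwise a mapping created for a protocol enabled via `/nat/instances/instance/policy/transport-protocols` has no specified expiry, which is a resource-exhaustion concern on a CGN. Minor wording: "Future documents may be edited to clarify how to reuse TCP-specific timers" reads oddly; "Future documents may specify how to reuse TCP-specific timers" is clearer.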
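Review bot: Type mismatch in hunk @@ -816,20 +822,21 @@: the tree diagram adds `| | | +--rw protocol? uint32`, but the module body in hunk @@ -2565,20 +2583,33 @@ defines `leaf protocol { type uint8; ... }`. Regenerate the tree from the final module (e.g. `pyang -f tree`) rather than editing it by hand, so the two cannot drift again.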
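Review bot: In hunk @@ -1110,21 +1117,21 @@ (feature nat64), replacing "using unicast UDP, TCP, or ICMP" with "using, e.g., UDP, TCP, or ICMP" broadens the feature description beyond what the cited reference defines: RFC 6146 is scoped to exactly those three unicast protocols, and the original sentence matched its abstract. If the intent is that a NAT64 implementation of this module may also translate other transports enabled via `transport-protocols`, say that explicitly instead of via "e.g."; otherwise keep the reference's wording, including "unicast".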
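Review bot: In hunk @@ -1392,28 +1398,31 @@, the added `}` that closes the mapping `type` leaf before `leaf transport-protocol` has no matching `-` line in any visible hunk, so either -15 was missing a brace (and did not compile) or a brace was relocated in a hunk not shown here; please confirm by running `pyang` on the -16 module that the brace count is balanced. Also, this `transport-protocol` description says "Values are taken from the IANA protocol registry." without the registry URL that the sibling `protocol-id` descriptions carry (e.g. hunk @@ -1609,28 +1618,28 @@); add it for consistency.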
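Review bot: In hunk @@ -1609,28 +1618,28 @@, the wording fix "Upper-layer protocol associated with a mapping." was applied to `protocol-id` but not to the sibling `protocol-name` two lines below, whose unchanged context still reads "The name of the Upper-layer protocol associated with this mapping." Apply the same wording to both leaves of the `transport-protocols` list.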
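Review bot: In hunk @@ -2160,25 +2174,26 @@, the `protocol-id` description keeps "Upper-layer protocol associated with this mapping." while hunks @@ -2809,30 +2842,29 @@, @@ -2860,28 +2892,28 @@ and @@ -3154,23 +3186,23 @@ shorten the same sentence to "Upper-layer protocol."; pick one formulation for all `protocol-id` leaves. The added URL line here is a good fix, since "protocol-numbers.xhtml" was previously a dangling fragment.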
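Review bot: Design problem in hunk @@ -2565,20 +2583,33 @@: the `per-port-timeout` list key stays `[port-number]`, so the new optional `protocol` leaf does not let an operator configure two entries for the same port with different protocols (for example a short timeout for UDP/53 and a different one for TCP/53, which the container's own example of "10 seconds on port 53 (DNS)" invites); only one entry per port can exist, and `protocol` merely narrows which protocol that single entry applies to. If per-protocol timeouts on the same port are wanted, the key needs to become `key "port-number protocol";`, in which case `protocol` is implicitly mandatory and "any protocol" needs an explicit value convention rather than an absent leaf; if not, state the one-entry-per-port limitation in the description. Independently, `type uint8` here disagrees with the tree diagram (`uint32`), and the description should say whether a matching entry takes precedence over `udp-timeout`, `tcp-idle-timeout` and `icmp-timeout` for that port.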
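Review bot: In hunk @@ -3154,23 +3186,23 @@, unlike the other `protocol-id` descriptions touched in this revision, the `total-per-protocol` key still lacks the "Values are taken from the IANA protocol registry" sentence and URL; add them so the value space of this key is defined the same way as the configuration-side keys it is meant to be correlated with.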
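Review bot: While touching the Acknowledgements in hunk @@ -3479,22 +3508,24 @@, two typos in the unchanged context lines could be fixed in the same edit: "yandgoctors" should read "yangdoctors", and "Stephen Farrel" should read "Stephen Farrell".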